What was viewable online yesterday is not today
Yesterday, AG uncovered that some names, emails, locations, and document names of customers were publicly visible online, discovered through a simple Google search.
Realtor Frank Llosa tells the story of how this information was visible to everyone, noting that he was emailing with a user of his website who said they had a house to list and sell. As part of his “who is this person” background, he did a Google search on the prospect’s email and found that they had signed a listing agreement with a broker a couple of days prior.
Overnight, DocuSign took action
“Rest assured that DocuSign follows national and international security standards, including strict security policies and practices that set the standard for world-class information security,” said Chief Security Officer, Joan Ross in a statement last night.
The company tells AGBeat that “While DocuSign always encourages customers to save their DocuSigned documents on the secure DocuSign Global Network, it’s come to our attention that a small number of customers have saved personal copies of their documents on publicly accessible websites that are being indexed by search engines.”
DocuSign says they are taking the following actions to help their customers:
- “DocuSign is contacting the few customers we’ve found who have personal copies of DocuSigned documents on publicly accessible websites to either confirm that is their intent (which in some cases it is), or if not to suggest ways to secure them.
- To make information on signature validation even less accessible, DocuSign has added a second step that requires any party searching for information on a DocuSigned document to provide additional transaction details.
- To make personal copies of documents that DocuSign customers have saved on the public Internet less discoverable, DocuSign is working with search engines to block indexing of links to DocuSign within public documents.
- DocuSign will also proactively provide on-going education to customers and the market around best practices for securing personal copies of documents and data. Content will be made available through the DocuSign Trust Site and the DocuSign blog at https://www.docusign.com/blog/.”
All URLs that AGBeat was able to click and view yesterday now require a user to know the Envelope ID, in other words, the link is no longer indexed, and put behind a wall to everyone except those with the specific identification number given to the document.
Although AG uncovered additional documents and email addresses visible to the public, out of concern for DocuSign user privacy, we are not publishing any of that information, rather have turned it over to DocuSign to make necessary changes out of a shared concern, which the additional layer of requiring the Envelope ID number before viewing any details appears to have resolved.
The company tells AGBeat that “A benefit of DocuSign that customers value is that signatures on documents are verifiable through a hyperlink to a customer-created DocuSign ID card. This helps parties to a transaction validate who has actually signed a document and displays a legally binding audit trail. Search engines cannot and do not index documents saved on the secure DocuSign Global Network. Search engines do index hyperlinks from publicly accessible websites. Leaving personal copies of documents on public sites where they can be indexed rather than within the secure DocuSign Global Network is like leaving copies of documents from a locked filing cabinet out on a public table for others to see.”
DocuSign recommends that customers store documents in the secure DocuSign Global Network and limit saving personal copies only to secure locations that meet the security requirements of all signing parties. AG would add that some third party locations may seem secure, particularly document hosting and sharing sites, but it doesn’t take much for those hyperlinks to be shared and indexed by any search engine.