Timestamping: a tool to secure your business
Although electronic timestamping is mostly used when electronically signing documents, it is useful in many other areas for proof and traceability purposes. Throughout this article, we will give concrete examples of how timestamping is a tool to secure your business.
Copyright protection exists from the moment a work is created and does not require any additional formality, contrary to a trademark or an invention. This remains true throughout the 179 signatory countries to the Berne Convention.
In the absence of compulsory registration with an office, it can, however, be difficult to provide proof of the existence and the content of a digital creation on a specific date, that is to say before that claimed by a possible infringer.
It is therefore recommended to create a so-called “evidentiary repository” with a trusted third party such as a bailiff, a notary, or Vaultinum.
Due to its technology involving the use of symmetric and asymmetric encryption algorithms, hash functions/fingerprint creation and electronic timestamping guaranteeing the integrity of the transmitted elements, the deposit made with Vaultinum:
- materialises the content of the digital creation;
- dates the creation;
- attests to the depositor’s ownership;
- records the content and creation dates.
In this context, the evidentiary repository presents several advantages:
- It limits the risks of appropriation of an invention by partners and/or third parties;
- It affixes a certain date to ideas, projects, preparatory documents, etc. pending the validation of a patent application;
- It records the results of research (especially laboratory notebooks) as and when discoveries are made so as to preserve prior rights and ensure a fair distribution of rights between employees;
- It proves that an invention kept secret was developed before a third party filed a patent on it, allowing the inventor to continue to use it (right of prior personal possession).
Personal data protection
· Provide proof of consent
In cases where the legal basis for processing is consent, the data controller must be able to demonstrate that the data subject has given consent to the processing of personal data concerning them.
In practice, compliance with this obligation can be complicated as the text does not specify how this evidence can be reported. It is therefore essential for the data controller to be equipped with a tool ensuring the preservation and traceability of the following elements:
- the content and date of the consent;
- the means used to give consent;
- the information communicated at the time of consent; and
- if applicable, the date of withdrawal of consent.
On this point, the French Data Protection Authority (CNIL) indicated, in March 2017, that "the digital timestamping of the indication of consent (by means of a click or a ticked box) and the implementation of a procedure for obtaining consent, duly documented, must be considered as a valid means of establishing proof of consent”.
· Providing proof of the deletion of personal data
In accordance with the General Data Protection Regulation (GDPR), the data controller is required to determine a data retention period for each category “not exceeding that necessary for the purposes for which it is processed".
The life cycle of personal data can be divided into three successive phases:
- Common or active database: the data can be used regularly by the departments involved for the time necessary to carry out the processing;
- Intermediate archiving: data is kept if there is a legal obligation or as evidence in the event of litigation, but access is restricted;
- Deletion, anonymisation/pseudonymisation or final archiving of data if they are of historical interest.
In order to prove compliance with the established retention periods, the data controller may use a tool to date the starting point of each phase of the data life cycle from collection to archiving/deletion.
Vaultinum provides support to its clients in setting up a timestamping system to date consent. Using Vaultinum API, client systems can interface with Vaultinum's timestamping solution to continuously and automatically timestamp thousands of consents in a reliable, secure and adaptable manner.
The authenticity of discounts offered during promotional operations is assessed with regard to unfair commercial practices.
Although professionals are free to determine the reference price of their choice (for example, regular price, competitor's price, recommended price), they must be able to justify the reality of the reference price on the basis of which the price reduction is announced. To do this, they may use notes, slips, order forms, sales receipts, catalogues, advertising leaflets or any other documents. However, these means are costly and difficult to execute, especially when price reductions are offered online and repeatedly. They also necessitate tremendous data collection and evidence-based archiving.
With a view to limiting the impact of these regulations and simplifying the application of price reductions, professionals are recommended to use an automated timestamping tool to ensure the preservation, traceability and integrity of the following elements:
- the chosen reference price (example: price applied by a competitor);
- the location of the chosen reference price (example: a website page);
- the date of application of the chosen reference price.
The implementation of reliable and recognized means of proof to justify the reference price is all the more important as relevant authorities have been closely monitoring online sales and, in particular, misleading price reduction announcements.
Whether human or automated, each action taken in an IT system is likely to leave tracks which must be recorded. These could be:
- successful connection to an application;
- access to a file or to the internet;
- attempted intrusions into the information system;
- application requests.
Event logs are an essential technical component to the proper management of the security of information systems.
To ensure this reliability, events cannot be timestamped through sole use of the computer's internal clock, as this is easily falsified and deviates naturally over time. Authorities recommend synchronizing the clocks of IT equipment with several internal time sources that are coherent with each other, themselves synchronized with several reliable external sources.
Secondly, a logging system must be set up insofar as the main objective of logging is to allow the person or the equipment causing an event to be identified directly or indirectly.
Finally, logs must be signed and timestamped as soon as they are created so as to ensure their integrity.
Following a number of scandals that testified to a lack of supply chain transparency in the food industry, regulation no. 178/2002 of 28 January 2002 introduced a requirement for food traceability at all stages of production, processing and distribution in order to identify sources of contamination more quickly.
In terms of supply chain (agro-food, luxury goods, wine, pharmaceutical industry), electronic timestamping and, more generally, timestamping applied to "blockchain" technology (a chain of records keeping track of a set of information, in a decentralized, transparent and secure way), has a real potential to ensure traceability and control of the origin of a product.
At every stage of the supply chain (producer, processor, distributor), a certain amount of information (dates, origin) concerning a food product, from its manufacture to its sale, will be recorded in a timestamped blockchain register. Depending on the case, the recording on the register could be done either by means of human intervention such as a photograph of the items, or automatically, through the use of connected sensors. Each actor in the supply chain can access the blockchain register to learn the identity of the person who first entered the information, the content of information itself (the integrity of which is guaranteed), and the date of registration of this information.
And yet, blockchain has its limits. Distributors and other importers need to protect their commercial networks and other trade secrets. The transparency of blockchain prevents this protection, but another solution exists. It consists of validation by a trusted third party by virtue of the presence of secure, timestamped register systems at each stage of the supply chain.
Quality assurance and monitoring of document versions
Business continuity plans (BCPs) have long been required by buyers of products and services. These plans are generally tested and updated annually.
They are essential because they provide information on the measures taken to avoid service interruptions on the supplier's side, for example, in the event of unforeseeable events or natural disasters and, and in turn, on the buyer's side. As such, it is essential that tests and updates are timestamped and securely archived in order to maintain documentary evidence over time and ensure the legal protection of all parties concerned.
Vaultinum provides secure and reliable archiving and timestamping services.
Banking and insurance
Data and information are often submitted online and are sometimes used to generate positions, offers or assessments. In order to avoid any dispute related to the content of the information submitted and its date of submission, and to guarantee that requests are dealt with properly and within a given timeframe, content should be archived securely and with a timestamp token.
Vaultinum supports banks and insurance companies by offering them a turnkey solution for timestamping and secure archiving of online requests. This adaptable, reliable and secure solution enables the automation of certified timestamping and secure archiving.
The digitalization of invoicing processes promises significant efficiency gains and cost reductions.
At the tax level, many countries allow taxpayers to digitalize their paper invoices received and issued and to keep them in digitalized format for the fiscal retention period.
However, in most countries, digitalized invoices must meet two conditions:
- they must be secured to ensure their integrity;
- they must be timestamped.
Although the timestamp can be internal, a timestamp certified by a trusted third party or a qualified timestamp process is essential to avoid disputes, especially since the timestamping of invoices is also used to enforce payment deadlines and calculate late payment penalties.
The opinions, presentations, figures and estimates set forth on the website, including in this blog, are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.
The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Vaultinum. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.