Identity Theft Safeguard

Do You and Your Aging Parents Have a Digital Estate Plan?

You may be comfortable that your have your estate plan in order. You have a will, a durable power of attorney, a living will and a health care proxy. But do you have a digital estate plan?

In the past, we kept albums full of snapshots, vinyl records and shoeboxes full of correspondence. Now our photos are all on Flickr and IPhoto, our music is downloaded from ITunes and our correspondence is email via Yahoo or Google. Naomi Cahn, a law professor at George Washington University, stated that most adults have 20-25 accounts on the internet. And many of those accounts are for banking or investments.

Have you given instructions to your family on what to do with your internet accounts if you should die? And do they even know how to access those accounts? User names, passwords, internet addresses?

The family of Ricky Rash, a 15 year old who committed suicide in 2011, discovered how difficult it was to recover information from their deceased son’s internet account. In an effort to understand why he had taken his own life, they requested but were refused access to his Facebook account.

Facebook claimed that according to the Stored Communications Act of 1986 – the federal law that governs the protection of a person’s electronic data – even the account of a minor is protected from access by his parents or anyone else.  Other sites and providers interpret the legislation this way, making access all but impossible.

There are only five states that have taken any steps to help recover the internet data of a deceased person—Indiana, Idaho and Oklahoma legislation covers social media and blogging accounts, while Connecticut and Rhode Island legislation covers only email.

What does this mean for you? It is critical that you create a digital estate plan. The listing of internet accounts needs to be comprehensive. Information must include:

  • the name of the account
  • the contents of the account
  • the URL address
  • username
  • password
  • instructions for the disposition of the account including the person to oversee such disposition.

Digital Files After Death, What Happens to Your Digital Legacy?

Have You Completed Your Client’s Digital Estate Plan?

I’m sure you are comfortable that your clients’ estate plans are up to date. But have you reviewed your client’s digital estate plan? What is a digital estate plan? It’s a plan for the disposition of all your clients internet accounts once he or she is deceased

Experts have estimated that the average adult with access to the internet has more than 25 internet accounts! In the past, we kept albums full of snapshots, vinyl records and shoeboxes full of correspondence. Now our photos are all on Flickr and IPhoto, our music is downloaded from ITunes and our correspondence is email via Yahoo or Google.

And probably more important than that, a lot of your clients bank and investment accounts may be entirely online.!

And what happens if your client dies? Who has access to these internet accounts? And if they want those accounts taken off the internet how do they do it? You may discover that it is more difficult than you think to access their accounts or erase them from the internet

The family of Ricky Rash, a 15 year old who committed suicide in 2011, discovered how difficult it was to recover information from their deceased son’s internet account. In an effort to understand why he had taken his own life, they requested but were refused access to his Facebook account. Facebook claimed that according to the Stored Communications Act of 1986 – the federal law that governs the protection of a person’s electronic data – even the account of a minor is protected from access by his parents or anyone else.  Other sites and providers interpret the legislation this way, making access all but impossible.

There are only five states that have taken any steps to help recover the internet data of a deceased person—Indiana, Idaho and Oklahoma legislation covers social media and blogging accounts, while Connecticut and Rhode Island legislation covers only email.

What does this mean for your clients? It is critical that they create a digital estate plan.The listing of internet accounts needs to be more comprehensive than I originally recommended. Information must include:

  • the name of the account
  • the contents of the account
  • the URL address
  • username
  • password
  • instructions for the disposition of the account including the person to oversee such disposition.
Digital planning
Digital planning

There is a whole new industry that has been created to service your clients’ digital estate , a new digital estate planning service. Your clients can create an account and then enter their user names, passwords and wishes for each of their digital assets. They can specify an heir for each account; Legacy Locker will provide heirs with information after the account holder’s death is verified.

There are also online memorial services to celebrate your client’s life. These services enable your clients to create their own memorials before they pass away. Facebook and Twitter also offer these services for family members.

The importance of having a digital estate plan will increase as more and more of our assets (and access to assets) are online. Gradually laws will evolve to give family members access to deceased loved ones’ accounts. It is important to prepare your clients for the disposition of their digital assets now so that family members will not be unpleasantly surprised when they attempt to uncover them.

If you want to explore digital estate planning in more detail feel free to wander around.

Learn How to Preserve Your Data with Take Control of Your Digital Legacy

US digital legacy laws in 2013

New Hampshire recently gave some thoughts about what happens to your facebook page when you die. More precisely, legislation is being changed so that an estate executor would be in a position to get a hold on the different social networks, emails, … after the death of the owner – which is something that is not the custom today.

Peter Sullivan is the State Rep. who started the movement of digital estate planning in the New Hampshire House of Representatives, which accepted this bill 222 to 128. The goal of these legislation is namely to give a better control of the situation to the persons who just suffered from a loss.

The other states so far are Rhode Island, Connecticut, Oklahoma, Idaho, and Indiana. The first and the second were the first states to introduce a control of digital legacy, but at the same time only applied on a limited number of services. Oklahoma was supported by a state legislator, Ryan Kiesel. Kiesel helped draft the texts, but according to his own advice, the issue must be addressed to by the federal government.

 

Let’s have a quick look at the different states and statuses. Here are attached links to the different texts concerning the current laws (as of beginning of 2013).

 

Rhode Island: The legislation simply allows an executor to access the accounts of emails of the departed.

Source: http://webserver.rilin.state.ri.us/Statutes/TITLE33/33-27/33-27-3.htm

 

Connecticut : The same applies – and still the question of social networks is not raised.

Source: http://www.cga.ct.gov/2005/act/Pa/2005PA-00136-R00SB-00262-PA.htm

 

Indiana: The executor can be granted access to “information being stored online”.

Source: http://www.in.gov/legislative/ic/code/title29/ar1/ch13.html

 

Okhlahoma: The text gives the executor (or an estate administrator) the right to be granted the access to emails, as well as social networks, accounts.

Source: http://legiscan.com/OK/bill/HB2800/2010

 

Idaho: The Idaho text allows the executor to take over and control the account of the decedent, including the Facebook, Twitter, as well as any email provider. The major difference resides in the fact that the executor can resume the use of the account, even on a posthumous base.

Source: http://legislature.idaho.gov/legislation/2011/S1044.pdf

 

What Makes up Your Digital Estate?

Digital death laws

As per today, laws are not uniform around the globe, even in a single country like the US. Connecticut, Idaho, Oklahoma, Rhode Island, and Indiana are the only states so far to have laws concerning post mortem digital asset management. And even within this group, assets are not classified evenly : for example, 2005 Connecticut only considered an email address in its text.

However, the common point is that the aim of passing laws is to grant access to the digital executor of the dead person.

Is Your Digital Life Ready for Your Death?

Legal Framework and Limitations

                  Federal Criminal Legislation. The Federal Government enacted the Computer Fraud and Abuse Act (CFAA”) in part to criminalize internet theft, data theft, computer hacking, and other forms of internet crime. As written, CFAA criminalizes the unauthorized access to any computer, online service or online account. Unfortunately, to determine who may and may not access a specific account, even with the explicit permission of the account holder, you must read the service or account provider’s Terms of Service contract. As an example, Facebook’s Terms of Service Agreement prohibits anyone from logging into a user’s Facebook account, other than the user themself, even with the permission of the user. Therefore, a family member, friend, or even a fiduciary that logs into a Facebook account, using the password provided to them by the user themself, has violated the Terms of Service contract and is now committing a federal crime under the CFAA. Fortunately, the Department of justice has made it clear that they are not looking to enforce the CFAA when dealing with simple violations of online Terms of Service contracts, unless there are other more criminal factors involved. However, as advisors to our clients, and to fiduciaries such as Power of Attorneys, Executors, and Trustees, can we ethically advise clients to access digital assets and accounts where we know that they will be committing a crime under the CFAA? Further, if our fiduciaries do decide to access such accounts and commit a crime, how will we respond to a challenge from an unhappy beneficiary who is aware of the access and its violation of the CFAA?

B.                  Federal Privacy Legislation. In addition to the criminalization of unauthorized access of digital assets and online accounts, the Federal Government has also passed the Stored Communications Act (“SCA”) which creates a right to privacy for data and information stored online. Similar in nature to the federal health information privacy act (often referred to as HIPAA), the SCA creates specific guidelines as to whether, and when, providers of electronic communication services and holders of online data can release the information. As you will see below, these protections can create significant hurdles for family members and fiduciaries who attempt to access information stored online with these service providers and content holders.

1)                  Law Enforcement Agencies may compel the release of the information otherwise protected by the SCA through the use of subpoenas and other legal procedures.

2)                  Service providers are prohibited from disclosing information, or granting access to accounts, to non-Law Enforcement individuals (family and fiduciaries), unless one of the statutory exemptions are met. While there are exemptions for specific situations such and employment related emails being released to an employer or being disclosed during a lawsuit against a business, the main exemption that we should be aware of and plan with is the “Lawful Consent” exemption found in Code Section 2701(b)(3) of the SCA. This exemption allows a service provider to voluntarily turn over (or grant access to) stored information if the recipient has the lawful consent of the creator of such digital asset to access such information. However, this exception only provides that the service provider MAY turn over the information, but does not require them to. In fact, there are several national cases where service providers have chosen not to disclose the information. In these situations where the recipient actually had lawful consent, the courts indicated that the SCA exemption does not mandate the disclosure of the stored information, and that the courts could not compel the distribution of the information under the SCA even through legal proceedings.

 

C.                        State Criminal Legislation. Every state in the United States has its own version of computer and online fraud statutes that it uses to be able to bring state law charges for online theft, fraud, hacking, and other internet and computer crimes. In Florida, we have Florida Statute §§ 815.01-815.07 (“Florida Computer Crimes Act” or “Florida CCA”), enacted in 1979, which provides our state legislation. Typical violations under the Florida CCA are

  • unauthorized access of another user’s account
  • unauthorized modification, deletion, copying of files, or programs
  • unauthorized modification or damage of computer equipment.

However, Florida-based businesses usually prefer to pursue cases under the federal CFAA for relief because the Florida CCA allows plaintiffs to bring the civil action against a hacker only after a criminal conviction is successful.

  1. State Fiduciary Powers. Given the lawful consent exemption to the SCA that was discussed above, several states have amended their state statutes to provide that fiduciaries in their state shall be deemed to have lawful consent to access online information under the SCA. This is intended to open the door to allow service providers to voluntarily disclose stored content without the fear of having to determine on a case by case basis whether the fiduciary of an account holder has been given lawful consent. Unfortunately, to date, only five states have enacted such laws (Connecticut, Idaho, Oklahoma, Rhode Island and Indiana), and another 18 states have a relevant bill introduced (California, Colorado, Maine, Maryland, Massachusetts, Michigan, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Virginia), with the majority of the pending legislation introduced in the last 2 years. Unfortunately, even the enacted statutes provide little guidance in the form of definitions and procedure, and therefore while certainly a step in the right direction, these enacted and pending statutes have a long way to go to fully fix the access problems.
  2. Website and Service Provider Contracts. Online service providers mandate that all users agree to the provisions of a Terms of Service Contract (“TOSC’s”) which governs the actions of both the service provider and the user. Unfortunately, the TOSC’s are a take it or leave it situation, and can not be negotiated by the user. Can you imagine if each user could independently negotiate the terms of his or her contract with iTunes or their email service provider? Therefore we are relegated to accepting the often one-sided terms mandated by the service provider. These TOSC’s often restrict who may access a registered account or service to the individual that created the account, thereby eliminating any flexibility for fiduciaries or other authorized people from accessing the account. Likewise, such TOS’s will usually create restrictions on the ability of someone other than the user to reset or obtain password. In general, it’s the restrictions found in these TOCS’s that set up our fiduciaries for failure under the CFA and SCA.