Is Your Digital Life Ready for Your Death?

Legal Framework and Limitations

                  Federal Criminal Legislation. The Federal Government enacted the Computer Fraud and Abuse Act (CFAA”) in part to criminalize internet theft, data theft, computer hacking, and other forms of internet crime. As written, CFAA criminalizes the unauthorized access to any computer, online service or online account. Unfortunately, to determine who may and may not access a specific account, even with the explicit permission of the account holder, you must read the service or account provider’s Terms of Service contract. As an example, Facebook’s Terms of Service Agreement prohibits anyone from logging into a user’s Facebook account, other than the user themself, even with the permission of the user. Therefore, a family member, friend, or even a fiduciary that logs into a Facebook account, using the password provided to them by the user themself, has violated the Terms of Service contract and is now committing a federal crime under the CFAA. Fortunately, the Department of justice has made it clear that they are not looking to enforce the CFAA when dealing with simple violations of online Terms of Service contracts, unless there are other more criminal factors involved. However, as advisors to our clients, and to fiduciaries such as Power of Attorneys, Executors, and Trustees, can we ethically advise clients to access digital assets and accounts where we know that they will be committing a crime under the CFAA? Further, if our fiduciaries do decide to access such accounts and commit a crime, how will we respond to a challenge from an unhappy beneficiary who is aware of the access and its violation of the CFAA?

B.                  Federal Privacy Legislation. In addition to the criminalization of unauthorized access of digital assets and online accounts, the Federal Government has also passed the Stored Communications Act (“SCA”) which creates a right to privacy for data and information stored online. Similar in nature to the federal health information privacy act (often referred to as HIPAA), the SCA creates specific guidelines as to whether, and when, providers of electronic communication services and holders of online data can release the information. As you will see below, these protections can create significant hurdles for family members and fiduciaries who attempt to access information stored online with these service providers and content holders.

1)                  Law Enforcement Agencies may compel the release of the information otherwise protected by the SCA through the use of subpoenas and other legal procedures.

2)                  Service providers are prohibited from disclosing information, or granting access to accounts, to non-Law Enforcement individuals (family and fiduciaries), unless one of the statutory exemptions are met. While there are exemptions for specific situations such and employment related emails being released to an employer or being disclosed during a lawsuit against a business, the main exemption that we should be aware of and plan with is the “Lawful Consent” exemption found in Code Section 2701(b)(3) of the SCA. This exemption allows a service provider to voluntarily turn over (or grant access to) stored information if the recipient has the lawful consent of the creator of such digital asset to access such information. However, this exception only provides that the service provider MAY turn over the information, but does not require them to. In fact, there are several national cases where service providers have chosen not to disclose the information. In these situations where the recipient actually had lawful consent, the courts indicated that the SCA exemption does not mandate the disclosure of the stored information, and that the courts could not compel the distribution of the information under the SCA even through legal proceedings.


C.                        State Criminal Legislation. Every state in the United States has its own version of computer and online fraud statutes that it uses to be able to bring state law charges for online theft, fraud, hacking, and other internet and computer crimes. In Florida, we have Florida Statute §§ 815.01-815.07 (“Florida Computer Crimes Act” or “Florida CCA”), enacted in 1979, which provides our state legislation. Typical violations under the Florida CCA are

  • unauthorized access of another user’s account
  • unauthorized modification, deletion, copying of files, or programs
  • unauthorized modification or damage of computer equipment.

However, Florida-based businesses usually prefer to pursue cases under the federal CFAA for relief because the Florida CCA allows plaintiffs to bring the civil action against a hacker only after a criminal conviction is successful.

  1. State Fiduciary Powers. Given the lawful consent exemption to the SCA that was discussed above, several states have amended their state statutes to provide that fiduciaries in their state shall be deemed to have lawful consent to access online information under the SCA. This is intended to open the door to allow service providers to voluntarily disclose stored content without the fear of having to determine on a case by case basis whether the fiduciary of an account holder has been given lawful consent. Unfortunately, to date, only five states have enacted such laws (Connecticut, Idaho, Oklahoma, Rhode Island and Indiana), and another 18 states have a relevant bill introduced (California, Colorado, Maine, Maryland, Massachusetts, Michigan, Missouri, Nebraska, Nevada, New Hampshire, New Jersey, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, Virginia), with the majority of the pending legislation introduced in the last 2 years. Unfortunately, even the enacted statutes provide little guidance in the form of definitions and procedure, and therefore while certainly a step in the right direction, these enacted and pending statutes have a long way to go to fully fix the access problems.
  2. Website and Service Provider Contracts. Online service providers mandate that all users agree to the provisions of a Terms of Service Contract (“TOSC’s”) which governs the actions of both the service provider and the user. Unfortunately, the TOSC’s are a take it or leave it situation, and can not be negotiated by the user. Can you imagine if each user could independently negotiate the terms of his or her contract with iTunes or their email service provider? Therefore we are relegated to accepting the often one-sided terms mandated by the service provider. These TOSC’s often restrict who may access a registered account or service to the individual that created the account, thereby eliminating any flexibility for fiduciaries or other authorized people from accessing the account. Likewise, such TOS’s will usually create restrictions on the ability of someone other than the user to reset or obtain password. In general, it’s the restrictions found in these TOCS’s that set up our fiduciaries for failure under the CFA and SCA.
Digital Legacy Association urges hospices to support patients in managing their digital estate

Obstacles to Transferring Online Accounts

One possible obstacle to the transfer of online accounts concerns privacy laws. If an account owner dies, a personal representative or successor trustee may not be able to simply call up the service provider and obtain a password to the decedent’s account. The service provider may have a privacy policy that prohibits turning over account information or content to a third party without a user’s consent. As a result, the service provider may refuse to allow the personal representative access. In that case, counsel may need to make use of one of the procedures I describe in the previous section. Although the service provider arguably has an obligation to surrender property of the decedent, the service provider may want a court order authorizing turn over of the account in order to protect itself from a claim of a privacy violation. Even if the decedent did not assert a privacy claim, government regulators might. Therefore, requiring a court order would seem to be a prudent course for a service provider.

In addition, planners should consider the effect of cybercrime laws, like the Computer Fraud and Abuse Act, California’s cybercrime and identity theft laws. They should also account for service providers’ terms of service. A service provider could take the position that a personal representative’s use of a decedent’s password to access an account after death is a violation of its terms of service. The service provider might also say that using the decedent’s account violates cybercrime laws. On the other hand, the personal representative could contend that he or she steps in the shoes of the decedent for purposes of authority to access the account. Moreover, the personal representative may have documents signed by the decedent authorizing access to online accounts.

There seems to be a gray area regarding the legality of post-death access to accounts. Nonetheless, the Nicholson article mentioned above in Section III suggests to service providers

that they should make plans for death and disability by allowing users to name a contingent authorized user who has the authority to access the account. In the absence of clear procedures for contingent authorized users to an account, where online services warn of criminal liability for unauthorized access to accounts, it may be prudent for a personal

representative to avoid simply accessing the account following the decedent’s death using the decedent’s password. In such cases, it may be best to obtain the court’s instructions permitting the access.

Digital death is still a problem. A widow’s battle to access her husband’s Apple account

Practical Problems for Planning and Management

  1. Unawareness. In order for the fiduciary to take steps essential to property handle the belongings of the property, the fiduciary has to pay attention to these belongings’ existence.
  2. Digital Bureaucracy. Many of the businesses that function custodians of digital media, accounts, and companies, have created some type of aid for the fiduciaries and the members of the family of the deceased. Unfortunately, as every firm is performing underneath the authorized restraints and uncertainty nonetheless surrounding the digital estate planning, there isn’t any uniformity in approaches chosen by every firm, which makes it tough to search out the suitable method and navigate by way of the procedures. The procedures a person should observe to entry the info pertaining to the deceased vary from sending a standard letter with a duplicate of a demise certificates, will, authorities IDs, private contact data, proof of relationship, and different verifying data of the deceased, to sending an electronic mail with sure data or proof of being appointed a fiduciary, to filling out an internet type with no further verification. Apart from time delay, a few of these approaches add a considerable quantity of paperwork.
  3. Passwords and PIN Codes. Passwords are the important thing to entry our many units and recordsdata. Our telephones are password protected, our computer systems and emails are password protected, all of our on-line monetary accounts are password protected, and even now our flash drives will be password protected. Without entry to the passwords, the Digital Assets saved in these gadgets and in these on-line areas are of lowered if any worth.
  4. Encryption. 32-bit, sixty four-bit, 128-bit, and 256-bit encryption are all ranges of encryption used to additional safe domestically or remotely saved information, or knowledge that’s being transported on-line from a service supplier to your pc or cellphone. Fiduciaries who’re unable to seek out, guess or in any other case use passwords to open secured accounts are left with the choice of attempting to interrupt the encryption that secures the digital asset. However, that is simpler mentioned than executed! As reported by Seagate, a number one expertise firm, in 2008, a file encrypted with 128-bit AES encryption has over 340,000,000,000,000,000,000,000,000,000,000,000,000 potential mixtures, or sufficient to maintain 70 billion computer systems busy computing for over seventy seven billion years at 2008 computing speeds to guess the right key to unlock the encryption. With this in thoughts, cracking or guess in password appears a complete lot extra life like than cracking the encryption. In case you had been questioning, it’s believed that the present 256 AES encryption will be ample encryption safety till roughly the yr 2031, when pc will be quick sufficient that this degree of encryption will now not be robust sufficient.
  5. CFAA Criminal Laws. As famous above, the Computer Fraud and Abuse Act stands in the way in which of Fiduciaries who try and entry on-line accounts with out acceptable authorization.
  6. SCA Privacy legal guidelines. As famous above, the Stored Communications Act prohibits the disclosure of a shopper’s electronically saved info until the fiduciary meets one of many listed exemptions, and even then the service supplier might chorus from disclosing the knowledge or granting entry to the saved info.
Texts from the dead: Post-mortem digital communication has arrived

Template of a Digital Property Provision for a Will

(template)  Generally the following provision will be inserted as a subparagraph in the Powers of Personal Representative (Executor) Section of the Will, and may be modified to be used with Trust Agreements.

Power With Regard to Digital and other Intangible Property.

In the event that at the time of my death I owned an interest in any form of electronic, digital or intangible assets (including but not limited to leaseholds, licenses, contractual rights, computing devices, data storage devices, a domain names, user accounts, email accounts, digital pictures, digital music, or any other form of electronically stored information (collectively, “Digital Assets”)), whether included in my probate estate or not, then in addition to any other powers described in this Section or provided for under applicable law, the powers granted to the Personal Representative of my estate shall include, but not be limited to, the following:

(1)   the power to obtain copies of any electronically stored information of mine from any person or entity that possesses, custodies, or controls that information, including but not limited to entities that may be subject to the Stored Communications Act under or similar state laws that may then be in effect;

(2)   power to decrypt any encrypted electronically stored information of mine or to bypass, reset, or recover any passwords or other kind of authentication or authorization necessary to gain access to access the Digital Assets;

(3)   the power to waive any confidentiality that I may have had under any Terms of Service Agreement or Privacy Policy that I had previously agreed to in regards to any Digital Asset, to the extent allowable under such Terms of Service or Privacy Policy;

(4)   all other powers that an absolute owner of a Digital Asset would have, and any other powers appropriate to achieve the proper investment, management, and distribution of my Digital Assets, including the power to employ any consultants or agents to advise or assist the Personal Representative in exercising the powers listed above.

In furtherance of such powers of personal representative, I hereby authorize, to the extent permitted by federal and state law, including the Electronic Communications Privacy Act of1986 (which includes the Stored Communications Act), as amended, the Computer Fraud and Abuse Act of 1986, as amended, any person or entity that possesses, custodies, or controls any electronically stored information of mine or that provides to me an electronic communication service or remote computing service, whether public or private, to divulge to the Personal Representative: (1) any electronically stored information of mine; (2) the contents of any communication that is in electronic storage by that service or that is carried or maintained on that service; and (3) any record or other information pertaining to me with respect to that service. This authorization is to be construed to be my lawful consent under the Stored Communications Act, as amended, and any other applicable federal or state data privacy law or criminal law. The terms used in this paragraph are to be construed as broadly as possible, and the term “user account” includes without limitation an established relationship between a user and a computing device or between a user and a provider of Internet or other network access, electronic communication services, or remote computing services, whether public or private.