Do you have bank or investment account statements delivered to you on-line because businesses are encouraging or even pressuring customers to go paperless? Do you have hundreds if not thousands of photographs of your charming family or adorable pets stored on-line? Do you post to any on-line social media accounts that tell part of the story of your personal or professional life? What happens to those accounts or assets when you die or become incapacitated? Does your personal representative have the authority or ability to access those accounts and try to put the pieces of a financial picture back together? Can those photographs be copied and delivered to the grieving family left behind? Should certain accounts or information be deleted, particularly if a protected person is being targeted on-line or identity theft is an issue? Even if an authorized user has the password to access an on-line account, is that a fraudulent cybercrime by misrepresenting to the end user who you are? All of these questions lead to one inescapable issue: the Internet is outrunning the law.
A personal representative to an estate, a conservator for a protected person, and a trustee for a trust have a legal duty to marshal and protect assets of the decedent or protected person; however, they face significant roadblocks when dealing with on-line providers that have widely varying terms-of-service agreements or policies regarding when or if they will provide access to on-line accounts and information to duly appointed fiduciaries. Unif. Trust Code § 801 (for example, “Upon acceptance of a trusteeship, the trustee shall administer the trust in good faith, in accordance with its terms and purposes and the interests of the beneficiaries, and in accordance with [the Uniform Trust Code]”); Robert E. Calem, What Happens to Your On-line Accounts When You Die?, Techlicious (June 29, 2010), http://tinyurl.com/38vqhtx. For example, Yahoo’s terms-of-service agreement purports to provide the company with full and sole authority to delete an account on the death of the account holder—regardless of the effect that may have on the estate.
In the midst of the chaos created by barring fiduciaries from performing their required duties, the Uniform Law Commission launched a more-than-two-year process resulting in the Uniform Fiduciary Access to Digital Assets Act (UFADAA). See generally Uniform Fiduciary Access to Digital Assets Act (2014), available at http://tinyurl.com/p7oshxl. UFADAA does not create new law insomuch as it mends a large gap that prohibits fiduciaries from doing their legally mandated job.
UFADAA is an overlay statute designed to work in conjunction with a state’s existing laws on probate, guardianship, trusts, and powers of attorney. Enacting UFADAA will simply extend a fiduciary’s existing authority over a person’s traditional assets to include the person’s digital assets, with the same fiduciary duties to act for the benefit of the represented person or estate. It is a vital statute for the digital age and should be enacted by every state legislature as soon as possible. Indeed, most states are actively pursuing the legislation in 2015.
The Uniform Law Commission Tackles “The Digital Divide”
For 124 years the Uniform Law Commission (ULC) has been providing states with “non-partisan, well-conceived and well-drafted legislation that brings clarity and stability to critical areas of state statutory law.” UFADAA (2014), available at http://tinyurl.com/p7oshxl; Suzanne Brown Walsh, The Uniform Fiduciary Access to Digital Assets Act (“UFADAA”) (2014), available at http://tinyurl.com/m4xkath (credit to Walsh for coining “The Digital Divide”). The ULC is a nonprofit, unincorporated association that seeks to provide states with nonpartisan proposed legislation regarding state laws. The ULC consists of more than 300 practicing lawyers, governmental lawyers, law professors, and lawyer-legislators from the 50 states, Washington, D.C., Puerto Rico, and the U.S. Virgin Islands. It is a well-respected organization that has been highly successful in proposing uniform laws that support certainty for businesses and individuals, including the Uniform Commercial Code and the Uniform Trust Code.
In 2012 the Uniform Law Commission created a drafting committee to consider a uniform act to vest fiduciaries with the authority to manage and distribute digital assets, copy or delete digital assets, and access digital assets. The drafting committee completed its work last year, and UFADAA was approved by the ULC on July 16, 2014.
What Are Digital Assets?
In the Internet age, the nature of property and our methods of communication have changed dramatically. A generation ago, a human being delivered our mail, and we kept photos in albums, documents in file cabinets, and money on deposit at the corner bank. For most people today, at least some of their property and communications are stored as data on a computer server and accessed via the Internet. One’s digital assets are the electronic information stored on a computer or through computer-related technology. These could include digital images from photographs, electronic investment account statements, e-mails, social media accounts, bank account statements, and so on. For many, our primary means of communication is e-mail, often through multiple e-mail accounts. We tweet about the latest happenings through our on-line accounts. We keep in touch with friends and colleagues through social networking sites. We store important information and family photos on a growing array of on-line sites. We access our financial assets, such as bank accounts and brokerage accounts, over the Internet. We pay our bills electronically. We own Internet domain names. In the aggregate, these digital assets have tremendous financial, emotional, and aesthetic value.
Nearly every individual has some type of on-line account. These accounts are used to communicate, pay bills, conduct business, create on-line personalities, and even date. Because many individuals protect such accounts by limiting access to themselves only, accounts with protected passwords can create problems when the account holder dies because no one has access to the passwords. As a result, digital assets, including on-line accounts and information, documents, or media stored on one’s computer, are often left untouched. These include photos, videos, music, medical records, legal or financial documents, web sites, blogs, social media accounts, banking information, business accounts, and any other material or data owned by an individual. Lev Grossman, The Beast with a Billion Eyes, Time, Jan. 30, 2012, http://tinyurl.com/lxp2vup (“For every minute that passes in real time, 60 hours of video are uploaded to YouTube.”). Often, these assets have economic value and should be included in the estate for tax purposes.
Digital assets can be software (Word, Excel, Turbo Tax, Quicken); stored information on a hard drive, backup drive, CD, DVD, or thumb drive; on-line presences such as web sites, blogs, and social media accounts; on-line e-mail, bank, brokerage, financial, shopping, and travel accounts; and on-line gaming pieces, photos, digital music, client lists, bitcoins, and even digital art. See Roundup: Where to Spend Your BitCoins, Time, Dec. 9, 2013, at 9 (bitcoins are being accepted more often at places like Subway shops, for airline travel on CheapAir.com, on Baidu, China’s most popular web site, and for tuition at the University of Nicosia in Cyprus); Alexandra Sifferlin, Digital Art Clicks on the Auction Block, Time, Oct. 21, 2013. Rafael Rozendaal, the “on-line king of digital art,” builds interactive web sites that draw as many as 40 million views a year. Thirty million Facebook accounts belong to dead people. The average individual has 25 passwords. Some service providers have explicit policies on what will happen when an individual dies, but most do not; even when these policies are included in the terms of service, most consumers click-through these agreements.
Collectively, a person’s digital property and electronic communications are referred to as digital assets, and the companies that store those assets on their servers are called “custodians.” Access to digital assets is usually governed by a restrictive terms-of-service agreement provided by the custodian. This creates problems when account holders die or otherwise lose the ability to manage their own digital assets. Although there is no universally accepted definition of digital assets, UFADAA defines them as electronic records, not including an underlying asset or liability unless the asset or liability is itself a record that is electronic. All digital assets, however defined, are accessed by a tangible device, such as a computer, smartphone, tablet, or a server. Jamie P. Hopkins, Afterlife in the Cloud: Managing a Digital Estate, 5 Hastings Sci. & Tech. L.J. 210, 212 (2013).
Fiduciaries Must Have Access to Digital Accounts
A fiduciary is a person with the legal authority to manage another’s property and the duty to act in that person’s best interests. UFADAA concerns four common types of fiduciaries:
- executors or administrators of deceased persons’ estates,
- court-appointed guardians or conservators of protected persons’ estates,
- agents appointed under powers of attorney, and
UFADAA gives people the power to plan for the management and disposition of their digital assets in the same way they can make plans for their tangible property: by providing instructions in a will, trust, or power of attorney. If a person fails to plan, the same court-appointed fiduciary that manages the person’s tangible assets can manage the person’s digital assets, distributing those assets to heirs or disposing of them as appropriate.
Some custodians of digital assets provide an on-line planning option by which account holders can choose to delete or preserve their digital assets after some period of inactivity. UFADAA defers to the account holder’s choice in such circumstances but overrides any provision in a click-through terms-of-service agreement that conflicts with the account holder’s express instructions.
Under UFADAA, fiduciaries who manage an account holder’s digital assets have the same right to access those assets as the account holder, but only for the limited purpose of carrying out their fiduciary duties. Thus, an executor may access a decedent’s e-mail account to make an inventory of estate assets and ultimately to close the account in an orderly manner, but may not publish the decedent’s confidential communications or impersonate the decedent by sending e-mail from the account. Moreover, a fiduciary’s management of digital assets may be limited by other law. For example, a fiduciary may not copy or distribute digital files in violation of copyright law and may not access the contents of communications protected by federal privacy laws.
To gain access to digital assets, a fiduciary must, under UFADAA, send a request to the custodian, accompanied by a certified copy of the document granting fiduciary authority, such as letters testamentary, a court order, or a certification of trust. Custodians of digital assets that receive an apparently valid request for access are immune from any liability for good faith compliance.
The reasons a duly-authorized fiduciary may need access to on-line accounts and information are varied.
To Prevent Identity Theft
Fiduciaries are bound to preserve the assets of the estates they manage. The Bureau of Justice Statistics recently found that 16.6 million American adults experienced identity theft in 2012. Alexander Trowbridge, Identity Theft Rises, Consumers Rage, CBS News (July 1, 2014), http://tinyurl.com/n72ycq3. “[M]ore than half of adults who use social networks post information that puts them at risk for identity theft and other cybercrimes.” Chelsea Ray, ‘Til Death Do Us Part: A Proposal for Handling Digital Assets After Death, 47 Real Prop., Tr. & Est. L.J. 3, 583, 588 (2013) (quoting Alex Pham, Internet Security 101: What Not to Post on Facebook, L.A. Times Technology (May 3, 2010), http://tinyurl.com/2f7crxy). When an individual is unable to continue to monitor his or her on-line accounts because of incapacity or death, it becomes easier for criminals to hack these accounts, open new credit cards, apply for jobs, and even obtain state identification cards. Thus, a fiduciary may have to monitor and protect—perhaps simply by terminating—a decedent’s on-line accounts. See Gerry W. Beyer & Naomi R. Cahn, When You Pass on, Don’t Leave the Passwords Behind: Planning for Digital Assets, Prob. & Prop., Jan./Feb. 2012, at 40. The issue of deleting on-line information has garnered international attention with the Mario Costja Gonzalez case in Spain in which the Court of Justice concluded “that a person should be able to demand that a search engine remove links ‘on the ground that that information may be prejudicial to him or that he wishes it to be ‘forgotten’ after a certain time.’” Lev Grossman, You Have the Right to Be Forgotten: A European Court Has Upheld an Increasingly Precious Principle, Time, May 15, 2014, http://tinyurl.com/lntljps.
To Marshal and Collect Assets
It is now virtually impossible to collect mementos, contact friends and family, or sort through financial records without access to e-mail accounts. Most creditors and banks strongly encourage customers to “go green” and receive bills and statements electronically. Frequent flyer miles and other loyalty programs accumulate through on-line systems. There are young people who conduct all of their business and, in effect, earn their livings on-line, as bloggers, authors, or entrepreneurs. Some banks and financial institutions exist solely on-line, with no brick-and-mortar branches. Both digital and nondigital accounts may be subject to Internet-based service agreements. Although the assets themselves can be available to the executor or agent, their management and transfer may require compliance with those agreements. Digital assets themselves can have significant monetary value. The most obvious example is Bitcoin, a digital currency. See Bitcoin Home Page, https://bitcoin.org/en/ (last visited Nov. 25, 2014). The domain name “Insure.com” sold for $16 million in 2009, “sex.com” sold for $14 million in 2006, and “Fund.com” sold for £9.99 million in 2008, to name just a few. Chris Irvine, Top 10 Most Expensive Domain Names, The Telegraph, Mar. 10, 2010, http://tinyurl.com/yg4y337.
Yahoo Mail considers an account to be private property and will not hand over account information to the decedent’s family members without legal action. Peggy Hoyt & Sarah Aumiller, Estate Planning for Your On-line Identity, Estate and Business Planning Blog (June 9, 2010), http://tinyurl.com/oxzhutg. In addition, Yahoo Mail will permanently delete all accounts and their contents, preventing access to anyone, on receipt of a copy of a death certificate. Calem, What Happens to Your On-line Accounts When You Die?, supra. In fact, Yahoo’s terms of service include a “no right of survivorship and non-transferability clause.” The clause states: “You agree that your Yahoo! account is non-transferable and any rights to your Yahoo! ID or contents within your account terminate upon your death. Upon receipt of a copy of a death certificate, your account may be terminated and all contents therein permanently deleted.” Id. Such unilateral control may be directly contrary to the decedent’s intent.
With billions of dollars in unclaimed bank accounts (and other assets) finding their way to state treasurers every year, a lack of information through digital accounts will only increase this amount. Saabira Chaudhuri, The 25 Documents You Need Before You Die, Wall St. J., July 2, 2011 (“According to the National Association of Unclaimed Property Administrators, state treasurers currently hold $32.9 billion in unclaimed bank accounts and other assets.”).
To Console Grieving Loved Ones
Stories abound of grieving family members and friends searching for answers, comfort, and support in the social media accounts, voice mails, or other digital assets of their deceased friends and relatives. Beth Teitell, Preserving Voicemails Helps Modern Grieving Process, Boston Globe, Nov. 20, 3013, http://tinyurl.com/l4tvbxa. For example, David and Karen Williams v. Facebook, Inc., No. 0704-03971 (Multnomah Cnty. Cir. Ct. 2007), resulted in a Stipulated Order Permitting Access to Facebook.com Account Information, although the resulting information was unilaterally redacted by Facebook. A recent story to circulate is that of a teenage boy who, 10 years after his father died, discovered his “ghost” in a game they had played together when the boy was only six years old. Alex Lloyd, Teenage Son Discovers His Deceased Father’s Ghost Car in Xbox Rally Game, Yahoo! Autos (July 22, 2014), http://tinyurl.com/k5jxd3e. Although the monetary value of social media accounts is generally small, access to the account may be priceless to family and friends. This is what motivated teenager Eric Rash’s parents, Ricky and Diane Rash, to become the driving force behind Virginia legislation that grants parents postmortem access to a minor’s Facebook account content. Tracy Sears, Family, Lawmakers Push for Facebook Changes Following Son’s Suicide, CBS 6 (Jan. 8, 2013), http://tinyurl.com/pwp63mp. With 7.5 million American children under the age of 13 using Facebook, a uniform approach to allow fiduciary access will save untold grief and litigation expense. Ray, ‘Til Death Do Us Part, supra, at 588 (citing Somini Sengupta, Update Urged on Children’s On-line Privacy, N.Y. Times, Sept. 15, 2011, http://tinyurl.com/9b7w5lg).
In the well-known case of In re Justin Ellsworth, a U.S. Marine was killed in Iraq, and his family was denied access to his Yahoo e-mail account because of company policy. Justin Atwater, Who Owns E-Mail? Do You Have the Right to Decide the Disposition of Your Private Digital Life?, 2006 Utah L. Rev. 397, 399 (2006). Yahoo refused to give the e-mail password to the family as a result of its terms of service, which required the company not to disclose the private e-mail communications of its users. Id. at 401. The family filed suit against Yahoo, and in April 2005, a probate judge signed an order directing Yahoo! to provide the contents of the e-mail account used by Ellsworth. Id. Although Yahoo complied with the order, it maintained that its compliance was no way indicative of its stance on who holds legal title to the account information. Id. Yahoo’s compliance, it claimed, was a product of the court order, and it promised to defend its commitment to treat user e-mails as private and confidential. Id.
Rather than continue with costly litigation and varying legal interpretations that fail to provide consistency to businesses and individuals, UFADAA seeks to provide a dependable process throughout the United States.
Impediments to Fiduciary Access to Digital Assets
Most on-line accounts are password protected, and generally the passwords can be reset or recovered only with access to the account holder’s e-mail account—if they can be reset or recovered at all.
Only a minority of states have legislation dealing with fiduciary access to digital assets: Connecticut, Idaho, Indiana, Louisiana, Oklahoma, Rhode Island, Nevada, Virginia, and Delaware. H.B. 345, 2011-12 Leg., 129th Sess. (Ohio 2012) (signed into law on August 12, 2014, over on-line providers’ efforts to obtain a veto from the governor). Of those statutes, only the Delaware act is comprehensive and substantially similar to UFADAA, although numerous states have UFADAA in the legislative pipeline for consideration in 2015.
Federal and State Computer Fraud and Abuse Acts
Each state and Congress has enacted a Computer Fraud and Abuse Act (CFAA) that criminalizes (or at least, creates civil liability for) the unauthorized access of computer hardware and devices and the data stored thereon. The federal CFAA provides:
(a) Whoever— . . . (2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— . . . (C) information from any protected computer if the conduct involved an interstate or foreign communication; . . . shall be punished as provided in subsection (c) of this section.
18 U.S.C. § 1030(a)(2)(C) (emphasis added).
Thus, the CFAA criminalizes “unauthorized access” to the Internet or a computer system or account because “obtaining information” could mean loading a web page, and a “protected computer” is defined not only as any computer connected to a government network but also as one used in interstate or foreign commerce. Because most Internet servers are not located in the same state as the web site’s user, using the Internet could involve obtaining information from a “protected computer” and thus implicate the CFAA. That is an unacceptable scenario for fiduciaries. Although “without authorization” is not defined, the term “exceeds authorized access” is defined at 18 U.S.C. § 1030(e)(6) in the CFAA to mean:
[T]o access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.
This second prong, wherein a user who has access but exceeds his or her authority by accessing other files or information on the system, is designed to prohibit something nefarious: computer trespass. Although the state statutes vary in their coverage, they also typically prohibit “unauthorized access.”
Because the laws governing “access” to a computer or computer system or network call for authorization by the owner of that computer or system, they are directed at fraudulent activity such as malicious altering of computer systems and theft of services, and not authorized acts. See, e.g., 18 U.S.C. §§ 2701 and 1030.
Unfortunately, the fact that a fiduciary is “authorized” by the owner or state law to use a computer or to act for an account user may not be a bar to CFAA prosecution, even though it should be. The analogy would be that using, or even hacking into, the computer is no more illegal than a fiduciary using a locksmith to get into a building owned by an incapacitated person, principal, or decedent. Accessing a hard drive, however, may be different from accessing the decedent’s, incapacitated person’s, or principal’s digital accounts or assets. By accessing another’s digital accounts or assets on-line, the fiduciary may be violating the account provider’s terms-of-service agreement (TOSA) and, in turn, the federal CFAA.
Very few people read TOSAs. Most of us open accounts and click through the TOSAs without a glance. To illustrate how easy it is unintentionally to violate a TOSA: an archived version of Google’s TOSA until recently prohibited minors who lacked contractual capacity from using its services. Google Terms of Service, http://tinyurl.com/mextubw (last visited Nov 25, 2014). The concern is that some federal prosecutors may use the CFAA to prosecute defendants based solely on violations of a web site’s TOSA. The Aaron Swartz case was a recent, highly publicized example of such prosecution. See Andrea Peterson, The Law Used to Prosecute Aaron Swartz Remains Unchanged a Year After His Death, Wash. Post, Jan. 11, 2014, http://tinyurl.com/otpk3d2. Aaron Swartz was a self-described Internet activist who committed suicide in 2013, while facing prosecution for downloading, without permission, 4.8 million academic articles from the JSTOR digital library system.
In 2006, a mother who created a fake “MySpace” profile in violation of MySpace’s TOSA, to bully a child who then committed suicide, was prosecuted and convicted solely under the CFAA. That is, no underlying state law violation applied to her conduct. Ultimately, the trial judge overturned her conviction, ruling that the conscious violation of a web site’s terms of service, alone, is not automatically a criminal violation of the CFAA. United States v. Drew, 259 F.R.D. 449, 464 (C.D. Cal. 2009).
Until Congress amends the CFAA, the scope and breadth of the CFAA’s reach remains unclear. Here is an excerpt from the written testimony of Richard W. Downing, deputy chief of the DOJ’s Computer Crime and Intellectual Property Section Criminal Division, before the House Judiciary Committee Subcommittee on Crime, Terrorism, and National Security, presented on November 15, 2011. This testimony evidences that the DOJ will continue to prosecute TOSA violations:
Finally, on behalf of the Department I want to address concerns regarding the scope of the CFAA in the context of the definition of “exceeds authorized access.” In short, the statute permits the government to charge a person with violating the CFAA when that person has exceeded his access by violating the access rules put in place by the computer owner and then commits fraud or obtains information. Some have argued that this can lead to prosecutions based upon “mere” violations of website terms of service or use policies. As a result, some have argued that the definition of “exceeds authorized access” in the CFAA should be restricted to disallow prosecutions based upon a violation of contractual agreements with an employer or service provider. We appreciate this view, but we are concerned that restricting the statute in this way would make it difficult or impossible to deter and address serious insider threats through prosecution.
Richard W. Downing, Cybersecurity: Protecting America’s New Frontier, Committee on Judiciary (Nov. 15, 2011) (emphasis added), available at http://tinyurl.com/k2nv3o3.
Access to the computer does not automatically grant the fiduciary access to the data stored on the computer’s hard drive if the data are encrypted. One often cited example of this was Leonard Bernstein, who died in 1990, leaving the manuscript for his memoir titled “Blue Ink” on his computer in a password protected file. To this day, no one has been able to break the password and access the document. Helen Gunnarsson, Plan for Administering Your Digital Estate, 99 Ill. B.J. 71 (2011).
Copyright, Commercial Privacy, and Data Protection Statutes
Other bodies of law might impede a fiduciary from downloading or distributing another person’s digital files: such action may violate copyright law, the limited common law of privacy, trade secret law, and federal and state personal data protection statutes. For example, Massachusetts has a data security statute that requires encryption of personal information “owned or licensed [held by permission]” by any person. See 201 Mass. Code Regs. § 17.00 (2010) (generally effective March 1, 2010, which requires businesses to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs). According to the National Conference of State Legislatures, 46 states have enacted a data breach or privacy law of some kind.
The Stored Communications Act
The Fourth Amendment to the U.S. Constitution provides citizens with a strong expectation of privacy in their homes: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause[.]” As a result, the government cannot normally search our homes without first showing probable cause and obtaining a search warrant authorizing a search.
When we use a computer network, we may have the same personal expectation of privacy, but, of course, the network is not located in our homes. Addressing this issue, Congress enacted the Stored Communications Act (SCA) in 1986, as a part of the Electronic Communications Privacy Act (ECPA). See generally 18 U.S.C. §§ 2701–2711; see also Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 Geo. Wash. L. Rev. 1208 (2004). “The SCA is notoriously complicated and confusing, and its application to social networking sites has only further muddied the waters.” Rudolph J. Burshnic, Applying the Stored Communications Act to the Civil Discovery of Social Networking Sites, 69 Wash. & Lee L. Rev. 1259, 1264 (2012). “Despite vast technological advancement since the SCA’s passage, Congress has yet to update the SCA to conform to modern day innovations related to e-mail and cell phones, among other things.” Id.
The way the privacy protections of the Stored Communications Act work is to prohibit certain providers of public communications services from disclosing the contents of the user’s communications to a government or nongovernment entity (different rules apply to each), except under limited circumstances that are akin to the “warrant” required under the Fourth Amendment. So, if the provider of the electronic communications service provides it only to employees or students, and not to the general public, that provider is not subject to the SCA and cannot use its provisions as a shield against a fiduciary’s request or law enforcement demands for copies of communications or access to an account. But it is crucial to understand that the SCA applies different rules to government/law enforcement entities requesting information and all others, such as fiduciaries. Under the SCA, law enforcement officials can force or compel the provider who is otherwise covered and subject to the SCA to divulge the contents of an account. A fiduciary, however, cannot compel the provider to divulge the same information. Indeed, Google recently took the position, unsuccessfully, that the SCA confers “a blanket exemption or immunity on service providers against compulsory civil discovery process.” Negro v. Navalimpianti USA, Inc., 179 Cal. Rptr. 3d 215, 230 (Ct. App. 2014). That California court failed to follow such a restricted reading of the SCA: “The Act cannot be so construed.” Id.
A public communications provider can voluntarily disclose communications to a fiduciary, but only if an exception to the SCA’s prohibition against disclosure applies. 18 U.S.C. § 2702(b). The relevant exception for fiduciaries permits service providers to disclose communications with the “lawful consent” of “the originator” or an addressee or intended recipient of such communication, or the subscriber. 18 U.S.C. § 2702(b)(3). To give providers reassurance that a fiduciary can have such “lawful consent,” underlying state law or a court order should expressly provide that the fiduciary requesting the contents of SCA protected material has the user’s lawful consent. That is why Facebook essentially asked one court, in a memorandum supporting Facebook’s motion to quash a civil subpoena for information contained in a deceased user’s profile and account, to alternatively hold that the fiduciary had lawful consent and to order Facebook to disclose the requested content. Facebook, Inc.’s Motion to Quash Subpoena in Civil Case, No. C 12-80171 LHK (N.D. Cal. Aug. 6, 2012). The court granted Facebook’s motion and quashed the subpoena. In re Request for Order Requiring Facebook, Inc., to Produce Documents and Things, No. C 1280171 LHK (N.D. Cal. Sept. 20, 2012). A more recent ruling, however, minimized extraneous statements in that case: “The court’s remarks on this point may have been dictum.” Negro, 179 Cal. Rptr. 3d at 232 n.6.
A federal jury in Massachusetts awarded a plaintiff significant monetary damages in a civil action brought under the SCA recently. The defendant had been given the plaintiff’s e-mail account password so she could access it to read consultation reports when the two parties practiced medicine together. When the defendant left the practice and a business dispute arose, the defendant used the plaintiff’s unchanged password to access the account for reasons connected to the business dispute. The plaintiff sued, alleging her later access was unauthorized under the SCA. Despite very thin testimony to support the damage claim, the jury awarded the plaintiff $450,000 for the unauthorized intrusion. Jury Verdict Form, at 13, Cheng v. Romo, No. 11-cv-10007-DJC, 2013 WL 2245312 (D. Mass. Apr. 29, 2013); Cheng v. Romo, No. 11-1007-DJC, 2012 WL 6021369, at *13 (D. Mass. Nov. 28, 2012).
Providers are allowed to divulge noncontent information, such as the user’s name, address, connection records, IP address, and account information because the SCA only prohibits the disclosure of the contents of communications. Providers are still balking, however, at granting executors access to the content of decedents’ e-mail accounts. Recently, Yahoo! refused to accept a co-administrator’s authority to access his deceased brother’s e-mails, even though the surviving brother had opened and had shared access to the account but had forgotten the password. Ajemian v. Yahoo!, Inc., 987 N.E.2d 604, 613 (Mass. App. Ct. 2013). Yahoo! attempted to dismiss the Massachusetts declaratory action based on the California forum selection provision in its TOSA and claimed that the e-mails were not property of the Massachusetts estate, among other arguments. The appeals court refused to enforce the adhesive TOSA provisions but remanded the case to the probate court to determine whether or not the e-mails were an asset of the estate and whether or not the SCA barred Yahoo! from disclosing them. The court’s opinion differentiated between “clickwrap” agreements (requiring the user to click an “I agree” box) and “browsewrap” agreements in which the terms are simply posted, but the user need not confirm having read them. The court concluded that without evidence that the account holder agreed to the TOSA, the TOSA was not enforceable against anyone, especially not against the estate’s co-administrators, who were not parties to it.
Private social media account contents with photos, videos, or posts may all be “communications” protected by the SCA. See Burshnic, Applying the Stored Communications Act to the Civil Discovery of Social Networking Sites, supra. UFADAA clarifies that fiduciaries are “authorized users” with “consent” comporting with the federal laws such that on-line providers and fiduciaries will not risk running afoul of federal laws when fiduciaries are provided access to on-line accounts and information.
The Terms of Service Agreements
The account provider’s TOSAs are frequently silent as to fiduciary access or postmortem options, or they may prohibit postmortem transfer altogether. For example, Yahoo’s policy specifies:
We know that dealing with the loss of a relative is very difficult. To protect the privacy of your loved one, it is our policy to honor the initial agreement that they made with us, even in the event of their passing.
At the time of registration, all account holders agree to the Yahoo Terms (TOS). Pursuant to the TOS, neither the Yahoo account nor any of the content therein are transferable, even when the account owner is deceased. As a result, Yahoo cannot provide passwords or access to deceased users’ accounts, including account content such as email.
Yahoo does have a process in place to request that your loved one’s account be closed, billing and premium services suspended, and any contents permanently deleted for privacy.
Options Available When a Yahoo Account Owner Passes Away, Yahoo! Help, http://tinyurl.com/q76cvg8 (last visited Nov. 25, 2014). Facebook’s policy on postmortem account use and access has been widely publicized. Unlike Google, Facebook has not updated its policies on postmortem access. Essentially, Facebook will allow a personal representative or family member to obtain content with a court order via “Special Request.” See How Do I Submit a Special Request for a Deceased Person’s Account on the Site?, Facebook, http://tinyurl.com/k2ldyb6 (last visited Nov. 25, 2014) (once the account is “memorialized,” Facebook will not allow anyone except the user (who presumably would then have to prove that the user has not actually died, as reported) to log into it. It will allow verified family members to request that the account be removed from Facebook). Tucker Bounds, a spokesman for Facebook, has stated, however: “We will provide the estate of the deceased with a download of the accounts’ data if prior consent is obtained from or decreed by the deceased, or mandated by law.” Alissa Skelton, Facebook After Death: What Should the Law Say?, Mashable (Jan. 26, 2012), http://tinyurl.com/7r89yn9. With that admission, UFADAA actually supports Facebook’s stated policy.
Apple’s iTunes terms-of-use grants the account holder a license to download and use/listen to digital music files, but expressly prohibits their sale or transfer. This may or may not allow the user to bequeath the content or actual music files—the terms-of-use do not mention death. See Terms and Conditions, Apple, http://tinyurl.com/p69flak (last visited Nov. 25, 2014).
Amazon’s Kindle books, however, can indeed be willed, so it may be that on-line providers will begin to acknowledge the consumer demand for more choices. Katy Steinmetz, From Here to E-ternity: What Happens to Your Virtual Things When You’re Gone?, Time, Feb. 11, 2013. “Shoppers shelled out an estimated $4.5 billion last year for e-books and billions more for music, movies and other stuff that exists only on a computer or in the cloud.” Id.
With court opinions not always in alignment as to the enforceability of clickwrap or shrinkwrap on-line providers’ TOSAs, “the enforceability of agreements that require a mere ‘click’ to assent may not be as uniformly enforceable as large social media companies would have their users believe.” Ray, ‘Til Death Do Us Part, supra, at 601.
UFADAA authorizes fiduciaries to fulfill their responsibilities for on-line assets. This is not a new legal concept but rather a natural extension of the responsibilities a fiduciary has in connection with on-line assets. But without the statutory changes, the on-line providers often hold all of the power, including the power to hit the delete button and destroy irreplaceable financial or personal information.
A fiduciary is legally obligated to marshal assets and distribute, under the decedent’s stated intent. As more and more people move more and more assets and information on-line, how can a fiduciary get the necessary information? If a fiduciary goes on-line and uses a decedent’s password, then that is a cybercrime in most states and under federal law for making a fraudulent representation to the end user.
A fiduciary must have a predictable way to access and manage on-line assets. That is what UFADDA does. It does not create new law; it allows fiduciaries to comply with their existing responsibilities. Otherwise, the fiduciaries are in the impossible position of being ordered to marshal on-line assets but not having the authority to do so.
Bridging the Gap to Confirm Fiduciaries Are Authorized Users with Consent to Access
Who do you want making decisions for your estate: your fiduciary or the on-line providers? At least 27 states have proposed UFADAA legislation in 2015, in many instances supported by state-sponsored organizations. This should not be a controversial topic. The only controversy is that on-line providers have a lot of money to hire lobbyists to cry that the sky is falling, but it is not.
An existing body of law governs what fiduciaries can and cannot do, but to do their jobs, they must have on-line access.
Business owners need this law. Let’s look at the small- to medium-sized business—which is what the United States of America is founded on—and what happens when the owner becomes incapacitated or dies? Most laypeople believe that someone will have access to their personal and business digital accounts to handle their affairs. But that is not true.
UFADAA Approach in General
UFADAA aims to resolve the impediments to fiduciary access to digital assets. UFADAA defines digital assets, provides default rules, defers to the intent of account holders and privacy desires, and encourages custodian compliance. It was drafted with the assistance of observers from several state bar committees and from NAELA, ACTEC, Facebook, Google, Yahoo, NetChoice, Microsoft, The Verge, Northern Trust, the American Bankers’ Association, and representatives from the gaming industry. Although some Internet industry observers objected to some UFADAA provisions, the final version of the act differentiates between electronic mail content that is protected by the SCA and other content, as they had requested.
Key Concepts and Definitions
UFADAA covers personal representatives, conservators, agents acting under powers of attorney, and trustees. By defining the fiduciary as an authorized user, the act gives the fiduciary the authorization to access digital files under the first section (18 U.S.C. § 2701) of the SCA as well as under the CFAA, and it gives the fiduciary “the lawful consent” of the originator/subscriber so that the provider can voluntarily disclose the files under the second relevant provision of the SCA (18 U.S.C. § 2702). Moreover, this language should be adequate to avoid liability under state unauthorized access laws.
UFADAA grants fiduciaries access to digital assets limited to what is necessary to carry out their fiduciary duties; it is not personal access and does not allow a fiduciary to maintain or continue social media accounts by “impersonating” the account holder for whom the fiduciary is acting.
UFADAA § 2(1) defines an “account holder” as a person who has entered into a terms-of-service agreement with a custodian or a fiduciary for such a person. UFADAA § 2(8) defines a custodian as “a person that carries, maintains, processes, receives or stores a digital asset of an account holder.” (Elsewhere, UFADAA § 3(b) specifies that an employer is not a custodian under most circumstances.) UFADAA § 2(3) defines “carries” as engaging in the transmission of electronic communications, which is based on language in 47 U.S.C. § 1001(8).
UFADAA § 2(9) defines “digital asset” as a record that is electronic, not including an underlying asset or liability unless the asset or liability is itself a record that is electronic. This includes both the catalogue of electronic communications and the content of electronic communications, but it would exclude securities or currency. For example, consider an on-line commodities account for purchasing gold bullion. The digital assets covered by UFADAA are the records concerning the account, not the gold bullion itself.
UFADAA § 2(6) defines “content of an electronic communication” (EC) as information concerning the substance or meaning of the communication that has been sent or received by an account holder, that is in electronic storage by a custodian “covered” by the SCA, and that is not readily accessible to the public and is therefore “protected” by the SCA. So, such content is defined narrowly in reference to the SCA. Other EC content is covered not by this definition but instead by the broader definitionof a digital asset. UFADAA § 2(11) defines electronic communication as it is defined in 18 U.S.C. § 2510(12), which is, essentially, a transfer of data or signals electronically. Securities held in street name or money in a bank are not digital assets; UFADAA reinforces the fiduciary’s right to access all relevant electronic communications and the on-line account that provides evidence of ownership.
Personal Representatives’ Access
UFADAA § 4 is devoted to access by personal representatives, which is available by default unless the decedent prevented access in a TOSA election that complies with UFADAA § 8(b) or in a will, or a court otherwise prohibits access. In deference to custodians’ unease as to the availability of fiduciary authority under SCA, personal representatives have access to electronic communications content only if disclosure is permitted under federal law.
Conservator or Guardian Access
UFADAA § 5 permits a court to authorize conservator access to digital assets after the opportunity for a hearing. The protected person’s privacy is protected by default. Disclosure of EC contentmay be ordered only if permitted under federal law. State law typically requires the court to consider the protected person’s intent, best interests, and personal values. Social media companies object to ongoing use of an account, as opposed to limited access, which is why the act speaks of “access” and not management.
Access by Agents Acting Under Powers of Attorney
UFADAA § 6 provides that unless prohibited by the principal, an agent has access to most of the principal’s digital assets and the principal’s catalogue of electronic communications. The act, however, does not give an agent default authority over electronic communications content, so this authority is akin to gifting in that the principal must expressly include the authority to grant access. Although debate about this policy was lengthy on the floor of the annual meeting, ultimately the Uniform Law Commission voted to track the SCA, which requires the account holder’s lawful consent. For that reason, UFADAA makes access to EC content by an agent a “hot” power—something that must be identified specifically in the power of attorney document.
Access by Trustees
UFADAA § 7 provides that trusteeswho are original account holders can access all digital assets held in the trust. There should be no question that when the trustee is the original account holder, it will have full access to all digital assets. For assets that are transferred by the settlor or otherwise, a trustee becomes the successor account holder of the digital assets. Although the designation or transfer of the legal title should supply the necessary “lawful consent” under federal law, UFADAA § 7(b) distinguishes between access to EC content and the catalogue when the trustee is not the original account holder, just to be safe.
In all cases, the settlor is free to prevent trustee access to digital assets by language in the trust instrument or by a TOSA election that complies with UFADAA § 8(b), or a court can prohibit access, satisfying privacy concerns.
UFADAA does not contain provisions facilitating the transfer of digital assets into a trust. That transfer would be accomplished by the settlor while alive and capable, the settlor’s agent, or a personal representative. Underlying trust documents or default trust law generally supplies the allocation of responsibilities among trustees. Therefore, drafters should consider access to digital assets when drafting trustee powers provisions.
UFADAA § 8 specifies the nature, extent, and limitation of the fiduciary’s authority over digital assets. UFADAA § 8(a)(1) establishes that the fiduciary is authorized to exercise control over digital assets subject to the TOSA and applicable laws, such as copyright, and that the fiduciary may act only to the extent of the account holder’s authority and the fiduciary’s powers. UFADAA § 8(a)(2) says that the fiduciary has the account holder’s lawful consent under applicable electronic privacy laws. UFADAA § 8(a)(3) further specifies that the fiduciary is an authorized user under any applicable CFAA.
The fiduciary has the same authority as the account holder except when, under UFADAA § 8(b), the account holder has explicitly opted out of fiduciary access. This renders a boilerplate TOSA provision limiting fiduciary access as void against public policy. The TOSA can allow an account holder to prevent access, but it must be an affirmative election. The drafting committee felt this was absolutely necessary, given the reality of widespread user ignorance of TOSA provisions. See Londoners Give Up Eldest Children in Public Wi-Fi Security Horror Show, The Guardian, http://tinyurl.com/ng8379o (last visited Nov. 25, 2014) (reporting on Londoners connecting to free public Wi-Fi who were asked to approve terms and conditions that included a “Herod clause” promising the free Wi-Fi, but only if “the recipient agreed to assign their first born child to us for the duration of eternity.” Six people signed up).
UFADAA § 8(b)(2) reinforces the “stepping into the shoes” nature of fiduciary authority by indicating that the fiduciary’s access, by itself, will not violate a TOSA provision prohibiting third-party access. This will prevent prosecutions based solely on a fiduciary’s access. Subsection (c) supports the importance of fiduciary access by providing that any choice of law governing the effect of a TOSA that prevents fiduciary access is unenforceable. Subsection (d) clarifies that the fiduciary is authorized to access digital assets stored on devices, such as computers or smartphones, avoiding violations of state or federal laws on unauthorized computer access.
Compliance and Immunity
UFADAA § 9 provides that if a fiduciary has access under UFADAA and substantiates his or her authority as specified, a custodian must comply with the fiduciary’s request for access, control, or a copy of the digital asset.
UFADAA thereby mandates what the SCA merely permits if the request is for EC content. In exchange, UFADAA § 10 immunizes a custodian who complies with the request.
UFADAA § 3 provides that the act is applicable to the actions of all fiduciaries regardless of the date their authority was granted by a court or in an instrument. UFADAA § 3(b) provides that the act does not apply to digital assets of an employer used by an employee in the ordinary course of the employer’s business. This language is intended to preclude fiduciary access to employer-provided e-mail systems and employer data. It would allow fiduciaries of the employees of custodians who have personal accounts (with the employer custodian) that are not used for business to access the personal accounts. So, for example, a Yahoo! employee’s fiduciary would not have access to the employee’s business e-mail or other accounts but potentially could access a personal Yahoo! account.
The Temperature Increases as On-line Providers Gather the Lobbyists
Although five states had already passed legislation authorizing fiduciary access to digital assets when the ULC began its research on this important issue, and the on-line providers have been intimately involved in the ULC conversation, now that UFADAA is a viable legislative option for states to move forward, certain lobbyists for on-line providers have begun a full court press to scare state legislators away from the topic.
Only a few behemoth businesses do not like this law. And when you are Goliath, certainly your viewpoint is different from David’s. Michael Scherer, Hacking Politics, Time, June 17, 2013 (“In 2012, Google alone spent $23 million on direct corporate lobbying in D.C., more than defense contractors like Boeing, drug firms like Pfizer and oil companies like ExxonMobil”). When you have companies like Yahoo that have TOSAs allowing them to hit the delete button when the account holder dies, then yes, they do not like this law. But how is the fiduciary going to perform his job when the very assets he is supposed to marshal are within that account?
The worldview from some on-line providers is that they cannot and will not provide any on-line information without a criminal warrant; they appear to have no regard for the civil courts and scoff at the long-standing notion that a duly appointed fiduciary steps into the shoes of the decedent.
In a slight variation on the claim of a blanket exemption, Google contends that the language of the Act makes the consent exception “permissive” and the provider’s disclosure under it “voluntary.” Thus the Act, in Google’s view, “allows, but does not require, disclosure by an electronic communications service provider,” so that “Google may not be compelled by an order issued in a civil proceeding to disclose content, even with the user’s consent.” According to Google, the “text and title of the SCA could not be clearer” on this point.
Negro, 179 Cal. Rptr. 3d at 231. The California court did not agree with Google’s position: “This reading of the Act, however, does not survive scrutiny.” Id.
The legal reality that fiduciaries are a special group is a concept banks already understand. From a banking perspective, UFADAA is not a new and sexy law; banks already understand that when a decedent dies, the personal representative steps into the shoes of the decedent and will be allowed access to accounts or safe deposit boxes. On-line accounts are simply a different storage box. Trust officers from banks and other corporate fiduciaries support UFADAA because it provides certainty.
If UFADAA legislation does not move forward, it will be for one reason only—well-paid lobbyists’ fear tactics are scaring people from bringing the law up to date so that fiduciaries can properly perform their legal obligations. The positive effect UFADAA will have is apparent for fiduciaries trying to do their jobs, any business conducting business on-line or an individual with on-line accounts who becomes incapacitated or dies, and banks and trust companies that seek straightforward laws as guidance. All need certainty in the law. If state legislators back down because a few well-paid lobbyists scream that the sky is falling, then these constituencies are left in an ethical dilemma when working with a diverse group of clients: are attorneys supposed to advise them to commit a cybercrime by accessing an on-line account in the current confusion? How do we help our clients when the law has a gaping hole in it? The law must change to catch up with technology.
This is not a privacy issue. Fiduciaries routinely deal with private documents and issues. A well-established body of law governs fiduciaries in the performance of their responsibilities—the duty of loyalty, the duty to administer prudently, and the duty of confidentiality. Just because a fiduciary has authority under UFADAA to access on-line accounts or information does not require the fiduciary to do so in all situations, nor does it require the fiduciary to broadcast the information to the world. In fact, a fiduciary would subject himself to claims of breach of his fiduciary duty if he went rogue with on-line access. Laws are already in place that govern a fiduciary’s proper performance once he has access to on-line assets and information. UFADAA is necessary to open the door so that fiduciaries can perform their jobs appropriately.
This is an important policy issue: a fiduciary should have access on behalf of a decedent or protected person even though the access may not comply with a TOSA. Banks have safe deposit boxes, yet a personal representative has the authority to access the safe deposit box when a person dies, regardless of the contract. On-line accounts are just information stored in a different box—an electronic box. Indeed, it is interesting to note that, although fiduciaries have the right to complete access to federal U.S. mail addressed to a decedent or protected person, some on-line companies take the position that fiduciaries do not have the same rights to digital information and assets. A fiduciary has always had access to personal and perhaps sensitive information, including finding a long lost box of letters to a secret lover or incriminating photos or documents in the far reaches of a bottom drawer. The challenge of how a fiduciary handles private or sensitive information is not a new challenge.
Since 2010, some states have enacted laws addressing digital assets or accounts: Connecticut, Idaho, Indiana, Oklahoma, and Rhode Island. To date, none of these laws has been overturned, despite the new focus by on-line providers on arguing that federal law prohibits production of on-line information.
Conclusion: Why Your State Should Adopt UFADAA
UFADAA modernizes fiduciary law for the Internet age. Nearly everyone today has digital assets, such as documents, photographs, e-mails, and social media accounts. Digital assets have both monetary and sentimental value. But Internet service agreements, passwords that can be reset only through the account holder’s e-mail, and federal and state privacy laws that do not contemplate that the account holder’s death or incapacity may prevent fiduciaries from gaining access to these valuable assets. UFADAA solves the problem by ensuring that fiduciaries can access, delete, preserve, and distribute digital assets as appropriate.
- UFADAA gives account holders control. UFADAA allows account holders to specify whether their digital assets should be preserved, distributed to heirs, or destroyed.
- UFADAA treats digital assets like all other assets. If a fiduciary has authority to inventory and dispose of all of a person’s documents, it should not matter whether those documents are printed on paper, stored on a personal computer, or stored in the cloud. UFADAA provides a fiduciary with access to digital property.
- UFADAA provides rules for four common types of fiduciaries. The executor of a decedent’s estate has responsibilities different from those of an agent under a living person’s power of attorney. UFADAA provides appropriate default rules governing access for executors, agents, conservators, and trustees.
- UFADAA protects custodians and copyright holders. Under UFADAA, fiduciaries must provide proof of their authority in the form of a certified document. Custodians of digital assets that comply with a fiduciary’s apparently authorized request for access are immune from liability. A fiduciary’s authority over digital assets is limited by federal law, including the Copyright Act and the Electronic Communications Privacy Act.
- UFADAA provides efficient uniformity for all concerned. Digital assets travel across state lines instantaneously. In our modern society, people relocate more often than ever. Because state law governs fiduciaries, a uniform law ensures that, regardless of the state, fiduciaries will have equal access to digital assets and custodians will benefit from uniform regulation.
Contact ULC Legislative Counsel, Benjamin Orzeske, with any questions at firstname.lastname@example.org.
UFADAA updates state fiduciary law for the Internet age. When a person dies or loses the capacity to manage his or her affairs, a fiduciary receives legal authority to manage or distribute the person’s property as appropriate. Most people now own a variety of digital assets, including photographs, documents, social media accounts, web sites, and more. Access to digital assets is often limited by custodians through restrictive terms-of-service agreements. UFADAA ensures that fiduciaries have the access they need to carry out their duties in accordance with the account holder’s estate plan, if there is one, otherwise in the account holder’s best interests.
UFADAA provides a predictable manner by which a fiduciary, consistent with well-established fiduciary law, can deal with on-line accounts and assets. UFADAA does not create new law but rather allows fiduciaries and on-line providers to comply with the current law without inadvertent exposure to federal laws. Otherwise, fiduciaries are in the impossible position of being ordered to marshal and distribute assets without the ability to gain access. UFADAA avoids such chaos.