—Ricky Rash, Father of Eric Rash
Our everyday lives are ruled by digital assets. They have largely replaced tangible ones, changing the way we interact and conduct business. Now, documents are stored in the cloud, photographs are uploaded to web sites, music is downloaded from web sites, conversations are text messages, and stacks of letters are e-mail folders. Living digital is unavoidable!
Our smartphones, computers, and on-line accounts have accumulated valuable and significant electronic data, which continue to increase daily. Recently, the most valuable digital asset sold was a virtual space station for $635,000 on Entropia Universe, an on-line gaming platform. According to a 2014 global survey by McAfee, the average person has digital assets worth approximately $35,000. Even though your digital assets may not be your most valuable, they can be some of your most cherished, for example, digital family photos and videos.
Today, fiduciaries face a world in which such assets and information, which used to appear in tangible form—letters, tax returns, bank statements, as well as music, art, and literature—now exist only in digital form. And, this digital content is not on servers owned or controlled by the decedent. From social media to banking, password-protected sites are used to perform daily affairs for business and pleasure alike, with a reliance on the promise of secure access. But what happens when that promise of security bars access when one dies or becomes incapacitated? Understand the developing legal environment to plan for fiduciary access to digital assets. We must be able to control our digital life and afterlife.
Federal and State Law—Barriers to Access
The growth of digital assets has outpaced state and federal laws as well as the regulatory laws governing digital assets. Terms of service agreements, those pesky “small print” documents that pop up when establishing an account that people typically check “agree” on without reading (TOSAs), as well as federal and state laws, do not contemplate that death or incapacity may prevent access to digital assets. Because of the prevalence of digital assets, permitting access to them after death or incapacity is essential. Without proper planning, however, administering them can become a nightmare—or even a crime.
Federal Privacy Laws
The Fourth Amendment provides citizens with a strong expectation of privacy in their homes. That same expectation of privacy exists when using a home computer network. But computer networks are not physically located or being accessed within computers or in homes. They, therefore, are not protected by the Fourth Amendment. To fill that gap, Congress enacted the Stored Communications Act (SCA) in 1986, as part of the Electronic Communications Privacy Act (ECPA).
It is not surprising that 30 years ago Congress did not contemplate the digital revolution and that the SCA would become a barrier for fiduciaries. The SCA creates privacy rights protecting the content of a user’s electronic communications and governs the conduct of custodians, the companies that store electronic communications on their servers. The SCA’s inherent privacy rights prohibit such custodians from voluntarily disclosing a user’s content to the government or any person or entity unless an exception under the SCA applies.
The SCA includes a “lawful consent” exception for disclosure, but the SCA is silent about fiduciaries. There is evidence that Congress intended fiduciaries to be able to authorize disclosure; however, it is not explicit. Moreover, cases have been brought under the SCA and civil damages awarded.
State and Federal Computer Fraud and Abuse Laws
The Computer Fraud and Abuse Act (CFAA) is the federal anti-hacking law. It criminalizes the unauthorized access of computer hardware and devices and the data stored thereon. A potential crime under the CFAA exists for “exceeding authorized access,” if a fiduciary violates the access rules of that custodian’s TOSA.
The CFAA calls for authorization by the owner of a computer or system. Even with the user’s authorization, a fiduciary’s access to the user’s account may be a crime. Why? Access to a user’s on-line account requires accessing the custodian’s computers, which requires the custodian’s further authorization. Many TOSAs prohibit a third party, which would include a fiduciary, from accessing an account. If a fiduciary accesses another’s account, even with the user’s authorization, the fiduciary violates the TOSA and thereby exceeds authorized access to the custodian’s system. The Department of Justice has used the CFAA to prosecute defendants based solely on violations of a web site’s TOSA.
State Probate Codes
Most state probate codes are silent on digital assets. They do not include a definition of or default rules governing fiduciary access.
These sporadic, outdated, and incomplete laws create a Catch-22: fiduciaries risk civil liability if they refuse to manage a decedent’s digital assets or criminal and civil liability if they perform their duties.
Advancing the Cause— Original UFADAA
UFADAA does not break new legal ground; it simply applies the tried and true laws governing fiduciaries to the digital assets that are widely used today.
The Uniform Law Commission (ULC) recognized the obstacles fiduciaries face when dealing with digital assets after death or incapacity and in response created the Uniform Fiduciary Access to Digital Assets Act (UFADAA). UFADAA was drafted to solve the problem by ensuring appointed fiduciaries can access digital assets as appropriate. Long-standing fiduciary law exists that allows a representative to stand in the shoes of a deceased or incapacitated person to recover real or tangible property. UFADAA was meant to clarify that those same laws apply to digital property, resolving many of the barriers to fiduciary access to digital assets. UFADAA was not meant to forge new ground but to modernize fiduciary law for the Digital Age.
UFADAA was approved by the Uniform Law Commission on July 16, 2014. Eight states (Connecticut, Indiana, Rhode Island, Oklahoma, Idaho, Virginia, Nevada, and Louisiana) had previously enacted more limited laws on fiduciary authority regarding digital assets. Delaware was the ninth state to enact such laws, but its enactment was the first based on UFADAA.
Opposition to Original UFADAA
Two cultures colliding.
—Florida Representative Jay Fant
UFADAA is model legislation that can be enacted by state legislatures, but not Congress, and does not become law until approved and enacted by each state. Twenty-seven states introduced the original UFADAA in their legislative process for 2015, including Arkansas, Colorado, Connecticut, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Kentucky, Maine, Maryland, Massachusetts, Minnesota, Mississippi, Montana, Nebraska, Nevada, New Mexico, North Dakota, Oregon, Pennsylvania, South Carolina, Tennessee, Texas, Virginia, and Washington. But none had success. (Delaware’s enactment could be termed a success, but it was based on a previous draft of UFADAA and not the final version.)
Nearly every one of these state legislatures faced strong opposition from the custodians, including Yahoo, Google, and Facebook, and failed to pass for 2015.
The custodians had three compelling arguments: privacy, consent, and contract. Below is a brief commentary on their arguments.
- Privacy. The custodians held that users did not want their information shared with a fiduciary after death or incapacity, and they postured themselves as the protector of a user’s privacy, maintaining that the SCA sets “Privacy On” by default.
- Consent/Preemption. The custodians held that disclosure to a fiduciary in compliance with UFADAA placed them in violation of the SCA. Original UFADAA was based on the concept that the fiduciary had the account holder’s implied consent and didn’t need actual consent, so that the custodian could voluntarily disclose content under the “lawful consent” exception of the SCA. The custodians did not fully accept that a fiduciary can stand in the shoes of the user for purposes of providing the necessary consent. It didn’t help that the SCA is silent on fiduciaries.
- Contract. The custodians held that the law would improperly override their TOSAs, making them null and void. They also were concerned that including postmortem access options during sign-up would result in the TOSAs’ being more difficult and time-consuming to complete and scare away new users.
Notwithstanding the custodians’ arguments, both the ULC and the custodians realized that legislation addressing the issue of fiduciary access to digital assets is critically important. Fiduciaries play an essential role, acting on behalf of living, incapacitated, and deceased individuals.
Back to the Drawing Board—Revised UFADAA
Applying fiduciary law to digital assets shouldn’t be a reach.
—Florida Representative Jay Fant
The ULC and the custodians went back to the drawing board, and after a year of legislative battles they negotiated a compromise—the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA). RUFADAA is basically a complete re-write of the original act. On September 28, 2015, the ULC released the final text of RUFADAA. As described by the ULC:
A fiduciary is a person appointed to manage the property of another person, subject to strict duties to act in the other person’s best interest. Common types of fiduciaries include executors of a decedent’s estate, trustees, conservators, and agents under a power of attorney. This act extends the traditional power of a fiduciary to manage tangible property to include management of a person’s digital assets. The act allows fiduciaries to manage digital property like computer files, web domains, and virtual currency, but restricts a fiduciary’s access to electronic communications such as email, text messages, and social media accounts unless the original user consented in a will, trust, power of attorney, or other record.
RUFADAA has been enacted in 13 states, which are Arizona, Colorado, Florida, Idaho, Indiana, Maryland, Michigan, Nebraska, Oregon, Tennessee, Washington, Wisconsin, and Wyoming. It has been introduced in 15 other states, with the hope it eventually becomes law in all 50 states. The custodians, including Facebook and the Center for Democracy and Technology, have issued statements in support of RUFADAA. There is hope that RUFADAA will begin to deliver fiduciary access to digital assets.
Without stepping through a deep analysis of RUFADAA, below is a summary of six key points:
- “On-line Tool” Concept. RUFADAA authorizes a custodian to offer an on-line tool and specifies that a direction regarding disclosure by using an on-line tool supersedes a contrary direction in any estate plan. An on-line tool is an electronic service provided by the custodian that allows a user to provide directions for the disclosure or nondisclosure of digital assets to a designated recipient, who may or may not be a fiduciary. The on-line tool is distinct and separate from the custodian’s TOSA, for example, Facebook’s Legacy Contact and Google’s Inactive Account Manager.
- Content vs. Catalogue. RUFADAA provides that under certain conditions, a fiduciary can receive from the custodian a “catalogue”—think of the outside of an envelope (the “to,” “from,” and “subject matter”) of a communication—without express prior consent. Contrast that with “content,” in which a fiduciary would be required to show actual express prior consent from the user to the fiduciary.
- Presumptive Access vs. Possible Access—Fiduciaries’ Access Limited. By creating an “opt in” structure, RUFADAA bestows a greater importance and emphasis on explicit direction provided in the estate plan for digital assets. Previously, UFADAA attempted to vest all fiduciaries with presumptive access to digital assets. RUFADAA instead provides that users can consent to disclosure of content to a fiduciary by either an on-line tool or record (will, power of attorney, or trust), which will override a TOSA’s boilerplate prohibition against disclosure. Without such express consent, TOSA controls.
- Disclosure. RUFADAA gives the custodian three options for disclosure: (1) grant the fiduciary full access, (2) grant partial access to the account sufficient enough to perform the tasks necessary to discharge duties, or (3) provide a “data dump” of the information and assets in the user’s account. Custodians can charge a reasonable fee and do not need to disclose assets deleted by the user.
- Court Orders. RUFADAA seems to allow a custodian to require a court order when the custodian feels it is necessary.
- Protection for the Custodians. RUFADAA provides immunity to the custodians for an act or omission done in good faith compliance with the act.
Delectable or detestable, all depends on what you place on the table.
—Constance Chuks Friday
Plan; There Is No Defense!
With RUFADAA it is more important than ever to plan and address fiduciary access within that plan. Take control of “who will delete the digital you” by:
- Inventory/Road Map. Keep an updated list of valuable and significant digital assets, including accounts, user names, passwords, and so on. This list can be written, stored electronically, or be a hybrid of the two.
- Tangible Media. Regularly back up data, for example, digital photos, to a local storage medium (computer’s hard drive, DVD, USB flash drive, and so on).
- On-line Tool. Use an on-line tool, a/k/a third-party access, when available, to name another person to manage and have access to your account after death or incapacity. Many custodians are looking to create similar on-line tools.
- Estate Plan. Include specific language in the estate planning documents authorizing custodians to release data to the fiduciary during incapacity or at death. The keyword to remember: consent. RUFADAA will not help a fiduciary for any individual who has not engaged in estate planning for digital assets. But do not overdraft—not all clients will want all content disclosed.
Example language to include in estate planning documents, which should grant such explicit consent, is as follows:
Digital Devise: To hold, control, and have access to and the use of any asset held by any kind of computing or digital storage device or otherwise in digital form, including, without limitation, lists of passwords and account information; social media sites; blogs, e-books, or other web-hosted materials of which I am the owner or author; digital albums; videos; and websites on which I conduct business transactions.
Digital Assets: I hereby authorize any person or entity that possesses or controls any electronically stored information or that provides to me an electronic communication service to divulge to my Fiduciary any electronically stored information or any record or other information pertaining to me. This authorization is to be construed as my lawful consent to all such access or disclosure under the Electronic Communications Privacy Act of 1986, the Computer Fraud and Abuse Act of 1986, and any other applicable state or federal data privacy law, as they may be amended. To employ any consultants or agents to advise or assist my Fiduciary in decrypting any encrypted electronically stored information of mine or in bypassing, resetting, or recovering any password or other kind of authentication or authorization, and I hereby authorize my Fiduciary to take any of these actions to access: (1) any kind of computing device of mine; (2) any kind of data storage device or medium of mine; (3) any electronically stored information of mine; and (4) any user account of mine. The terms used in this paragraph are to be construed as broadly as possible, including as contemplated in the Uniform Fiduciaries Access to Digital Assets Act, and the term “user account” includes without limitation an established relationship between a user and a computing device or between a user and a provider of Internet or other network access, electronic communication services, or remote computing services, whether public or private.
When I can no longer access my assets, I need my fiduciary to be able to, otherwise commerce stops.
—Florida Senator Dorothy Hukill