Trusts and Estates’ readers keep up-to-the-minute on the best ways for clients to create, protect and transfer wealth. Yet, many advisors pay scant attention to a ubiquitous and often valuable property interest—digital assets.
Most state laws governing the actions of fiduciaries fail to mention or differentiate digital from non-digital assets. Most agreements governing online accounts ignore death and incapacity altogether, or worse, provide for automatic account termination if either occurs.
Read on and you’ll learn why fiduciaries need access to digital assets, why that access is so difficult to secure and what estate planners and their clients can do to facilitate it.
What are Digital Assets?
Digital assets are everywhere—anything that’s owned in a digital file—for example, email accounts, web pages, domain names, blogs and social-media accounts.
Artists create digital art, and you can buy services and products online with Bitcoins, a digital currency.1 Swords that exist only in games fetch tens of thousands of dollars. We bank using computers and smart phones; small businesses accept credit cards using smart phones and tablets, and they may exist solely online, with no brick and mortar presence at all. This year, a will drafted on a tablet computing device was admitted to probate in Ohio.2 As many as one out of five books sold in the United States is now an eBook.3
Defining digital assets is a little bit like nailing jello to a wall, because the digital world is constantly evolving in both content and use. The Uniform Law Commission’s (ULC’s) Fiduciary Access to Digital Assets Act (FADA), in its Fall 2013 draft, defined digital assets with specificity, as:
a) information created, generated, sent, communicated, received, or stored by electronic means on a digital device or system that delivers digital information, and includes a contract right; and b) an electronic system for creating, generating, sending, receiving, storing, displaying, or processing information which the accountholder is entitled to access.
The next draft may, instead, generalize that definition, by describing a digital asset as an electronic record that a person is entitled to access. (See “New Legislation on the Way,” p. 37.)
Digital assets, however defined, are accessed by a tangible device, such as a computer, smartphone, tablet or server.4 Those assets are frequently held in online accounts, which are in turn governed by adhesion contracts known as “Terms of Service Agreements” (TSAs). They’re enforceable, even though rarely read, and are unenforceable only if a court finds the terms to be unconscionable.5 A contract of adhesion is appropriately named. It’s a contract that sticks it to one of the
Why Fiduciaries Need Access
Domain names and other digital assets can have significant monetary value. Fiduciaries are obligated to collect (marshal) and preserve the assets of the estates they manage.6 The management and transfer of digital and traditional assets accessed by or held in online accounts require compliance with Internet-based service agreements. It’s now more convenient to bank online than to bank in a branch office. And, to prevent identity theft, fiduciaries must monitor and protect (perhaps simply by termination) an incapable’s or decedent’s online accounts.7
Digital assets can also have significant sentimental value. Grieving family members and friends frequently search for answers, comfort and support in the social media accounts of their deceased relatives and friends (the dearly digitally departed). Teenager Eric Rash’s parents were, for example, the driving force behind Virginia legislation that grants parents post-mortem access to a minor’s Facebook account.8 Others find comfort in saving and replaying voicemail messages.9
Legal Impediments to Access
Fiduciaries must be careful not to violate any laws or contractual agreements when trying to get access to digital assets.
Computer Fraud and Abuse Acts. Federal and state Computer Fraud and Abuse Acts (CFAAs) criminalize (or at least, create civil liability for) the unauthorized access of computer hardware and devices and their stored data.10
Because CFAAs are supposed to be directed at fraudulent activity, and not authorized acts, they shouldn’t reach a fiduciary’s use of a computer or device. Most likely, a fiduciary using a computer or system that the fiduciary lawfully possesses or controls is “authorized” to do so for CFAA purposes. The analogy would be that using, or even hacking into, the computer is no more illegal than a fiduciary using a locksmith (or crowbar) to get into a deceased’s house. Unfortunately, that a fiduciary is authorized by the owner or state law to use a computer or to act for an account user isn’t an absolute bar to CFAA prosecution.
By accessing another’s digital account, the fiduciary may be violating the account provider’s TSA and, in turn, the federal CFAA.11 Very few people read TSAs.12 Prosecutors have used the CFAA to prosecute defendants based solely on violations of a website’s TSA.13 The FADA draft would absolve fiduciaries of such technical TSA breaches by codifying the concept of the fiduciary stepping into the shoes of the accountholder.14
A TSA not to shout about. Yahoo!’s TSA prohibits postmortem transfer or access altogether.15 Recently, Yahoo! refused to accept a co-administrator’s authority to access his deceased brother’s Yahoo! emails, even though the surviving brother opened and originally shared access to the account, but had forgotten the password.16 Yahoo! attempted to dismiss the Massachusetts declaratory action based on the California forum designation provision in its TSA and claimed that the emails weren’t the property of the Massachusetts estate. The appeals court refused to enforce the adhesive TSA provisions but remanded the case to the probate court to determine whether the emails were an asset of the estate and whether the Stored Communications Act (SCA) (discussed below) barred Yahoo! from disclosing them. The court’s opinion discusses and differentiates between “clickwrap” agreements (requiring the user to click an “I agree” box) and “browsewrap” agreements, in which the terms are simply posted, but the user needn’t confirm having read them. The court concluded that without evidence that the accountholder agreed to the TSA, it wasn’t enforceable against anyone, especially not against the estate’s co-administrators, who weren’t parties to it. The court didn’t rule on the application of the SCA.
Instagram and Vine, two popular video and photo sharing services, both have TSAs and privacy policies indicating that, while users own their posted videos and photos, users grant the service rights to use their content (but not to sell it to advertisers). These conditions suggest that users may bequeath their content. However, the Instagram TSA says its policy is to “remove” the user’s account when notified of the user’s death, and it says nothing about granting post-mortem access to the content.21 Likewise, Twitter’s policy now contemplates only deactivation of an account and provides no mechanism for obtaining a copy or archive of the user’s account files or content. Previous versions of Twitter’s policy gave family members the option of either removing the account or saving a backup of public tweets.22
The SCA. The SCA is a major impediment to fiduciary access to electronic communications. Enacted in 1986 as a part of the Electronic Communications Privacy Act (ECPA), it extends Fourth Amendment protections against unreasonable search and seizure to data stored remotely on computer networks.23
The privacy protections of the SCA work by prohibiting specified providers of public communications services from disclosing the contents of users’ communications to a government or nongovernment entity (different rules apply to each), except under limited circumstances, which are akin to the warrant required under the Fourth Amendment. Social media account contents (for example, photos, videos and posts) are probably all “communications” protected by the SCA.24
If a provider isn’t subject to the SCA, it may disclose content without penalty to a third party. While law enforcement officials can compel the provider (who’s otherwise covered and subject to the SCA) to divulge the contents of an account, it provides no mechanism for nongovernment requesters to compel providers to disclose content.
Providers subject to the SCA can voluntarily disclose electronic communications content to a third party only if an exception to the nondisclosure rule applies.25 The relevant exception permits service providers to disclose communications with the “lawful consent” of “the originator or an addressee or intended recipient of such communication[s], or the subscriber…”26 For this reason, underlying state law or a court order should expressly provide that the fiduciary requesting the SCA protected material has the user’s “lawful consent.” That’s why Facebook essentially asked one court, in its memorandum supporting its motion to quash a civil subpoena for information contained in a deceased user’s profile and account, to alternatively hold that the fiduciary had lawful consent and to order Facebook to disclose the requested content.27 Instead of accepting that invitation, the court granted Facebook’s motion and quashed the subpoena.28
Providers are always allowed to divulge non-content information, such as the user’s name, address, connection records, IP address and account information, because the SCA prohibits only the disclosure of the contents of communications.
SCA violations can give rise to civil damages. A federal jury in Massachusetts awarded $450,000 in damages in a recent private civil action.29 The defendant had been given the plaintiff’s email account password, so she could access it for business purposes. A business dispute followed, and the defendant used the (unchanged) password to access the account for reasons connected to the business dispute, but well beyond the initial authorization. The plaintiff alleged that the subsequent, unauthorized access to his account violated the SCA. Despite very thin (or nonexistent) testimony to support the damage claim, the jury awarded the plaintiff $450,000 for the unauthorized intrusion.
Encryption. Access to the computer won’t automatically grant the fiduciary access to the data stored on the computer’s hard drive if the passwords and the data on the computer are encrypted.
Copyright, commercial privacy and data protection statutes. These laws might impede a fiduciary from downloading or distributing another person’s digital files. Those actions may violate copyright law, the limited common law of privacy, trade secret law or federal or any state personal data protection statutes.30
Inadequate state laws. Only seven states have enacted legislation expressly granting some fiduciary access to digital assets: Connecticut, Idaho, Indiana, Oklahoma, Rhode Island and, in 2013, Nevada and Virginia. Most of the 2013 proposed legislation died, as legislatures were urged to wait for the ULC’s draft to be finalized and approved in 2014. Of the federal privacy laws, only the Gramm-Leach-Bliley Act allows information to be divulged to fiduciaries.31
Enabling Fiduciary Access
Instill digital asset awareness in clients. Advise clients to make an inventory of these assets, including how and where they’re held, along with usernames, passwords and password “prompts.” This list should be updated periodically (easier said than done). A will, of course, shouldn’t contain passwords or other critical information about digital assets.
Compiling passwords, in any manner, is risky because the list will almost immediately become outdated and must be constantly updated to be useful. Once shared, it can be used to access accounts prematurely. But, it’s appealingly simple to leave written records of password and login information to family and fiduciaries. While use of an accountholder’s access information will violate many a TSA, it’s practical, and it works, at least until the password needs to be reset for some reason. That practice may soon become impossible, though, as biometric access (backed up with a passcode if the biometric scanner fails) becomes more common.32 Some have deemed this march towards biometric security necessary to protect against the inherent insecurity of “easy” passwords and the impossibility of consumers remembering lots of secure (long) ones.33
Alert clients to consider their email provider’s policies. In today’s digital world, access to email is critical—a decedent’s email account often has the information needed to collect assets and receivables, pay debts, manage a business and wind up affairs. Emails concerning financial and business accounts can be time-sensitive.
Unfortunately, emails may be in an employer’s system and not in a personal account. An employer might deny a family or fiduciary access to an employer-provided account for a number of reasons—for example, it may need to limit or prevent access to sensitive customer or client information, or access may require security clearance. With luck, an employer will be willing to search an employee’s account at the family’s or fiduciary’s request to provide copies of personal messages or banking or other necessary information.
Ensure that estate-planning documents properly address digital assets. The trust and estate lawyer’s natural assumption is that all digital assets behave, and are legally treated, just like real property and tangible and intangible assets. However, not all digital assets are transferable on death. Depending on the nature of the digital asset and the TSA, the service provider may or may not recognize a will or trust as validly transferring either access to, or ownership of, the account.
In April 2013, Google introduced an option called “Inactive Account Manager” to allow users to determine (within preset options) what will happen to their Google accounts after a predetermined period of inactivity. Users can set the time period of inactivity that triggers a Google response, and Google will also alert the user by text and email one month before deleting the account. Users may have Google notify up to 10 “beneficiaries” that the account will be closed before Google deletes it. After the recipients receive that notice, those designated “beneficiaries” can download the user’s Google content (such as Gmail, photos, YouTube videos or blogs). Or, the user can simply instruct Google to delete all account content.34 Although this feature won’t assist with postmortem access if it isn’t used by the deceased accountholder, or if the designated “beneficiary” is unavailable, incapable or dead, it’s a step forward. Unlike Google, Facebook hasn’t updated its policies on post-mortem access.35
Other companies offer services, which, like Google’s, can help clients plan for their digital passing. There are many services that offer master, secure storage for passwords.36 Others are more like digital estate-planning (DEP) services, which purportedly allow clients to grant others access to their digital accounts after the clients die or become incapable.37 Because that access itself may violate a TSA, the legality or, at least, utility of those services is unclear.38
Powers of attorney. Clients should give their agents authority over digital accounts in the event of incapacity.
Protecting privacy can trump protecting the digital assets. It’s important not only to include provisions for the disposition of digital assets with monetary or sentimental value, but also to provide for the destruction or securing of digital assets the client wants kept secret. Further, fiduciary power provisions should cover digital assets, and if they are to be destroyed or accounts terminated, that direction should be accompanied by a corresponding exculpation provision.
Personal representatives should be aware of digital assets and who controls them to determine if their disposition comports with the decedent’s estate plan. There aren’t any state statutes that treat digital accounts and assets any differently from other assets for purposes of inheritance or trust law. Thus, issues of access and descent would be decided under existing probate laws, which vary widely.
A number of commercial services exist to reduce headaches for survivors by allowing a decedent’s beneficiaries or personal representative to show evidence of the decedent’s death to only one service provider, rather than each individual service provider with which the decedent had an account.39
Some of these DEP services purport to allow users to designate beneficiaries or allow access to digital accounts after the user or owner dies. Those beneficiary designations may conflict with the decedent’s traditional estate plan, state intestacy law or a spouse’s community property rights. It’s unclear whether these designations are enforceable as nonprobate beneficiary designations or whether they violate the statute of wills.40 The Uniform Probate Code (UPC) and various state laws validate certain nonprobate transfers by deeming them to be non-testamentary, but absent a validating state law, such transfers violate the Statute of Wills; therefore, they’re unenforceable.41 While it’s possible that an online beneficiary designation might be upheld as a valid, written nonprobate beneficiary designation under the UPC or another state law, its validity is far from certain.42
Some digital assets may not be transferable on death at all. Frequently, accountholders are granted very limited contract rights or licenses in assets like music, movies and travel reward and mileage programs. Unsurprisingly, those rights don’t generally include rights to transfer those assets to beneficiaries at death.43 A beneficiary may, or may not, be able to invalidate a TSA that renders a digital asset “indescendible.”44
A DEP service that claims to make nontransferable content transferable violates the TSA and impermissibly gives the service (or fiduciary) greater rights than the accountholder. If the purported beneficiary of the digital account and the beneficiary under the will or intestate taker aren’t to be the same, presumably, the will or intestacy law would govern—unless the DEP service beneficiary can validate the DEP beneficiary designation under state law as a will substitute or valid nonprobate, testamentary transfer.45
In any case, we should discuss DEP services with our clients, just as we typically ask about joint ownership, securities account registration and beneficiary designations.
Effectuating a decedent’s intent. Some decedents may have wanted to prevent postmortem access to, or publication of, the content of their digital accounts. Some might try to block family or fiduciary access by using an account manager feature, such as Google’s, or a DEP service. Or, they may entrust their password and deletion instructions to a friend or advisor. (A superb password or encryption might work to protect data on a hard drive, but it wouldn’t provide foolproof protection for data stored on a remote server.)
What about the decedent who leaves evidence that her intent was to prevent access or mandate the destruction of all content in an account, but fails to leave the login or password information? Some commentators suggest that a client who wishes to maintain her privacy after death should use a secret account because heirs who are unaware of it can’t request access to its contents.46
The situation becomes more complicated when the content the decedent directs to be destroyed has monetary value. It seems that situation should be treated no differently from that of a decedent who mandates the destruction of printed files, letters or tangible works.47 One can easily predict a battle over a mandate to destroy content with little economic but great sentimental value to erstwhile beneficiaries. In that situation, it seems that the decedent should have the legal right to order the destruction, or waste, of her digital property, especially when motivated by a desire to maintain privacy. However, a court is likely to prevent a fiduciary from carrying out an instruction to delete economically valuable digital accounts or access information if a beneficiary objects.48
If an otherwise economically valuable digital asset is destroyed after death, it will be subject to estate tax just as any other asset. The owner’s gross estate includes “the value at the time of his death of all property, real or personal, tangible or intangible, wherever situated.”49 The mandatory post-mortem destruction of the property would, arguably, serve to reduce the date-of-death value of the asset if the direction to destroy were enforceable.50
Protect the decedent’s identity. Personal representatives should take basic precautions against identity theft, including cancelling credit and charge accounts, sending copies of the death certificate to the three credit reporting bureaus, obtaining free credit reports from each credit bureau to ensure there was no post-death activity, cancelling the decedent’s driver’s license and asking the issuer to refuse any requests for duplicates.
1. http://bitcoin.org/en/ and www.spendbitcoins.com/places/?place_type=shopping.
3. www.factbrowser.com/tags/ebook/; www.thepassivevoice.com/10/2013/publishing-statistics-2013-ebook-or-print-book/.
4. Jamie B. Hopkins, “Afterlife in the Cloud: Managing a Digital Estate,” 5 Hastings. Sci. & Tech. L.J. 210, 212 (Summer 2013).
5. Terms of Service Agreements (TSAs) contain numerous “take them or leave them” terms, which are classic indicia of adhesion contracts. Most are “clickwrap” or “shrinkwrap” agreements, which the user has to click through (on an “I accept” or “I agree” button) to sign up for an online account or license. They’re often upheld. See, e.g., ProCD, Inc. v. Zeidenberg, 86 F.3d 1447 (7th Cir. 1996); Forrest v. Verizon, 805 A.2d. 1007 (D.C. Court of Appeals 2002).
6. See Uniform Probate Code (UPC) Section 3-711 and Kendall Dobra, “An Executor’s Duty Toward Digital Assets,” The Practical Lawyer, Vol. 59, No. 5 (October 2013) at p. 21.
7. See Gerry W. Beyer and Naomi Cahn, “When You Pass On Don’t Leave the Passwords Behind,” 26 Probate and Property 40 (January/February 2012).
8. Virginia Code Section 64.2–110.
9. Beth Teitell, “Preserving Voicemail’s Help Modern Grieving Process,” www.bostonglobe.com/lifestyle/style/2013/11/20/grief-has-modern-form-mou....
10. See 18 U.S.C. Section 1030(e)(2), defining a protected computer in a manner that includes virtually all computers and smartphones and the list of state laws at www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx; 18 U.S.C. Section 1030(a)(2)(C).
14. See Section 8(a) of the Fall 2013 meeting draft at www.uniformlaws.org/shared/docs/Fiduciary%20Access%20to%20Digital%20Asse....
15. “Yahoo! accounts and the contents therein are nontransferable including when the accountholder is deceased” (sic), Yahoo! policy, as of June 20, 2013.
16. Ajemian vs. Yahoo!, Inc., 83 Mass. App. Ct. 565, 576-77 (2013).
20. See www.apple.com/legal/internet-services/itunes/us/terms.html#SERVICE, which indicates that Apple grants customers an end-user license to download and play songs, but not to transfer them to third parties.
23. The Stored Communications Act is codified as 18 U.S.C. Sections 2701-2711. See Orin S. Kerr, “A User’s Guide to the Stored Communications Act,” 72 G. Wash. Law Rev. 1208 (2004).
24. See Rudolph J. Burshnic, “Applying the Stored Communications Act to the Civil Discovery of Social Networking Sites,” 69 Wash. and Lee Law Rev. 1259 (2012).
25. 18 U.S.C. Section 2702(b).
26. 18 U.S.C. Section 2702(b)(3).
27. Facebook, Inc.’s Motion to Quash Subpoena in Civil Case, No. C 12-80171 LHK (N.D. Cal. Aug. 6, 2012).
28. See the request for order requiring Facebook, Inc., to produce documents and things, No. C 12-80171 LHK (N.D. Cal. Sept. 20, 2012). (The name of the decedent was Sahar Daftary.)
29. Jury Verdict Form at 1-3, Cheng v. Romo, No. 11-cv-10007-DJC, 2013 WL 2245312 (D. Mass.); Cheng v. Romo, No11-1007-DJC, 2012 WL 6021369, at *1-3 (D. Mass. Nov. 28, 2012).
30. For example, Massachusetts has a data security statute, which requires encryption of personal information “owned or licensed [held by permission]” by any person. (See 201 CMR 17.00, generally effective March 1, 2010, which requires businesses to encrypt sensitive personal information on Massachusetts residents that’s stored on portable devices, such as personal digital assistants and laptops, or on storage media, such as memory sticks and DVDs.) According to the National Conference of State Legislatures, 46 states have enacted a data breach or privacy law of some kind.
31. 15 U.S.C. Sections 6801-6809; Andrew B. Serwin, Information Security and Privacy; A Guide to Federal and State Law and Compliance, Section 16 (2009).
35. www.facebook.com/help/contact/305593649477238, last accessed Nov. 7, 2013.
37. Evan Carroll maintains a good list on his website, “The Digital Beyond,” at www.thedigitalbeyond.com/online-services-list/.
38. Legacy Locker’s legal disclaimer admits that:
Legacy Locker is not a legal substitute for a Will, Trust, or Power of Attorney. Although Legacy Locker is a reliable way to give your designated beneficiaries access and control over each the Websites you use, it is not legally binding. In some instances, your designated beneficiary may not be able to act on your behalf, if the court or your other legal documents appoint another person to handle your estate. Ownership of any electronic rights related to the internet such as intellectual property, domain names, or marketing affiliation agreements, cannot be granted or transferred through Legacy Locker. We strongly recommend that you consult an attorney to coordinate your Legacy Locker designations with the appropriate legal documents, such as a Will, Trust, and Power of Attorney.
40. See, e.g., UPC Section 2-502; C.G.S. Section 45a-251.
41. UPC Section 6-101.
42. See ibid., which validates most nonprobate transfers, but can be read to require that beneficiary designations be written and doesn’t contemplate clickwrap or any other online agreements.
43. See David Horton, “Indescendibility,” 102 Cal. L. Rev. --, at p. --, a (forthcoming 2014); available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2311506.
45. See Michael D. Roy, “Beyond the Digital Asset Dilemma: Will Online Services Revolutionalize Estate Planning?” 24 Quinnipiac Prob. L.J. 376 (2011).
46. Jonathan J. Darrow and Gerald Ferrera, “Who Owns a Decedent’s E-Mails: Inheritable Probate Assets or Property of The Network?” 10 NYU Journal of Legislation and Public Policy 281, 315 (2007).
47. A testator’s or donor’s intent is effectuated in virtually all circumstances. Restatement (Third) of Property: Wills and Other Donative Transfers Section 10.1 (2008). One limit on donative intent is the rule against capricious purposes, which will prevent enforcement of frivolous directions to destroy valuable property that would otherwise pass to beneficiaries. John H. Langbein, “Burn the Rembrandt? Trust Law’s Limits on the Settlor’s Power to Direct Investments,” 90 B.U. L. Rev. 375 (2010). Content creators may have greater rights to mandate the destruction of their valuable property than others, perhaps because such requests aren’t viewed as frivolous ones. Lior Strahilevitz, “The Right to Destroy,” 114 Yale Law Journal 781, 830 (2004).
48. Strahilevitz, ibid.
49. Internal Revenue Code Section 2031(a).
50. See, e.g., discussion in Estate of Andrews v. United States, 850 F. Supp. 1279 (E.D. Va. 1994), citing Jephson v. Commissioner, 81 T.C. 999, 1983 WL 14908 (1983), suggesting that some post-mortem events might be taken into account in valuing an asset.