Widow Told by Apple to Get Court Order So She Can Continue to Play a Card Game on the Couple’s iPad After Her Husband’s Death

Peggy Bush, a 72-year-old Canadian woman whose husband died in August, was told by Apple that she needed to obtain a court order so that she could continue playing a card game app on the couple’s iPad device. The couple owned the iPad and used one Apple ID to purchase apps, including the card game app that Peggy enjoyed playing. She knew the password to access the iPad itself, but she didn’t know the password her husband used for the Apple ID associated with the iPad.

When the family contacted Apple to reset the Apple ID password, Apple told them a court order was required. However, it can be costly and time-consuming to obtain a court order. On the positive side, at least Apple will permit the family to reset the Apple ID password with a court order—some online service providers refuse to reset or reveal a user’s password after the user has died.

An excellent news report by Rosa Marchitelli of CBC News describes the family’s struggle with Apple’s customer service. Peggy’s daughter was quoted in the article saying, “What do you mean a court order? I said that was ridiculous, because we’ve been able to transfer the title to the house, we’ve been able to transfer the car, all these things, just using a notarized death certificate and the will.” Peggy was quoted in the news report as saying, “I could get the pensions, I could get the benefits, I could get all kinds of things from the federal government … [b]ut from Apple, I couldn’t even get a silly password. It’s nonsense.”

When CBC News contacted Apple to ask about its official policy for users seeking to reset Apple ID passwords or to obtain data of family members who have passed away, Apple told them it would not comment.

This is an excellent reminder of why it’s important to plan ahead for access to your digital property—passwords, online accounts, and electronically-stored information—in your estate plan. By planning ahead, you can arrange for full access to your digital property, keep administration costs down, and ensure that no valuable or significant digital property is overlooked.

Compared with traditional types of property, digital property may have four additional, significant obstacles for fiduciaries and family members to overcome: (1) passwords, (2) data encryption, (3) criminal laws regarding unauthorized access to computers, and (4) data privacy laws. These obstacles can make it practically impossible for fiduciaries and family members to access your digital property if you don’t plan ahead.

How should you plan ahead? First, make a list of your important passwords, online accounts, and digital property, and specify what should be done with each item on your list if you become incapacitated or after you die. Keep your list up to date, store it in a secure location, and let your fiduciaries and family members know how to access it. A “My Digital Audit” form to use for your list can be downloaded here: http://www.digitalpassing.com/digital-audit/

Second, if you store valuable or significant digital property in the cloud, back up your data to a local computer or local storage device on a regular basis. Fiduciaries and family members can access the local computer or local storage device without the obstacles that may prevent them from accessing your data stored in online accounts.

Third, work with an estate planning attorney to update your will, power of attorney, and revocable living trust to address digital property. Your estate planning documents should: (1) specify your wishes about the distribution of or deletion of your digital property; (2) provide your consent to divulge the contents of your electronic communications to your fiduciaries; (3) authorize your fiduciaries to access your computing devices, storage devices, accounts, and data; and (4) permit your fiduciaries to bypass, reset, or recover your passwords on your computing devices and to decrypt your encrypted data, if desired. But, don’t list your passwords in your will, power of attorney, or revocable living trust documents—that isn’t secure. Instead, store your passwords securely, and let your fiduciaries and family members know how to access them.


Income Taxes, Identity Theft, and Identity Fraud

According to the Bureau of Justice Statistics, about 17.6 million individuals in the U.S. were victims of identity theft in 2014. When a data breach occurs at a company, the company may offer to provide identity protection services to its customers, employees, or other affected individuals. Is the value of those identity protection services taxable income?

In Announcement 2015-22, the IRS concluded that, for an individual whose personal information may have been compromised, the IRS will not treat the value of identity protection services as gross income to that individual when provided by a company that experienced a data breach. Similarly, for an employee whose personal information may have been compromised in a data breach of the employer, of an agent of the employer, or of a service provider of the employer, the IRS will not treat the value of identity protection services as gross income to that employee when provided by the employer. Identity protection services include credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services.

In Announcement 2016-2, the IRS extended these conclusions to identity protection services provided before a data breach occurs. So, for an individual who provides personal information (e.g., the individual’s name, social security number, bank account number, or credit card number) to a company, the IRS will not treat the value of identity protection services as gross income to that individual when provided by that company before a data breach occurs. Similarly, for an employee, the IRS will not treat the value of identity protection services as gross income to that employee when provided by the employer before a data breach occurs.

As we begin the 2016 income tax filing season, it’s also important for taxpayers and tax preparers to take extra precautions regarding identity theft, tax refund fraud, and tax-related scam emails. The IRS has issued Publication 4524 on Security Awareness for Taxpayers and Publication 4557 on Safeguarding Taxpayer Data. The IRS reports that since 2013, there were 3,331 identity theft investigations initiated by the IRS Criminal Investigation division resulting in 1,976 convictions. For fiscal year 2015, their incarceration rate is 84.6% with an average of 38 months to serve. The IRS also has released a series of security awareness tax tips. Finally, certain eligible taxpayers can apply for an Identity Protection PIN from the IRS to prevent someone else from filing a tax return with the taxpayer’s social security number.

If you are concerned about identity theft or identity fraud, consider placing a security freeze on your credit file at the three major credit bureaus: Equifax, Experian, and TransUnion. For more information about this, read the recent report from the U.S. Public Interest Research Group “Why You Should Get Security Freezes Before Your Information is Stolen—Tips to Protect Yourself Against Identity Theft & Financial Fraud.” According to the report, a security freeze is the only reliable way to prevent someone from opening new financial accounts in your name.


October is National Cyber Security Awareness Month

October has been designated as National Cyber Security Awareness Month. Here are a few resources from the federal government on how to stay safe online:

  1. Department of Homeland Security’s Mobile Security Tip Card
  2. Department of Homeland Security’s Social Media Guide
  3. Department of Homeland Security’s Internet of Things Tip Guide
  4. National Cyber Security Alliance’s information on Malware & Botnets
  5. National Cyber Security Alliance’s information on Spam & Phishing
  6. National Cyber Security Alliance’s information on Hacked Accounts
  7. National Cyber Security Alliance’s information on Securing Your Home Network
  8. National Cyber Security Alliance’s information on Identity Theft, Fraud & Victims of Cybercrime
  9. National Cyber Security Alliance’s information on Passwords & Securing Your Accounts
  10. National Cyber Security Alliance’s information on Online Shopping
  11. National Cyber Security Alliance’s information on Backing Up Important Files
  12. National Cyber Security Alliance’s information on Internet Safety & Security Tips for Parents

More cyber security news and articles are available on StaySafeOnline.org’s blog.


Revised Uniform Fiduciary Access to Digital Assets Act

On September 28, 2015, the Uniform Law Commission released the final text of the Revised Uniform Fiduciary Access to Digital Assets Act (revised UFADAA). The original UFADAA was released in 2014.

For background on why the original UFADAA was revised, read the ULC’s document explaining the proposed changes to the original UFADAA. They also prepared a helpful chart comparing the original UFADAA, the revised UFADAA, and the Privacy Expectations Afterlife and Choices Act (PEAC Act). The PEAC Act was prepared by a coalition of Internet service providers and their lobbyists, and a version of it was enacted in Virginia. The revised UFADAA addresses and resolves concerns raised by some Internet service providers and some privacy advocates who initially opposed enactment of the original UFADAA.

The ULC Web site has a document explaining why your state should adopt the revised UFADAA, and more information about the enactment status of the revised UFADAA will be posted on the ULC Web site as it becomes available.


Remembering Gene Hennig

My friend and colleague, Gene Hennig, passed away on August 25, 2015. I had the privilege of working with Gene at two different law firms over the past 18 years.

Gene was a business law attorney at the Gray Plant Mooty law firm and was one of Minnesota’s commissioners to the Uniform Law Commission. In 2009, I started writing and speaking about an emerging area of law—estate planning for passwords, online accounts, and digital property. Gene thought that the current state laws didn’t adequately deal with these emerging issues, so Gene thought this would be a great topic for a new uniform state law. We co-authored and submitted a proposal to the Uniform Law Commission on May 31, 2011, for a uniform law on fiduciary powers and authority to access online accounts and digital property during incapacity and after death.

With Gene’s encouragement, the Uniform Law Commission appointed a Study Committee in January 2012 to consider this topic. Gene and I were both involved in that process, and the Study Committee presented its final report at the July 2012 Uniform Law Commission annual meeting. On July 17, 2012, the Uniform Law Commission appointed a Drafting Committee to prepare a uniform law on fiduciary access to digital assets, and Gene and I participated in that process together. The first reading of the Uniform Fiduciary Access to Digital Assets Act (UFADAA) was at the July 2013 Uniform Law Commission annual meeting.

Gene was diagnosed with a brain tumor in November of 2013, but he continued to stay actively involved in the drafting of UFADAA. On July 16, 2014, the Uniform Law Commission approved the final version of UFADAA at their annual meeting. Gene continued to be actively involved in encouraging enactment of UFADAA. On January 20, 2015, Gene and I testified together at the Civil Law and Data Practices Committee of the Minnesota House of Representatives to explain why UFADAA is needed in Minnesota. Our local Minnesota Channel 5 Eyewitness News ran a TV segment about it. At last count, 27 states had introduced legislation based on UFADAA.

The Uniform Law Commission approved a revised version of UFADAA at their July 2015 meeting, and the final text of the revised UFADAA is expected by October 2015. The draft version of the revised UFADAA and a discussion of the changes made by the revised UFADAA are available on the Uniform Law Commission Web site.

Gene lived a full and amazing life as a lawyer, a law professor at both William Mitchell College of Law and the University of St. Thomas School of Law, a Uniform Law Commissioner, a volunteer, a family man, a world traveler (visiting more than 60 countries!), and much more. You can read more about Gene’s life at the following Web sites:


Theft of Virtual Currency and Virtual Property

There can be significant financial value in digital property, and thieves have started to take notice. Below are a few recent news stories about stolen virtual currency and stolen virtual property.

In June 2015, armed robbers stole $1,100 worth of the popular virtual currency Bitcoin from a New York man. The man had advertised bitcoins for sale on Craigslist, and a potential buyer forced the man at gunpoint to transfer his bitcoins. This follows two other recent armed robberies in New York targeting bitcoins. In one of those robberies, a man was stabbed in an attempt to take his bitcoins. In the other robbery, $8,500 worth of bitcoins were taken at gunpoint. Because Bitcoin is anonymous—no name or Social Security number is connected to a Bitcoin address—it makes it more difficult for law enforcement to find the robbers.

In January 2015, Bitstamp—an online marketplace for buying and selling bitcoins—was compromised, and it appears that about $5.1 million of bitcoins were stolen. The compromise affected the company’s bitcoin reserves, but the bitcoins of their customers were not affected.

Also, a May 20, 2015, article by Kashmir Hill describes the theft of in-game virtual currency and virtual property from players of the online video game Diablo III. In 2012, thieves used a remote access tool to gain control of twenty to thirty computers used by other video game players, which allowed them to take the in-game virtual currency and property of those players. FBI agents tracked down the thieves, seized their computers, and arrested them on felony charges. The prosecutors alleged that the thieves sold the stolen in-game virtual currency and virtual property for over $8,000. In 2014, the thieves pleaded guilty to misdemeanor charges.


Can’t Remember Your Password? There’s a Pill for That!

A recent presentation by Jonathan LeBlanc, PayPal’s Global Head of Developer Advocacy, argues that passwords are insecure and need to be replaced. One replacement he suggested is a pill that you swallow containing a microchip. Then, your computer or smartphone would connect to that microchip to authenticate you instead of typing in a password.

The idea of replacing passwords with something you ingest every few days or something you permanently implant in your body isn’t new. Regina Dugan from Motorola made a similar presentation in 2013, describing vitamin authentication pills and electronic tattoos that could replace passwords. Other authentication devices might check your heart’s unique electrical activity or recognize the unique pattern of the veins in your body.

At this point, the “password pills” that these presentations describe aren’t available to buy. It’s an interesting concept for the future that companies are considering. On one hand, swallowing a password pill every day or every few days may be objectionable to some people. On the other hand, maybe the microchip could be combined with other vitamins or medications that a person is already taking regularly, which also could be a good reminder to be current on your medications—if you don’t take your daily vitamin password pill, you can’t check your email or do any online shopping!

Hopefully, these new biometric, embeddable, and ingestible authentication devices will not be a significant obstacle for fiduciaries and family members dealing with a user’s incapacity or death. Current biometric devices, such as the fingerprint reader on Apple iPhone and iPad devices, include a fallback authentication procedure (e.g., a password to type). Companies developing the next generation of these authentication devices should include fallback authentication procedures so that an incapacitated or deceased user’s fiduciaries can access the user’s devices and accounts.


Appointing a Legacy Contact for a Facebook Account After Death

Facebook now allows you to appoint a “legacy contact” for your Facebook account after you die. Previously, after a user died, Facebook would not allow anyone else to access or modify the deceased user’s Facebook account, but the account could be closed or “memorialized.” Facebook also now allows you to set your account so that it’s permanently deleted when you die.

A Facebook account legacy contact can: (1) download a copy of what the deceased user shared on Facebook (photos, videos, wall posts, profile information, contact information, events, and the deceased user’s list of friends); (2) write a pinned post for the deceased user’s profile to share a remembrance or final message on behalf of the deceased user; (3) respond to new friend requests with the deceased user; and (4) update the deceased user’s profile picture and cover photo.

However, a Facebook account legacy contact cannot: (1) read or download the messages that the deceased user sent to friends (or photos that the deceased user automatically synced with Facebook but didn’t post); (2) remove friends of the deceased user; (3) change photos, postings, or other items shared on the decedent’s timeline; or (4) log in to the deceased user’s account. Although a legacy contact cannot read or download messages that the deceased user sent to friends, Facebook may provide a copy of the deceased user’s messages if the deceased user expressed clear consent to allow this in the decedent’s will or another legal consent document.

Instructions for how to add, change, or remove a Facebook account legacy contact are available here: https://www.facebook.com/help/1070665206293088. Note that your legacy contact must be an existing Facebook friend of yours.

After a Facebook user dies, if a legacy contact has been appointed, first the deceased user’s account should be memorialized. A family member or friend can submit the request to memorialize the decedent’s account using this form on Facebook’s Web site: https://www.facebook.com/help/contact/651319028315841. After the decedent’s account is memorialized, Facebook will notify the legacy contact. Although the legacy contact cannot log into the deceased user’s account, the legacy contact can take the actions described above by going to the deceased user’s memorialized profile and clicking the “manage” link in the bottom-right of the cover photo.

If you would prefer to permanently delete your Facebook account when you die, instructions to set that up are available here: https://www.facebook.com/help/103897939701143.


Video Clip: Family Fights to Access Late Son’s Digital Data

Minnesota’s KSTP-TV Eyewitness News ran a video story on January 20, 2015, by Tom Hauser about the Anderson family who tragically lost their nineteen-year-old son, Jake. Their son’s death was ruled accidental, but the family wants answers about the events leading up to his death. They have tried unsuccessfully to obtain copies of Jake’s final emails, text messages, social networking posts, photos, and cell phone data from service providers.

The Anderson family started an online petition asking the Minnesota State Legislature to pass a law clearly authorizing fiduciary access to a deceased person’s digital data. At the time of this blog post, there were over 4,000 online signatures to that petition. If you’d like to show your support, the online petition is available here: http://www.gopetition.com/petitions/accessing-jakes-digital-data.html.

The video story includes an interview with the Andersons and an excerpt of their testimony on January 20, 2015, before the Civil Law and Data Practices Committee of the Minnesota House of Representatives in support of a bill to enact the Uniform Fiduciary Access to Digital Assets Act (UFADAA) in Minnesota. My colleague Gene Hennig and I also testified at this committee meeting, a brief excerpt of which is included in the video story.

The full text of UFADAA is available on the Uniform Law Commission’s Web site, as well as a brief summary of UFADAA and a list of reasons why states should adopt UFADAA.


Keeping a Secure List of Passwords, Online Accounts, and Digital Property

An important part of a comprehensive estate plan (planning ahead for incapacity and death) is preparing a complete list of your passwords, online accounts, and other digital property—and keeping it up to date. This list helps fiduciaries and family members find your valuable and significant online accounts and digital property, keep administration costs down, provide for a smooth administration, and ensure no property is overlooked.

A written list is easy for anyone to create, but it’s insecure to keep with you at all times and may be inconvenient to update. A sample written list is available on my blog—I call it “My Digital Audit.” You can download the Adobe PDF form to your own device and either edit it electronically or print it and fill it out by hand. Keep your written list in a secure location, like a safe deposit box or a home safe. Secure storage and frequent updates don’t work well together for a written list, so an electronic list or a hybrid method combining an electronic list and separate written instructions is preferable to only keeping a written list.

Personally, I prefer to use an encrypted electronic list because it’s secure, easy to update, convenient to use, and it’s on my smartphone so it’s always with me. A master password is used to access the encrypted data in the list. So, I only need to remember one master password, then I can use the electronic list to keep track of all my separate, strong passwords for each online account that I use. An electronic list can be stored on a smartphone, a computer, a portable storage device, or in the cloud.

When choosing software or a Web-based service to keep an encrypted electronic list of passwords, online accounts, and digital property, look for one that synchronizes your list among your computer, tablet, and smartphone (and the cloud, if desired) so that it’s easily accessible by you. Also, look for one that integrates with your Web browser to securely and automatically enter the username and password for your online accounts. In addition to being a time-saver, it also encourages you to use separate, strong passwords for each of your online accounts (if you’d like to learn more about strong passwords, read this article from Microsoft on Six Rules for Safer Financial Transactions Online). The ones that integrate with your Web browser also help keep your list up to date by automatically updating your list when you create a new online account or when you change an online account’s password. If the software or Web-based service stores your list in the cloud (not just stored locally on your device), make sure it encrypts your data before sending it to the cloud so that the service provider (or a hacker compromising the service provider’s security) can’t access your confidential data.

Five of the most popular free and commercial software tools to keep an encrypted electronic list are described in a January 11, 2015, article at Lifehacker.com by Alan Henry. The five encrypted electronic list tools the article describes, in alphabetical order, are: 1Password, Dashlane, KeePass, LastPass, and Roboform.

A key problem with an encrypted electronic list is that fiduciaries and family members need to know your master password in order to read your list while you are incapacitated or after you are deceased. Without the master password, the list may be practically impossible to access (e.g., if the list is protected with strong encryption and a strong password).
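To illustrate the two points above (encrypting the list before it leaves your device, and the list being unreadable without the master password), here is an added sketch in JavaScript for Node.js. It is not code from any of the tools named in this post; the function names, the scrypt settings, and the sample entry are assumptions constructed for the example.

```javascript
// Added example: encrypt a password list on the device, under a key derived
// from the master password, so a sync provider only ever stores ciphertext.
const nodeCrypto = require("crypto");

// scrypt cost settings (assumed values for this sketch; tune for your hardware).
const KDF = { N: 16384, r: 8, p: 1 };

function deriveKey(masterPassword, salt) {
  // A memory-hard derivation slows down offline guessing of the master password.
  return nodeCrypto.scryptSync(masterPassword, salt, 32, KDF);
}

function sealList(entries, masterPassword) {
  const salt = nodeCrypto.randomBytes(16);  // fresh per save, stored with the blob
  const nonce = nodeCrypto.randomBytes(12); // fresh per save, never reused with a key
  const cipher = nodeCrypto.createCipheriv(
    "aes-256-gcm", deriveKey(masterPassword, salt), nonce);
  const body = Buffer.concat([
    cipher.update(JSON.stringify(entries), "utf8"),
    cipher.final(),
  ]);
  // This object is everything the provider would hold: no key, no password.
  return {
    salt: salt.toString("base64"),
    nonce: nonce.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    body: body.toString("base64"),
  };
}

function openList(blob, masterPassword) {
  const key = deriveKey(masterPassword, Buffer.from(blob.salt, "base64"));
  const decipher = nodeCrypto.createDecipheriv(
    "aes-256-gcm", key, Buffer.from(blob.nonce, "base64"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  try {
    const plain = Buffer.concat([
      decipher.update(Buffer.from(blob.body, "base64")),
      decipher.final(), // throws if the key is wrong or the blob was altered
    ]);
    return JSON.parse(plain.toString("utf8"));
  } catch (err) {
    // Wrong master password or a modified blob: nothing is recoverable.
    return null;
  }
}

// Constructed sample data (not real credentials).
const sampleList = [
  { site: "mail.example", username: "pat", password: "constructed-sample-1" },
];
const stored = sealList(sampleList, "constructed master passphrase");
console.log(Object.keys(stored));
console.log(openList(stored, "not the master password"));
```

A fiduciary holding only the stored blob is in the same position as the provider: without the master password from the written instruction sheet, `openList` returns nothing.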

One idea is to use a hybrid method by keeping an encrypted electronic list of your passwords, online accounts, and digital property plus keeping a separate written instruction sheet describing how to find and access your encrypted electronic list, including the master password. Keep the separate written instruction sheet in a secure location, like a safe deposit box or a home safe.

Another idea is to use a Web-based service to both keep your encrypted electronic list and provide a mechanism for designated fiduciaries or family members to access the unencrypted list. Some of these Web-based services, in alphabetical order, are: AfterSteps, Assets in Order, BestBequest, Deathswitch, Estate Map, E-Z-Safe, PasswordBox’s Legacy Locker, and SecureSafe. However, unlike the software tools listed three paragraphs above, the Web-based services listed in this paragraph currently do not integrate with your Web browser to enter the username and password for your online accounts securely and automatically, which may make these services less convenient to use and less convenient to keep up to date. Also, if the service provider has the ability to turn over the unencrypted contents of your list to a fiduciary or family member that you designate, that means the service provider (or a hacker compromising the service provider’s security) potentially could gain access to your confidential data—this is a trade-off between convenience and security.

During your incapacity or after your death, fiduciaries and family members should read the applicable Terms of Service contract before attempting to use your password to access your online account. There are federal and state laws that penalize unauthorized access to computer systems and types of private or protected personal data. These laws provide consumer protection against fraud and identity theft but may have a chilling effect on fiduciaries and family members trying to access an incapacitated or deceased person’s online accounts. The U.S. Department of Justice asserts that 18 U.S.C. § 1030(a)(2), which is a provision of the Computer Fraud and Abuse Act (“CFAA”), is broad enough to permit the government to charge a person with a crime for violating the CFAA when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. For example, some Terms of Service contracts prohibit you from allowing anyone else to access your online account, which may mean that a fiduciary or family member using your password to access the account is “exceeding authorized access” within the scope of the CFAA. If any of your online accounts has an access restriction like this in its Terms of Service contract, your fiduciary or family member should consider asking the service provider for a copy of your account’s contents instead of attempting to use your password to access your account.
