Video Clip: Family Wants Access to Son’s Digital Data After Death

Minnesota’s KMSP-TV Fox 9 News ran a video story on September 9, 2014, by Ted Haller about a family wanting access to their deceased nineteen-year-old son’s digital data. They have been seeking access to his text messages, e-mails, and Facebook account to find out more about the moments leading up to his tragic death.

I was interviewed for the story to comment about the current federal privacy laws that restrict disclosure of private electronic communications, how service providers could change their Terms of Service agreements to clearly authorize fiduciary access, and what online account users can do to plan ahead for incapacity and death.

The Anderson family, which was interviewed for the KMSP-TV Fox 9 News story about their nineteen-year-old son, is hoping to get 20,000 signatures to an online petition asking the Minnesota State Legislature to pass a law clearly authorizing fiduciary access to a deceased person’s digital data. If you’d like to show your support, the online petition is available here: http://www.gopetition.com/petitions/accessing-jakes-digital-data.html.

Technology is changing the way we interact with people and transact business. We are accumulating valuable and significant electronic data in our smartphones, computers, and online accounts. We need to plan ahead for our data and online accounts so that our fiduciaries and family members can access that data after we become incapacitated and after we die.

First, you should make a list of your valuable or significant data, online accounts, and digital property. This could be a written list or an electronic list stored in your smartphone, in your computer, or in an online account. Make sure to indicate where each account or digital property item is located, how to access it, and why it’s valuable or significant to you. And, make sure to keep the list up-to-date!

Second, if you have been storing valuable or significant data exclusively in online accounts (for example, your digital photos), it’s important to regularly back up that data to local storage media—to your computer’s hard drive, a USB flash drive, a CD, a DVD, etc.—so that your fiduciaries and family members will have access to that data without the additional obstacles that online accounts have. One obstacle that could be avoided is the Stored Communications Act, also known as the Electronic Communications Privacy Act, which creates privacy rights to protect the contents of certain electronic communications and files from disclosure by a provider of an electronic communication service or a remote computing service, unless an exception is met under that law. A second obstacle that could be avoided is a potential criminal charge for “exceeding authorized access” to your online accounts, under federal or state laws, if a fiduciary or family member violates the access rules of that account’s Terms of Service agreement. Some service providers prohibit you from sharing your password or allowing anyone else to access your account, but other providers do not have these prohibitions. It’s important to read the Terms of Service agreement before attempting fiduciary access to an online account.

Third, you should contact your estate planning attorney to include plans for your digital property in your estate plan. Make sure your estate plan specifies your wishes about your property and appoints a fiduciary to act on your behalf with respect to all of your property, including your digital property, during incapacity and after death. This may include preparing a durable power of attorney, a will, and a revocable living trust (if appropriate for your situation). You should contact an estate planning attorney who is licensed to practice in your state concerning your own situation and any specific tax or legal questions that you may have. And, make sure that your estate planning documents explicitly authorize the companies that hold your electronic data to release that data to your fiduciaries during your incapacity and after your death, which is important for the Stored Communications Act’s privacy protections.

Planning ahead for your digital property is essential to arrange for full access to your data, to keep estate administration costs down, to provide for a smooth estate administration, and to ensure that none of your valuable or significant digital property is overlooked. If you haven’t planned ahead, a computer forensics expert may be able to recover and access data from your smartphone or your computer. But, it may be practically impossible to retrieve the data from your online accounts if you haven’t planned ahead!

To help deal with situations where an incapacitated or deceased person did not plan ahead in the person’s estate plan, many states are now considering adopting the recently-approved Uniform Fiduciary Access to Digital Assets Act (UFADAA). Eight states so far have enacted laws on fiduciary authority regarding digital assets after death, and Delaware was the first state enactment based on UFADAA.

Contact your estate planning attorney today to include your digital property in your estate plan!

Posted in General | Tagged , , , , , , , , , , | Comments Off

Delaware Enacts Fiduciary Access to Digital Assets Act

On August 12, 2014, Delaware’s governor signed into law the Delaware Fiduciary Access to Digital Assets Act, which is based on an earlier draft of the recently-approved Uniform Fiduciary Access to Digital Asset Act. Delaware’s new law takes effect January 1, 2015, and it grants access and authorization for digital assets to personal representatives, guardians, agents under a durable personal power of attorney, and trustees (and an adviser with authority to direct the trustees).

So far, Delaware’s Fiduciary Access to Digital Assets Act is the most comprehensive law of its type that has been enacted. Many other states are now considering the recently-approved Uniform Fiduciary Access to Digital Asset Act, which vests four types of fiduciaries with the authority to access, control, or copy digital assets, while respecting the privacy and intent of the account holder. Other states have previously enacted more limited laws on fiduciary access to digital assets, including:

  1. Connecticut Statutes § 45a-334a, signed into law on June 24, 2005, gives the personal representative of a deceased person’s estate the powers to access or copy the contents of the person’s e-mail accounts. Unfortunately, this law falls short of the current scope of online accounts and digital property, and it only applies to personal representatives.

  2. Indiana Code § 29-1-13-1.1, approved March 30, 2007, allows the personal representative to access or copy any of the decedent’s documents or information stored electronically by a “custodian.” It also requires the custodian to retain a deceased person’s electronic information for two years after receiving a request for access or copies. Unfortunately, the law only applies to personal representatives.

  3. Rhode Island General Laws Chapter 33-27, which became law on July 2, 2007, gives the personal representative of a deceased person’s estate the powers to access or copy the contents of the person’s e-mail accounts. Unfortunately, this law falls short of the current scope of online accounts and digital property, and it only applies to personal representatives.

  4. Oklahoma Statutes § 58-269, signed into law April 29, 2010, gives the personal representative of a deceased person’s estate the powers “to take control of, conduct, continue, or terminate” a deceased person’s e-mail account, social networking account, microblogging account, or short messaging service Web site. Unfortunately, this law falls short of the current scope of online accounts and digital property, and it only applies to personal representatives.

  5. Idaho Statutes § 15-3-715(28), signed into law March 16, 2011, gives the personal representative of a deceased person’s estate the powers “to take control of, conduct, continue, or terminate” a deceased person’s e-mail account, social networking account, microblogging account, or short messaging service Web site. Idaho Statutes § 15-5-424(3)(z) also grants similar powers to a person’s conservator. Unfortunately, these laws fall short of the current scope of online accounts and digital property, and they only apply to personal representatives and conservators.

  6. Virginia Code § 64.2–110, signed into law on March 13, 2013, gives the personal representative of a deceased minor’s estate (but not a deceased adult’s estate!) the power to assume the minor’s Terms of Service agreement for an online account “for purposes of consenting to and obtaining the disclosure of the contents of the minor’s communications and subscriber records pursuant to 18 U.S.C. § 2702.” Unfortunately, this law only applies to online accounts of deceased minors.

  7. Nevada Revised Statutes § 143.188, signed into law on June 1, 2013, gives the personal representative of a deceased person’s estate the power to direct the termination of any online account or similar electronic or digital asset of the decedent. However, this law does not address powers to access these accounts or copy the contents, and it only applies to personal representatives.

  8. Louisiana Code of Civil Procedure Article 3191, signed into law on June 19, 2014, gives the succession representative of a deceased person’s estate the power “to take control of, handle, conduct, continue, distribute, or terminate any digital account of the decedent,” unless the decedent’s will specifies otherwise. It requires a provider to provide access to the account within thirty days after receiving a copy of documents showing the representative’s authority, to the extent permitted by federal law. And, this law states that it supersedes any contrary provision in a Terms of Service contract for the decedent’s digital accounts. The term “digital account” includes social networking accounts, blogs, microblogs, short messaging accounts, email accounts, financial accounts, or any similar electronic services or records.

Posted in General | Tagged , , , , , , , | Comments Off

Uniform Fiduciary Access to Digital Assets Act (UFADAA)

On July 16, 2014, the Uniform Fiduciary Access to Digital Assets Act (UFADAA) was approved by the Uniform Law Commission. My colleague Gene Hennig and I originally proposed this uniform law in May of 2011, and I’m very happy with the end result. The final version of UFADAA that was approved is now available here (excluding the comments, which are available here in the previous draft), and the Committee on Style will be reviewing and editing this version before UFADAA is officially final.

The purpose of UFADAA is to vest fiduciaries with the authority to access, control, or copy digital assets, while respecting the privacy and intent of the account holder. This uniform law address four types of fiduciaries: (1) personal representatives (also known as executors) of a deceased person’s estate; (2) conservators (also known as guardians) for a living person; (3) agents acting under a power of attorney; and (4) trustees of a trust.

Fiduciaries play an essential role in our economy, acting on behalf of living, incapacitated, and deceased individuals. Fiduciaries generally have the same power over assets that an absolute owner would have. In general, UFADAA confirms that a person’s fiduciary stands in the shoes of the person, even in the digital world. This is important because digital assets may have additional obstacles to overcome that do not apply to traditional types of property. These additional obstacles in the digital world include: (1) passwords; (2) encryption; (3) criminal laws regarding unauthorized access to computers (including the Computer Fraud and Abuse Act); and (4) data privacy laws (including the Stored Communications Act, also known as the Electronic Communications Privacy Act). UFADAA helps fiduciaries address obstacles #1, #3, and #4, but it doesn’t solve obstacle #2—encryption. As I’ve explained before, strong encryption can make it practically impossible for a fiduciary to access a person’s data if you don’t know the password.

Now that the Uniform Law Commission has approved UFADAA, the Committee on Style will review and edit the final text of the uniform act, as amended during the reading and comment period of UFADAA that occurred on Monday, July 14, 2014. That review process might be completed by October or November of 2014, then the final version of UFADAA will published and ready for state legislatures to begin considering local enactment.

The Uniform Fiduciary Access to Digital Assets Act would not have been possible without the leadership of Suzy Walsh, who chaired the Drafting Committee for this uniform act, and Professor Naomi Cahn, who was the reporter for this uniform act. The final version is the result of an active collaboration by Uniform Law Commissioners who were members of the Drafting Committee and over 130 observers who participated in the process, including representatives from The American College of Trust and Estate Counsel, the American Bar Association, the National Academy of Elder Law Attorneys, the American Bankers Association, Internet service providers and several of their industry groups, and consumer rights and privacy groups.

The final version of UFADAA provides the access to digital assets that fiduciaries need to carry out their duties, while respecting the privacy and intent of the account holder. Thank you to everyone who was involved in this process!

Posted in General | Tagged , , , , , , , | Comments Off

Estate Planning and Tax Issues for Bitcoin and Other Virtual Currencies

For estate planning and tax advisers, it’s important to know about all of a person’s valuable and significant assets, including digital assets, so that they can help the person properly plan ahead for incapacity, death, and taxes. New types of assets are being created in and only exist in the digital world, including virtual currencies like Bitcoin and Dogecoin.

I recommend reading the May 14, 2014, article, “Bitcoin Is Creating New Headaches for Estate Planners, Though it May Someday Cure Them,” written by Joseph Wright. I was interviewed for this article and quoted in it. The article describes Bitcoin, estate planning obstacles regarding digital assets, and the Uniform Law Commission’s Fiduciary Access to Digital Assets act. This article is reprinted with permission from Electronic Commerce & Law Report™, 19 ECLR 607 (May 14, 2014). Copyright 2014 by The Bureau of National Affairs, Inc. (800–372–1033) http://www.bna.com/.

Although there are over 200 virtual currencies in use currently, Bitcoin is by far the most recognized and widely-used. Bitcoin has been in the news for its dramatic rise and fall in value recently. In May 2010, when Bitcoin was still relatively new, a person in Jacksonville, Florida, paid 10,000 bitcoins (worth about $41.00 at the time) for two large Papa John’s pizzas. Since then, at several times in late 2013 and early in 2014, the price per bitcoin jumped to about $1,000—making that a $10 million pizza (in hindsight)! You can check the current price per bitcoin at CoinMarketCap.

The IRS recently issued Notice 2014-21 to describe how they will apply U.S. tax principles to virtual currency. In general, the IRS treats virtual currency as property for federal tax purposes, valued in U.S. dollars. So, the virtual currency has a tax basis, and a person realizes gain or loss when the virtual currency is exchanged for other property. It is not treated as a currency that could generate foreign currency gain or loss for federal tax purposes.

Bitcoins are created by “mining,” which is done by using a significant amount of computing power to solve increasingly complex mathematical equations (a “block”) used for the virtual currency. For example, one high-end personal computer with a mid-range graphics card (the graphics card can significantly accelerate the computations involved) might be able to mine one Bitcoin block in just over three years, on average. Under Notice 2014-21, when a person mines and receives virtual currency, the IRS treats that as an income event for the person.

Finding virtual currencies after a person dies or becomes incapacitated can be a significant challenge because of the variety of ways they can be “stored.” Bitcoin, for example, is referred to as a “cryptocurrency” because it’s based on the principles of public key cryptography and relies on two separate “keys,” one public and one private, that are mathematically linked to represent bitcoins. A Bitcoin “address” is the public key. Think of it like an e–mail address—it’s used for sending or receiving bitcoins in a transaction. But, unlike an e–mail address, it’s generally recommended for security and privacy that a different Bitcoin address be used for each separate Bitcoin transaction. A Bitcoin private key is kept secret by the Bitcoin owner because it enables bitcoins to be transferred.

Multiple private keys are held in a “wallet” (think of a Bitcoin wallet like a bank account). One or more wallets can be stored on a computer, smartphone, online service, or offline (referred to as “cold storage”). To protect against the risk of theft or loss of bitcoins, a person may have multiple wallets for their bitcoins. Multiple wallets and multiple possible storage locations for the wallets can make it more difficult for fiduciaries to find bitcoins or other virtual currencies after a person’s incapacity or death.

A Bitcoin transaction requires the sender’s Bitcoin address, the recipient’s Bitcoin address, and the number of bitcoins to transfer, and this information is “signed” using the sender’s Bitcoin private key, which proves the sender owns the transferred bitcoins and can be verified by the Bitcoin network.

You can read more about my estate planning tips and strategies for dealing with Bitcoin in the BNA Bloomberg article that is linked above in the second paragraph.

Posted in Virtual Currency | Tagged , , , , , , , , , | Comments Off

Google and Microsoft Update Their E-Mail Privacy Policies

Google and Microsoft have both recently updated their policies regarding the privacy of e-mail contents. The updates are about different issues and were initiated in response to different events.

Google updated their Terms of Service agreement on April 14, 2014, to add the following sentences (among other changes):

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.

Google apparently made this change in response to a lawsuit filed against the company alleging that they violate privacy laws by scanning the contents of e-mails to provide targeted ads to Gmail users. This change to their Terms of Service agreement clarifies what Google does. For more details read these Ars Technica articles from April 15, 2014, and September 27, 2013.

Microsoft, on the other hand, issued a statement on March 20, 2014, that they are strengthening their policies to protect the privacy of e-mail contents (although their Terms of Service agreement and Online Privacy Statement have not changed). As described in a March 21, 2014, article by Fahmida Y. Rashid on PCMag.com, this change in Microsoft’s policy comes in response to complaints about an incident in which Microsoft read the contents of a Hotmail user’s e-mails without notifying the user or obtaining a court order. Microsoft’s March 20, 2014, statement affirms that “Outlook and Hotmail email are and should be private” and that Microsoft “will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available.”

Posted in E-mail | Tagged , , , , , , , , , , , | Comments Off

Facebook Updates Its Policies for Deceased Users

According to a February 21, 2014, news release, Facebook has made two updates to its policies regarding the accounts of deceased users.

Previously, Facebook allowed one of two options for a deceased user’s account. First, the personal representative of a deceased person’s estate (also known as an executor) or an immediate family member could ask Facebook to remove a deceased user’s account and account contents from Facebook. Second, an immediate family member (a spouse, parent, sibling, or child), an extended family member (a grandparent, aunt, uncle, or cousin), or even a non-family member (a friend, co-worker, or classmate) could ask Facebook instead to “memorialize” a deceased user’s account, which locks the account and restricts other people from viewing the deceased user’s profile and other contents unless that other person was a “friend” of the deceased user on Facebook. Please note that Facebook’s Terms of Service agreement does not permit anyone to log into another user’s account, not even a deceased user’s account. Also, note that Facebook will not reset or reveal the password of a deceased user’s account.

The February 21, 2014, news release states that Facebook’s policy for “memorializing” a deceased user’s account has now changed. No longer will a memorialized account have its visibility restricted to only “friends” of the deceased user. Instead, Facebook will preserve the same privacy and visibility settings that the deceased user had specified during lifetime. For example, a user’s Facebook contents that were restricted so that only “friends” could view them would continue to be restricted after the user dies (once the account is memorialized), but a user’s Facebook contents that were visible to everyone would continue to be visible to everyone after the user dies (once the account is memorialized). The February 21, 2014, news release does not mention any changes to the procedure for removing a deceased user’s account and account contents from Facebook.

An additional change announced in the February 21, 2014, news release is the ability to request a “Look Back” movie for a deceased user’s Facebook account. Only a “friend” can make the request for a “Look Back” movie for a deceased user, and this request must be made after the deceased user’s Facebook account has been memorialized. More information about Facebook “Look Back” movies is available in this February 4, 2014, article from The Verge.

It’s great to see that Facebook is being respectful of and responsive to the issues related to a deceased user’s online account and account contents. Each year, more of our personal and business lives are moving into the digital world of computers, online accounts, and electronic storage, and some of this data has financial value or sentimental value to family members after the user becomes incapacitated or dies.

The vast majority of Terms of Service agreements that I’ve read for online accounts do not specify what happens while a user is incapacitated or after a user is deceased. As a result, family members and the duly-appointed fiduciaries acting on behalf of the user face confusion, delays, and obstacles related to the user’s online accounts and other digital property. Maybe they don’t have the user’s password. Maybe they do have the user’s password but can’t use it for fear of “exceeding authorized access” in violation the account’s Terms of Service agreement, which potentially could be prosecuted under state or federal criminal laws including the Computer Fraud and Abuse Act. Or, maybe the duly-appointed fiduciary has requested a copy of the contents of the deceased user’s online account, but the account provider is not able to divulge the contents without the “lawful consent” of the user because of the privacy protections under the federal Stored Communications Act. These are significant obstacles facing family members, fiduciaries, and their team of advisers when dealing with an incapacitated or deceased user’s online accounts and digital property.

My hope is that it will someday be best practices for Terms of Service agreements of online accounts to: (1) clearly authorize a duly-appointed fiduciary to access to a user’s online account during lifetime or after death for purposes of state and federal criminal laws including the Computer Fraud and Abuse Act; (2) clearly confirm that the user is providing “lawful consent” within the meaning of the federal Stored Communications Act to divulge the user’s online account contents to a duly-appointed fiduciary; and (3) clearly state what happens to the user’s account itself and the user’s account contents after death.

It also would be helpful if a user could easily designate one or more “beneficiaries” who could receive a copy of all (or a specified portion) of the user’s account contents after the user has died. Please note that the I mentioned “a copy” of the account contents—I’m drawing a distinction between making “a copy” of the data versus the legal issues that may be involved in transferring rights or ownership interests in the user’s account itself or transferring rights or ownership interests in the user’s data. See my earlier blog post about Google’s “inactive account manager,” which provides a similar “beneficiary designation” to transfer a copy of the account contents to designated people.

This is an emerging area of law, and I’m hopeful that the confusion, delays, and obstacles facing family members and fiduciaries dealing with the incapacity or death of a loved one can be resolved by better clarification and more consistency in Terms of Service agreements.

Posted in Social Networking Accounts | Tagged , , , , , , , , | Comments Off

The Digital Death Conundrum: How Federal and State Laws Prevent Fiduciaries from Managing Digital Property

The University of Miami Law Review just published The Digital Death Conundrum: How Federal and State Laws Prevent Fiduciaries from Managing Digital Property (direct PDF link), a new article coauthored by James D. Lamm, Christina L. Kunz, Damien A. Riehl, and Peter John Rademacher. This article discusses the importance of estate planning for online accounts and other digital property, describes the types of fiduciaries that are appointed to act on behalf of an incapacitated or deceased person, and the main obstacles fiduciaries may face in dealing with digital property.

What do I mean when I say “fiduciary”? Generally, it’s a person appointed to act on your behalf. A living person may designate an agent under a power of attorney document to act on his or her behalf. If a person is incapacitated, a court may appoint a conservator (or guardian) to act on behalf of the person. If a person is deceased, a court may appoint a personal representative (also known as an executor) to act on behalf of the deceased person’s estate. A person also might establish a trust during lifetime or upon death that acquires or receives certain digital property, and the trustee acts on behalf of the trust.

Fiduciaries can run into a variety of problems when dealing with online accounts and other digital property, including passwords, data encryption, criminal laws on “exceeding authorized access,” and data privacy laws. The key federal laws that are obstacles are the Computer Fraud and Abuse Act and the Stored Communications Act (also known as the Electronic Communications Privacy Act). Online accounts also may have a restrictive Terms of Service Agreement that does not allow a user to share his or her password or allow anyone else to access his or her account.

The article proposes brief and focused amendments to the federal Computer Fraud and Abuse Act and to the Stored Communications Act to resolve the uncertainty of fiduciary authority and access to digital property. The article also describes an early draft of the Uniform Law Commission’s Fiduciary Access to Digital Assets model act, which is a model for state legislatures to enact that provides clear authority under state law for fiduciaries to access, manage, and deal with online accounts and other digital property. I’m hopeful that the Fiduciary Access to Digital Assets model act will be finalized in 2014 so that states can begin the process of considering and enacting it.

The article includes a sample will provision to consider that grants powers and authority over digital property to the personal representative of a decedent’s estate. Finally, the article includes a stand-alone sample Authorization and Consent for Release of Electronically Stored Information document to consider that authorizes fiduciaries to receive digital property for purposes of the Computer Fraud and Abuse Act and the Stored Communications Act. As noted in this blog’s disclaimer below, these sample provisions are intended for general educational and information purposes only—they should not be construed or relied upon as legal advice or opinion on any specific facts or circumstances, and you should consult with an attorney licensed to practice in your state concerning your own situation and any specific legal questions you may have.

I want to say a special thank you to Chris Kunz, Damien Riehl, and Peter Rademacher for all of their hard work on this article—it was a great team effort!

Posted in E-mail, Social Networking Accounts, Web Pages and Blogs | Tagged , , , , , , , , , , , , | Comments Off

Valuable $50,000 Twitter Account Allegedly Stolen

There was an interesting January 29, 2014, article on CNET written by Don Reisinger describing how a thief/hacker allegedly hijacked an Internet domain name and e-mail account belonging to Naoki Hiroshima and stole his Twitter username. According to Mr. Hiroshima’s own description of how this happened, he was previously offered $50,000 for his rare and valuable one-letter Twitter username (his Twitter username was @N).

Unfortunately, the increasing financial value of some Internet domain names and online accounts makes this digital property an attractive target for thieves and hackers. It’s important to protect your valuable or significant digital property during your lifetime, and it’s also important for family members and fiduciaries to protect this digital property during your incapacity and after your death. For example, use two-factor authentication for your online accounts that offer that extra layer of security. And, for Internet domain names, consider adding security features to your domain name registration including making the registration information private and restricting any domain name transfers unless an additional authorization code is used. These features help protect against “domain hijacking” and “domain slamming.” In an interview on National Public Radio’s All Things Considered program broadcast on May 11, 2009, John W. Dozier, Jr., a Virginia attorney, described a case in which hackers stole a decedent’s domain names before the beneficiaries of the estate knew about them. In that case, the law firm was able to help the estate recover all of the domain names.

The bottom line is that we need to take appropriate steps protect our online accounts and digital property just like we take appropriate steps to protect our other “real world” property. And when a user becomes incapacitated or dies with valuable or significant online accounts and digital property, the fiduciaries and family members should act quickly to protect this digital property.

Update: According to a February 26, 2014, article on Ars Technica, Twitter has now returned Mr. Hiroshima’s “@N” account to him.

Posted in Domain Names, E-mail, Social Networking Accounts | Tagged , , , , , , , , , , , | Comments Off

Thoughts on the Stored Communications Act, Federal Preemption and Supremacy, and State Laws on Fiduciary Access to Digital Property

As of the date of this posting, seven states have recently passed laws and at least eighteen other states are considering new laws granting fiduciary access to an incapacitated or deceased person’s online accounts and other digital property. The Uniform Law Commission has a Drafting Committee currently working on a Fiduciary Access to Digital Assets model act. How will these state laws interact with federal law, especially the privacy protections under the Stored Communications Act? In other words, do state laws attempting to grant fiduciary access to the contents of online accounts protected by the federal Stored Communications Act have no effect (or a limited effect) because of federal preemption or supremacy?

Based on the analysis below, I believe that a court would conclude that state fiduciary laws, in general, and the relevant provisions of the November 2013 draft of the Fiduciary Access to Digital Assets model act, in particular, are not in conflict with and are not preempted by the federal Stored Communications Act.

Below, I will describe: (1) some background information on the Stored Communications Act, (2) why fiduciaries need access to the contents of online accounts; and (3) my thoughts on federal preemption and supremacy.

Background Information on the Stored Communications Act

When I refer to the Stored Communications Act, I’m referring to Title II of the Electronic Communications Privacy Act of 1986, codified as 18 U.S.C. §§ 2701 through 2712. The Act creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain providers of electronic communication services and remote computing services. These privacy protections are a significant obstacle for fiduciaries and family members seeking access to the contents of an incapacitated or deceased user’s online accounts because, if the Act applies, the online account service provider is prohibited from disclosing the account contents to them—unless an exception under § 2702(b) of the Act is met.

The Stored Communications Act does not apply to everything on the Internet. In general, the Act protects the contents of an electronic communication service or a remote computing service provided to the public. So, a private electronic communication service isn’t protected, like an employer that provides e-mail accounts only to its employees. But, the Act does protect electronic communication services and remote computing services provided to the public, so it applies to the contents of e-mail accounts like Microsoft Outlook (formerly known as Hotmail), Google Gmail, or Yahoo! Mail, and it applies to certain social networking account contents like Facebook, Google+, or MySpace, among others. Note that the Act only protects electronic communications and files that are “restricted in some fashion”—so, for social networking accounts like Facebook, the Act protects contents that are restricted so that only your “friends” can view them, even if you have hundreds or thousands of friends, but it doesn’t protect contents that everyone can see. See Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11–cv–03305 (D.N.J. Aug. 20, 2013); Crispin v. Christian Audigier, Inc., 717 F.Supp.2d  965 (C.D. Cal. 2010).

If the Stored Communications Act applies, the service provider is prohibited by § 2702(a) of the Act from voluntarily divulging the contents of the electronic communications or files unless an exception is met. If one of the exceptions applies (e.g., the “lawful consent” exception under § 2702(b)(3) of the Act), then the service provider may voluntarily disclose the contents of the electronic communications and files protected under the Act. But, you cannot compel the service provider to disclose that information, even by bringing a civil action against the service provider. See In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, No. C 12–80171 LHK (N.D.Cal. Sept. 20, 2012) (a previous posting of mine describes this case involving the estate of Sahar Daftary); compare with Ajemian v. Yahoo!, Inc., 83 Mass.App.Ct. 565 (2013) (appellate court remanded the case to the probate court for further proceedings on whether the Stored Communications Act prohibits disclosure of the contents of Yahoo! e-mail accounts to the executor of a deceased user’s estate).

What would happen if a service provider violates the Stored Communications Act? Under § 2707 of the Act, the affected online account subscriber or other person aggrieved by the violation may bring a civil action against the service provider. The affected party can sue the service provider for actual damages suffered and, if the violation is willful or intentional, the court may assess punitive damages against the service provider. If the affected party’s civil action is successful, the court may assess reasonable attorney’s fees and other litigation costs against the service provider. The minimum amount of statutory damages for violating the Stored Communications Act is $1,000. A majority of federal courts that have addressed this issue have concluded that the affected party does not need to first prove that he or she suffered actual damages before being entitled to the statutory damages of $1,000. See Shefts v. Petrakis, No. 10–cv–1104 (C.D. Ill. Mar. 14, 2013); Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 759 F.Supp.2d 417 (S.D.N.Y. 2010); Freedman v. Town of Fairfield, No. 3:03CV01048 (D. Conn. Sept. 19, 2006); In re Hawaiian Airlines, Inc., 355 B.R. 225 (D. Haw. 2006); Cedar Hill Assocs., Inc. v. Paget, No. 04 C 0557 (N.D. Ill. Dec. 9, 2005); but see Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199 (4th. Cir. 2009). Proof of actual damages is not required before being entitled to either punitive damages or attorney’s fees. Van Alstyne at 209.

Why Fiduciaries Need Access to the Contents of Online Accounts

After a person becomes incapacitated or dies, someone needs to: (1) take inventory of the person’s assets; (2) pay the person’s debts, taxes, and expenses; and (3) either preserve the person’s property during the period of incapacity or transfer the person’s property to the person’s beneficiaries after death. In general, these tasks are handled by one or more duly-appointed fiduciaries, including: (1) an attorney-in-fact acting under a power of attorney; (2) a court-appointed guardian or conservator of a living person; (3) a trustee of a trust; or (4) a court-appointed executor (also known as a personal representative) of a deceased person’s estate. In addition, some assets may pass at death according to a transfer-on-death beneficiary designation or according to a right of survivorship held by a joint owner of an asset, for example. A person’s duly-appointed fiduciary has powers, duties, and authority to act on the person’s behalf granted under a governing instrument (e.g., a last will and testament, a trust, or a power of attorney) and under state law.

For example, when a person dies owning real estate, bank accounts, brokerage accounts, online account contents, and other property, an executor is appointed by the applicable state court to act on behalf of the decedent’s probate estate. The executor is the deceased person’s alter ego, standing in the shoes of the decedent. Under § 3–711 of the Uniform Probate Code, the executor “has the same power over the title to property of the estate that an absolute owner would have, in trust however, for the benefit of the creditors and others interested in the estate. This power may be exercised without notice, hearing, or order of court.” Under § 3–703 of the Uniform Probate Code, the executor “is under a duty to settle and distribute the estate of the decedent in accordance with the terms of any probated and effective will and this code, and as expeditiously and efficiently as is consistent with the best interests of the estate.”

Fiduciaries have an obligation to gather information on valuable property for federal and state tax reporting purposes, including reporting it in any applicable income tax returns, as required by 26 U.S.C. § 6012(b) and any applicable state laws, and reporting a complete schedule of all valuable property and its fair market value in an estate tax return after death, if required by 26 U.S.C. § 6018(a) or any applicable state laws.

Traditionally, after a person became incapacitated or died, the duly-appointed fiduciaries would go to the person’s home; look through the person’s paper records; and watch the person’s U.S. mail for bills, account statements, and other important information needed for the administration process. However, many bills and account statements are now delivered by e-mail; checkbook registers, tax returns, receipts, and other important records may be kept only electronically on local storage media or in the cloud; and bill payments and other financial and business transactions might be done entirely over the Internet.

Now more than ever, fiduciaries need access to an incapacitated or deceased person’s electronically stored information, e-mail accounts, and other online accounts to fully accomplish their fiduciary duties to an incapacitated or deceased person. And, these fiduciaries often need to act quickly to meet federal and state tax filing requirements and the requirements of state courts and state fiduciary laws to promptly inventory and protect the person’s property. Acting quickly is especially important for online accounts because some service providers will close the person’s account and delete the person’s data if the account has not been accessed for several months. And, as I’ve written about previously, federal and state criminal laws on unauthorized access to computers have a significant chilling effect on fiduciaries who may want to use the person’s username and password to directly access the person’s online accounts and retrieve the account contents, because it may be a crime to do that! We need clear authority for fiduciary access to online accounts and digital property to keep administration costs down, to provide for a smooth administration, and to ensure no valuable or significant property is overlooked.

As I’ve written many times, planning ahead for incapacity and death is essential for online accounts and digital property. There are at least four significant digital property obstacles for fiduciaries if the person does not plan ahead: (1) passwords; (2) encryption; (3) criminal laws regarding unauthorized access to computer systems; and (4) data privacy laws, especially the Stored Communications Act.

Seven states have recently passed new laws and, as of the date of this posting, at least eighteen other state legislatures have been considering new laws on fiduciary access to digital property to help overcome some of these obstacles. And, the Uniform Law Commission is currently working on a Fiduciary Access to Digital Assets model act to provide a clear, consistent, and comprehensive law that states can adopt in the future to help overcome some of these obstacles—I think this consistency would be especially helpful to service providers.

My Thoughts on Federal Preemption and Supremacy

All of the background information above leads us to the question posed at the beginning of this posting (finally!). Do state laws attempting to grant fiduciary access to the contents of online accounts protected by the federal Stored Communications Act have no effect (or a limited effect) because of federal preemption or supremacy?

As of the date of this posting, I’m not aware of any court answering this question with respect to any of the seven existing state laws on fiduciary access to digital property or with respect to any of the general state fiduciary laws involving a power of attorney, guardianship, conservatorship, trust, or executor of a decedent’s probate estates. So, what follows are my initial thoughts about how a court might approach this question.

Let’s begin with Cipollone v. Liggett Group, Inc., 505 U.S. 504 (1992), in which the U.S. Supreme Court said that, “Consideration of issues arising under the Supremacy Clause ‘start[s] with the assumption that the historic police powers of the States [are] not to be superseded by…Federal Act unless that [is] the clear and manifest purpose of Congress.'” Id. at 516 (quoting Rice v. Santa Fe Elevator Corp., 331 U.S. 218, 230 (1947)). In general, the historic police powers of the states include reasonable regulations to protect the health, safety, morals, and general welfare of the public (including protecting state citizens against corporate misconduct, which is also one of the purposes of the Stored Communications Act). See, e.g., Jacobson v. Massachusetts, 197 U.S. 11 (1905).

Now, let’s walk through three main ways that courts have reviewed related state laws and federal laws under the concepts of federal supremacy or preemption: (1) does the federal law have an express preemption provision; (2) does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation; and (3) does the federal law actually conflict with state law? See Cal. Fed. Sav. & Loan Ass’n, 479 U.S. 272, 280–281 (1987).

1. Does the federal law have an express preemption provision?

First, does the federal law have an express preemption provision? In the case of the Stored Communications Act, the answer is “no”—there is no provision in the Act that expressly preempts state laws or regulations. Contrast that with the express preemption provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), codified as 42 U.S.C. § 1320d–7(a)(1), which states that HIPAA’s provisions “shall supersede any contrary provision of State law.” Congress clearly chose to trump and displace any state laws that conflicted with HIPAA’s privacy rule regarding protected health information. However, Congress chose not to include any statutory preemption language in the Stored Communications Act.

2. Does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation?

Second, does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation? In the case of the Stored Communications Act, the answer is “no.” The Stored Communications Act includes both criminal offenses (§ 2701(a) of the Act) and civil causes of action (§ 2707(a) of the Act) for unauthorized access to or prohibited disclosure of certain electronic communications and files. All fifty states have enacted laws regarding computer hacking or unauthorized access. And, refer to the Compilation of State and Federal Privacy Laws by Robert Ellis Smith for a comprehensive list of state laws on privacy, electronic surveillance, identity theft, etc. These state laws are within the scope of the historic police powers of the states, mentioned above, including reasonable regulations to protect the health, safety, morals, and general welfare of the public. Clearly, there is concurrent federal and state authority regarding criminal offenses and civil causes of action for unauthorized access to or prohibited disclosure of certain electronic communications and files, and the federal Stored Communications Act does not fully occupy the field of regulation.

3. Does the federal law actually conflict with state law?

Third, does the federal law actually conflict with state law? Courts have generally found actual conflicts if: (a) “compliance with both federal and state regulations is a physical impossibility” (Florida Lime & Avocado Growers, Inc., v. Paul, 373 U.S. 132, 142–143 (1963)) or (b) the state law is an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress” (Hines v. Davidowitz, 312 U.S. 52, 67 (1941)). Specifically, let’s look at Sections 8(a)(i) and 8(a)(ii) of the November 2013 draft of the Uniform Law Commission’s Fiduciary Access to Digital Assets (FADA) model act to see if either of these provisions would actually conflict with the Stored Communications Act.

Section 8(a)(i) of the FADA model act says that, “A fiduciary with authority over digital assets or electronic communications of an account holder…has the same authority as the account holder.” Section 8(a)(ii) of the FADA model act says that, “A fiduciary with authority over digital assets or electronic communications of an account holder…has the lawful consent of the account holder.”

While § 2702(b)(3) of the Stored Communications Act says that a user can provide “lawful consent” for the provider to divulge the contents of an electronic communication or file and § 2707 of the Act says that a user can bring a civil action for violations of the Act, the Act is silent regarding who can enforce the user’s rights while the user is incapacitated or after the user dies. The Act does not expressly authorize or expressly prohibit a duly-authorized fiduciary to act on behalf of a user.

3.a. Is compliance with both federal and state regulations a genuine or physical impossibility?

So, does the difference between the Stored Communications Act and the FADA model act rise to the level of “impossibility” and result in federal law actually conflicting with state law? I believe the court would conclude that the answer is “no.” In Thoughts on Preemption in the Wake of the Levine Decision, by Erika Fisher Lietzan and Sarah E. Pitlyk, regarding the “impossibility” analysis, the authors state “It is not enough that state law prohibits something that federal law permits, or vice versa. In each of these scenarios, a party could still comply with both laws by refraining from the conduct in question. In order for a court to find that it is genuinely impossible to comply with both state and federal law, one body of law must require something that the other prohibits. (footnotes omitted)” 13 J. Health Care L. & Pol’y 225, 227 (2010). For example, the article cites the case of Mich. Canners & Freezers Assn’ v. Agric. Mktg. & Bargaining Bd., 467 U.S. 461 (1984), which noted that a Michigan state law in question empowered people to do precisely what the federal law forbid them to do. But, the court noted that, “Because the Michigan Act is cast in permissive rather than mandatory terms…this is not a case in which it is impossible for an individual to comply with both state and federal law.” Id. at 477–478.

With respect to online accounts, there is no genuine or physical impossibility between the Stored Communications Act and the FADA model act. The FADA model act does not compel service providers to disclose the contents of the electronic communications and files protected under the Stored Communications Act. Disclosure is still voluntary for the service provider under the Stored Communications Act. In other words, a service provider that is skeptical of the effect of the FADA model act’s statement that a duly-appointed fiduciary has the “lawful consent” of the account holder could choose not to disclose the contents of the account holder’s electronic communications and files, if the service provider concludes that disclosure of the contents is prohibited under § 2702 of the Act (on the other hand, a written authorization signed by the account holder personally that signifies “lawful consent” should satisfy the service providers). Even though Section 9(a) of the FADA model act says that “the custodian must comply with the request” made by the fiduciary of an account holder for access to digital assets or electronic communications of the account holder, Section 4(a)(3) (regarding the personal representative of a deceased account holder) and Section 5(c)(3) (regarding the conservator of a protected person) both limit the fiduciary authority over contents of electronic communications “to the extent consistent with 18 U.S.C. Section 2702(b).” The other two fiduciaries, agents acting under a power of attorney in Section 6 of the FADA model act and trustees of a trust under Section 7 of the FADA model act, both must have an explicit delegation of authority from the account holder over the account holder’s digital property in the governing instrument, which would equate to the “lawful consent” of the account holder needed by the service provider to disclose the account contents under § 2702(b)(3) of the Stored Communications Act. So, the “to the extent consistent with 18 U.S.C. Section 2702(b)” limitations of Sections 4(a)(3) and 5(c)(3) allow a service provider that is skeptical of the effect of the FADA model act’s statement that a duly-appointed personal representative or conservator has the “lawful consent” of the account holder to choose not to disclose the contents of the account holder’s electronic communications and files, if the service provider concludes that disclosure of the contents is prohibited under § 2702 of the Act. However, service providers also could conclude, based on the FADA model act or other existing or future state fiduciary laws (whether those state fiduciary laws mention online accounts specifically or not), that the duly-appointed fiduciary is the alter ego of the account holder and stands in the shoes of the account holder for purposes of the Stored Communications Act, and the service provider could choose to disclose the account contents to that fiduciary. Support for this position comes from a statement made by the court in In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, No. C 12–80171 LHK (N.D.Cal. Sept. 20, 2012), “Of course, nothing prevents Facebook from concluding on its own that Applicants [the duly-appointed fiduciary acting on behalf of Sahar Daftary’s estate] have standing to consent on Sahar’s behalf and providing the requested materials voluntarily.” Because disclosure is voluntary, complying with both the Stored Communications Act and the FADA model act is not a genuine or physical impossibility for service providers. It’s also important to note that the quotation above comes from an order of the U.S. District Court, Northern District of California, because the Terms of Service contracts for Facebook, Apple, Google, LinkedIn, Twitter, WordPress, Yahoo!, YouTube, and other service providers state that any disputes with those companies must be resolved in a court in the same jurisdiction.

3.b. Is the state law is an obstacle to the accomplishment and execution of the full purposes and objectives of Congress?

That leaves the question of whether the state law is an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and I believe the court would conclude that the answer is “no.” Fiduciaries play an important and necessary role in the U.S. legal system for our personal and business lives, especially when dealing with an incapacitated or deceased person’s valuable or significant property, including digital property. A duly-appointed fiduciary acts as a person’s alter ego, standing in the shoes of the person. The person’s online account contents and other digital property are directly relevant to the fiduciary’s duties when acting on behalf of the incapacitated or deceased person’s estate and property, and the FADA model act is carefully tailored and limited to provide duly-appointed fiduciaries the authority and powers needed to act on behalf of a user’s online accounts and digital property within the scope of the fiduciary relationship. I would think differently about a state law that attempted to say the person’s spouse or other family members were granted access to an incapacitated or deceased person’s online accounts and digital property, without the accompanying fiduciary duties and limitation in scope so that it’s relevant to that person’s involvement.

It’s important that someone is able to collect and administer the person’s digital property and enforce the person’s rights in that digital property, including privacy rights under the Stored Communications Act, and the person’s duly-appointed fiduciary is the appropriate agent to do this under U.S. laws. Who else would have authority to bring a civil cause of action under § 2707 of the Stored Communications Act for an incapacitated or deceased user other than the user’s duly-appointed fiduciary? So, I don’t see how these two sections of the FADA model act would be an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress” under the Stored Communications Act.

Based on my reading of the cases and analysis described above, I don’t think that a court would conclude the federal Stored Communications Act would actually conflict with the FADA model act or similar state fiduciary laws.

Other Reading

As I was reading through the cases on federal preemption and supremacy, I found the paper Congress’s Power to Preempt the States written by Professor Stephen Gardbaum in 2005 (and his 1994 paper The Nature of Preemption) to be a helpful resource for thinking through how a court today may (or should) think through these issues. In his paper, Professor Gardbaum proposes a new and simplified framework to analyze issues of federal supremacy and preemption. He asserts that Congress can preempt state law, but it must do so expressly in the federal law. He also asserts that, if there is no express preemption of state law by Congress in a federal law, the federal law will only supersede state law if there’s an actual conflict between them, as a result of the Supremacy Clause.

Conclusion

The bottom line is I believe that a court would conclude that state fiduciary laws, in general, and the relevant provisions of the November 2013 draft of the Fiduciary Access to Digital Assets model act, in particular, are not in conflict with and are not preempted by the federal Stored Communications Act. Ultimately, however, it will be up to the applicable courts to decide these issues.

Until that happens, hopefully a balance can be achieved for fiduciaries to receive the online account contents needed to carry out their fiduciary duties to an incapacitated or deceased person and for service providers to receive the assurances they need to respect a user’s privacy rights and to avoid potential civil damages for improper disclosures. Of course, I still prefer planning ahead for passwords, online accounts, and digital property, including having a written authorization signed by the account holder personally to signify “lawful consent,” rather than relying on the effect of state laws.

Finally, as with anything else in my blog, the views expressed are my personal views alone and do not necessarily represent the views of my law firm.

Posted in E-mail, General, Social Networking Accounts | Tagged , , , , , , , , , , | Comments Off

Jim Lamm Quoted in Morningstar on Digital Estate Planning

On October 3, 2013, I was quoted on Morningstar in the article “Do You Have a Plan for Your Digital ‘Estate’?” by Christine Benz.

The article is an excellent introduction to estate planning for online accounts and other digital property, including the problems fiduciaries and family members face with: (1) passwords; (2) encrypted data; (3) federal and state criminal laws regarding unauthorized access to computer systems (especially the Computer Fraud and Abuse Act); and (4) data privacy laws (especially the Stored Communications Act).

The article also outlines four practical steps to take to incorporate digital property into your estate plan.

Posted in General | Tagged , , , , , , , | Comments Off