Google and Microsoft Update Their E-Mail Privacy Policies

Google and Microsoft have both recently updated their policies regarding the privacy of e-mail contents. The updates are about different issues and were initiated in response to different events.

Google updated their Terms of Service agreement on April 14, 2014, to add the following sentences (among other changes):

Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.

Google apparently made this change in response to a lawsuit filed against the company alleging that they violate privacy laws by scanning the contents of e-mails to provide targeted ads to Gmail users. This change to their Terms of Service agreement clarifies what Google does. For more details read these Ars Technica articles from April 15, 2014, and September 27, 2013.

Microsoft, on the other hand, issued a statement on March 20, 2014, that they are strengthening their policies to protect the privacy of e-mail contents (although their Terms of Service agreement and Online Privacy Statement have not changed). As described in a March 21, 2014, article by Fahmida Y. Rashid on PCMag.com, this change in Microsoft’s policy comes in response to complaints about an incident in which Microsoft read the contents of a Hotmail user’s e-mails without notifying the user or obtaining a court order. Microsoft’s March 20, 2014, statement affirms that “Outlook and Hotmail email are and should be private” and that Microsoft “will not conduct a search of customer email and other services unless the circumstances would justify a court order, if one were available.”

Posted in E-mail | Tagged , , , , , , , , , , , | Comments Off

Facebook Updates Its Policies for Deceased Users

According to a February 21, 2014, news release, Facebook has made two updates to its policies regarding the accounts of deceased users.

Previously, Facebook allowed one of two options for a deceased user’s account. First, the personal representative of a deceased person’s estate (also known as an executor) or an immediate family member could ask Facebook to remove a deceased user’s account and account contents from Facebook. Second, an immediate family member (a spouse, parent, sibling, or child), an extended family member (a grandparent, aunt, uncle, or cousin), or even a non-family member (a friend, co-worker, or classmate) could ask Facebook instead to “memorialize” a deceased user’s account, which locks the account and restricts other people from viewing the deceased user’s profile and other contents unless that other person was a “friend” of the deceased user on Facebook. Please note that Facebook’s Terms of Service agreement does not permit anyone to log into another user’s account, not even a deceased user’s account. Also, note that Facebook will not reset or reveal the password of a deceased user’s account.

The February 21, 2014, news release states that Facebook’s policy for “memorializing” a deceased user’s account has now changed. No longer will a memorialized account have its visibility restricted to only “friends” of the deceased user. Instead, Facebook will preserve the same privacy and visibility settings that the deceased user had specified during lifetime. For example, a user’s Facebook contents that were restricted so that only “friends” could view them would continue to be restricted after the user dies (once the account is memorialized), but a user’s Facebook contents that were visible to everyone would continue to be visible to everyone after the user dies (once the account is memorialized). The February 21, 2014, news release does not mention any changes to the procedure for removing a deceased user’s account and account contents from Facebook.

An additional change announced in the February 21, 2014, news release is the ability to request a “Look Back” movie for a deceased user’s Facebook account. Only a “friend” can make the request for a “Look Back” movie for a deceased user, and this request must be made after the deceased user’s Facebook account has been memorialized. More information about Facebook “Look Back” movies is available in this February 4, 2014, article from The Verge.

It’s great to see that Facebook is being respectful of and responsive to the issues related to a deceased user’s online account and account contents. Each year, more of our personal and business lives are moving into the digital world of computers, online accounts, and electronic storage, and some of this data has financial value or sentimental value to family members after the user becomes incapacitated or dies.

The vast majority of Terms of Service agreements that I’ve read for online accounts do not specify what happens while a user is incapacitated or after a user is deceased. As a result, family members and the duly-appointed fiduciaries acting on behalf of the user face confusion, delays, and obstacles related to the user’s online accounts and other digital property. Maybe they don’t have the user’s password. Maybe they do have the user’s password but can’t use it for fear of “exceeding authorized access” in violation the account’s Terms of Service agreement, which potentially could be prosecuted under state or federal criminal laws including the Computer Fraud and Abuse Act. Or, maybe the duly-appointed fiduciary has requested a copy of the contents of the deceased user’s online account, but the account provider is not able to divulge the contents without the “lawful consent” of the user because of the privacy protections under the federal Stored Communications Act. These are significant obstacles facing family members, fiduciaries, and their team of advisers when dealing with an incapacitated or deceased user’s online accounts and digital property.

My hope is that it will someday be best practices for Terms of Service agreements of online accounts to: (1) clearly authorize a duly-appointed fiduciary to access to a user’s online account during lifetime or after death for purposes of state and federal criminal laws including the Computer Fraud and Abuse Act; (2) clearly confirm that the user is providing “lawful consent” within the meaning of the federal Stored Communications Act to divulge the user’s online account contents to a duly-appointed fiduciary; and (3) clearly state what happens to the user’s account itself and the user’s account contents after death.

It also would be helpful if a user could easily designate one or more “beneficiaries” who could receive a copy of all (or a specified portion) of the user’s account contents after the user has died. Please note that the I mentioned “a copy” of the account contents—I’m drawing a distinction between making “a copy” of the data versus the legal issues that may be involved in transferring rights or ownership interests in the user’s account itself or transferring rights or ownership interests in the user’s data. See my earlier blog post about Google’s “inactive account manager,” which provides a similar “beneficiary designation” to transfer a copy of the account contents to designated people.

This is an emerging area of law, and I’m hopeful that the confusion, delays, and obstacles facing family members and fiduciaries dealing with the incapacity or death of a loved one can be resolved by better clarification and more consistency in Terms of Service agreements.

Posted in Social Networking Accounts | Tagged , , , , , , , , | Comments Off

The Digital Death Conundrum: How Federal and State Laws Prevent Fiduciaries from Managing Digital Property

The University of Miami Law Review just published The Digital Death Conundrum: How Federal and State Laws Prevent Fiduciaries from Managing Digital Property (direct PDF link), a new article coauthored by James D. Lamm, Christina L. Kunz, Damien A. Riehl, and Peter John Rademacher. This article discusses the importance of estate planning for online accounts and other digital property, describes the types of fiduciaries that are appointed to act on behalf of an incapacitated or deceased person, and the main obstacles fiduciaries may face in dealing with digital property.

What do I mean when I say “fiduciary”? Generally, it’s a person appointed to act on your behalf. A living person may designate an agent under a power of attorney document to act on his or her behalf. If a person is incapacitated, a court may appoint a conservator (or guardian) to act on behalf of the person. If a person is deceased, a court may appoint a personal representative (also known as an executor) to act on behalf of the deceased person’s estate. A person also might establish a trust during lifetime or upon death that acquires or receives certain digital property, and the trustee acts on behalf of the trust.

Fiduciaries can run into a variety of problems when dealing with online accounts and other digital property, including passwords, data encryption, criminal laws on “exceeding authorized access,” and data privacy laws. The key federal laws that are obstacles are the Computer Fraud and Abuse Act and the Stored Communications Act (also known as the Electronic Communications Privacy Act). Online accounts also may have a restrictive Terms of Service Agreement that does not allow a user to share his or her password or allow anyone else to access his or her account.

The article proposes brief and focused amendments to the federal Computer Fraud and Abuse Act and to the Stored Communications Act to resolve the uncertainty of fiduciary authority and access to digital property. The article also describes an early draft of the Uniform Law Commission’s Fiduciary Access to Digital Assets model act, which is a model for state legislatures to enact that provides clear authority under state law for fiduciaries to access, manage, and deal with online accounts and other digital property. I’m hopeful that the Fiduciary Access to Digital Assets model act will be finalized in 2014 so that states can begin the process of considering and enacting it.

The article includes a sample will provision to consider that grants powers and authority over digital property to the personal representative of a decedent’s estate. Finally, the article includes a stand-alone sample Authorization and Consent for Release of Electronically Stored Information document to consider that authorizes fiduciaries to receive digital property for purposes of the Computer Fraud and Abuse Act and the Stored Communications Act. As noted in this blog’s disclaimer below, these sample provisions are intended for general educational and information purposes only—they should not be construed or relied upon as legal advice or opinion on any specific facts or circumstances, and you should consult with an attorney licensed to practice in your state concerning your own situation and any specific legal questions you may have.

I want to say a special thank you to Chris Kunz, Damien Riehl, and Peter Rademacher for all of their hard work on this article—it was a great team effort!

Posted in E-mail, Social Networking Accounts, Web Pages and Blogs | Tagged , , , , , , , , , , , , | Comments Off

Valuable $50,000 Twitter Account Allegedly Stolen

There was an interesting January 29, 2014, article on CNET written by Don Reisinger describing how a thief/hacker allegedly hijacked an Internet domain name and e-mail account belonging to Naoki Hiroshima and stole his Twitter username. According to Mr. Hiroshima’s own description of how this happened, he was previously offered $50,000 for his rare and valuable one-letter Twitter username (his Twitter username was @N).

Unfortunately, the increasing financial value of some Internet domain names and online accounts makes this digital property an attractive target for thieves and hackers. It’s important to protect your valuable or significant digital property during your lifetime, and it’s also important for family members and fiduciaries to protect this digital property during your incapacity and after your death. For example, use two-factor authentication for your online accounts that offer that extra layer of security. And, for Internet domain names, consider adding security features to your domain name registration including making the registration information private and restricting any domain name transfers unless an additional authorization code is used. These features help protect against “domain hijacking” and “domain slamming.” In an interview on National Public Radio’s All Things Considered program broadcast on May 11, 2009, John W. Dozier, Jr., a Virginia attorney, described a case in which hackers stole a decedent’s domain names before the beneficiaries of the estate knew about them. In that case, the law firm was able to help the estate recover all of the domain names.

The bottom line is that we need to take appropriate steps protect our online accounts and digital property just like we take appropriate steps to protect our other “real world” property. And when a user becomes incapacitated or dies with valuable or significant online accounts and digital property, the fiduciaries and family members should act quickly to protect this digital property.

Update: According to a February 26, 2014, article on Ars Technica, Twitter has now returned Mr. Hiroshima’s “@N” account to him.

Posted in Domain Names, E-mail, Social Networking Accounts | Tagged , , , , , , , , , , , | Comments Off

Thoughts on the Stored Communications Act, Federal Preemption and Supremacy, and State Laws on Fiduciary Access to Digital Property

As of the date of this posting, seven states have recently passed laws and at least eighteen other states are considering new laws granting fiduciary access to an incapacitated or deceased person’s online accounts and other digital property. The Uniform Law Commission has a Drafting Committee currently working on a Fiduciary Access to Digital Assets model act. How will these state laws interact with federal law, especially the privacy protections under the Stored Communications Act? In other words, do state laws attempting to grant fiduciary access to the contents of online accounts protected by the federal Stored Communications Act have no effect (or a limited effect) because of federal preemption or supremacy?

Based on the analysis below, I believe that a court would conclude that state fiduciary laws, in general, and the relevant provisions of the November 2013 draft of the Fiduciary Access to Digital Assets model act, in particular, are not in conflict with and are not preempted by the federal Stored Communications Act.

Below, I will describe: (1) some background information on the Stored Communications Act, (2) why fiduciaries need access to the contents of online accounts; and (3) my thoughts on federal preemption and supremacy.

Background Information on the Stored Communications Act

When I refer to the Stored Communications Act, I’m referring to Title II of the Electronic Communications Privacy Act of 1986, codified as 18 U.S.C. §§ 2701 through 2712. The Act creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain providers of electronic communication services and remote computing services. These privacy protections are a significant obstacle for fiduciaries and family members seeking access to the contents of an incapacitated or deceased user’s online accounts because, if the Act applies, the online account service provider is prohibited from disclosing the account contents to them—unless an exception under § 2702(b) of the Act is met.

The Stored Communications Act does not apply to everything on the Internet. In general, the Act protects the contents of an electronic communication service or a remote computing service provided to the public. So, a private electronic communication service isn’t protected, like an employer that provides e-mail accounts only to its employees. But, the Act does protect electronic communication services and remote computing services provided to the public, so it applies to the contents of e-mail accounts like Microsoft Outlook (formerly known as Hotmail), Google Gmail, or Yahoo! Mail, and it applies to certain social networking account contents like Facebook, Google+, or MySpace, among others. Note that the Act only protects electronic communications and files that are “restricted in some fashion”—so, for social networking accounts like Facebook, the Act protects contents that are restricted so that only your “friends” can view them, even if you have hundreds or thousands of friends, but it doesn’t protect contents that everyone can see. See Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11–cv–03305 (D.N.J. Aug. 20, 2013); Crispin v. Christian Audigier, Inc., 717 F.Supp.2d  965 (C.D. Cal. 2010).

If the Stored Communications Act applies, the service provider is prohibited by § 2702(a) of the Act from voluntarily divulging the contents of the electronic communications or files unless an exception is met. If one of the exceptions applies (e.g., the “lawful consent” exception under § 2702(b)(3) of the Act), then the service provider may voluntarily disclose the contents of the electronic communications and files protected under the Act. But, you cannot compel the service provider to disclose that information, even by bringing a civil action against the service provider. See In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, No. C 12–80171 LHK (N.D.Cal. Sept. 20, 2012) (a previous posting of mine describes this case involving the estate of Sahar Daftary); compare with Ajemian v. Yahoo!, Inc., 83 Mass.App.Ct. 565 (2013) (appellate court remanded the case to the probate court for further proceedings on whether the Stored Communications Act prohibits disclosure of the contents of Yahoo! e-mail accounts to the executor of a deceased user’s estate).

What would happen if a service provider violates the Stored Communications Act? Under § 2707 of the Act, the affected online account subscriber or other person aggrieved by the violation may bring a civil action against the service provider. The affected party can sue the service provider for actual damages suffered and, if the violation is willful or intentional, the court may assess punitive damages against the service provider. If the affected party’s civil action is successful, the court may assess reasonable attorney’s fees and other litigation costs against the service provider. The minimum amount of statutory damages for violating the Stored Communications Act is $1,000. A majority of federal courts that have addressed this issue have concluded that the affected party does not need to first prove that he or she suffered actual damages before being entitled to the statutory damages of $1,000. See Shefts v. Petrakis, No. 10–cv–1104 (C.D. Ill. Mar. 14, 2013); Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 759 F.Supp.2d 417 (S.D.N.Y. 2010); Freedman v. Town of Fairfield, No. 3:03CV01048 (D. Conn. Sept. 19, 2006); In re Hawaiian Airlines, Inc., 355 B.R. 225 (D. Haw. 2006); Cedar Hill Assocs., Inc. v. Paget, No. 04 C 0557 (N.D. Ill. Dec. 9, 2005); but see Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199 (4th. Cir. 2009). Proof of actual damages is not required before being entitled to either punitive damages or attorney’s fees. Van Alstyne at 209.

Why Fiduciaries Need Access to the Contents of Online Accounts

After a person becomes incapacitated or dies, someone needs to: (1) take inventory of the person’s assets; (2) pay the person’s debts, taxes, and expenses; and (3) either preserve the person’s property during the period of incapacity or transfer the person’s property to the person’s beneficiaries after death. In general, these tasks are handled by one or more duly-appointed fiduciaries, including: (1) an attorney-in-fact acting under a power of attorney; (2) a court-appointed guardian or conservator of a living person; (3) a trustee of a trust; or (4) a court-appointed executor (also known as a personal representative) of a deceased person’s estate. In addition, some assets may pass at death according to a transfer-on-death beneficiary designation or according to a right of survivorship held by a joint owner of an asset, for example. A person’s duly-appointed fiduciary has powers, duties, and authority to act on the person’s behalf granted under a governing instrument (e.g., a last will and testament, a trust, or a power of attorney) and under state law.

For example, when a person dies owning real estate, bank accounts, brokerage accounts, online account contents, and other property, an executor is appointed by the applicable state court to act on behalf of the decedent’s probate estate. The executor is the deceased person’s alter ego, standing in the shoes of the decedent. Under § 3–711 of the Uniform Probate Code, the executor “has the same power over the title to property of the estate that an absolute owner would have, in trust however, for the benefit of the creditors and others interested in the estate. This power may be exercised without notice, hearing, or order of court.” Under § 3–703 of the Uniform Probate Code, the executor “is under a duty to settle and distribute the estate of the decedent in accordance with the terms of any probated and effective will and this code, and as expeditiously and efficiently as is consistent with the best interests of the estate.”

Fiduciaries have an obligation to gather information on valuable property for federal and state tax reporting purposes, including reporting it in any applicable income tax returns, as required by 26 U.S.C. § 6012(b) and any applicable state laws, and reporting a complete schedule of all valuable property and its fair market value in an estate tax return after death, if required by 26 U.S.C. § 6018(a) or any applicable state laws.

Traditionally, after a person became incapacitated or died, the duly-appointed fiduciaries would go to the person’s home; look through the person’s paper records; and watch the person’s U.S. mail for bills, account statements, and other important information needed for the administration process. However, many bills and account statements are now delivered by e-mail; checkbook registers, tax returns, receipts, and other important records may be kept only electronically on local storage media or in the cloud; and bill payments and other financial and business transactions might be done entirely over the Internet.

Now more than ever, fiduciaries need access to an incapacitated or deceased person’s electronically stored information, e-mail accounts, and other online accounts to fully accomplish their fiduciary duties to an incapacitated or deceased person. And, these fiduciaries often need to act quickly to meet federal and state tax filing requirements and the requirements of state courts and state fiduciary laws to promptly inventory and protect the person’s property. Acting quickly is especially important for online accounts because some service providers will close the person’s account and delete the person’s data if the account has not been accessed for several months. And, as I’ve written about previously, federal and state criminal laws on unauthorized access to computers have a significant chilling effect on fiduciaries who may want to use the person’s username and password to directly access the person’s online accounts and retrieve the account contents, because it may be a crime to do that! We need clear authority for fiduciary access to online accounts and digital property to keep administration costs down, to provide for a smooth administration, and to ensure no valuable or significant property is overlooked.

As I’ve written many times, planning ahead for incapacity and death is essential for online accounts and digital property. There are at least four significant digital property obstacles for fiduciaries if the person does not plan ahead: (1) passwords; (2) encryption; (3) criminal laws regarding unauthorized access to computer systems; and (4) data privacy laws, especially the Stored Communications Act.

Seven states have recently passed new laws and, as of the date of this posting, at least eighteen other state legislatures have been considering new laws on fiduciary access to digital property to help overcome some of these obstacles. And, the Uniform Law Commission is currently working on a Fiduciary Access to Digital Assets model act to provide a clear, consistent, and comprehensive law that states can adopt in the future to help overcome some of these obstacles—I think this consistency would be especially helpful to service providers.

My Thoughts on Federal Preemption and Supremacy

All of the background information above leads us to the question posed at the beginning of this posting (finally!). Do state laws attempting to grant fiduciary access to the contents of online accounts protected by the federal Stored Communications Act have no effect (or a limited effect) because of federal preemption or supremacy?

As of the date of this posting, I’m not aware of any court answering this question with respect to any of the seven existing state laws on fiduciary access to digital property or with respect to any of the general state fiduciary laws involving a power of attorney, guardianship, conservatorship, trust, or executor of a decedent’s probate estates. So, what follows are my initial thoughts about how a court might approach this question.

Let’s begin with Cipollone v. Liggett Group, Inc., 505 U.S. 504 (1992), in which the U.S. Supreme Court said that, “Consideration of issues arising under the Supremacy Clause ‘start[s] with the assumption that the historic police powers of the States [are] not to be superseded by…Federal Act unless that [is] the clear and manifest purpose of Congress.’” Id. at 516 (quoting Rice v. Santa Fe Elevator Corp., 331 U.S. 218, 230 (1947)). In general, the historic police powers of the states include reasonable regulations to protect the health, safety, morals, and general welfare of the public (including protecting state citizens against corporate misconduct, which is also one of the purposes of the Stored Communications Act). See, e.g., Jacobson v. Massachusetts, 197 U.S. 11 (1905).

Now, let’s walk through three main ways that courts have reviewed related state laws and federal laws under the concepts of federal supremacy or preemption: (1) does the federal law have an express preemption provision; (2) does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation; and (3) does the federal law actually conflict with state law? See Cal. Fed. Sav. & Loan Ass’n, 479 U.S. 272, 280–281 (1987).

1. Does the federal law have an express preemption provision?

First, does the federal law have an express preemption provision? In the case of the Stored Communications Act, the answer is “no”—there is no provision in the Act that expressly preempts state laws or regulations. Contrast that with the express preemption provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), codified as 42 U.S.C. § 1320d–7(a)(1), which states that HIPAA’s provisions “shall supersede any contrary provision of State law.” Congress clearly chose to trump and displace any state laws that conflicted with HIPAA’s privacy rule regarding protected health information. However, Congress chose not to include any statutory preemption language in the Stored Communications Act.

2. Does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation?

Second, does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation? In the case of the Stored Communications Act, the answer is “no.” The Stored Communications Act includes both criminal offenses (§ 2701(a) of the Act) and civil causes of action (§ 2707(a) of the Act) for unauthorized access to or prohibited disclosure of certain electronic communications and files. All fifty states have enacted laws regarding computer hacking or unauthorized access. And, refer to the Compilation of State and Federal Privacy Laws by Robert Ellis Smith for a comprehensive list of state laws on privacy, electronic surveillance, identity theft, etc. These state laws are within the scope of the historic police powers of the states, mentioned above, including reasonable regulations to protect the health, safety, morals, and general welfare of the public. Clearly, there is concurrent federal and state authority regarding criminal offenses and civil causes of action for unauthorized access to or prohibited disclosure of certain electronic communications and files, and the federal Stored Communications Act does not fully occupy the field of regulation.

3. Does the federal law actually conflict with state law?

Third, does the federal law actually conflict with state law? Courts have generally found actual conflicts if: (a) “compliance with both federal and state regulations is a physical impossibility” (Florida Lime & Avocado Growers, Inc., v. Paul, 373 U.S. 132, 142–143 (1963)) or (b) the state law is an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress” (Hines v. Davidowitz, 312 U.S. 52, 67 (1941)). Specifically, let’s look at Sections 8(a)(i) and 8(a)(ii) of the November 2013 draft of the Uniform Law Commission’s Fiduciary Access to Digital Assets (FADA) model act to see if either of these provisions would actually conflict with the Stored Communications Act.

Section 8(a)(i) of the FADA model act says that, “A fiduciary with authority over digital assets or electronic communications of an account holder…has the same authority as the account holder.” Section 8(a)(ii) of the FADA model act says that, “A fiduciary with authority over digital assets or electronic communications of an account holder…has the lawful consent of the account holder.”

While § 2702(b)(3) of the Stored Communications Act says that a user can provide “lawful consent” for the provider to divulge the contents of an electronic communication or file and § 2707 of the Act says that a user can bring a civil action for violations of the Act, the Act is silent regarding who can enforce the user’s rights while the user is incapacitated or after the user dies. The Act does not expressly authorize or expressly prohibit a duly-authorized fiduciary to act on behalf of a user.

3.a. Is compliance with both federal and state regulations a genuine or physical impossibility?

So, does the difference between the Stored Communications Act and the FADA model act rise to the level of “impossibility” and result in federal law actually conflicting with state law? I believe the court would conclude that the answer is “no.” In Thoughts on Preemption in the Wake of the Levine Decision, by Erika Fisher Lietzan and Sarah E. Pitlyk, regarding the “impossibility” analysis, the authors state “It is not enough that state law prohibits something that federal law permits, or vice versa. In each of these scenarios, a party could still comply with both laws by refraining from the conduct in question. In order for a court to find that it is genuinely impossible to comply with both state and federal law, one body of law must require something that the other prohibits. (footnotes omitted)” 13 J. Health Care L. & Pol’y 225, 227 (2010). For example, the article cites the case of Mich. Canners & Freezers Assn’ v. Agric. Mktg. & Bargaining Bd., 467 U.S. 461 (1984), which noted that a Michigan state law in question empowered people to do precisely what the federal law forbid them to do. But, the court noted that, “Because the Michigan Act is cast in permissive rather than mandatory terms…this is not a case in which it is impossible for an individual to comply with both state and federal law.” Id. at 477–478.

With respect to online accounts, there is no genuine or physical impossibility between the Stored Communications Act and the FADA model act. The FADA model act does not compel service providers to disclose the contents of the electronic communications and files protected under the Stored Communications Act. Disclosure is still voluntary for the service provider under the Stored Communications Act. In other words, a service provider that is skeptical of the effect of the FADA model act’s statement that a duly-appointed fiduciary has the “lawful consent” of the account holder could choose not to disclose the contents of the account holder’s electronic communications and files, if the service provider concludes that disclosure of the contents is prohibited under § 2702 of the Act (on the other hand, a written authorization signed by the account holder personally that signifies “lawful consent” should satisfy the service providers). Even though Section 9(a) of the FADA model act says that “the custodian must comply with the request” made by the fiduciary of an account holder for access to digital assets or electronic communications of the account holder, Section 4(a)(3) (regarding the personal representative of a deceased account holder) and Section 5(c)(3) (regarding the conservator of a protected person) both limit the fiduciary authority over contents of electronic communications “to the extent consistent with 18 U.S.C. Section 2702(b).” The other two fiduciaries, agents acting under a power of attorney in Section 6 of the FADA model act and trustees of a trust under Section 7 of the FADA model act, both must have an explicit delegation of authority from the account holder over the account holder’s digital property in the governing instrument, which would equate to the “lawful consent” of the account holder needed by the service provider to disclose the account contents under § 2702(b)(3) of the Stored Communications Act. So, the “to the extent consistent with 18 U.S.C. Section 2702(b)” limitations of Sections 4(a)(3) and 5(c)(3) allow a service provider that is skeptical of the effect of the FADA model act’s statement that a duly-appointed personal representative or conservator has the “lawful consent” of the account holder to choose not to disclose the contents of the account holder’s electronic communications and files, if the service provider concludes that disclosure of the contents is prohibited under § 2702 of the Act. However, service providers also could conclude, based on the FADA model act or other existing or future state fiduciary laws (whether those state fiduciary laws mention online accounts specifically or not), that the duly-appointed fiduciary is the alter ego of the account holder and stands in the shoes of the account holder for purposes of the Stored Communications Act, and the service provider could choose to disclose the account contents to that fiduciary. Support for this position comes from a statement made by the court in In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, No. C 12–80171 LHK (N.D.Cal. Sept. 20, 2012), “Of course, nothing prevents Facebook from concluding on its own that Applicants [the duly-appointed fiduciary acting on behalf of Sahar Daftary's estate] have standing to consent on Sahar’s behalf and providing the requested materials voluntarily.” Because disclosure is voluntary, complying with both the Stored Communications Act and the FADA model act is not a genuine or physical impossibility for service providers. It’s also important to note that the quotation above comes from an order of the U.S. District Court, Northern District of California, because the Terms of Service contracts for Facebook, Apple, Google, LinkedIn, Twitter, WordPress, Yahoo!, YouTube, and other service providers state that any disputes with those companies must be resolved in a court in the same jurisdiction.

3.b. Is the state law is an obstacle to the accomplishment and execution of the full purposes and objectives of Congress?

That leaves the question of whether the state law is an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and I believe the court would conclude that the answer is “no.” Fiduciaries play an important and necessary role in the U.S. legal system for our personal and business lives, especially when dealing with an incapacitated or deceased person’s valuable or significant property, including digital property. A duly-appointed fiduciary acts as a person’s alter ego, standing in the shoes of the person. The person’s online account contents and other digital property are directly relevant to the fiduciary’s duties when acting on behalf of the incapacitated or deceased person’s estate and property, and the FADA model act is carefully tailored and limited to provide duly-appointed fiduciaries the authority and powers needed to act on behalf of a user’s online accounts and digital property within the scope of the fiduciary relationship. I would think differently about a state law that attempted to say the person’s spouse or other family members were granted access to an incapacitated or deceased person’s online accounts and digital property, without the accompanying fiduciary duties and limitation in scope so that it’s relevant to that person’s involvement.

It’s important that someone is able to collect and administer the person’s digital property and enforce the person’s rights in that digital property, including privacy rights under the Stored Communications Act, and the person’s duly-appointed fiduciary is the appropriate agent to do this under U.S. laws. Who else would have authority to bring a civil cause of action under § 2707 of the Stored Communications Act for an incapacitated or deceased user other than the user’s duly-appointed fiduciary? So, I don’t see how these two sections of the FADA model act would be an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress” under the Stored Communications Act.

Based on my reading of the cases and analysis described above, I don’t think that a court would conclude the federal Stored Communications Act would actually conflict with the FADA model act or similar state fiduciary laws.

Other Reading

As I was reading through the cases on federal preemption and supremacy, I found the paper Congress’s Power to Preempt the States written by Professor Stephen Gardbaum in 2005 (and his 1994 paper The Nature of Preemption) to be a helpful resource for thinking through how a court today may (or should) think through these issues. In his paper, Professor Gardbaum proposes a new and simplified framework to analyze issues of federal supremacy and preemption. He asserts that Congress can preempt state law, but it must do so expressly in the federal law. He also asserts that, if there is no express preemption of state law by Congress in a federal law, the federal law will only supersede state law if there’s an actual conflict between them, as a result of the Supremacy Clause.

Conclusion

The bottom line is I believe that a court would conclude that state fiduciary laws, in general, and the relevant provisions of the November 2013 draft of the Fiduciary Access to Digital Assets model act, in particular, are not in conflict with and are not preempted by the federal Stored Communications Act. Ultimately, however, it will be up to the applicable courts to decide these issues.

Until that happens, hopefully a balance can be achieved for fiduciaries to receive the online account contents needed to carry out their fiduciary duties to an incapacitated or deceased person and for service providers to receive the assurances they need to respect a user’s privacy rights and to avoid potential civil damages for improper disclosures. Of course, I still prefer planning ahead for passwords, online accounts, and digital property, including having a written authorization signed by the account holder personally to signify “lawful consent,” rather than relying on the effect of state laws.

Finally, as with anything else in my blog, the views expressed are my personal views alone and do not necessarily represent the views of my law firm.

Posted in E-mail, General, Social Networking Accounts | Tagged , , , , , , , , , , | Comments Off

Jim Lamm Quoted in Morningstar on Digital Estate Planning

On October 3, 2013, I was quoted on Morningstar in the article “Do You Have a Plan for Your Digital ‘Estate’?” by Christine Benz.

The article is an excellent introduction to estate planning for online accounts and other digital property, including the problems fiduciaries and family members face with: (1) passwords; (2) encrypted data; (3) federal and state criminal laws regarding unauthorized access to computer systems (especially the Computer Fraud and Abuse Act); and (4) data privacy laws (especially the Stored Communications Act).

The article also outlines four practical steps to take to incorporate digital property into your estate plan.

Posted in General | Tagged , , , , , , , | Comments Off

August 2013 List of State Laws and Proposals Regarding Fiduciary Access to Digital Property During Incapacity or After Death

When a person becomes incapacitated or after a person dies, there are significant challenges that fiduciaries and family members face when dealing with that person’s smartphones, computers, electronically stored information, online accounts, Internet domain names, and other digital property. The first challenges are finding the person’s digital property and identifying which digital property is valuable or significant. Then, fiduciaries have several additional, significant digital property obstacles to overcome, including: (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

As of the date of this posting, I am aware of seven states that currently have enacted specific laws to help fiduciaries deal with some fiduciary access to online accounts, although I believe that several of these laws are too limited in scope:

  1. Connecticut Statutes § 45a–334a gives the personal representative of a deceased person’s estate the powers to access or copy the contents of the person’s e–mail accounts (see also Proposed Bill 5227 introduced January 11, 2013, status).
  2. Idaho Statutes § 15–3–715(28) gives the personal representative of a deceased person’s estate the powers “to take control of, conduct, continue, or terminate” a deceased person’s e–mail account, social networking account, microblogging account, or short messaging service Web site, and Idaho Statutes § 15–5–424(3)(z) also grants similar powers to a person’s conservator.
  3. Indiana Code § 29–1–13–1.1 allows the personal representative to access or copy any of the decedent’s documents or information stored electronically by a “custodian,” and it requires the custodian to retain a deceased person’s electronic information for two years after receiving a request for access or copies.
  4. Nevada Revised Statutes chapter 143 has a new section taking effect October 1, 2013, (see Nevada Senate Bill number 131) that gives the personal representative of a deceased person’s estate the power to direct the termination of any online account or similar electronic or digital asset of the decedent, but it does not address powers to access these accounts or copy the contents.
  5. Oklahoma Statutes § 58–269 gives the personal representative of a deceased person’s estate the powers “to take control of, conduct, continue, or terminate” a deceased person’s e–mail account, social networking account, microblogging account, or short messaging service Web site.
  6. Rhode Island General Laws Chapter 33–27 gives the personal representative of a deceased person’s estate the powers to access or copy the contents of the person’s e–mail accounts.
  7. Virginia Code § 64.2–110 gives the personal representative of a deceased minor’s estate (but not a deceased adult’s estate!) the power to assume the minor’s Terms of Service agreement for an online account “for purposes of consenting to and obtaining the disclosure of the contents of the minor’s communications and subscriber records pursuant to 18 U.S.C. § 2702.”

The Uniform Law Commission appointed a Drafting Committee on Fiduciary Access to Digital Assets to prepare a model act on this topic, and they have a working draft that is expected to be finalized in 2014. As of the date of this posting, I am aware that the following other states have already introduced or are considering introducing new legislation to address fiduciary access to digital property, although I believe that several of these proposals are too limited in scope:

  1. California.
  2. Colorado.
  3. Florida.
  4. Maine: Legislative Document 850, passed May 21, 2013, appointed a commission to study the legal impediments to the disposition of digital assets upon an individual’s death or incapacity and develop legislative recommendations based on the study by December 1, 2013.
  5. Maryland: Senate Bill 29 introduced January 9, 2013, status (note: this bill received an “unfavorable” report by the Senate Judicial Proceedings Committee on February 14, 2013).
  6. Massachusetts: Senate Bill 702 (House Bill 1314), introduced January 22, 2013, status (see also Senate Bill 754, introduced January 24, 2011, Senate Bill 2205 introduced April 5, 2012, and Senate Bill 2313 introduced June 21, 2012).
  7. Michigan: House Bill 5929 introduced September 20, 2012, status, and Senate Bill 293 introduced April 10, 2013, status.
  8. Missouri.
  9. Nebraska: Legislative Bill 783 introduced January 5, 2012, status (note: this bill was indefinitely postponed as of April 18, 2013).
  10. New Hampshire: House Bill 116 introduced January 3, 2013, status.
  11. New Jersey: Assembly Bill 2943 introduced May 14, 2012, status.
  12. New York: Bill A823–2013 introduced January 9, 2013, status; Bill A6034–2013 introduced March 13, 2013, status; and Bill A6729–2013 introduced April 17, 2013, status (thank you to Damien McCallig for notifying me about Bill A6034–2013).
  13. North Carolina Senate Bill 279 introduced March 12, 2013, status (note: the digital asset provisions contained in the first two versions of this bill were removed before this bill was signed into law June 12, 2013).
  14. North Dakota: House Bill 1455 introduced January 21, 2013, status (note: this bill did not pass the vote taken in April 2013).
  15. Ohio.
  16. Oregon Senate Bill 54 introduced January 14, 2013, status.
  17. Pennsylvania: House Bill 2580 introduced August 23, 2012, status.
  18. Virginia: Senate Bill 914 introduced January 7, 2013, status.

If you are aware of any other state (or state bar association) that is considering this type of legislation, please contact me so that I can add it to the list.

Posted in General | Tagged , , , , , , | Comments Off

Tips From Security Experts on Choosing and Storing Passwords

One of the most frequently asked questions I hear when I talk about estate planning for digital property is, “How should I choose and store secure passwords for my accounts?” There’s a great July 10, 2013, article by Dan Goodin on Ars Technica asking this question to five computer security experts, including security technologist, cryptographer, and author Bruce Schneier (his blog and his books are excellent). The article has some helpful password tips, and it’s interesting to see the differences in how the security experts store their passwords!

I’ve written about choosing and storing secure passwords before. As I’ve mentioned, Microsoft generally recommends using a different strong password for each account, and choose strong passwords that are at least fourteen characters long, using a mix of uppercase letters, lowercase letters, numbers, and symbols.

When it comes to storing your passwords and keeping them up-to-date, my general recommendation is to choose a system that you’ll actually use. A written list may work well for you because it’s easy to create. A written list is much better than doing nothing, but a written list may be insecure and less convenient to update and to keep with you all the time. An electronic list can be much more secure (encrypted) than a written list, and a wide variety of easy-to-use tools are available to help you create and manage your electronic password list. Look for electronic password list software or an electronic password list Website that is easy-to-update, convenient, and secure (encrypted).

Some of the popular software tools that you can install on your computer or smartphone include Dashlane, LastPass, 1Password, KeePass, RoboForm, and Keeper. Several of these software tools are mentioned and used by the five security experts interviewed in the Ars Technica article above. Make sure that you write down instructions for your fiduciaries so they can find and access your electronic password list if you are incapacitated or deceased (store the written instructions in a secure location like a safe deposit box, home safe, etc.).

Some of the popular Web-based electronic password list services (accessed through a Web browser) offer a mechanism for authorized fiduciaries or family members to access your electronic password list if you are incapacitated or deceased. You tell the company in advance which key people can unlock this information at the appropriate time, and, after being contacted by that fiduciary or family member, the company will grant access after a verification procedure. Some of these services also can store scans of your important legal documents, including financial powers of attorney, health care directives, wills, trusts, deeds, and insurance policies. Some of the popular Web-based electronic password list services include AfterSteps, AssetLock, Assets In Order, Deathswitch, EstateMap, Estate++, E-Z-Safe, LegacyLocker, SecureSafe, and World Without Me. Check out their Web sites for more information on the services and features that they offer.

Posted in General | Tagged , , , , , , , , , | Comments Off

Video Clip: What Happens to E-mail, Facebook, and iTunes After You Die?

Minnesota’s KSTP-TV Eyewitness News ran a five-minute video story on May 2, 2013, by Tom Hauser on what happens to your Apple iTunes purchases, e-mail accounts, Facebook account, and other online accounts after you die. I had the pleasure of being interviewed for the story, and Mark Lanterman, CEO and CTO of Computer Forensic Services, was also interviewed. You can read the text story and watch the video story at the following link: http://kstp.com/news/stories/S3020243.shtml

I was also interviewed for an April 30, 2013, story on WNYC public radio by Stan Alcorn. You can read the text of the story and listen to the audio recording at the following link: http://www.wnyc.org/shows/newtechcity/blogs/new-tech-city-blog/2013/apr/30/three-barriers-make-it-hard-pass-digital-accounts-after-death/

Technology is changing the way we interact with people and transact business. We are accumulating valuable and important electronic data in our smartphones, computers, and online accounts. We need to plan ahead for our data and online accounts so that our fiduciaries and family members can receive that data after we become incapacitated and after we die.

First, you should make a list of any valuable or important data, online accounts, and digital property. This could be a written list or an electronic list stored in your smartphone, in your computer, or in an online account. Make sure to include where each account or digital property item is, how you access it, and why it’s valuable or important to you. And, make sure to keep the list up-to-date!

Second, you should contact your estate planning attorney to include your digital property in your estate plan. Make sure your estate plan appoints a fiduciary to act on your behalf with respect to your digital property (as well as for all your other property) during incapacity and after death. This may include preparing a durable power of attorney, a will, and a revocable living trust, if appropriate for your situation—please contact your estate planning attorney for tax and legal advice about your specific facts and circumstances. And, make sure your estate plan authorizes the companies that hold your electronic data to release that data to your fiduciaries during your incapacity and after your death.

Planning ahead for your digital property is essential to arrange for full access to your data, to keep estate administration costs down, to provide for a smooth estate administration, and to ensure that none of your valuable or important digital property is overlooked. If you haven’t planned ahead, a computer forensics expert may be able to recover and access data from your smartphone or your computer. But, it may be practically impossible to retrieve the data from your online accounts if you haven’t planned ahead!

Contact your estate planning attorney today to include your digital property in your estate plan!

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , , , , | Comments Off

Google Users Can Now Plan Ahead for Incapacity and Death for their Google Data

If you use Google’s Gmail service or one of its other popular services, Google has new user account settings that are helpful for digital estate planning purposes. With these settings, you can direct Google to send your Gmail messages and your other Google data to a trusted person after your Google account “times out” due to inactivity. You can also set how many months (3, 6, 9, or 12) before your Google account “times out,” and Google will send you a warning before that happens.

In other words, you could set it up so that, if you haven’t logged in to your Google account within the last three months (e.g., due to incapacity or death), then Google should send your Google Gmail (e–mail) messages, your documents stored on Google Drive, and your data from other selected Google services to your spouse, to one or more of your children, or to someone else. You can select up to 10 people to receive a notification that your account is closed and, if you choose you can also send one or more of those people Google account data that you select (e.g., you can send your Google Gmail messages to one person and your Google Drive documents to someone else). You designate these people with an e–mail address and, if you choose to send them your data, with a mobile phone number also. One challenge with this is that the person you designate to receive your data may not be able to receive your data because they changed e–mail accounts, because they changed phone numbers, because they are incapacitated, or because they are deceased. So, consider naming more than one person to receive your Gmail messages and other Google data, and keep those e–mail accounts and phone numbers up–to–date. Also make sure to update your designated recipients if you get divorced or if a designated person dies.

Although these new Google account settings allow you to give your Gmail messages and other Google data to someone else during incapacity or after death, these settings do not transfer “the account itself”—just the data in the account. Google’s current policy is not to transfer one user’s account to another user.

Another option that these new Google account settings allow is to delete your Google account and your Google data after your account “times out.” Unfortunately, it’s an all–or–nothing setting (e.g., you can’t specify to delete your Google Gmail messages but preserve your Google Drive documents).

These new settings are called the “Inactive Account Manager,” which is under the Account Management heading [December 2013 update: Google recently moved the Inactive Account Manager settings under the Data Tools heading] of your Account section of your Google account settings. Note that this is not in your Gmail settings—instead, you need to navigate to your Google account page, which has this Web address: https://www.google.com/settings/account [December 2013 update: you can now use this Web address to go directly to Google's Data Tools settings: https://www.google.com/settings/datatools]. For more information about these new settings, read Google’s Public Policy Blog posting from April 11, 2013.

Hopefully, other online account providers like Apple, Facebook, Microsoft, Yahoo!, and others will offer similar account settings so that users can plan ahead for what happens to their e–mail accounts and other online account data during incapacity and after death. As I’ve mentioned before, it’s important to integrate digital property into your estate plan. You should plan ahead for incapacity and death with respect to your online accounts and other digital property: (1) to arrange for full access to your electronically stored information; (2) to keep costs down; (3) to provide for a smooth administration; and (4) to ensure no valuable or significant online accounts or other digital property are overlooked by your fiduciaries and family members.

Posted in E-mail | Tagged , , , , , , , , , , | Comments Off