Minnesota Joins Other States Enacting the Revised Uniform Fiduciary Access to Digital Assets Act

On May 22, 2016, Minnesota’s Governor signed a bill enacting the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA). The new law takes effect August 1, 2016, and will be found in Minnesota Statutes Chapter 521A. The new law creates a clear procedure to enable access to or disclosure of online accounts and digital assets to a person’s fiduciaries. A person’s fiduciaries may include an agent under a power of attorney, a court-appointed conservator of a living person, a trustee of a trust, or a court-appointed personal representative of a deceased person’s estate.

At latest count (updated July 14, 2016), including Minnesota, 18 states have enacted RUFADAA into law, and 13 other states have introduced RUFADAA in their legislatures. My understanding is that many other introductions of RUFADAA are planned within the next year. An up-to-date list of RUFADAA introductions and enactments in state legislatures can be found on the Uniform Law Commission Web site. A good summary of RUFADAA is also available on the ULC Web site.

Even with the new enactment of RUFADAA in Minnesota and other states, it is important for individuals to plan ahead for access to or disclosure of their online accounts and digital assets during incapacity or after death. The federal Stored Communications Act (18 U.S.C. § 2702) creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain providers of electronic communication services or remote computing services. If the privacy protections of the Stored Communications Act apply, an online account service provider is prohibited from disclosing the contents of certain electronic communications and files unless an exception under § 2702(b) of the Act is met. Under § 2702(b)(3) of the Act, with the “lawful consent” of the user, an online account service provider may disclose the contents of the user’s electronic communications and files that are protected by the Act. RUFADAA provides a clear state law procedure for fiduciaries to follow to request access to or disclosure of online account contents and other digital assets.

So, a user’s “lawful consent” for disclosure of digital assets should be included in an individual’s estate plan, such as an individual’s financial power of attorney document for use while the individual is living, the individual’s will for use after the individual is deceased, and, if applicable, the individual’s revocable living trust (or irrevocable trust) for use if any digital assets are held in the trust. Under Section 4(b) of RUFADAA, it is also possible to sign a stand-alone document (what RUFADAA calls a “record”) to allow or prohibit disclosure to a fiduciary of some or all of an individual’s digital assets, including the content of electronic communications sent or received by the individual.

A document evidencing a user’s “lawful consent” for disclosure of digital assets is important to coordinate with the full fiduciary access and disclosure procedures under RUFADAA. In addition, there are other important digital asset issues that should be addressed as part of a comprehensive estate plan that an estate planning attorney can help plan and implement. For example, how should digital assets be distributed at death? Should family photos and videos be copied for each of the individual’s children? Should some beneficiaries be prohibited from receiving some of the digital assets? Should some of the digital assets be deleted on the individual’s death?

Because so many aspects of our personal and business lives have moved into the digital world, it’s important for an individual considering disclosure of and distribution of digital assets to seek legal advice from an attorney licensed to practice in the individual’s state as part of a comprehensive estate plan.

Posted in General | Tagged , , , , , , , , | Comments Off on Minnesota Joins Other States Enacting the Revised Uniform Fiduciary Access to Digital Assets Act

Widow Told by Apple to Get Court Order So She Can Continue to Play a Card Game on the Couple’s iPad After Her Husband’s Death

Peggy Bush, a 72-year old Canadian woman whose husband died in August, was told by Apple that she needed to obtain a court order so that she could continue playing a card game app on the couple’s iPad device. The couple owned the iPad and used one Apple ID to purchase apps, including the card game app that Peggy enjoyed playing. She knew the password to access the iPad itself, but she didn’t know the password her husband used for the Apple ID associated with the iPad.

When the family contacted Apple to reset the Apple ID password, Apple told them a court order was required. However, it can be costly and time-consuming to obtain a court order. On the positive side, at least Apple will permit the family to reset the Apple ID password with a court order—some online service providers refuse to reset or reveal a user’s password after the user has died.

An excellent news report by Rosa Marchitelli of CBC News describes the family’s struggle with Apple’s customer service. Peggy’s daughter was quoted in the article saying, “What do you mean a court order? I said that was ridiculous, because we’ve been able to transfer the title to the house, we’ve been able to transfer the car, all these things, just using a notarized death certificate and the will.” Peggy was quoted in the news report as saying, “I could get the pensions, I could get the benefits, I could get all kinds of things from the federal government … [b]ut from Apple, I couldn’t even get a silly password. It’s nonsense.”

When CBC News contacted Apple to ask about its official policy for users seeking to reset Apple ID passwords or to obtain data of family members who have passed away, Apple told them it would not comment.

This is an excellent reminder of why it’s important to plan ahead for access to your digital property—passwords, online accounts, and electronically-stored information—in your estate plan. By planning ahead, you can arrange for full access to your digital property, keep administration costs down, and ensure that no valuable or significant digital property is overlooked.

Compared with traditional types of property, digital property may have four additional, significant obstacles for fiduciaries and family members to overcome: (1) passwords, (2) data encryption, (3) criminal laws regarding unauthorized access to computers, and (4) data privacy laws. These obstacles can make it practically impossible for fiduciaries and family members to access your digital property if you don’t plan ahead.

How should you plan ahead? First, make a list of your important passwords, online accounts, and digital property, and specify what should be done with each item on your list if you become incapacitated or after you die. Keep your list up to date, store it in a secure location, and let your fiduciaries and family members know how to access it. A “My Digital Audit” form to use for your list can be downloaded here: http://www.digitalpassing.com/digital-audit/

Second, if you store valuable or significant digital property in the cloud, back up your data to a local computer or local storage device on a regular basis. Fiduciaries and family members can access the local computer or local storage device without the obstacles that may prevent them from accessing your data stored in online accounts.

Third, work with an estate planning attorney to update your will, power of attorney, and revocable living trust to address digital property. Your estate planning documents should: (1) specify your wishes about the distribution of or deletion of your digital property; (2) provide your consent to divulge the contents of your electronic communications to your fiduciaries; (3) authorize your fiduciaries to access your computing devices, storage devices, accounts, and data; and (4) permit your fiduciaries to bypass, reset, or recover your passwords on your computing devices and to decrypt your encrypted data, if desired. But, don’t list your passwords in your will, power of attorney, or revocable living trust documents—that isn’t secure. Instead, store your passwords securely, and let your fiduciaries and family members know how to access them.

Posted in General | Tagged , , , , , , , , | Comments Off on Widow Told by Apple to Get Court Order So She Can Continue to Play a Card Game on the Couple’s iPad After Her Husband’s Death

Income Taxes, Identity Theft, and Identity Fraud

According to the Bureau of Justice Statistics, about 17.6 million individuals in the U.S. were victims of identity theft in 2014. When a data breach occurs at a company, the company may offer to provide identity protection services to its customers, employees, or other affected individuals. Is the value of those identity protection services taxable income?

In Announcement 2015-22, the IRS concluded that, for an individual whose personal information may have been compromised, the IRS will not treat the value of identity protection services as gross income to that individual when provided by a company that experienced a data breach. Similarly, for an employee whose personal information may have been compromised in a data breach of the employer, of an agent of the employer, or of a service provider of the employer, the IRS will not treat the value of identity protection services as gross income to that employee when provided by the employer. Identity protection services include credit reporting and monitoring services, identity theft insurance policies, identity restoration services, or other similar services.

In Announcement 2016-2, the IRS extended these conclusions to identity protection services provided before a data breach occurs. So, for an individual who provides personal information (e.g., the individual’s name, social security number, bank account number, or credit card number) to a company, the IRS will not treat the value of identity protection services as gross income to that individual when provided by that company before a data breach occurs. Similarly, for an employee, the IRS will not treat the value of identity protection services as gross income to that employee when provided by the employer before a data breach occurs.

As we begin the 2016 income tax filing season, it’s also important for taxpayers and tax preparers to take extra precautions regarding identity theft, tax refund fraud, and tax-related scam emails. The IRS has issued Publication 4524 on Security Awareness for Taxpayers and Publication 4557 on Safeguarding Taxpayer Data. The IRS reports that since 2013, there were 3,331 identity theft investigations initiated by the IRS Criminal Investigation division resulting in 1,976 convictions. For fiscal year 2015, their incarceration rate is 84.6% with an average of 38 months to serve. The IRS also has released as series of security awareness tax tips. Finally, certain eligible taxpayers can apply for an Identity Protection PIN from the IRS to prevent someone else from filing a tax return with the taxpayer’s social security number.

If you are concerned about identity theft or identity fraud, consider placing a security freeze on your credit file at the three major credit bureaus: Equifax, Experian, and TransUnion. For more information about this, read the recent report from the U.S. Public Interest Research Group “Why You Should Get Security Freezes Before Your Information is Stolen—Tips to Protect Yourself Against Identity Theft & Financial Fraud.” According to the report, a security freeze is the only reliable way to prevent someone from opening new financial accounts in your name.

Posted in General | Tagged , , , , , | Comments Off on Income Taxes, Identity Theft, and Identity Fraud

October is National Cyber Security Awareness Month

October has been designated as National Cyber Security Awareness Month. Here are a few resources from the federal government on how to stay safe online:

  1. Department of Homeland Security’s Mobile Security Tip Card
  2. Department of Homeland Security’s Social Media Guide
  3. Department of Homeland Security’s Internet of Things Tip Guide
  4. National Cyber Security Alliance’s information on Malware & Botnets
  5. National Cyber Security Alliance’s information on Spam & Phishing
  6. National Cyber Security Alliance’s information on Hacked Accounts
  7. National Cyber Security Alliance’s information on Securing Your Home Network
  8. National Cyber Security Alliance’s information on Identity Theft, Fraud & Victims of Cybercrime
  9. National Cyber Security Alliance’s information on Passwords & Securing Your Accounts
  10. National Cyber Security Alliance’s information on Online Shopping
  11. National Cyber Security Alliance’s information on Backing Up Important Files
  12. National Cyber Security Alliance’s information on Internet Safety & Security Tips for Parents

More cyber security news and articles are available on StaySafeOnline.org’s blog.

Posted in General | Tagged , , , , , | Comments Off on October is National Cyber Security Awareness Month

Revised Uniform Fiduciary Access to Digital Assets Act

On September 28, 2015, the Uniform Law Commission released the final text of the Revised Uniform Fiduciary Access to Digital Assets Act (revised UFADAA). The original UFADAA was released in 2014.

For background on why the original UFADAA was revised, read the ULC’s document explaining the proposed changes to the original UFADAA. They also prepared a helpful chart comparing the original UFADAA, the revised UFADAA, and the Privacy Expectations Afterlife and Choices Act (PEAC Act). The PEAC Act was prepared by a coalition of Internet service providers and their lobbyists, and a version of it was enacted in Virginia. The revised UFADAA addresses and resolves concerns raised by some Internet service providers and some privacy advocates who initially opposed enactment of the original UFADAA.

The ULC Web site has a document explaining why your state should adopt the revised UFADAA, and more information about the enactment status of the revised UFADAA will be posted on the ULC Web site as it becomes available

Posted in General | Tagged , , , , , | Comments Off on Revised Uniform Fiduciary Access to Digital Assets Act

Remembering Gene Hennig

My friend and colleague, Gene Hennig, passed away on August 25, 2015. I had the privilege of working with Gene at two different law firms over the past 18 years.

Gene was a business law attorney at the Gray Plant Mooty law firm and was one of Minnesota’s commissioners to Uniform Law Commission. In 2009, I started writing and speaking about an emerging area of law—estate planning for passwords, online accounts, and digital property. Gene thought that the current state laws didn’t adequately deal with these emerging issues, so Gene thought this would be a great topic for a new uniform state law. We co-authored and submitted a proposal to the Uniform Law Commission on May 31, 2011, for a uniform law on fiduciary powers and authority to access online accounts and digital property during incapacity and after death.

With Gene’s encouragement, the Uniform Law Commission appointed a Study Committee in January 2012 to consider this topic. Gene and I were both involved in that process, and the Study Committee presented its final report at the July 2012 Uniform Law Commission annual meeting. On July 17, 2012, the Uniform Law Commission appointed a Drafting Committee to prepare a uniform law on fiduciary access to digital assets, and Gene and I participated in that process together. The first reading of the Uniform Fiduciary Access to Digital Access Act (UFADAA) was at the July 2013 Uniform Law Commission annual meeting.

Gene was diagnosed with a brain tumor in November of 2013, but he continued to stay actively involved in the drafting of UFADAA. On July 16, 2014, the Uniform Law Commission approved the final version of UFADAA at their annual meeting. Gene continued to be actively involved in encouraging enactment of UFADAA. On January 20, 2015, Gene and I testified together at the Civil Law and Data Practices Committee of the Minnesota House of Representatives to explain why UFADAA is needed in Minnesota. Our local Minnesota Channel 5 Eyewitness News ran a TV segment about it. At last count, 27 states had introduced legislation based on UFADAA.

The Uniform Law Commission approved a revised version of UFADAA at their July 2015 meeting, and the final text of the revised UFADAA is expected by October 2015. The draft version of the revised UFADAA and a discussion of the changes made by the revised UFADAA are available on the Uniform Law Commission Web site.

Gene lived a full and amazing life as a lawyer, a law professor at both William Mitchell College of Law and the University of St. Thomas School of Law, a Uniform Law Commissioner, a volunteer, a family man, a world traveler (vising more than 60 countries!), and much more. You can read more about Gene’s life at the following Web sites:

Posted in General | Tagged , , , , , , , , , | Comments Off on Remembering Gene Hennig

Theft of Virtual Currency and Virtual Property

There can be significant financial value in digital property, and thieves have started to take notice. Below are a few recent news stories about stolen virtual currency and stolen virtual property.

In June 2015, armed robbers stole $1,100 worth of the popular virtual currency Bitcoin from a New York man. The man had advertised bitcoins for sale on Craigslist, and a potential buyer forced the man at gunpoint to transfer his bitcoins. This follows two other recent armed robberies in New York targeting bitcoins. In one of those robberies, a man was stabbed in an attempt to take his bitcoins. In the other robbery, $8,500 worth of bitcoins were taken at gunpoint. Because Bitcoin is anonymous—no name or Social Security number is connected to a Bitcoin address—it makes it more difficult for law enforcement to find the robbers.

In January 2015, Bitstamp—an online marketplace for buying and selling bitcoins—was compromised, and it appears that about $5.1 million of bitcoins were stolen. The compromise affected the company’s bitcoin reserves, but the bitcoins of their customers were not affected.

Also, a May 20, 2015, article by Kashmir Hill describes the theft of in-game virtual currency and virtual property from players of the online video game Diablo III. In 2012, thieves used a remote access tool to gain control of twenty to thirty computers used by other video game players, which allowed them to take the in-game virtual currency and property of those players. FBI agents tracked down the thieves, seized their computers, and arrested them on felony charges. The prosecutors alleged that the thieves sold the stolen in-game virtual currency and virtual property for over $8,000. In 2014, the thieves plead guilty to misdemeanor charges.

Posted in Video Games & Virtual Worlds, Virtual Currency | Tagged , , , , | Comments Off on Theft of Virtual Currency and Virtual Property

Can’t Remember Your Password? There’s a Pill for That!

A recent presentation by Jonathan LeBlanc, PayPal’s Global Head of Developer Advocacy, argues that passwords are insecure and need to be replaced. One replacement he suggested is a pill that you swallow containing a microchip. Then, your computer or smartphone would connect to that microchip to authenticate you instead of typing in a password.

The idea of replacing passwords with something you ingest every few days or something you permanently implant in your body isn’t new. Regina Dugan from Motorola made a similar presentation in 2013, describing vitamin authentication pills and electronic tattoos that could replace passwords. Other authentication devices might check your heart’s unique electrical activity or recognize the unique pattern of the veins in your body.

At this point, the “password pills” that these presentations describe aren’t available to buy. It’s an interesting concept for the future that companies are considering. On one hand, swallowing a password pill every day or every few days may be objectionable to some people. On the other hand, maybe the microchip could be combined with other vitamins or medications that a person is already taking regularly, which also could be a good reminder to be current on your medications—if you don’t take your daily vitamin password pill, you can’t check your email or do any online shopping!

Hopefully, these new biometric, embeddable, and ingestible authentication devices will not be a significant obstacle for fiduciaries and family members dealing with a user’s incapacity or death. Current biometric devices, such as the fingerprint reader on Apple iPhone and iPad devices, include a fallback authentication procedure (e.g., a password to type). Companies developing the next generation of these authentication devices should include fallback authentication procedures so that an incapacitated or deceased user’s fiduciaries can access the user’s devices and accounts.

Posted in General | Tagged , , , , , , , | Comments Off on Can’t Remember Your Password? There’s a Pill for That!

Appointing a Legacy Contact for a Facebook Account After Death

Facebook now allows you to appoint a “legacy contact” for your Facebook account after you die. Previously, after a user died, Facebook would not allow anyone else to access or modify the deceased user’s Facebook account, but the account could be closed or “memorialized.” Facebook also now allows you to set your account so that it’s permanently deleted when you die.

A Facebook account legacy contact can: (1) download a copy of what the deceased user shared on Facebook (photos, videos, wall posts, profile information, contact information, events, and the deceased user’s list of friends); (2) write a pinned post for the deceased user’s profile to share a remembrance or final message on behalf of the deceased user; (3) respond to new friend requests with the deceased user; and (4) update the deceased user’s profile picture and cover photo.

However, a Facebook account legacy contact cannot: (1) read or download the messages that the deceased user sent to friends (or photos that the deceased user automatically synced with Facebook but didn’t post); (2) remove friends of the deceased user; (3) change photos, postings, or other items shared on the decedent’s timeline; or (4) log in to the deceased user’s account. Although a legacy contact cannot read or download messages that the deceased user sent to friends, Facebook may provide a copy of the deceased user’s messages if the deceased user expressed clear consent to allow this in the decedent’s will or another legal consent document.

Instructions for how to add, change, or remove a Facebook account legacy contact are available here: https://www.facebook.com/help/1070665206293088. Note that your legacy contact must be an existing Facebook friend of yours.

After a Facebook user dies, if a legacy contact has been appointed, first the deceased user’s account should be memorialized. A family member or friend can submit the request to memorialize the decedent’s account using this form on Facebook’s Web site: https://www.facebook.com/help/contact/651319028315841. After the decedent’s account is memorialized, Facebook will notify the legacy contact. Although the legacy contact cannot log into the deceased user’s account, the legacy contact can take the actions described above by going to the deceased user’s memorialized profile and clicking the “manage” link in the bottom-right of the cover photo.

If you would prefer to permanently delete your Facebook account when you die, instructions to set that up are available here: https://www.facebook.com/help/103897939701143.

Posted in Social Networking Accounts | Tagged , , , , , , | Comments Off on Appointing a Legacy Contact for a Facebook Account After Death

Video Clip: Family Fights to Access Late Son’s Digital Data

Minnesota’s KSTP-TV Eyewitness News ran a video story on January 20, 2015, by Tom Hauser about the Anderson family who tragically lost their nineteen-year-old son, Jake. Their son’s death was ruled accidental, but the family wants answers about the events leading up to his death. They have tried unsuccessfully to obtain copies of Jake’s final emails, text messages, social networking posts, photos, and cell phone data from service providers.

The Anderson family started an online petition asking the Minnesota State Legislature to pass a law clearly authorizing fiduciary access to a deceased person’s digital data. At the time of this blog post, there were over 4,000 online signatures to that petition. If you’d like to show your support, the online petition is available here: http://www.gopetition.com/petitions/accessing-jakes-digital-data.html.

The video story includes an interview with Andersons and an excerpt of their testimony on January 20, 2015, before the Civil Law and Data Practices Committee of the Minnesota House of Representatives in support of a bill to enact the Uniform Fiduciary Access to Digital Assets Act (UFADAA) in Minnesota. My colleague Gene Hennig and I also testified at this committee meeting, a brief excerpt of which is included in the video story.

The full text of UFADAA is available on the Uniform Law Commission’s Web site, as well as a brief summary of UFADAA and a list of reasons why states should adopt UFADAA.

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , | Comments Off on Video Clip: Family Fights to Access Late Son’s Digital Data