Thoughts on the Stored Communications Act, Federal Preemption and Supremacy, and State Laws on Fiduciary Access to Digital Property

As of the date of this posting, seven states have recently passed laws and at least eighteen other states are considering new laws granting fiduciary access to an incapacitated or deceased person’s online accounts and other digital property. The Uniform Law Commission has a Drafting Committee currently working on a Fiduciary Access to Digital Assets model act. How will these state laws interact with federal law, especially the privacy protections under the Stored Communications Act? In other words, do state laws attempting to grant fiduciary access to the contents of online accounts protected by the federal Stored Communications Act have no effect (or a limited effect) because of federal preemption or supremacy?

Based on the analysis below, I believe that a court would conclude that state fiduciary laws, in general, and the relevant provisions of the November 2013 draft of the Fiduciary Access to Digital Assets model act, in particular, are not in conflict with and are not preempted by the federal Stored Communications Act.

Below, I will describe: (1) some background information on the Stored Communications Act, (2) why fiduciaries need access to the contents of online accounts; and (3) my thoughts on federal preemption and supremacy.

Background Information on the Stored Communications Act

When I refer to the Stored Communications Act, I’m referring to Title II of the Electronic Communications Privacy Act of 1986, codified as 18 U.S.C. §§ 2701 through 2712. The Act creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain providers of electronic communication services and remote computing services. These privacy protections are a significant obstacle for fiduciaries and family members seeking access to the contents of an incapacitated or deceased user’s online accounts because, if the Act applies, the online account service provider is prohibited from disclosing the account contents to them—unless an exception under § 2702(b) of the Act is met.

The Stored Communications Act does not apply to everything on the Internet. In general, the Act protects the contents of an electronic communication service or a remote computing service provided to the public. So, a private electronic communication service isn’t protected, like an employer that provides e-mail accounts only to its employees. But, the Act does protect electronic communication services and remote computing services provided to the public, so it applies to the contents of e-mail accounts like Microsoft Outlook (formerly known as Hotmail), Google Gmail, or Yahoo! Mail, and it applies to certain social networking account contents like Facebook, Google+, or MySpace, among others. Note that the Act only protects electronic communications and files that are “restricted in some fashion”—so, for social networking accounts like Facebook, the Act protects contents that are restricted so that only your “friends” can view them, even if you have hundreds or thousands of friends, but it doesn’t protect contents that everyone can see. See Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11–cv–03305 (D.N.J. Aug. 20, 2013); Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965 (C.D. Cal. 2010).

If the Stored Communications Act applies, the service provider is prohibited by § 2702(a) of the Act from voluntarily divulging the contents of the electronic communications or files unless an exception is met. If one of the exceptions applies (e.g., the “lawful consent” exception under § 2702(b)(3) of the Act), then the service provider may voluntarily disclose the contents of the electronic communications and files protected under the Act. But, you cannot compel the service provider to disclose that information, even by bringing a civil action against the service provider. See In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, No. C 12–80171 LHK (N.D.Cal. Sept. 20, 2012) (a previous posting of mine describes this case involving the estate of Sahar Daftary); compare with Ajemian v. Yahoo!, Inc., 83 Mass.App.Ct. 565 (2013) (appellate court remanded the case to the probate court for further proceedings on whether the Stored Communications Act prohibits disclosure of the contents of Yahoo! e-mail accounts to the executor of a deceased user’s estate).

What would happen if a service provider violates the Stored Communications Act? Under § 2707 of the Act, the affected online account subscriber or other person aggrieved by the violation may bring a civil action against the service provider. The affected party can sue the service provider for actual damages suffered and, if the violation is willful or intentional, the court may assess punitive damages against the service provider. If the affected party’s civil action is successful, the court may assess reasonable attorney’s fees and other litigation costs against the service provider. The minimum amount of statutory damages for violating the Stored Communications Act is $1,000. A majority of federal courts that have addressed this issue have concluded that the affected party does not need to first prove that he or she suffered actual damages before being entitled to the statutory damages of $1,000. See Shefts v. Petrakis, No. 10–cv–1104 (C.D. Ill. Mar. 14, 2013); Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 759 F.Supp.2d 417 (S.D.N.Y. 2010); Freedman v. Town of Fairfield, No. 3:03CV01048 (D. Conn. Sept. 19, 2006); In re Hawaiian Airlines, Inc., 355 B.R. 225 (D. Haw. 2006); Cedar Hill Assocs., Inc. v. Paget, No. 04 C 0557 (N.D. Ill. Dec. 9, 2005); but see Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199 (4th. Cir. 2009). Proof of actual damages is not required before being entitled to either punitive damages or attorney’s fees. Van Alstyne at 209.

Why Fiduciaries Need Access to the Contents of Online Accounts

After a person becomes incapacitated or dies, someone needs to: (1) take inventory of the person’s assets; (2) pay the person’s debts, taxes, and expenses; and (3) either preserve the person’s property during the period of incapacity or transfer the person’s property to the person’s beneficiaries after death. In general, these tasks are handled by one or more duly-appointed fiduciaries, including: (1) an attorney-in-fact acting under a power of attorney; (2) a court-appointed guardian or conservator of a living person; (3) a trustee of a trust; or (4) a court-appointed executor (also known as a personal representative) of a deceased person’s estate. In addition, some assets may pass at death according to a transfer-on-death beneficiary designation or according to a right of survivorship held by a joint owner of an asset, for example. A person’s duly-appointed fiduciary has powers, duties, and authority to act on the person’s behalf granted under a governing instrument (e.g., a last will and testament, a trust, or a power of attorney) and under state law.

For example, when a person dies owning real estate, bank accounts, brokerage accounts, online account contents, and other property, an executor is appointed by the applicable state court to act on behalf of the decedent’s probate estate. The executor is the deceased person’s alter ego, standing in the shoes of the decedent. Under § 3–711 of the Uniform Probate Code, the executor “has the same power over the title to property of the estate that an absolute owner would have, in trust however, for the benefit of the creditors and others interested in the estate. This power may be exercised without notice, hearing, or order of court.” Under § 3–703 of the Uniform Probate Code, the executor “is under a duty to settle and distribute the estate of the decedent in accordance with the terms of any probated and effective will and this code, and as expeditiously and efficiently as is consistent with the best interests of the estate.”

Fiduciaries have an obligation to gather information on valuable property for federal and state tax reporting purposes, including reporting it in any applicable income tax returns, as required by 26 U.S.C. § 6012(b) and any applicable state laws, and reporting a complete schedule of all valuable property and its fair market value in an estate tax return after death, if required by 26 U.S.C. § 6018(a) or any applicable state laws.

Traditionally, after a person became incapacitated or died, the duly-appointed fiduciaries would go to the person’s home; look through the person’s paper records; and watch the person’s U.S. mail for bills, account statements, and other important information needed for the administration process. However, many bills and account statements are now delivered by e-mail; checkbook registers, tax returns, receipts, and other important records may be kept only electronically on local storage media or in the cloud; and bill payments and other financial and business transactions might be done entirely over the Internet.

Now more than ever, fiduciaries need access to an incapacitated or deceased person’s electronically stored information, e-mail accounts, and other online accounts to fully accomplish their fiduciary duties to an incapacitated or deceased person. And, these fiduciaries often need to act quickly to meet federal and state tax filing requirements and the requirements of state courts and state fiduciary laws to promptly inventory and protect the person’s property. Acting quickly is especially important for online accounts because some service providers will close the person’s account and delete the person’s data if the account has not been accessed for several months. And, as I’ve written about previously, federal and state criminal laws on unauthorized access to computers have a significant chilling effect on fiduciaries who may want to use the person’s username and password to directly access the person’s online accounts and retrieve the account contents, because it may be a crime to do that! We need clear authority for fiduciary access to online accounts and digital property to keep administration costs down, to provide for a smooth administration, and to ensure no valuable or significant property is overlooked.

As I’ve written many times, planning ahead for incapacity and death is essential for online accounts and digital property. There are at least four significant digital property obstacles for fiduciaries if the person does not plan ahead: (1) passwords; (2) encryption; (3) criminal laws regarding unauthorized access to computer systems; and (4) data privacy laws, especially the Stored Communications Act.

Seven states have recently passed new laws and, as of the date of this posting, at least eighteen other state legislatures have been considering new laws on fiduciary access to digital property to help overcome some of these obstacles. And, the Uniform Law Commission is currently working on a Fiduciary Access to Digital Assets model act to provide a clear, consistent, and comprehensive law that states can adopt in the future to help overcome some of these obstacles—I think this consistency would be especially helpful to service providers.

My Thoughts on Federal Preemption and Supremacy

All of the background information above leads us to the question posed at the beginning of this posting (finally!). Do state laws attempting to grant fiduciary access to the contents of online accounts protected by the federal Stored Communications Act have no effect (or a limited effect) because of federal preemption or supremacy?

As of the date of this posting, I’m not aware of any court answering this question with respect to any of the seven existing state laws on fiduciary access to digital property or with respect to any of the general state fiduciary laws involving a power of attorney, guardianship, conservatorship, trust, or executor of a decedent’s probate estate. So, what follows are my initial thoughts about how a court might approach this question.

Let’s begin with Cipollone v. Liggett Group, Inc., 505 U.S. 504 (1992), in which the U.S. Supreme Court said that, “Consideration of issues arising under the Supremacy Clause ‘start[s] with the assumption that the historic police powers of the States [are] not to be superseded by…Federal Act unless that [is] the clear and manifest purpose of Congress.'” Id. at 516 (quoting Rice v. Santa Fe Elevator Corp., 331 U.S. 218, 230 (1947)). In general, the historic police powers of the states include reasonable regulations to protect the health, safety, morals, and general welfare of the public (including protecting state citizens against corporate misconduct, which is also one of the purposes of the Stored Communications Act). See, e.g., Jacobson v. Massachusetts, 197 U.S. 11 (1905).

Now, let’s walk through three main ways that courts have reviewed related state laws and federal laws under the concepts of federal supremacy or preemption: (1) does the federal law have an express preemption provision; (2) does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation; and (3) does the federal law actually conflict with state law? See Cal. Fed. Sav. & Loan Ass’n, 479 U.S. 272, 280–281 (1987).

1. Does the federal law have an express preemption provision?

First, does the federal law have an express preemption provision? In the case of the Stored Communications Act, the answer is “no”—there is no provision in the Act that expressly preempts state laws or regulations. Contrast that with the express preemption provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), codified as 42 U.S.C. § 1320d–7(a)(1), which states that HIPAA’s provisions “shall supersede any contrary provision of State law.” Congress clearly chose to trump and displace any state laws that conflicted with HIPAA’s privacy rule regarding protected health information. However, Congress chose not to include any statutory preemption language in the Stored Communications Act.

2. Does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation?

Second, does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation? In the case of the Stored Communications Act, the answer is “no.” The Stored Communications Act includes both criminal offenses (§ 2701(a) of the Act) and civil causes of action (§ 2707(a) of the Act) for unauthorized access to or prohibited disclosure of certain electronic communications and files. All fifty states have enacted laws regarding computer hacking or unauthorized access. And, refer to the Compilation of State and Federal Privacy Laws by Robert Ellis Smith for a comprehensive list of state laws on privacy, electronic surveillance, identity theft, etc. These state laws are within the scope of the historic police powers of the states, mentioned above, including reasonable regulations to protect the health, safety, morals, and general welfare of the public. Clearly, there is concurrent federal and state authority regarding criminal offenses and civil causes of action for unauthorized access to or prohibited disclosure of certain electronic communications and files, and the federal Stored Communications Act does not fully occupy the field of regulation.

3. Does the federal law actually conflict with state law?

Third, does the federal law actually conflict with state law? Courts have generally found actual conflicts if: (a) “compliance with both federal and state regulations is a physical impossibility” (Florida Lime & Avocado Growers, Inc., v. Paul, 373 U.S. 132, 142–143 (1963)) or (b) the state law is an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress” (Hines v. Davidowitz, 312 U.S. 52, 67 (1941)). Specifically, let’s look at Sections 8(a)(i) and 8(a)(ii) of the November 2013 draft of the Uniform Law Commission’s Fiduciary Access to Digital Assets (FADA) model act to see if either of these provisions would actually conflict with the Stored Communications Act.

Section 8(a)(i) of the FADA model act says that, “A fiduciary with authority over digital assets or electronic communications of an account holder…has the same authority as the account holder.” Section 8(a)(ii) of the FADA model act says that, “A fiduciary with authority over digital assets or electronic communications of an account holder…has the lawful consent of the account holder.”

While § 2702(b)(3) of the Stored Communications Act says that a user can provide “lawful consent” for the provider to divulge the contents of an electronic communication or file and § 2707 of the Act says that a user can bring a civil action for violations of the Act, the Act is silent regarding who can enforce the user’s rights while the user is incapacitated or after the user dies. The Act does not expressly authorize or expressly prohibit a duly-authorized fiduciary to act on behalf of a user.

3.a. Is compliance with both federal and state regulations a genuine or physical impossibility?

So, does the difference between the Stored Communications Act and the FADA model act rise to the level of “impossibility” and result in federal law actually conflicting with state law? I believe the court would conclude that the answer is “no.” In Thoughts on Preemption in the Wake of the Levine Decision, by Erika Fisher Lietzan and Sarah E. Pitlyk, regarding the “impossibility” analysis, the authors state “It is not enough that state law prohibits something that federal law permits, or vice versa. In each of these scenarios, a party could still comply with both laws by refraining from the conduct in question. In order for a court to find that it is genuinely impossible to comply with both state and federal law, one body of law must require something that the other prohibits. (footnotes omitted)” 13 J. Health Care L. & Pol’y 225, 227 (2010). For example, the article cites the case of Mich. Canners & Freezers Ass’n v. Agric. Mktg. & Bargaining Bd., 467 U.S. 461 (1984), which noted that a Michigan state law in question empowered people to do precisely what the federal law forbade them to do. But, the court noted that, “Because the Michigan Act is cast in permissive rather than mandatory terms…this is not a case in which it is impossible for an individual to comply with both state and federal law.” Id. at 477–478.

With respect to online accounts, there is no genuine or physical impossibility between the Stored Communications Act and the FADA model act. The FADA model act does not compel service providers to disclose the contents of the electronic communications and files protected under the Stored Communications Act. Disclosure is still voluntary for the service provider under the Stored Communications Act. In other words, a service provider that is skeptical of the effect of the FADA model act’s statement that a duly-appointed fiduciary has the “lawful consent” of the account holder could choose not to disclose the contents of the account holder’s electronic communications and files, if the service provider concludes that disclosure of the contents is prohibited under § 2702 of the Act (on the other hand, a written authorization signed by the account holder personally that signifies “lawful consent” should satisfy the service providers). Even though Section 9(a) of the FADA model act says that “the custodian must comply with the request” made by the fiduciary of an account holder for access to digital assets or electronic communications of the account holder, Section 4(a)(3) (regarding the personal representative of a deceased account holder) and Section 5(c)(3) (regarding the conservator of a protected person) both limit the fiduciary authority over contents of electronic communications “to the extent consistent with 18 U.S.C. Section 2702(b).” The other two fiduciaries, agents acting under a power of attorney in Section 6 of the FADA model act and trustees of a trust under Section 7 of the FADA model act, both must have an explicit delegation of authority from the account holder over the account holder’s digital property in the governing instrument, which would equate to the “lawful consent” of the account holder needed by the service provider to disclose the account contents under § 2702(b)(3) of the Stored Communications Act. 

So, the “to the extent consistent with 18 U.S.C. Section 2702(b)” limitations of Sections 4(a)(3) and 5(c)(3) allow a service provider that is skeptical of the effect of the FADA model act’s statement that a duly-appointed personal representative or conservator has the “lawful consent” of the account holder to choose not to disclose the contents of the account holder’s electronic communications and files, if the service provider concludes that disclosure of the contents is prohibited under § 2702 of the Act. However, service providers also could conclude, based on the FADA model act or other existing or future state fiduciary laws (whether those state fiduciary laws mention online accounts specifically or not), that the duly-appointed fiduciary is the alter ego of the account holder and stands in the shoes of the account holder for purposes of the Stored Communications Act, and the service provider could choose to disclose the account contents to that fiduciary. Support for this position comes from a statement made by the court in In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, No. C 12–80171 LHK (N.D.Cal. Sept. 20, 2012), “Of course, nothing prevents Facebook from concluding on its own that Applicants [the duly-appointed fiduciary acting on behalf of Sahar Daftary’s estate] have standing to consent on Sahar’s behalf and providing the requested materials voluntarily.” Because disclosure is voluntary, complying with both the Stored Communications Act and the FADA model act is not a genuine or physical impossibility for service providers. It’s also important to note that the quotation above comes from an order of the U.S. District Court, Northern District of California, because the Terms of Service contracts for Facebook, Apple, Google, LinkedIn, Twitter, WordPress, Yahoo!, YouTube, and other service providers state that any disputes with those companies must be resolved in a court in the same jurisdiction.

3.b. Is the state law an obstacle to the accomplishment and execution of the full purposes and objectives of Congress?

That leaves the question of whether the state law is an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and I believe the court would conclude that the answer is “no.” Fiduciaries play an important and necessary role in the U.S. legal system for our personal and business lives, especially when dealing with an incapacitated or deceased person’s valuable or significant property, including digital property. A duly-appointed fiduciary acts as a person’s alter ego, standing in the shoes of the person. The person’s online account contents and other digital property are directly relevant to the fiduciary’s duties when acting on behalf of the incapacitated or deceased person’s estate and property, and the FADA model act is carefully tailored and limited to provide duly-appointed fiduciaries the authority and powers needed to act on behalf of a user’s online accounts and digital property within the scope of the fiduciary relationship. I would think differently about a state law that attempted to say the person’s spouse or other family members were granted access to an incapacitated or deceased person’s online accounts and digital property, without the accompanying fiduciary duties and limitation in scope so that it’s relevant to that person’s involvement.

It’s important that someone is able to collect and administer the person’s digital property and enforce the person’s rights in that digital property, including privacy rights under the Stored Communications Act, and the person’s duly-appointed fiduciary is the appropriate agent to do this under U.S. laws. Who else would have authority to bring a civil cause of action under § 2707 of the Stored Communications Act for an incapacitated or deceased user other than the user’s duly-appointed fiduciary? So, I don’t see how these two sections of the FADA model act would be an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress” under the Stored Communications Act.

Based on my reading of the cases and analysis described above, I don’t think that a court would conclude the federal Stored Communications Act would actually conflict with the FADA model act or similar state fiduciary laws.

Other Reading

As I was reading through the cases on federal preemption and supremacy, I found the paper Congress’s Power to Preempt the States written by Professor Stephen Gardbaum in 2005 (and his 1994 paper The Nature of Preemption) to be a helpful resource for thinking through how a court today may (or should) think through these issues. In his paper, Professor Gardbaum proposes a new and simplified framework to analyze issues of federal supremacy and preemption. He asserts that Congress can preempt state law, but it must do so expressly in the federal law. He also asserts that, if there is no express preemption of state law by Congress in a federal law, the federal law will only supersede state law if there’s an actual conflict between them, as a result of the Supremacy Clause.

Conclusion

The bottom line is I believe that a court would conclude that state fiduciary laws, in general, and the relevant provisions of the November 2013 draft of the Fiduciary Access to Digital Assets model act, in particular, are not in conflict with and are not preempted by the federal Stored Communications Act. Ultimately, however, it will be up to the applicable courts to decide these issues.

Until that happens, hopefully a balance can be achieved for fiduciaries to receive the online account contents needed to carry out their fiduciary duties to an incapacitated or deceased person and for service providers to receive the assurances they need to respect a user’s privacy rights and to avoid potential civil damages for improper disclosures. Of course, I still prefer planning ahead for passwords, online accounts, and digital property, including having a written authorization signed by the account holder personally to signify “lawful consent,” rather than relying on the effect of state laws.

Finally, as with anything else in my blog, the views expressed are my personal views alone and do not necessarily represent the views of my law firm.


Jim Lamm Quoted in Morningstar on Digital Estate Planning

On October 3, 2013, I was quoted on Morningstar in the article “Do You Have a Plan for Your Digital ‘Estate’?” by Christine Benz.

The article is an excellent introduction to estate planning for online accounts and other digital property, including the problems fiduciaries and family members face with: (1) passwords; (2) encrypted data; (3) federal and state criminal laws regarding unauthorized access to computer systems (especially the Computer Fraud and Abuse Act); and (4) data privacy laws (especially the Stored Communications Act).

The article also outlines four practical steps to take to incorporate digital property into your estate plan.


August 2013 List of State Laws and Proposals Regarding Fiduciary Access to Digital Property During Incapacity or After Death

When a person becomes incapacitated or after a person dies, there are significant challenges that fiduciaries and family members face when dealing with that person’s smartphones, computers, electronically stored information, online accounts, Internet domain names, and other digital property. The first challenges are finding the person’s digital property and identifying which digital property is valuable or significant. Then, fiduciaries have several additional, significant digital property obstacles to overcome, including: (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

As of the date of this posting, I am aware of seven states that currently have enacted specific laws to help fiduciaries deal with some fiduciary access to online accounts, although I believe that several of these laws are too limited in scope:

  1. Connecticut Statutes § 45a–334a gives the personal representative of a deceased person’s estate the powers to access or copy the contents of the person’s e–mail accounts (see also Proposed Bill 5227 introduced January 11, 2013, status).
  2. Idaho Statutes § 15–3–715(28) gives the personal representative of a deceased person’s estate the powers “to take control of, conduct, continue, or terminate” a deceased person’s e–mail account, social networking account, microblogging account, or short messaging service Web site, and Idaho Statutes § 15–5–424(3)(z) also grants similar powers to a person’s conservator.
  3. Indiana Code § 29–1–13–1.1 allows the personal representative to access or copy any of the decedent’s documents or information stored electronically by a “custodian,” and it requires the custodian to retain a deceased person’s electronic information for two years after receiving a request for access or copies.
  4. Nevada Revised Statutes chapter 143 has a new section taking effect October 1, 2013, (see Nevada Senate Bill number 131) that gives the personal representative of a deceased person’s estate the power to direct the termination of any online account or similar electronic or digital asset of the decedent, but it does not address powers to access these accounts or copy the contents.
  5. Oklahoma Statutes § 58–269 gives the personal representative of a deceased person’s estate the powers “to take control of, conduct, continue, or terminate” a deceased person’s e–mail account, social networking account, microblogging account, or short messaging service Web site.
  6. Rhode Island General Laws Chapter 33–27 gives the personal representative of a deceased person’s estate the powers to access or copy the contents of the person’s e–mail accounts.
  7. Virginia Code § 64.2–110 gives the personal representative of a deceased minor’s estate (but not a deceased adult’s estate!) the power to assume the minor’s Terms of Service agreement for an online account “for purposes of consenting to and obtaining the disclosure of the contents of the minor’s communications and subscriber records pursuant to 18 U.S.C. § 2702.”

The Uniform Law Commission appointed a Drafting Committee on Fiduciary Access to Digital Assets to prepare a model act on this topic, and they have a working draft that is expected to be finalized in 2014. As of the date of this posting, I am aware that the following other states have already introduced or are considering introducing new legislation to address fiduciary access to digital property, although I believe that several of these proposals are too limited in scope:

  1. California.
  2. Colorado.
  3. Florida.
  4. Maine: Legislative Document 850, passed May 21, 2013, appointed a commission to study the legal impediments to the disposition of digital assets upon an individual’s death or incapacity and develop legislative recommendations based on the study by December 1, 2013.
  5. Maryland: Senate Bill 29 introduced January 9, 2013, status (note: this bill received an “unfavorable” report by the Senate Judicial Proceedings Committee on February 14, 2013).
  6. Massachusetts: Senate Bill 702 (House Bill 1314), introduced January 22, 2013, status (see also Senate Bill 754, introduced January 24, 2011, Senate Bill 2205 introduced April 5, 2012, and Senate Bill 2313 introduced June 21, 2012).
  7. Michigan: House Bill 5929 introduced September 20, 2012, status, and Senate Bill 293 introduced April 10, 2013, status.
  8. Missouri.
  9. Nebraska: Legislative Bill 783 introduced January 5, 2012, status (note: this bill was indefinitely postponed as of April 18, 2013).
  10. New Hampshire: House Bill 116 introduced January 3, 2013, status.
  11. New Jersey: Assembly Bill 2943 introduced May 14, 2012, status.
  12. New York: Bill A823–2013 introduced January 9, 2013, status; Bill A6034–2013 introduced March 13, 2013, status; and Bill A6729–2013 introduced April 17, 2013, status (thank you to Damien McCallig for notifying me about Bill A6034–2013).
  13. North Carolina: Senate Bill 279 introduced March 12, 2013, status (note: the digital asset provisions contained in the first two versions of this bill were removed before this bill was signed into law June 12, 2013).
  14. North Dakota: House Bill 1455 introduced January 21, 2013, status (note: this bill did not pass the vote taken in April 2013).
  15. Ohio.
  16. Oregon: Senate Bill 54 introduced January 14, 2013, status.
  17. Pennsylvania: House Bill 2580 introduced August 23, 2012, status.
  18. Virginia: Senate Bill 914 introduced January 7, 2013, status.

If you are aware of any other state (or state bar association) that is considering this type of legislation, please contact me so that I can add it to the list.


Tips From Security Experts on Choosing and Storing Passwords

One of the most frequently asked questions I hear when I talk about estate planning for digital property is, “How should I choose and store secure passwords for my accounts?” There’s a great July 10, 2013, article by Dan Goodin on Ars Technica asking this question to five computer security experts, including security technologist, cryptographer, and author Bruce Schneier (his blog and his books are excellent). The article has some helpful password tips, and it’s interesting to see the differences in how the security experts store their passwords!

I’ve written about choosing and storing secure passwords before. As I’ve mentioned, Microsoft generally recommends using a different strong password for each account and choosing strong passwords that are at least fourteen characters long, using a mix of uppercase letters, lowercase letters, numbers, and symbols.
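To make that recommendation concrete, here is an added example (not part of the original post or the Ars Technica article) that audits a password list against the three points above: a different password for each account, at least fourteen characters, and all four character types. The account names and passwords are constructed sample data, and treating "symbols" as ASCII punctuation is an assumption.

```python
import string
from collections import defaultdict

# "At least fourteen characters long", as recommended in the text above.
MIN_LENGTH = 14

# The four character types named in the text. Treating "symbols" as
# ASCII punctuation is an assumption made for this example.
CLASSES = {
    "uppercase letter": set(string.ascii_uppercase),
    "lowercase letter": set(string.ascii_lowercase),
    "number": set(string.digits),
    "symbol": set(string.punctuation),
}


def check_password(password):
    """Return the ways one password falls short of the recommendation."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name}")
    return problems


def audit(accounts):
    """Map each account with a problem to its list of problems.

    Reuse is reported by naming the other accounts that share the
    password, so the report never contains a password itself.
    """
    by_password = defaultdict(list)
    for account, password in accounts.items():
        by_password[password].append(account)

    report = {}
    for account, password in accounts.items():
        problems = check_password(password)
        others = sorted(a for a in by_password[password] if a != account)
        if others:
            problems.append("reused on: " + ", ".join(others))
        if problems:
            report[account] = problems
    return report


# Constructed sample data: these are not real accounts or passwords.
SAMPLE_ACCOUNTS = {
    "email": "Tr1cky-Harbor#Lantern",
    "bank": "summer2013",
    "photos": "Tr1cky-Harbor#Lantern",
    "forum": "Quiet*Meadow7Violin",
}

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{account}: {'; '.join(problems)}")
```

Note that the "email" password passes the length and character checks on its own and is flagged only because the same password is also used for "photos".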

When it comes to storing your passwords and keeping them up-to-date, my general recommendation is to choose a system that you’ll actually use. A written list may work well for you because it’s easy to create. A written list is much better than doing nothing, but a written list may be insecure and less convenient to update and to keep with you all the time. An electronic list can be much more secure (encrypted) than a written list, and a wide variety of easy-to-use tools are available to help you create and manage your electronic password list. Look for electronic password list software or an electronic password list Website that is easy-to-update, convenient, and secure (encrypted).

Some of the popular software tools that you can install on your computer or smartphone include Dashlane, LastPass, 1Password, KeePass, RoboForm, and Keeper. Several of these software tools are mentioned and used by the five security experts interviewed in the Ars Technica article above. Make sure that you write down instructions for your fiduciaries so they can find and access your electronic password list if you are incapacitated or deceased (store the written instructions in a secure location like a safe deposit box, home safe, etc.).

Some of the popular Web-based electronic password list services (accessed through a Web browser) offer a mechanism for authorized fiduciaries or family members to access your electronic password list if you are incapacitated or deceased. You tell the company in advance which key people can unlock this information at the appropriate time, and, after being contacted by that fiduciary or family member, the company will grant access after a verification procedure. Some of these services also can store scans of your important legal documents, including financial powers of attorney, health care directives, wills, trusts, deeds, and insurance policies. Some of the popular Web-based electronic password list services include AfterSteps, AssetLock, Assets In Order, Deathswitch, EstateMap, Estate++, E-Z-Safe, LegacyLocker, SecureSafe, and World Without Me. Check out their Web sites for more information on the services and features that they offer.


Video Clip: What Happens to E-mail, Facebook, and iTunes After You Die?

Minnesota’s KSTP-TV Eyewitness News ran a five-minute video story on May 2, 2013, by Tom Hauser on what happens to your Apple iTunes purchases, e-mail accounts, Facebook account, and other online accounts after you die. I had the pleasure of being interviewed for the story, and Mark Lanterman, CEO and CTO of Computer Forensic Services, was also interviewed. You can read the text story and watch the video story at the following link: http://kstp.com/news/stories/S3020243.shtml

I was also interviewed for an April 30, 2013, story on WNYC public radio by Stan Alcorn. You can read the text of the story and listen to the audio recording at the following link: http://www.wnyc.org/shows/newtechcity/blogs/new-tech-city-blog/2013/apr/30/three-barriers-make-it-hard-pass-digital-accounts-after-death/

Technology is changing the way we interact with people and transact business. We are accumulating valuable and important electronic data in our smartphones, computers, and online accounts. We need to plan ahead for our data and online accounts so that our fiduciaries and family members can receive that data after we become incapacitated and after we die.

First, you should make a list of any valuable or important data, online accounts, and digital property. This could be a written list or an electronic list stored in your smartphone, in your computer, or in an online account. Make sure to include where each account or digital property item is, how you access it, and why it’s valuable or important to you. And, make sure to keep the list up-to-date!

Second, you should contact your estate planning attorney to include your digital property in your estate plan. Make sure your estate plan appoints a fiduciary to act on your behalf with respect to your digital property (as well as for all your other property) during incapacity and after death. This may include preparing a durable power of attorney, a will, and a revocable living trust, if appropriate for your situation—please contact your estate planning attorney for tax and legal advice about your specific facts and circumstances. And, make sure your estate plan authorizes the companies that hold your electronic data to release that data to your fiduciaries during your incapacity and after your death.

Planning ahead for your digital property is essential to arrange for full access to your data, to keep estate administration costs down, to provide for a smooth estate administration, and to ensure that none of your valuable or important digital property is overlooked. If you haven’t planned ahead, a computer forensics expert may be able to recover and access data from your smartphone or your computer. But, it may be practically impossible to retrieve the data from your online accounts if you haven’t planned ahead!

Contact your estate planning attorney today to include your digital property in your estate plan!


Google Users Can Now Plan Ahead for Incapacity and Death for their Google Data

If you use Google’s Gmail service or one of its other popular services, Google has new user account settings that are helpful for digital estate planning purposes. With these settings, you can direct Google to send your Gmail messages and your other Google data to a trusted person after your Google account “times out” due to inactivity. You can also set how many months (3, 6, 9, or 12) before your Google account “times out,” and Google will send you a warning before that happens.

In other words, you could set it up so that, if you haven’t logged in to your Google account within the last three months (e.g., due to incapacity or death), then Google should send your Google Gmail (e–mail) messages, your documents stored on Google Drive, and your data from other selected Google services to your spouse, to one or more of your children, or to someone else. You can select up to 10 people to receive a notification that your account is closed and, if you choose, you can also send one or more of those people Google account data that you select (e.g., you can send your Google Gmail messages to one person and your Google Drive documents to someone else). You designate these people with an e–mail address and, if you choose to send them your data, with a mobile phone number also. One challenge with this is that the person you designate to receive your data may not be able to receive your data because they changed e–mail accounts, because they changed phone numbers, because they are incapacitated, or because they are deceased. So, consider naming more than one person to receive your Gmail messages and other Google data, and keep those e–mail accounts and phone numbers up–to–date. Also make sure to update your designated recipients if you get divorced or if a designated person dies.

Although these new Google account settings allow you to give your Gmail messages and other Google data to someone else during incapacity or after death, these settings do not transfer “the account itself”—just the data in the account. Google’s current policy is not to transfer one user’s account to another user.

Another option that these new Google account settings allow is to delete your Google account and your Google data after your account “times out.” Unfortunately, it’s an all–or–nothing setting (e.g., you can’t specify to delete your Google Gmail messages but preserve your Google Drive documents).

These new settings are called the “Inactive Account Manager,” which is under the Account Management heading [December 2013 update: Google recently moved the Inactive Account Manager settings under the Data Tools heading] of your Account section of your Google account settings. Note that this is not in your Gmail settings—instead, you need to navigate to your Google account page, which has this Web address: https://www.google.com/settings/account [December 2013 update: you can now use this Web address to go directly to Google’s Data Tools settings: https://www.google.com/settings/datatools]. For more information about these new settings, read Google’s Public Policy Blog posting from April 11, 2013.

Hopefully, other online account providers like Apple, Facebook, Microsoft, Yahoo!, and others will offer similar account settings so that users can plan ahead for what happens to their e–mail accounts and other online account data during incapacity and after death. As I’ve mentioned before, it’s important to integrate digital property into your estate plan. You should plan ahead for incapacity and death with respect to your online accounts and other digital property: (1) to arrange for full access to your electronically stored information; (2) to keep costs down; (3) to provide for a smooth administration; and (4) to ensure no valuable or significant online accounts or other digital property are overlooked by your fiduciaries and family members.


Convertible Virtual Currency (Like Bitcoin) is Subject to U.S. Money-Laundering Rules

On March 18, 2013, the U.S. Financial Crimes Enforcement Network released new interpretive guidance regarding “convertible virtual currency” for purposes of the Bank Secrecy Act (BSA). The BSA requires financial institutions in the United States to report cash transactions and suspicious financial activities that might signify money laundering, tax evasion, or other criminal activities. The Financial Crimes Enforcement Network is a bureau of the U.S. Department of the Treasury that combats money laundering, among other things.

Under the new interpretive guidance, “virtual currency” is defined as a medium of exchange that operates like a currency in some environments but does not have all the attributes of real currency (“real currency” is the coin and paper money of the United States that is designated as legal tender). “Convertible virtual currency,” then, is defined as virtual currency that has an equivalent value in real currency or that acts as a substitute for real currency.

Without getting into too much detail, the new interpretive guidance states that “exchangers” and “administrators” are “money transmitters” within the scope of the Bank Secrecy Act and its regulations, unless a limitation or exemption applies, if they either: (1) accept and transmit a convertible virtual currency or (2) buy or sell convertible virtual currency. In other words, these parties may be subject to the registration requirements, record-keeping requirements for certain transactions, and mandatory reporting requirements for certain suspicious activities that might signify money laundering, tax evasion, or other criminal activities. Under the new interpretive guidance, an “exchanger” is a person engaged as a business in the exchange of virtual currency for real currency, funds, or other virtual currency, and an “administrator” is a person engaged as a business in issuing (putting into circulation) a virtual currency and who has the authority to redeem (to withdraw from circulation) the virtual currency.

However, a mere “user” of convertible virtual currency is not subject to the Bank Secrecy Act and its regulations. Under the new interpretive guidance, a “user” is a person that obtains virtual currency to purchase goods and services. In other words, merely using convertible virtual currency to purchase real or virtual goods or services does not make the person a “money transmission service” (so the person does not have the registration, reporting, or record-keeping obligations under the Bank Secrecy Act regulations).

One example of a popular convertible virtual currency is Bitcoin. Based on the definition of “convertible virtual currency,” the new interpretive guidance might also apply to the virtual currencies used in online video games and virtual worlds (e.g., if the video game or virtual world virtual currency has an equivalent value in real currency), bringing certain video game transactions within the scope of the Bank Secrecy Act and its regulations unless a limitation or exemption applies. According to a March 21, 2013, article in the Wall Street Journal by Jeffrey Sparshott, the “anti-money-laundering rules would apply depending on the ‘factors and circumstances’ of each business.”

This new interpretive guidance is another example of how much value is being converted into virtual currencies and how much these virtual currencies have become part of our daily lives. On May 18, 2009, John D. Sutter on CNN reported that at least $1 billion is transferred into virtual currencies each year, primarily for online video games. That’s amazing, and I can only imagine how much more value is converted into virtual currencies today. These virtual currencies, including Bitcoin and amounts in video games and virtual worlds, can have financial value and should be included as part of a person’s estate planning.


Jim Lamm Presents at 2013 Miami Law Review Symposium on “Will You Have a Digital Afterlife?”

On Friday, February 15, 2013, I presented a ninety–minute seminar titled “Will You Have a Digital Afterlife?” with Professor Christina L. Kunz, Michael J. McGuire, and Damien A. Riehl at the 2013 Miami Law Review Symposium on Social Media & the Law in Coral Gables, Florida. Our panel discussed how computers, electronically stored information, online accounts, and other digital property have changed the way we interact with people and how we transact business, and this flood of digital property is also changing how fiduciaries and family members administer an estate after a person’s incapacity or death.

Our panel discussed the four main obstacles for fiduciaries and family members trying to access electronically stored information, online accounts (e–mail, social networking accounts like Facebook and Google+, etc.), and other digital property. These four main obstacles are: (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

Our panel reported on current state legislative efforts regarding fiduciary access to digital property and the Uniform Law Commission’s Drafting Committee that is working on this topic. We also discussed intellectual property law issues, including a current case addressing the issue of whether a person can sell a “used” digital music file, book, or movie purchased from Apple’s iTunes store without violating copyright law. And our panel discussed estate planning tips to plan ahead for digital property during incapacity and after death as well as tips to help identify an incapacitated or deceased person’s online accounts and software tools to help gain access to electronically stored information that may be protected by a password on the person’s smartphone, iPad, or computer.


February 2013 List of State Laws and Proposals Regarding Fiduciary Access to Digital Property During Incapacity or After Death

Note: please refer to this August 2013 post for an updated list of state laws.

When a person becomes incapacitated or after a person dies, there are significant challenges that fiduciaries and family members face when dealing with that person’s smartphones, computers, electronically stored information, online accounts, Internet domain names, and other digital property. As I’ve mentioned in previous posts, there are four main obstacles for fiduciaries and family members trying to access this digital property (especially online accounts like e–mail accounts, social networking accounts like Facebook, etc.): (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

In May 2011, my colleague Gene Hennig and I submitted to the Uniform Law Commission a Project Proposal for a uniform law to grant fiduciaries specific powers and authority regarding a person’s online accounts and digital property during incapacity and after death. In January 2012, the Uniform Law Commission appointed a Study Committee, which presented its final report at the July 2012 Uniform Law Commission annual meeting. On July 17, 2012, the Uniform Law Commission appointed a Drafting Committee on Fiduciary Access to Digital Assets to prepare a uniform law on this topic. The first meeting of the Drafting Committee was held November 30 and December 1, 2012, and the second meeting of the Drafting Committee is February 15–17, 2013.

As of the date of this posting, I am aware of five states that currently have enacted specific laws to help fiduciaries deal with access to e–mail or other online accounts, although I believe that several of these laws are too limited in scope:

  1. Connecticut Statutes § 45a–334a (see also Proposed Bill 5227 introduced January 11, 2013, status)
  2. Idaho Statutes § 15–3–715(28)
  3. Oklahoma Statutes § 58–269
  4. Rhode Island General Laws Chapter 33–27
  5. Indiana Code § 29–1–13–1.1

As I mentioned above, the Uniform Law Commission appointed a Drafting Committee on Fiduciary Access to Digital Assets to prepare a uniform law on this topic. As of the date of this posting (including the updates mentioned below), I am aware that the following other states have already introduced or are considering introducing new legislation to address fiduciary access to digital property, although I believe that several of these proposals are too limited in scope:

  1. California
  2. Colorado
  3. Maine: Legislative Document 850 introduced March 5, 2013, (to study the issue), status (thank you to Justin LeBlanc for notifying me about this bill)
  4. Maryland: Senate Bill 29 introduced January 9, 2013, status
  5. Massachusetts
  6. Michigan: House Bill 5929 introduced September 20, 2012, status (thank you to Brian Cohan for notifying me about this bill)
  7. Missouri
  8. Nebraska: Legislative Bill 783 introduced January 5, 2012, status
  9. Nevada: Senate Bill 131 introduced February 18, 2013, status (thank you to Ashley Watkins for notifying me about this bill)
  10. New Hampshire: House Bill 116 introduced January 3, 2013, status
  11. New Jersey: Assembly Bill 2943 introduced May 14, 2012, status
  12. New York: Bill A823–2013 introduced January 9, 2013, status
  13. North Carolina: Senate Bill 279 introduced March 12, 2013, status (thank you to Evan Carroll for notifying me about this bill)
  14. North Dakota: House Bill 1455 introduced January 21, 2013, status
  15. Ohio
  16. Oregon: Senate Bill 54 introduced January 14, 2013, status (thank you to Evan Carroll for notifying me about this bill)
  17. Pennsylvania: House Bill 2580 introduced August 23, 2012, status
  18. Virginia: Senate Bill 914 introduced January 7, 2013, status

If you are aware of any other state that is considering this type of legislation, please contact me so that I can add it to the list.

[Updated February 25, 2013, to add links to Michigan bill; on March 18, 2013, to add links to Nevada, North Carolina, and Oregon bills; and on April 1, 2013, to add links to the Maine bill]


Jim Lamm Presents on Digital Death at 2013 Heckerling Institute

On Thursday, January 17, 2013, I presented a ninety–minute seminar titled “Digital Death: What to Do When Your Client Is Six Feet Under But His Data Is in the Cloud” with Professor Christina L. Kunz and Damien A. Riehl at the 47th Annual Heckerling Institute on Estate Planning in Orlando, Florida. Our panel discussed how fiduciaries and family members need to inventory, value, and administer smartphones, computers, electronically stored information, online accounts, domain names, and other digital property as part of their duties for estate and trust administrations, guardianships, and conservatorships. We also talked about estate planning tips to plan ahead for digital property during incapacity and after death.

Specifically, we talked about the four main obstacles for fiduciaries and family members trying to access electronically stored information, online accounts (e–mail, social networking accounts like Facebook and Google+, etc.), and other digital property. These four main obstacles are: (1) passwords; (2) encryption; (3) federal and state criminal laws that penalize “unauthorized access” to computers and data (including the Computer Fraud and Abuse Act); and (4) federal and state data privacy laws (including the Stored Communications Act).

Our panel also discussed intellectual property law issues, including a current case addressing the issue of whether a person can sell a “used” digital music file, book, or movie purchased from Apple’s iTunes store without violating copyright law. Finally, our panel reported on state legislative efforts regarding fiduciary access to digital property and the Uniform Law Commission’s Drafting Committee that is working on this topic.

You can download the Table of Contents from the seminar materials here: Table of Contents (PDF link).
