October is National Cyber Security Awareness Month

October has been designated as National Cyber Security Awareness Month. Here are a few resources from the federal government on how to stay safe online:

  1. Department of Homeland Security’s Mobile Security Tip Card
  2. Department of Homeland Security’s Social Media Guide
  3. Department of Homeland Security’s Internet of Things Tip Guide
  4. National Cyber Security Alliance’s information on Malware & Botnets
  5. National Cyber Security Alliance’s information on Spam & Phishing
  6. National Cyber Security Alliance’s information on Hacked Accounts
  7. National Cyber Security Alliance’s information on Securing Your Home Network
  8. National Cyber Security Alliance’s information on Identity Theft, Fraud & Victims of Cybercrime
  9. National Cyber Security Alliance’s information on Passwords & Securing Your Accounts
  10. National Cyber Security Alliance’s information on Online Shopping
  11. National Cyber Security Alliance’s information on Backing Up Important Files
  12. National Cyber Security Alliance’s information on Internet Safety & Security Tips for Parents

More cyber security news and articles are available on StaySafeOnline.org’s blog.

Posted in General | Tagged , , , , , | Comments Off on October is National Cyber Security Awareness Month

Revised Uniform Fiduciary Access to Digital Assets Act

On September 28, 2015, the Uniform Law Commission released the final text of the Revised Uniform Fiduciary Access to Digital Assets Act (revised UFADAA). The original UFADAA was released in 2014.

For background on why the original UFADAA was revised, read the ULC’s document explaining the proposed changes to the original UFADAA. They also prepared a helpful chart comparing the original UFADAA, the revised UFADAA, and the Privacy Expectations Afterlife and Choices Act (PEAC Act). The PEAC Act was prepared by a coalition of Internet service providers and their lobbyists, and a version of it was enacted in Virginia. The revised UFADAA addresses and resolves concerns raised by some Internet service providers and some privacy advocates who initially opposed enactment of the original UFADAA.

The ULC Web site has a document explaining why your state should adopt the revised UFADAA, and more information about the enactment status of the revised UFADAA will be posted on the ULC Web site as it becomes available

Posted in General | Tagged , , , , , | Comments Off on Revised Uniform Fiduciary Access to Digital Assets Act

Remembering Gene Hennig

My friend and colleague, Gene Hennig, passed away on August 25, 2015. I had the privilege of working with Gene at two different law firms over the past 18 years.

Gene was a business law attorney at the Gray Plant Mooty law firm and was one of Minnesota’s commissioners to Uniform Law Commission. In 2009, I started writing and speaking about an emerging area of law—estate planning for passwords, online accounts, and digital property. Gene thought that the current state laws didn’t adequately deal with these emerging issues, so Gene thought this would be a great topic for a new uniform state law. We co-authored and submitted a proposal to the Uniform Law Commission on May 31, 2011, for a uniform law on fiduciary powers and authority to access online accounts and digital property during incapacity and after death.

With Gene’s encouragement, the Uniform Law Commission appointed a Study Committee in January 2012 to consider this topic. Gene and I were both involved in that process, and the Study Committee presented its final report at the July 2012 Uniform Law Commission annual meeting. On July 17, 2012, the Uniform Law Commission appointed a Drafting Committee to prepare a uniform law on fiduciary access to digital assets, and Gene and I participated in that process together. The first reading of the Uniform Fiduciary Access to Digital Access Act (UFADAA) was at the July 2013 Uniform Law Commission annual meeting.

Gene was diagnosed with a brain tumor in November of 2013, but he continued to stay actively involved in the drafting of UFADAA. On July 16, 2014, the Uniform Law Commission approved the final version of UFADAA at their annual meeting. Gene continued to be actively involved in encouraging enactment of UFADAA. On January 20, 2015, Gene and I testified together at the Civil Law and Data Practices Committee of the Minnesota House of Representatives to explain why UFADAA is needed in Minnesota. Our local Minnesota Channel 5 Eyewitness News ran a TV segment about it. At last count, 27 states had introduced legislation based on UFADAA.

The Uniform Law Commission approved a revised version of UFADAA at their July 2015 meeting, and the final text of the revised UFADAA is expected by October 2015. The draft version of the revised UFADAA and a discussion of the changes made by the revised UFADAA are available on the Uniform Law Commission Web site.

Gene lived a full and amazing life as a lawyer, a law professor at both William Mitchell College of Law and the University of St. Thomas School of Law, a Uniform Law Commissioner, a volunteer, a family man, a world traveler (vising more than 60 countries!), and much more. You can read more about Gene’s life at the following Web sites:

Posted in General | Tagged , , , , , , , , , | Comments Off on Remembering Gene Hennig

Theft of Virtual Currency and Virtual Property

There can be significant financial value in digital property, and thieves have started to take notice. Below are a few recent news stories about stolen virtual currency and stolen virtual property.

In June 2015, armed robbers stole $1,100 worth of the popular virtual currency Bitcoin from a New York man. The man had advertised bitcoins for sale on Craigslist, and a potential buyer forced the man at gunpoint to transfer his bitcoins. This follows two other recent armed robberies in New York targeting bitcoins. In one of those robberies, a man was stabbed in an attempt to take his bitcoins. In the other robbery, $8,500 worth of bitcoins were taken at gunpoint. Because Bitcoin is anonymous—no name or Social Security number is connected to a Bitcoin address—it makes it more difficult for law enforcement to find the robbers.

In January 2015, Bitstamp—an online marketplace for buying and selling bitcoins—was compromised, and it appears that about $5.1 million of bitcoins were stolen. The compromise affected the company’s bitcoin reserves, but the bitcoins of their customers were not affected.

Also, a May 20, 2015, article by Kashmir Hill describes the theft of in-game virtual currency and virtual property from players of the online video game Diablo III. In 2012, thieves used a remote access tool to gain control of twenty to thirty computers used by other video game players, which allowed them to take the in-game virtual currency and property of those players. FBI agents tracked down the thieves, seized their computers, and arrested them on felony charges. The prosecutors alleged that the thieves sold the stolen in-game virtual currency and virtual property for over $8,000. In 2014, the thieves plead guilty to misdemeanor charges.

Posted in Video Games & Virtual Worlds, Virtual Currency | Tagged , , , , | Comments Off on Theft of Virtual Currency and Virtual Property

Can’t Remember Your Password? There’s a Pill for That!

A recent presentation by Jonathan LeBlanc, PayPal’s Global Head of Developer Advocacy, argues that passwords are insecure and need to be replaced. One replacement he suggested is a pill that you swallow containing a microchip. Then, your computer or smartphone would connect to that microchip to authenticate you instead of typing in a password.

The idea of replacing passwords with something you ingest every few days or something you permanently implant in your body isn’t new. Regina Dugan from Motorola made a similar presentation in 2013, describing vitamin authentication pills and electronic tattoos that could replace passwords. Other authentication devices might check your heart’s unique electrical activity or recognize the unique pattern of the veins in your body.

At this point, the “password pills” that these presentations describe aren’t available to buy. It’s an interesting concept for the future that companies are considering. On one hand, swallowing a password pill every day or every few days may be objectionable to some people. On the other hand, maybe the microchip could be combined with other vitamins or medications that a person is already taking regularly, which also could be a good reminder to be current on your medications—if you don’t take your daily vitamin password pill, you can’t check your email or do any online shopping!

Hopefully, these new biometric, embeddable, and ingestible authentication devices will not be a significant obstacle for fiduciaries and family members dealing with a user’s incapacity or death. Current biometric devices, such as the fingerprint reader on Apple iPhone and iPad devices, include a fallback authentication procedure (e.g., a password to type). Companies developing the next generation of these authentication devices should include fallback authentication procedures so that an incapacitated or deceased user’s fiduciaries can access the user’s devices and accounts.

Posted in General | Tagged , , , , , , , | Comments Off on Can’t Remember Your Password? There’s a Pill for That!

Appointing a Legacy Contact for a Facebook Account After Death

Facebook now allows you to appoint a “legacy contact” for your Facebook account after you die. Previously, after a user died, Facebook would not allow anyone else to access or modify the deceased user’s Facebook account, but the account could be closed or “memorialized.” Facebook also now allows you to set your account so that it’s permanently deleted when you die.

A Facebook account legacy contact can: (1) download a copy of what the deceased user shared on Facebook (photos, videos, wall posts, profile information, contact information, events, and the deceased user’s list of friends); (2) write a pinned post for the deceased user’s profile to share a remembrance or final message on behalf of the deceased user; (3) respond to new friend requests with the deceased user; and (4) update the deceased user’s profile picture and cover photo.

However, a Facebook account legacy contact cannot: (1) read or download the messages that the deceased user sent to friends (or photos that the deceased user automatically synced with Facebook but didn’t post); (2) remove friends of the deceased user; (3) change photos, postings, or other items shared on the decedent’s timeline; or (4) log in to the deceased user’s account. Although a legacy contact cannot read or download messages that the deceased user sent to friends, Facebook may provide a copy of the deceased user’s messages if the deceased user expressed clear consent to allow this in the decedent’s will or another legal consent document.

Instructions for how to add, change, or remove a Facebook account legacy contact are available here: https://www.facebook.com/help/1070665206293088. Note that your legacy contact must be an existing Facebook friend of yours.

After a Facebook user dies, if a legacy contact has been appointed, first the deceased user’s account should be memorialized. A family member or friend can submit the request to memorialize the decedent’s account using this form on Facebook’s Web site: https://www.facebook.com/help/contact/651319028315841. After the decedent’s account is memorialized, Facebook will notify the legacy contact. Although the legacy contact cannot log into the deceased user’s account, the legacy contact can take the actions described above by going to the deceased user’s memorialized profile and clicking the “manage” link in the bottom-right of the cover photo.

If you would prefer to permanently delete your Facebook account when you die, instructions to set that up are available here: https://www.facebook.com/help/103897939701143.

Posted in Social Networking Accounts | Tagged , , , , , , | Comments Off on Appointing a Legacy Contact for a Facebook Account After Death

Video Clip: Family Fights to Access Late Son’s Digital Data

Minnesota’s KSTP-TV Eyewitness News ran a video story on January 20, 2015, by Tom Hauser about the Anderson family who tragically lost their nineteen-year-old son, Jake. Their son’s death was ruled accidental, but the family wants answers about the events leading up to his death. They have tried unsuccessfully to obtain copies of Jake’s final emails, text messages, social networking posts, photos, and cell phone data from service providers.

The Anderson family started an online petition asking the Minnesota State Legislature to pass a law clearly authorizing fiduciary access to a deceased person’s digital data. At the time of this blog post, there were over 4,000 online signatures to that petition. If you’d like to show your support, the online petition is available here: http://www.gopetition.com/petitions/accessing-jakes-digital-data.html.

The video story includes an interview with Andersons and an excerpt of their testimony on January 20, 2015, before the Civil Law and Data Practices Committee of the Minnesota House of Representatives in support of a bill to enact the Uniform Fiduciary Access to Digital Assets Act (UFADAA) in Minnesota. My colleague Gene Hennig and I also testified at this committee meeting, a brief excerpt of which is included in the video story.

The full text of UFADAA is available on the Uniform Law Commission’s Web site, as well as a brief summary of UFADAA and a list of reasons why states should adopt UFADAA.

Posted in E-mail, Social Networking Accounts | Tagged , , , , , , , , , | Comments Off on Video Clip: Family Fights to Access Late Son’s Digital Data

Keeping a Secure List of Passwords, Online Accounts, and Digital Property

An important part of a comprehensive estate plan (planning ahead for incapacity and death) is preparing a complete list of your passwords, online accounts, and other digital property—and keeping it up to date. This list helps fiduciaries and family members find your valuable and significant online accounts and digital property, keep administration costs down, provide for a smooth administration, and ensure no property is overlooked.

A written list is easy for anyone to create, but it’s insecure to keep with you at all times and may be inconvenient to update. A sample written list is available on my blog—I call it “My Digital Audit.” You can download the Adobe PDF form to your own device and either edit it electronically or print it and fill it out by hand. Keep your written list in a secure location, like a safe deposit box or a home safe. Secure storage and frequent updates don’t work well together for a written list, so an electronic list or a hybrid method combining an electronic list and separate written instructions is preferable to only keeping a written list.

Personally, I prefer to use an encrypted electronic list because it’s secure, easy to update, convenient to use, and it’s on my smartphone so it’s always with me. A master password is used to access the encrypted data in the list. So, I only need to remember one master password, then I can use the electronic list to keep track of all my separate, strong passwords for each online account that I use. An electronic list can be stored on a smartphone, a computer, a portable storage device, or in the cloud.

When choosing software or a Web-based service to keep an encrypted electronic list of passwords, online accounts, and digital property, look for one that synchronizes your list among your computer, tablet, and smartphone (and the cloud, if desired) so that it’s easily accessible by you. Also, look for one that integrates with your Web browser to securely and automatically enter the username and password for your online accounts. In addition to being a time-saver, it also encourages you to use separate, strong passwords for each of your online accounts (if you’d like to learn more about strong passwords, read this article from Microsoft on Six Rules for Safer Financial Transactions Online). The ones that integrate with your Web browser also help keep your list up to date by automatically updating your list when you create a new online account or when you change an online account’s password. If the software or Web-based service stores your list in the cloud (not just stored locally on your device), make sure it encrypts your data before sending it to the cloud so that the service provider (or a hacker compromising the service provider’s security) can’t access your confidential data.

Five of the most popular free and commercial software tools to keep an encrypted electronic list are described in a January 11, 2015, article at Lifehacker.com by Alan Henry. The five encrypted electronic list tools the article describes, in alphabetical order, are: 1Password, Dashlane, KeePass, LastPass, and Roboform.

A key problem with an encrypted electronic list is that fiduciaries and family members need to know your master password in order to read your list while you are incapacitated or after you are deceased. Without the master password, the list may be practically impossible to access (e.g., if the list is protected with strong encryption and a strong password).

One idea is to use a hybrid method by keeping an encrypted electronic list of your passwords, online accounts, and digital property plus keeping a separate written instruction sheet describing how to find and access your encrypted electronic list, including the master password. Keep the separate written instruction sheet in a secure location, like a safe deposit box or a home safe.

Another idea is to use a Web-based service to both keep your encrypted electronic list and provide a mechanism for designated fiduciaries or family members to access the unencrypted list. Some of these Web-based services, in alphabetical order, are: AfterSteps, Assets in Order, BestBequest, Deathswitch, Estate Map, E-Z-Safe, PasswordBox’s Legacy Locker, and SecureSafe. However, unlike the software tools listed three paragraphs above, the Web-based services listed in this paragraph currently do not integrate with your Web browser to enter the username and password for your online accounts securely and automatically, which may make these services less convenient to use and less convenient to keep up to date. Also, if the service provider has the ability to turn over the unencrypted contents of your list to a fiduciary or family member that you designate, that means the service provider (or a hacker compromising the service provider’s security) potentially could gain access to your confidential data—this is a trade-off between convenience and security.

During your incapacity or after your death, fiduciaries and family members should read the applicable Terms of Service contract before attempting to use your password to access your online account. There are federal and state laws that penalize unauthorized access to computer systems and types of private or protected personal data. These laws provide consumer protection against fraud and identity theft but may have a chilling effect on fiduciaries and family members trying to access an incapacitated or deceased person’s online accounts.The U.S. Department of Justice asserts that 18 U.S.C. § 1030(a)(2), which is a provision of the Computer Fraud and Abuse Act (“CFAA”), is broad enough to permit the government to charge a person with a crime for violating the CFAA when that person “exceeds authorized access” by violating the access rules of a Web site’s Terms of Service contract or use policies. For example, some Terms of Service contracts prohibit you from allowing anyone else to access your online account, which may mean that a fiduciary or family member using your password to access the account is “exceeding authorized access” within the scope of the CFAA. If any of your online accounts has an access restriction like this in its Terms of Service contract, your fiduciary or family member should consider asking the service provider for a copy of your account’s contents instead of attempting to use your password to access your account.

Posted in General | Tagged , , , , , , , | Comments Off on Keeping a Secure List of Passwords, Online Accounts, and Digital Property

Video Clip: Family Wants Access to Son’s Digital Data After Death

Minnesota’s KMSP-TV Fox 9 News ran a video story on September 9, 2014, by Ted Haller about a family wanting access to their deceased nineteen-year-old son’s digital data. They have been seeking access to his text messages, e-mails, and Facebook account to find out more about the moments leading up to his tragic death.

I was interviewed for the story to comment about the current federal privacy laws that restrict disclosure of private electronic communications, how service providers could change their Terms of Service agreements to clearly authorize fiduciary access, and what online account users can do to plan ahead for incapacity and death.

The Anderson family, which was interviewed for the KMSP-TV Fox 9 News story about their nineteen-year-old son, is hoping to get 20,000 signatures to an online petition asking the Minnesota State Legislature to pass a law clearly authorizing fiduciary access to a deceased person’s digital data. If you’d like to show your support, the online petition is available here: http://www.gopetition.com/petitions/accessing-jakes-digital-data.html.

Technology is changing the way we interact with people and transact business. We are accumulating valuable and significant electronic data in our smartphones, computers, and online accounts. We need to plan ahead for our data and online accounts so that our fiduciaries and family members can access that data after we become incapacitated and after we die.

First, you should make a list of your valuable or significant data, online accounts, and digital property. This could be a written list or an electronic list stored in your smartphone, in your computer, or in an online account. Make sure to indicate where each account or digital property item is located, how to access it, and why it’s valuable or significant to you. And, make sure to keep the list up-to-date!

Second, if you have been storing valuable or significant data exclusively in online accounts (for example, your digital photos), it’s important to regularly back up that data to local storage media—to your computer’s hard drive, a USB flash drive, a CD, a DVD, etc.—so that your fiduciaries and family members will have access to that data without the additional obstacles that online accounts have. One obstacle that could be avoided is the Stored Communications Act, also known as the Electronic Communications Privacy Act, which creates privacy rights to protect the contents of certain electronic communications and files from disclosure by a provider of an electronic communication service or a remote computing service, unless an exception is met under that law. A second obstacle that could be avoided is a potential criminal charge for “exceeding authorized access” to your online accounts, under federal or state laws, if a fiduciary or family member violates the access rules of that account’s Terms of Service agreement. Some service providers prohibit you from sharing your password or allowing anyone else to access your account, but other providers do not have these prohibitions. It’s important to read the Terms of Service agreement before attempting fiduciary access to an online account.

Third, you should contact your estate planning attorney to include plans for your digital property in your estate plan. Make sure your estate plan specifies your wishes about your property and appoints a fiduciary to act on your behalf with respect to all of your property, including your digital property, during incapacity and after death. This may include preparing a durable power of attorney, a will, and a revocable living trust (if appropriate for your situation). You should contact an estate planning attorney who is licensed to practice in your state concerning your own situation and any specific tax or legal questions that you may have. And, make sure that your estate planning documents explicitly authorize the companies that hold your electronic data to release that data to your fiduciaries during your incapacity and after your death, which is important for the Stored Communications Act’s privacy protections.

Planning ahead for your digital property is essential to arrange for full access to your data, to keep estate administration costs down, to provide for a smooth estate administration, and to ensure that none of your valuable or significant digital property is overlooked. If you haven’t planned ahead, a computer forensics expert may be able to recover and access data from your smartphone or your computer. But, it may be practically impossible to retrieve the data from your online accounts if you haven’t planned ahead!

To help deal with situations where an incapacitated or deceased person did not plan ahead in the person’s estate plan, many states are now considering adopting the recently-approved Uniform Fiduciary Access to Digital Assets Act (UFADAA). Eight states so far have enacted laws on fiduciary authority regarding digital assets after death, and Delaware was the first state enactment based on UFADAA.

Contact your estate planning attorney today to include your digital property in your estate plan!

Posted in General | Tagged , , , , , , , , , , | Comments Off on Video Clip: Family Wants Access to Son’s Digital Data After Death

Delaware Enacts Fiduciary Access to Digital Assets Act

On August 12, 2014, Delaware’s governor signed into law the Delaware Fiduciary Access to Digital Assets Act, which is based on an earlier draft of the recently-approved Uniform Fiduciary Access to Digital Asset Act. Delaware’s new law takes effect January 1, 2015, and it grants access and authorization for digital assets to personal representatives, guardians, agents under a durable personal power of attorney, and trustees (and an adviser with authority to direct the trustees).

So far, Delaware’s Fiduciary Access to Digital Assets Act is the most comprehensive law of its type that has been enacted. Many other states are now considering the recently-approved Uniform Fiduciary Access to Digital Asset Act, which vests four types of fiduciaries with the authority to access, control, or copy digital assets, while respecting the privacy and intent of the account holder. Other states have previously enacted more limited laws on fiduciary access to digital assets, including:

  1. Connecticut Statutes § 45a-334a, signed into law on June 24, 2005, gives the personal representative of a deceased person’s estate the powers to access or copy the contents of the person’s e-mail accounts. Unfortunately, this law falls short of the current scope of online accounts and digital property, and it only applies to personal representatives.

  2. Indiana Code § 29-1-13-1.1, approved March 30, 2007, allows the personal representative to access or copy any of the decedent’s documents or information stored electronically by a “custodian.” It also requires the custodian to retain a deceased person’s electronic information for two years after receiving a request for access or copies. Unfortunately, the law only applies to personal representatives.

  3. Rhode Island General Laws Chapter 33-27, which became law on July 2, 2007, gives the personal representative of a deceased person’s estate the powers to access or copy the contents of the person’s e-mail accounts. Unfortunately, this law falls short of the current scope of online accounts and digital property, and it only applies to personal representatives.

  4. Oklahoma Statutes § 58-269, signed into law April 29, 2010, gives the personal representative of a deceased person’s estate the powers “to take control of, conduct, continue, or terminate” a deceased person’s e-mail account, social networking account, microblogging account, or short messaging service Web site. Unfortunately, this law falls short of the current scope of online accounts and digital property, and it only applies to personal representatives.

  5. Idaho Statutes § 15-3-715(28), signed into law March 16, 2011, gives the personal representative of a deceased person’s estate the powers “to take control of, conduct, continue, or terminate” a deceased person’s e-mail account, social networking account, microblogging account, or short messaging service Web site. Idaho Statutes § 15-5-424(3)(z) also grants similar powers to a person’s conservator. Unfortunately, these laws fall short of the current scope of online accounts and digital property, and they only apply to personal representatives and conservators.

  6. Virginia Code § 64.2–110, signed into law on March 13, 2013, gives the personal representative of a deceased minor’s estate (but not a deceased adult’s estate!) the power to assume the minor’s Terms of Service agreement for an online account “for purposes of consenting to and obtaining the disclosure of the contents of the minor’s communications and subscriber records pursuant to 18 U.S.C. § 2702.” Unfortunately, this law only applies to online accounts of deceased minors.

  7. Nevada Revised Statutes § 143.188, signed into law on June 1, 2013, gives the personal representative of a deceased person’s estate the power to direct the termination of any online account or similar electronic or digital asset of the decedent. However, this law does not address powers to access these accounts or copy the contents, and it only applies to personal representatives.

  8. Louisiana Code of Civil Procedure Article 3191, signed into law on June 19, 2014, gives the succession representative of a deceased person’s estate the power “to take control of, handle, conduct, continue, distribute, or terminate any digital account of the decedent,” unless the decedent’s will specifies otherwise. It requires a provider to provide access to the account within thirty days after receiving a copy of documents showing the representative’s authority, to the extent permitted by federal law. And, this law states that it supersedes any contrary provision in a Terms of Service contract for the decedent’s digital accounts. The term “digital account” includes social networking accounts, blogs, microblogs, short messaging accounts, email accounts, financial accounts, or any similar electronic services or records.

Posted in General | Tagged , , , , , , , | Comments Off on Delaware Enacts Fiduciary Access to Digital Assets Act