Access to Digital Assets – Florida’s New Law for Fiduciaries: What Are Digital Assets and Why Are They Relevant?
Do you use Facebook, LinkedIn, or Twitter? PayPal or Amazon? Do your clients bank online? Use Google or Yahoo? Have an iTunes account? Smartphone? These are examples of digital assets, and they likely have personal value, if not also some financial value, to you and your clients.
Because digital assets have financial and/or personal value to their owners, they need to be identified and protected, both to preserve value and privacy. The identification of digital assets and the planning necessitated by these types of assets affects many different aspects of clients’ lives. It also affects a broad spectrum of attorney practice areas, such as business planning and dissolution, divorce, probate, taxation, and intellectual property. This article explains Florida’s new law that governs access to digital assets by fiduciaries: guardians, agents under power of attorney, personal representatives, and trustees.
Generally, digital assets relate to data, information, and intellectual property that is transmitted or stored on electronic devices, such as smartphones or computers. Digital assets can include email accounts, social media accounts, domain names, online businesses run through eBay, gaming characters, digital currency such as Bitcoins, digital photographs, online banking, PayPal accounts, and other similar items.
How Federal Laws and Terms-of-Service Agreements Protect Digital Assets
Current federal laws, along with terms-of-service agreements (TOSA), protect access to digital assets — or limit that access by fiduciaries.
• Federal Laws —Federal laws prohibit the unauthorized access of computer systems (i.e., hacking) and prohibit unauthorized access to certain types of protected data (i.e., privacy laws). The Stored Communications Act (SCA)1 establishes privacy rights and prohibits service providers from knowingly divulging the contents of certain electronic communications and files.
The SCA, in part, concerns access to the digital assets, making it a crime for anyone to “intentionally access” without authorization a facility through which an electronic communication service is provided” as well as to “intentionally exceed” an authorization to access that facility.”2 Thus, someone who has authorization to access the facility or is acting within the limits of his or her authorization is not engaging in criminal behavior. Moreover, the SCA does not apply to “conduct authorized…by a user of that service with respect to a communication from or intended for that user.”3 Further, the SCA concerns actions by the service provider. It treats access to the contents of a communication and to noncontent records of communications differently. It prohibits a service provider from knowingly divulging the contents of a communication that is stored by or carried or maintained on that service unless disclosure is made (among other exceptions) “to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient” or “with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service.”4 The act permits disclosure of “customer records” that do not include content either with lawful consent from the customer or “to any person other than a governmental entity”5 (among other exceptions). Thus, unlike the contents, the provider is permitted to disclose the noncontent records of the electronic communications to anyone except the government, and may disclose the noncontent records to the government with the customer’s lawful consent or in certain emergencies.
This distinction between noncontent and content can be thought of as the difference between the envelope and the letter within the envelope. The protected content is the letter. The noncontent records are the envelope that identifies the addressee, address, postmark, subject line, and sender.
The privacy protections of federal law do not apply to private email service providers, such as employers and educational institutions.6 Additionally, most employers are not considered custodians because an employer typically does not have a TOSA with an employee.7 Any digital assets created through employment generally belong to the employer.
These privacy protections work well so long as the client is alive and has capacity to access and control the digital assets. But what happens when the client becomes incapacitated and can no longer access the accounts or dies? These privacy protections are viewed by some as being substantial barriers for family members and fiduciaries who seek to access the contents of a deceased or incapacitated user’s online accounts. The service providers see the privacy protections as restrictions on their ability to disclose electronic communications to anyone, unless certain exceptions are met. Their reasoning is that, if the SCA applies, the online account service provider is prohibited by law from disclosing the contents of the communications and files.
The Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access to computers.8 Like the Stored Communications Act, the CFAA protects against anyone who “intentionally accesses a computer without authorization or exceeds authorized access.”9 The CFAA is designed to protect computers in which there is a federal interest from certain threats and forms of espionage and from being used to commit fraud.10 The law imposes penalties for the unauthorized access of stored data, devices, and computer hardware.11 The Department of Justice has stated that the CFAA is broad enough in scope to permit the federal government to prosecute someone if the person violates the access terms of a website’s TOSA or usage policies.12
• Terms-of-Service Agreements —If the provider’s TOSA prohibits third parties from accessing the account, when the fiduciary does so — even with the account holder’s authorization — he or she violates the TOSA and thereby exceeds his or her authorized access to the service provider’s system.
How Florida Laws Protect Digital Assets While Permitting Access to Fiduciaries
The Florida Computer Crimes Act13 and F.S. Ch. 934 (addressing security of communications and surveillance) cover computer-related crimes and the security of communications, and are modeled after the federal Stored Communications Act. Neither addresses the ability of a fiduciary to legally access, duplicate, or control digital assets. Upon an account holder’s death or incapacity, many questions arise: How does a fiduciary identify and locate that person’s digital assets? Who has control or ownership? How is an account accessed when no one has the decedent’s password? Does the original TOSA control whether a successor may gain access to an account?
Resolution of these issues requires a balancing of the fiduciary’s duty to identify and access the digital assets and the custodian’s duty to protect the original account holder’s privacy and not divulge information that could be a violation of state or federal computer security laws.
• Florida Fiduciary Access to Digital Assets Act —In the 2016 Florida legislative session, the Florida Fiduciary Access to Digital Assets Act14 was passed to provide fiduciaries with the ability to access the digital assets of the decedent, principal, ward, or trust, as if the fiduciary were the computer account holder, with some limitations. The overall purpose of the act is twofold.
“First, it provides fiduciaries the legal authority to manage digital assets and electronic communications in the same manner that they manage tangible assets and accounts….Second, [it] provides…custodians of digital assets and electronic communications the legal authority they need to interact with the fiduciaries of their users while honoring the user’s privacy expectations for his or her personal communications.”15
The act closely follows a new uniform state law drafted by the Uniform Law Commission and supported by the internet service provider industry. The RPPTL Section of The Florida Bar adapted the model act for consideration by the Florida Legislature.
The act establishes the ability of the digital asset owner, called the “user” in the act, to direct disclosure of digital assets. It also sets the order of preference for the user’s direction. From that point, the rights of a fiduciary to obtain content of electronic communications is outlined, as well as access to all of the user’s other digital assets. The result is that an authorized fiduciary will be an authorized user for purposes of criminal laws prohibiting unauthorized access to electronic accounts. For purposes of privacy laws prohibiting email service providers from disclosing an account holder’s records without the account holder’s consent, the act provides that an authorized fiduciary has the lawful consent of the account holder.
The act introduces the concept of an “online tool” for directing fiduciary access. An online tool is defined as “an electronic service provided by a custodian which allows the user…to provide directions for disclosure or nondisclosure of digital assets to a third person.”16 The service must be distinct and separate from the TOSA. Two examples are Facebook’s Legacy Contact and Google’s Inactive Account Manager. The act provides that a direction regarding disclosure using an online tool supersedes a contrary direction in a will, trust, power of attorney, or TOSA (provided the online tool is available at all times). In the absence of an online tool directive, the user’s direction in a will, trust, power of attorney, or other record prevails over the blanket TOSA, and if there is no written direction other than the TOSA, the TOSA will control.17
The act addresses four different types of fiduciaries and the manner in which each may access the content of electronic communications, the noncontent of electronic communications, and other digital assets that are not electronic communications. The chart accompanying this article offers a quick reference; situational examples are provided herein from the legislative history.18
• Agent Under a Power of Attorney — With respect to the contents of electronic communications, the agent under a power of attorney must be specifically authorized by the principal to access the contents of the principal’s electronic communications.19 Because a power of attorney contains the consent of the user, federal privacy laws should not prevent the agent from exercising authority over the content of electronic communications. There should be no question that an explicit delegation of authority in a power of attorney constitutes authorization from the user to access digital assets and provides “lawful consent” to allow disclosure of electronic communications from a custodian pursuant to applicable law. Both authorization and lawful consent are important because 18 U.S.C. §2701 addresses intentional access without authorization, and 18 U.S.C. §2702 allows a provider to disclose with lawful consent.
An agent acting pursuant to a power of attorney granting specific authority over digital assets or general authority to act on behalf of a principal is permitted access to the catalog of a principal’s electronic communications and any other digital assets (and not the contents of electronic communications), unless otherwise directed by the principal, a court, or the power of attorney.20
• Example 1: Access to Digital Assets by Agent — X creates a power of attorney designating A as X’s agent. The power of attorney expressly grants A authority over X’s digital assets, including the content of an electronic communication. X has a bank account for which X receives only electronic statements. X has stored photos in a cloud-based internet account; and X has a game character and in-game property associated with an online game. X also has an email account with a company that provides electronic communication services to the public.
A has the authority to access X’s electronic bank statements, the photo account, and the game character and in-game property associated with the online game, all of which fall under the act’s definition of a “digital asset.” This means that, if these accounts are password-protected or otherwise unavailable to A as X’s agent, then the bank, the photo account service provider, and the online game service provider must give access to A when the request is made in accordance with §740.009. The custodian may require specific identification of the account and evidence linking the account to the principal. If the TOSA permits X to transfer the accounts electronically, then A as X’s agent can use that procedure for transfer as well.
As X’s agent, A is also able to request that the email account service provider grant access to emails sent or received by X. This act permits the service provider to release the catalog and, because the power of attorney expressly granted authority over the contents of electronic communications sent or received by X, the service provider also must provide A access to the content of an electronic communication. The custodian may require specific identification of the account and evidence linking the account to the principal. The bank may release the catalog of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not a custodian providing a remote-computing service to the public.21
• Guardian of a Ward —A guardian is not permitted to access the contents of a ward’s electronic communications absent consent by the ward. A guardian is permitted, however, to access all of the ward’s other digital assets pursuant to letters of guardianship or a court order, unless directed otherwise by a court or by the user.22 The custodian may request specific identification of the account and evidence linking the account to the ward. The custodian may suspend or terminate an account for good cause if requested by the guardian of the property. This section establishes that the guardian must be specifically authorized (not implicitly authorized) to access the ward’s digital assets and electronic communications.
• Example 2: Access to Digital Assets by Guardian — C is seeking appointment as the guardian of the property for P. P has a bank account for which P received only electronic statements; P has stored photos in a cloud-based internet account; and P has an email account with a company that provides electronic communication services to the public. C needs access to the electronic bank account statements, the photo account, and emails.
Without a court order that explicitly grants access to P’s digital assets, including the catalog of electronic communications, C has no authority pursuant to this act to access the electronic bank account statements, the photo account, or the emails. The contents of the email account may not be disclosed without the express consent of P (granted prior to incapacity). The service provider may suspend or terminate an account for good cause if requested by C as P’s guardian. The bank may release the catalog of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not a custodian providing a remote computing service to the public.23
• Personal Representative of Estate of Deceased User —A personal representative is not permitted to access the contents of a decedent’s electronic communications absent consent by the user or direction by a court.24 The default rule is that the personal representative is authorized to access all of the decedent’s digital assets other than the contents of electronic communications.25 If the decedent prohibited disclosure or a court directs otherwise, then the personal representative is denied access. The custodian may request a court order specifically identifying the account, finding consent, or finding that access is reasonably necessary for estate administration.
• Example 3: Access to Digital Assets by Personal Representative — D dies with a will that is silent with respect to digital assets. D has a bank account for which D received only electronic statements; D has stored photos in a cloud-based internet account; and D has an email account with a company that provides electronic communication services to the public. The personal representative of D’s estate needs access to the electronic bank account statements, the photo account, and emails.
The personal representative of D’s estate has the authority to access D’s electronic banking statements and D’s photo account, which both fall under the act’s definition of a “digital asset,” unless D opted out or a court directs otherwise. This means that, if these accounts are password-protected or otherwise unavailable to the personal representative, then the bank and the photo account service provider must give access to the personal representative when the request is made in accordance with §740.007. The custodian may request a court order specifically identifying the account and finding that access is reasonably necessary for estate administration. If the TOSA permits D to transfer the accounts electronically, then the personal representative of D’s estate can use that procedure for transfer as well.
The personal representative of D’s estate is also able to receive the catalog of emails sent or received by D on the email account. The custodian will not provide the personal representative access to the content of an electronic communication sent or received by D if D did not consent to disclose the content. The custodian may request a court order specifically identifying the account and finding consent.
The bank may release the catalog of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not a custodian providing a remote computing service to the public.26
• Trustee of Trust —A trustee may have title to digital assets and electronic communications when the trust itself becomes the user of a digital asset held by the trust, and when the trustee becomes a user for trustee business. A trustee that is an original user of an asset may access any digital asset — including catalog and content of electronic communications — held by the trust unless that is contrary to the terms of the trust or otherwise directed by a court.27
A trustee that is not an original user may access the content of an electronic communication in an account of the trust if the trust includes consent to such disclosure, unless prohibited by the user, the trust instrument, or a court.28 In situations involving either an inter vivos transfer of a digital asset into a trust or transfer via a pour-over will into a trust, a trustee becomes a successor user. A trustee that is not an original user may access the catalog of electronic communications and any digital assets in an account of the trust, unless prohibited by the user, the trust instrument, or a court. The custodian may require specific identification of the account and evidence linking the account to the trust. The underlying trust documents and the Florida Trust Code will supply the allocation of responsibilities between and among trustees.
• Example 4: Access to Digital Assets by Trustee — T is the trustee of a trust established by S. As trustee of the trust, T opens a bank account for which T receives only electronic statements. S transfers into the trust to T as trustee (in compliance with a TOSA) a game character and in-game property associated with an online game and a cloud-based internet account in which S has stored photos. S also transfers to T as trustee (in compliance with the TOSA) an email account with a company that provides electronic-communication services to the public.
T is an original user with respect to the bank account that T opened, and T has the ability to access the electronic banking statements. T, as successor user to S, may access the game character and in-game property associated with the online game and the photo account, which both fall under the act’s definition of a “digital asset.” This means that, if these accounts are password-protected or otherwise unavailable to T as trustee, then the bank, the photo account service provider, and the online game service provider must give access to T when the request is made in accordance with §740.03. If the TOSA permits the user to transfer the accounts electronically, then T as trustee can use that procedure for transfer as well. The custodian may require specific identification of the account and evidence linking the account to the trust.
T, as successor user of the email account for which S was previously the user, is also able to request that the email account service provider grant access to emails sent or received by S. The act permits the service provider to release the catalog, unless otherwise directed by the user, the trust, or a court. The service provider also must provide T access to the content of an electronic communication sent or received by S if the trust includes consent to disclosure of the contents of electronic communications to the trustee. The custodian may require specific identification of the account and evidence linking the account to the trust. The bank may release the catalog of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not a custodian providing a remote computing service to the public.29
• Manner of Disclosure — The custodian has three options for disclosing digital assets.30 First, the custodian may allow the fiduciary to access the user’s account. Second, the custodian may allow the fiduciary to partially access the user’s account if such limited access is sufficient to perform the necessary tasks. Third, the custodian may provide the fiduciary with a “data dump” of all digital assets held in the account. A custodian may assess a reasonable administrative charge for the cost of disclosing a user’s digital assets. Deleted assets need not be disclosed. A request for some, but not all, of a user’s digital assets need not be fulfilled if segregation is unduly burdensome. Instead, either party may petition the court for further instructions.
Conclusion
As a result of the Florida Fiduciary Access to Digital Assets Act, digital asset users may provide direction 1) through an online tool with the internet service provider as to who may access their digital asset, and, absent that tool; 2) by documenting who should have access to the asset and what should be done with the asset once the user is no longer controlling it personally. The Florida act also provides default rules to permit management of such assets by a fiduciary.
1 18 U.S.C. §§2701-2712.
2 18 U.S.C. §2701(a).
3 18 U.S.C. §2701(c)(2).
4 18 U.S.C. §§2702(b)(1), (3) (emphasis added).
5 18 U.S.C. §§2702(c)(2) and (6).
6 See 18 U.S.C. §2702(a)(2); James D. Lamm, Christina L. Kunz, Damien A. Riehl & Peter John Rademacher, The Digital Death Conundrum: How Federal and State Laws Prevent Fiduciaries from Managing Digital Property, 68 U. Miami L. Rev. 385, 404 (2014), available at http://goo.gl/T9jX1d.
7 See Fla. Stat. §740.002(1) (2016) (defining account as an “arrangement under a terms-of-service agreement in which the custodian carries, maintains, processes, receives, or stores a digital asset of the user or provides goods or services to the user”).
8 18 U.S.C. §1030.
9 18 U.S.C. §1030(a)(2).
10 See 18 U.S.C. §1030(a).
11 18 U.S.C. §1030(c).
12 James D. Lamm citing Richard Downing, Deputy Chief of the DOJ’s Computer Crime and Intellectual Property Section, Criminal Division, in testimony presented on November 15, 2011, before the U.S. House Committee on Judiciary, Subcommittee on Crime, Terrorism, and National Security. See Jim Lamm, Planning Ahead for Access to Contents of a Decedent’s Online Accounts (Feb. 9, 2012), http://www.digitalpassing.com/2012/02/09/planning-ahead-access-contents-decedent-online-accounts/.
13 Fla. Stat. Ch. 815.
14 Fla. Stat. Ch. 740.001, et seq. (effective July 1, 2016).
15 The Florida Senate Bill Analysis and Fiscal Impact Statement, S.B. 0494, Summary (Jan. 21, 2016), available at http://www.flsenate.gov/Session/Bill/2016/0494/?Tab=Analyses; see also National Conference of Commissioners on Uniform State Laws, Revised Uniform Fiduciary Access to Digital Assets Act (2015) Prefatory Note.
16 Fla. Stat. §740.002(16) (2016).
17 Fla. Stat. §740.003 (2016).
18 Real Property, Probate, and Trust Law Section of The Florida Bar, White Paper: Proposed Enactment of Chapter 740, Florida Statutes (2015) (on file with the Senate Committee on Judiciary), available at www.rpptl.org [hereinafter White Paper].
19 Fla. Stat. §740.008 (2016).
20 Fla. Stat. §740.009 (2016).
21 White Paper at Example 3.
22 Fla. Stat. §740.04 (2016).
23 White Paper at Example 2.
24 Fla. Stat. §740.006 (2016).
25 Fla. Stat. §740.007 (2016).
26 White Paper at Example 1.
27 Fla. Stat. §740.01 (2016).
28 Fla. Stat. §740.02 (2016).
29 White Paper at Example 4.
30 Fla. Stat. §740.005 (2016).
S. Dresden Brunner practices law in wills, trusts, and estates with the Naples firm of S. Dresden Brunner, P.A. She has served on the RPPTL Section Executive Council for 16 years and is co-vice chair of its Digital Assets Committee. She has received the section’s Rising Star Award and Annual Service Award.
This column is submitted on behalf of the Real Property, Probate and Trust Law Section, Deborah Packer Goodall, chair, and Doug Christy and Jeff Goethe, editors.
