Plan Ahead: Protect Your #DigitalFootprint
As the world turns paperless, digital assets have become the new norm. There are over 2.4 billion users of the Internet worldwide, up 566 percent since 2000.2 Among Americans, 85 percent of adults and 95 percent of teenagers use the Internet.3 Of those Americans, two-thirds of them engage in social media, e.g., Facebook, LinkedIn, or Twitter, which absorbs more than 25 percent of all time spent online. More than 50 percent of American seniors are online.4 And, a surprising 92 percent of children under the age of two have a digital presence.5
Despite the fact that the world’s digital footprint is extensive, planning for digital assets is limited. Further, digital assets are constantly changing and growing. Unfortunately, such growth is outpacing existing state and federal laws governing digital assets. Moreover, online service providers each have their own terms of service (TOS) agreements, and they are not uniform. Surrounded by an unpredictable and evolving legal landscape, it is important for clients to be aware of potential issues that may arise with respect to their digital footprint and to plan accordingly.
What are Digital Assets?
Digital assets are information created, generated, sent, communicated, received, or stored by electronic means on a system for the delivery of digital information or on a digital device. A digital asset, thus, is any item of text or media formatted into a binary source that includes the right to use it — think electronic record.6
Digital Assets: Real Value
According to a global survey conducted in 2014 by McAfee, the average person has digital assets worth approximately $35,000.7 Even though digital assets may not be the most valuable assets for clients, they can be some of the most cherished, e.g., the family’s digital photos, videos, personal blogs, information stored on social media sites, and email accounts. Nevertheless, some digital assets have substantial monetary value. For example, real estate in the virtual world “Entropia Universe” sold for $650,000; the domain name fun.com sold for approximately $10 million; and OkCoin, the largest Bitcoin exchange, transacted close to 1.9 million bitcoins (over $1 billion) in September 2014.8 Like other property, digital assets need to be managed during life and protected after death or incapacity.
Obstacles to Access by Fiduciaries
In the modern world, digital assets have largely replaced tangible ones. Documents are stored in electronic files instead of in file cabinets. Photographs are uploaded to websites instead of printed on paper. Stacks of letters are now email folders. However, the laws governing fiduciary access to these digital assets are scarce and outdated. Even if a fiduciary can determine what digital assets are held by the account holder, the fiduciary may not be able to access the digital assets. The following are three obstacles facing a fiduciary:
• Passwords and Encryption — The initial hurdle for most fiduciaries is encryption. This safety buffer can usually be solved by knowing the password. But fiduciaries rarely have passwords, and without one, many online service providers will not grant access to the fiduciary, nor are they required by law to release contents or provide access. Service providers may, in certain circumstances, voluntarily provide some content to the fiduciary; however, such a decision is entirely within their discretion. Even in the rare event a fiduciary has the password, he or she still may want to pause before accessing the online account because such action could result in criminal liability.
• Federal and State Laws — All 50 states have criminal laws prohibiting unauthorized access to digital assets, but only seven states have enacted statutes governing digital assets.9 Numerous other states have proposed legislation or are in the process of drafting legislation, including Florida. All seven of the existing state statutes grant a fiduciary access to digital assets and eliminate state criminal liability, but there is no uniformity with respect to how they treat digital assets (e.g., types of digital assets covered, whether death or incapacity is covered, and the rights and type of fiduciary covered).
Federal law is outdated. The main two federal laws governing digital assets are the Stored Communications Act (SCA) and the Computer Fraud and Abuse Act (CFAA), both passed in 1986 — the virtual dark ages. In fact, such federal laws add the following constraints on fiduciaries.
The SCA, also known as Privacy Protection Laws, penalizes the “unauthorized distribution” of electronic files and communications, including to a fiduciary or heir, unless a lawful consent exception applies. However, lawful consent only permits disclosure by an online service provider, it does not require disclosure. This issue was litigated in In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, No. C 12 80171 LHK (N.D. Ca. Sept. 20, 2012). In that case, a decedent’s family tried to compel Facebook’s release of certain account content, and the court held that the SCA allowed only voluntary disclosure and that the service provider, Facebook, was not required to disclose the account contents. The court did not rule on whether the personal representative possessed lawful consent of the decedent, but allowed Facebook to decide. The ruling permits Facebook (and other service providers) the discretion to disclose account contents, but holds they cannot be compelled. Facebook has declined to do so, thus far.
The CFAA, also known as anti-hacking laws, provides a strong barrier to fiduciary access of digital assets. The CFAA criminalizes intentional unauthorized access or exceeding authorized access, which includes the violation of a website’s terms of service agreement. Therefore, even if a fiduciary or heir was voluntarily given the username/password, accessing the online account could subject the fiduciary or heir to criminal prosecution.
• Terms of Service Agreements — Terms of service agreements (those pesky small-print documents that pop up when establishing an account that users typically check the “agree” box without reading) are another obstacle to access. Many prohibit a user from allowing another to access his or her account. For example, both TOS agreements for Facebook and Microsoft’s Hotmail specifically prohibit sharing passwords and accessing another’s account even with permission from the account holder. The U.S. Department of Justice declares it a crime under the CFAA to violate a website’s TOS agreement; however, they have pronounced a restraint against prosecuting minor violations.10 Unfortunately, though, they have not expressed what constitutes a minor violation.11 Fiduciary access to an incapacitated or deceased person’s online accounts may be a crime under the CFAA, if it “exceeds authorized access” as described in a website’s TOS agreement. It is disturbing that logging on to your spouse’s account could result in a felony. As absurd as that may sound, leaving the matter to prosecutorial discretion may not provide much comfort to fiduciaries who wish to avoid potential liability, especially to professional fiduciaries that tend to be sensitive about liability and reputation risks.
These obstacles leave account holders uncertain about the future of their digital assets, online service providers fending for themselves when drafting their TOS agreements, and fiduciaries choosing whether to risk civil liability if they refuse to manage digital assets or criminal liability if they perform their duties.
Current State of the Law — and a Solution?
The National Conference of Commissioners on Uniform State Laws passed the Uniform Fiduciary Access to Digital Assets Act (UFADAA) on July 16, 2014. The primary purpose of UFADAA is to grant fiduciaries the authority to access, control, and manage digital assets, while maintaining the account holder’s privacy and intent. In other words, it fills a void by creating a legal right where none had existed.
The UFADAA is model legislation that can be enacted by state (not federal) legislatures and does not become law until approved and enacted by such states. An issue that the drafting committee had to overcome was the supremacy clause and the U.S. Supreme Court’s interpretation. The Supreme Court has long held that state laws in conflict with federal laws are preempted by federal law. To ensure that UFADAA would be enforceable by fiduciaries against online service providers, the committee had to craft a law that would not be directly in conflict with federal law and would survive constitutional challenge.
UFADAA covers four types of fiduciaries: 1) personal representatives/executors, 2) conservators/guardians, 3) agents under a power of attorney, and 4) trustees. It specifically defines a fiduciary as an authorized user, which should avoid liability for the fiduciary under the CFAA as well as applicable state laws that prohibit unauthorized access. With respect to TOS agreements, UFADAA provides that “fiduciary access, by itself, will not be deemed a violation of a TOS agreement or deemed unauthorized transfer of an account.” In addition, it provides that fiduciaries have lawful consent, which would allow service providers to voluntarily disclose information under the SCA; however, even with lawful consent, it is important to note a fiduciary cannot compel disclosure by the service provider.
UFADAA presumes that the interest to manage both digital and nondigital assets is similar and relies on a well-established existing state law pertaining to fiduciaries’ rights over nondigital assets — the right to “step into the shoes” of a decedent to manage the assets. Accordingly, the UFADAA intends to grant the fiduciary the same authority as the account holder over the digital assets.
The UFADAA applies only to fiduciaries, as defined. A family member or heir of the account holder may seek to access the account, but, unless such person is a fiduciary, the UFADAA does not cover such actions.
What to Do? What to Do!
As discussed above, fiduciaries face many obstacles with respect to digital assets that do not apply to traditional assets. Therefore, proactive planning for these assets is necessary. There are two critical steps a client should take.
First, identify and create an inventory (hard copy or electronic) of all digital assets. The inventory can and should be updated regularly. A different plan for each category of digital asset may be needed. Many applications exist to help clients plan for their digital assets. For clients who change their password frequently and/or use many different passwords (both recommended for security purposes), applications such as 1Password, LastPass, Dashlane , etc., store all passwords with access to the list through only one main password. The future may bring more simplicity as fingerprints may become the new form of password. There are also several third-party storage providers for digital assets that act as electronic safe deposit boxes and only release information upon the user’s death or incapacity. These allow clients to easily update information during life and grant their personal representative or guardian immediate access upon death or incapacity. However, privacy concerns exist because these storage providers are targets for identity theft. In addition, this is a relatively new industry and there are no guarantees these companies will still be in business at a client’s passing.
Second, provide the fiduciary access to the digital assets. During life, a client may wish to grant an individual the ability to have immediate access by creating an account with multiple users or appointing an agent through a durable power of attorney. If using a durable power of attorney, a provision granting access to administer digital assets (which could be specific to certain types of digital assets or broad applying to all digital assets) should be explicitly included. Currently, no states have modified their power of attorney statutes to include digital assets. Additionally, a review of the TOS agreement is essential because it may trump any lifetime planning. Your client may also wish to create backup files of tangible media through DVDs, CDs, flash drives, external hard drives, or a cloud service.
After death, a last will and testament or revocable trust can give a fiduciary access to a decedent’s digital assets. The will or trust can specifically devise digital assets and appoint a fiduciary (such as a digital personal representative or digital trustee) to administer the digital assets. Another option is to draft a separate letter of instruction with respect to digital assets or incorporate it by reference into a will or trust to the extent allowed under state law. For example: “I have prepared a memorandum with instructions concerning my digital assets and their access, handling, distribution, and disposition. I direct my personal representative to follow my instructions concerning my digital assets.” Because the Florida Probate Code only permits separate writings regarding tangible personal property, it may not be effective (yet).13 P erhaps it could be incorporated by reference under F.S. §732.512. Regardless, such a provision would only be effective if directly included in a will or trust, so also consider incorporating a definition of digital assets (you may want to use the UFADAA’s definition until the time Florida adopts one). Your client’s will or trust should specifically provide which digital assets are under the fiduciary’s control and where or how to dispose of them after death. Explicit directions are more likely to convince the service providers to grant the fiduciary access.
The following is sample language to consider including as part of fiduciary powers:
To access, use, and control my digital devices, including but not limited to, desktops, laptops, tablets, peripherals, storage devices, mobile telephones, smart phones, and any similar devices, which currently exists or may exist as technology develops for the purposes of accessing, modifying, deleting, controlling, or transferring my digital assets.
To access, modify, delete, control, and transfer my digital assets, including but not limited to, emails received, email accounts, digital music, digital photographs, digital videos, software licenses, social network accounts, file sharing accounts, web hosting accounts, tax preparation services accounts, online stores, affiliate programs, other online accounts, and similar digital items which currently exist or may exist as technology develops. To obtain, access, modify, delete, and control my passwords and other electronic credentials associated with my digital devices and digital assets described above.
Advisors need to be familiar with the evolving federal and state laws relevant to digital assets and the importance of planning for a client’s digital assets under the applicable laws. The estate planning norm of the future will include granting a fiduciary the right to manage digital assets.
Each client’s digital footprint increases exponentially every day. Amidst the developing legal landscape, it is important that your clients establish a plan to protect and secure their digital footprint. Such a plan is essential to 1) make a transition easier (or perhaps possible) for their family or fiduciary in the event of death or incapacity, 2) prevent identity theft, 3) prevent financial loss, and 4) protect their digital assets with sentimental value ( e.g. , photographs, videos, blogs).
1 MSNBC, What Happens on the Internet Every 60 Seconds, June 16, 2011, http://technolog.msnbc.msn.com/_news/2011/06/16/6874191-what-happens-on-the-internet-every-60-seconds.
2 Abena Hagen, Secure Your Digital Legacy by Planning Ahead, The Digital Beyond (July 31, 2014), http://www.thedigitalbeyond.com/2014/07/secure-your-digital-legacy-by-planning-ahead/.
3 Pew Research Center, Internet and American Life Project Demographics of Adult Internet Users (May 2013) and Teen Internet Access Demographics (Sept. 2012).
6 National Conference of Commissioners on Uniform Laws, Uniform Fiduciary Access to Digital Assets Act §2, ¶9, Draft (June 6, 2014).
7 Evan Carroll, How Much Are Your Digital Assets Worth? About $35,000, The Digital Beyond (July 24, 2014), www.thedigitalbeyond.com/2014/07/how-much-are-your-digital-assets-worth-about-35000/.
8 Bitcoin Charts, http://bitcoincharts.com/markets/okcoinCNY.html.
9 Connecticut, Rhode Island, Indiana, Oklahoma, Idaho, Virginia, and Nevada.
10 Cyber Security: Protecting America’s New Frontier: Hearing Before the Subcomm. on Crime, Terrorism and Homeland Security of the House Comm. on the Judiciary, 112th Cong. Serial No. 112-80 (Nov. 12, 2011) (statement of Richard Downing, deputy chief, Computer Crime and Intellectual Property Section, Criminal Division, U.S. Department of Justice).
11 See Brian Fung, The Justice Department Used this Law to Pursue Aaron Swartz. Now It’s Open to Reforming It, Washington Post , Feb. 7, 2014, available at http://www.washingtonpost.com/blogs/the-switch/wp/2014/02/07/the-justice-department-used-this-law-to-pursue-aaron-swartz-now-its-open-to-reforming-it/.
12 Author has a written response from Apple iTunes that you can transfer the ownership of the account at death with proper documentation. Note, the new owner can access the account, but cannot transfer purchases to another account , e.g., move the music from the decedent’s account to a child’s separate account.
13 Fla. Stat. §732.515.
Mark R. Parthemer is a managing director and senior fiduciary counsel for the southeast region of Bessemer Trust, a wealth management firm for high net-worth individuals. He oversees the firm’s estate planning and fiduciary services from Miami to Washington, D.C. He also leads Bessemer’s Advanced Implication Modeling Team.
Sasha Klein is a vice president and fiduciary officer/counsel for the southeast region of Bessemer Trust. She manages all facets of trust administration services for Florida and chairs Bessemer’s Special Investment Discretionary Distribution Committee.
This column is submitted on behalf of the Tax Section, Cristin C. Keane, chair, and Michael D. Miller and Benjamin Jablow, editors.