Digital Update: Status of Revised Uniform Fiduciary Access to Digital Assets

Act and Alternative Planning Solutions

American Bar Association Real Property Trust and Estate Law Section

May 13, 2016

Karin Prangley Brown Brothers Harriman & Co., Chicago, Illinois

I. Why the Need for a Uniform Law?

A. Proper planning for digital assets is complicated by certain obstacles to access. The first obstacle is lack of awareness—the fiduciary may not even know that an asset exists. Beyond that hurdle is the question of the fiduciary’s authority to marshal digital assets. Proper authorization goes beyond merely having the username and password. This obstacle is not only serious, it is also counterintuitive to many estate planners accustomed to the plenary authority of legally appointed fiduciaries: there is potential criminal liability for access by a legally appointed fiduciary. Obstacles include:

1. Usernames and passwords. Most online accounts are password protected and the passwords can be reset only with access to the account holder’s email account. Many fiduciaries will simply be unaware of the usernames and passwords relevant to the deceased or disabled person’s digital assets.

2. Added security measures. Some individuals plan ahead and make lists of usernames and passwords for their spouses or named fiduciaries. But what about security questions? Some accounts require not only the username and password but also answers to questions that perhaps only the account holder would know: name of first grade teacher; make and model of first car; favorite food; etc. Some smartphones are not accessed with PINs or passwords, but with a unique swipe pattern invented by the phone’s owner. Stay tuned, because soon we will see fingerprint, retina scan, and biometric security measures in place.

3. Inadequate laws. Only a few states have enacted legislation addressing fiduciary access to digital assets (See Section V for a complete discussion).

4. The terms of service (TOS). The account provider’s TOS agreements are frequently silent as to fiduciary access or postmortem options, or they simply prohibit transfer altogether (postmortem or otherwise).

(a) Yahoo’s policy specifies: “We know that dealing with the loss of a relative is very difficult. To protect the privacy of your loved one, it is our policy to honor the initial agreement that they made with us, even in the event of their passing. At the time of registration, all account holders agree to the Yahoo TOS. Pursuant to the TOS, neither the Yahoo account nor any of the content therein are transferable, even when the account owner is deceased. As a result, Yahoo cannot provide passwords or access to deceased users’ accounts, including account content such as email. Yahoo does have a process in place to request that your loved one’s account be closed, billing and premium services suspended, and any contents permanently deleted for privacy.” Options Available When a Yahoo Account Owner Passes Away, Yahoo! Help, http://tinyurl.com/q76cvg8.

(b) As further discussed in Section VI of this outline, Google and Facebook both allow account holders to designate individuals who may have limited access or control of their accounts following death. In the absence of such a designation, Facebook will

allow a personal representative or family member to obtain content with a court order via “Special Request.” See How do I Submit a Special Request for a Deceased Person’s Account on the Site?, Facebook, http://tinyurl.com/k2ldyb6 (once the account is “memorialized,” Facebook will not allow anyone except the user (who is then of course deceased) to log into the Facebook account. It will allow verified family members to request that the account be removed from Facebook). Google’s policy provides that in certain circumstances, authorized representatives may gain access to the content in the deceased user’s account. https://support.google.com/accounts/contact/deceased?hl=en.

5. Encryption. Encryption can stymie efforts to properly administer an estate. One often cited example of this was Leonard Bernstein, who died in 1990, leaving the manuscript for his memoir entitled “Blue Ink” on his computer in a password protected file. To this day, apparently no one has been able to break the password and access the document. Helen Gunnarsson, Plan for Administering Your Digital Estate, 99 Ill. B.J. 71 (2011).

6. Copyright, commercial privacy and data protection statutes. There are other bodies of law that might impede a fiduciary from downloading or distributing another person’s digital files: such action may violate copyright law, the limited common law of privacy, trade secret law and the federal and any state personal data protection statutes. For example, Massachusetts has a data security statute which requires encryption of personal information “owned or licensed [held by permission]” by any person. See 201 CMR 17.00 (2010) (generally effective March 1, 2010, which requires businesses to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs). According to the National Conference of State Legislatures, 46 states have enacted a data breach or privacy law of some kind.

7. Federal and state computer fraud and abuse acts. All states and the U.S. Congress have enacted laws that criminalize (or at least, create civil liability for) unauthorized access to computers. What does “unauthorized” mean? A widow may believe that if her husband gave her his username and password with the intent that she would be able to access the data after his death, she has been authorized to access the data, but the decedent’s authorization is not sufficient. If the digital asset provider’s TOS do not authorize a fiduciary to access a deceased or disabled user’s account, then access by that fiduciary is unauthorized and, consequently, a criminal act. Only the service provider’s TOS can “authorize” the fiduciary’s access.

(a) All fifty states have criminal laws prohibiting unauthorized access to electronic data. A helpful chart of such laws can be found at: http://www.ncsl.org/research/telecommunications-and-information-technology/computer-hacking-and-unauthorized-access-laws.aspx

(b) The Computer Fraud and Abuse Act (“CFAA”), enacted in 1986, makes it a federal crime intentionally to access a computer without authorization or exceeding authorization and thereby obtain financial data or information from a computer system. 18 U.S.C. §1030.

2

(c) Although “without authorization” is not defined, the term “exceeds authorized access” is defined 18 U.S.C. §1030(e)(6) in the CFAA to mean: “[t]o access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” This second prong, wherein a user who has access, but exceeds his or her authority by accessing other files or information on the system, like the first, is designed to prohibit something nefarious: computer trespass. Although the state statutes vary in their coverage, they also typically prohibit “unauthorized access.”

(d) Unfortunately, the fact that a fiduciary is “authorized” by the owner or state law to use a computer or to act for an account user may not be an absolute bar to CFAA prosecution, even if it should be. By accessing another’s digital accounts or assets online, the fiduciary may be violating the account provider’s TOS. That renders the access unauthorized and, consequently, violative of the CFAA.

(e) The concern is that some federal prosecutors may use the CFAA to prosecute defendants based solely on violations of a website’s TOS.

(f) The U.S. Department of Justice has stated that violating a term of service on Facebook or Match.com is a federal crime under the CFAA; however, it is not the Department’s intention to prosecute “minor” violations. U.S. v. Nosal, 642 F.3d 781(9th Cir. 2011); see also, Cyber Security: Protecting America’s New Frontier, Hearing Before the Subcomm. on Crime, Terrorism, and Homeland Sec., House Comm. on the Judiciary, 112th Cong. (2011) (statement of Richard Downing, Deputy Chief, Computer Crime and Intellectual Prop. Sec., Crim. Div., Dep’t of Justice).

(g) What constitutes a “minor” violation? The Aaron Swartz case is the most recent, highly publicized example of when in fact such prosecution does occur. See Andrea Peterson, The Law Used to Prosecute Aaron Swartz Remains Unchanged a Year After His Death, Washington Post (Jan. 11, 2014), http://tinyurl.com/otpk3d2. Aaron Swartz was a self-described internet activist who committed suicide in 2013, while facing prosecution for downloading, without permission, 4.8 million academic articles from the JSTOR digital library system.

(h) In 2006, a mother who created a fake “MySpace” profile in violation of MySpace’s TOS, in order to bully a child who subsequently committed suicide, was prosecuted and convicted solely under the CFAA. That is, there was no underlying state law violation that applied to her conduct. Ultimately, the trial judge overturned her conviction, ruling that the conscious violation of a website’s TOS, alone, is not automatically a criminal violation of the CFAA. U.S. v. Drew, 259 F.R.D. 449 (C.D. Cal. 2009).

8. The Stored Communications Act. Congress enacted the Stored Communications Act (“SCA”) in 1986, as a part of the Electronic Communications Privacy Act (“ECPA”). See generally 18 U.S.C. §§ 2701-2711; See also Orin S. Kerr, A User’s Guide to the Stored Communications Act, and a Legislator’s Guide to Amending It, 72 Geo. Wash. L. Rev. 1208. (2004).

(a) The Stored Communications Act prohibits certain providers of

3

communications services to the public from disclosing the content of its users’ communications to a government or nongovernment entity (different rules apply to each), except under limited circumstances which are akin to the warrant required under the Fourth Amendment for a governmental search.

(b) If the provider of the electronic communications service provides it only to employees or students, and not to the general public, that provider is not subject to the SCA and cannot use its provisions as a shield against a fiduciary’s request or law enforcement for copies of communications or access to an account.

(c) Private social media account contents with photos, videos, or posts may all be “communications” protected by the SCA. See Rudolph J. Burshnic, Applying the Stored Communications Act to the Civil Discovery of Social Networking Sites, 69 Wash. & Lee L. Rev. 1259 (2012).

(d) The SCA applies different rules to government/law enforcement entities requesting information than to others, such as fiduciaries. Under the SCA, law enforcement officials can, under certain circumstances, force or compel the provider who is otherwise covered and subject to the SCA to divulge the contents of an account.

(e) A fiduciary, however, can never compel the provider to divulge the same information. The public communications provider may voluntarily disclose the communications to a fiduciary, but only if an exception to the SCA’s blanket prohibition against disclosure applies. 18 U.S.C. § 2702(b). The relevant exception for fiduciaries permits service providers to disclose communications with the “lawful consent” of “the originator” or an addressee or intended recipient of such communication[s], or the subscriber. 18 U.S.C. § 2702(b)(3). Whether a fiduciary can provide such lawful consent on behalf of the originator is a very important question that remains the subject of debate.

(f) Facebook asked one court, in its memo supporting Facebook’s motion to quash a civil subpoena for information contained in a deceased user’s profile and account, to alternatively hold that the fiduciary had lawful consent and to order Facebook to disclose the requested content. In 2012, a federal judge in California granted Facebook’s motion to quash a subpoena from representatives of former beauty queen Sahar Daftary’s estate to gain access to her Facebook account. In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, C 12-80171 LHK (PSG) (N.D. Cal.; Sept. 20, 2012). Sahar’s personal representative brought a civil action against Facebook to release the contents of her Facebook account in an effort to prove her state of mind at the time of her alleged suicide. The SWA permits disclosure where there has been lawful consent, but does not mandate it—the ruling stated that civil subpoenas do not compel disclosure under the SWA, and that Facebook was within its rights to deny the request for disclosure. The court stated that “nothing prevents Facebook from concluding on its own that Applicants have standing to consent on Sahar’s behalf and providing the requested materials voluntarily.” A more recent ruling minimized extraneous statements in that case: “The court’s remarks on this point may have been dictum.” Negro v. Navalimpianti USA, Inc., 230 Cal. App. 4th 870, 23 (Oct. 21, 2014).

(g) Negro also discusses an important point for fiduciary access under

4

the SCA, that is, whether the consent of the account holder to disclose under the SCA could be imputed (i.e., not actually given but constructive or implied). In Negro, an employee and his email provider, Google, sought to quash a subpoena served on Google by the employee’s former employer. The motion to quash argued that Negro’s consent to disclose electronic communications protected under the SCA was not in fact given, but was imputed or implied, which the motion argued is not effective consent under the SCA. The court determined that consent under the SCA cannot be imputed, it must actually be given by the account holder. At some point in the litigation, a Florida court ordered Negro actually to consent to Google’s disclosure of his emails and he did so. The motion to quash argued that Negro’s consent was compelled by the court, and therefore invalid. The motion to quash also argued that even if Negro’s consent is valid, a provider has the discretionary authority under the SCA to decline to produce the contents in the account (i.e., because the language of the SWA is permissive, where lawful consent has been given, rather than compulsory), which trumps the court’s authority to compel. The court denied the motion to quash, indicating that consent to disclosure was actually given and valid, even though mandated by an order of a different court. Interestingly, the court also held that, contrary to the permissive-rather-than-compulsory language of the SCA, the SCA does not provide a basis for an electronic communications service provider to refuse to produce a user’s emails or other stored electronic communications where consent of the account holder has been provided.

(h) Some suggest that Negro leads to the conclusion that consent must be expressly granted by the account holder and not by a fiduciary. However, Negro was a civil discovery case and did not expressly discuss the long-standing concept of a fiduciary stepping into the shoes of a decedent or principal, so an argument could be made that it should not apply to the fiduciary’s ability to consent to disclosure. No court has yet applied the ruling in Negro to the fiduciary context.

(i) The original, 2014 version of the Uniform Fiduciary Access to Digital Assets Act (available at http://www.uniformlaws.org/shared/docs/Fiduciary% 20Access%20to%20Digital%20Assets/2015_RUFADAA_Final%20Act_2016mar8.pdf and hereafter as “UFADAA”), provides that a fiduciary has the lawful consent of the account holder to disclosure of protected electronic communications. UFADAA, §8(a)(2). The Revised Uniform Fiduciary Access to Digital Assets Act (available at http://www.uniformlaws.org/shared/docs/Fiduciary%20Access%20to%20Digital%20Assets/ 2015_RUFADAA_Final%20Act_2016mar8.pdf and referred to hereafter as “RUFADAA”) does not include this language. Under RUFADAA, disclosure of the content of electronic communications is permissible only when compelled by a court or when the account holder him/herself, during life, has provided consent. RUFADAA §7.

B. Status quo and the need for a uniform law. Under these evolving standards, a fiduciary cannot gain authorized access (no matter the use or purpose and no matter if the account owner gave the fiduciary the password) if the TOS of the applicable digital asset provider prohibit it.

1. If the fiduciary accesses the user’s account without authorization (i.e., in violation of the TOS), the fiduciary is in violation of the CFAA.

5

2. The SCA worries online service providers sufficiently that they are not likely to extend access to fiduciaries under their TOS. A surviving spouse may be willing to take the risk of logging on to an account with the password given to him or her by the account holder, but trust companies and other professional fiduciaries are far less comfortable violating state and federal criminal statutes. An attorney advising a fiduciary is faced with the dilemma of counseling his or her client either to commit a crime or to shirk his or her fiduciary duties.

3. Penalties for unauthorized access can be steep. A federal jury in Massachusetts awarded a plaintiff significant monetary damages in a civil action brought under the SCA. The defendant had been given the plaintiff’s email account password, so she could access it to read consultation reports when the two parties practiced medicine together. When the defendant left the practice and a business dispute arose, she used the plaintiff’s unchanged password to access the account for reasons connected to the business dispute. The plaintiff sued, alleging her later access was unauthorized under the SCA. Despite very thin testimony to support the damages claim, the jury awarded the plaintiff $450,000 for the unauthorized intrusion. Jury Verdict Form at 1-3, Cheng v. Romo, No. 11-cv-10007-DJC, 2013 WL 2245312 (D. Mass.); Cheng v. Romo, No. 11-1007-DJC, 2012 WL 6021369, at *1-3 (D.Mass. Nov. 28, 2012).

4. Providers are allowed to divulge non-content information, such as a catalog of the user’s name, address, connection records, IP address and account information, because the SCA prohibits the disclosure of only the content of the electronic communications (i.e, the email message itself). In most situations, the content of electronic communications is what a fiduciary really needs to administer the estate effectively.

5. An ongoing Massachusetts case provides a good example of a recent struggle for a fiduciary to obtain the content of the decedent’s email account. Ajemian vs. Yahoo!, Inc., 83 Mass.App.Ct. 565, 576-77 (2013). In Ajemian, Yahoo refused to accept a co-administrator’s authority to access his deceased brother’s Yahoo emails, even though the surviving brother had opened the account and had shared access to it, but had forgotten the password. Yahoo attempted to dismiss the Massachusetts declaratory action based on the California forum selection provision in its TOS, and claimed that the emails were not property of the Massachusetts estate, among other arguments. The appeals court refused to enforce the restrictive TOS, but remanded the case to the probate court to determine whether or not the emails were an asset of the estate, and whether or not the SCA barred Yahoo from disclosing their content. The court’s opinion discusses and differentiates between “clickwrap” agreements (requiring the user to click an “I agree” box), and “browsewrap” agreements where the terms are posted but the user need not confirm having read them. The court concluded that without evidence that the account holder agreed to the TOS, they were not enforceable against anyone, especially not against the estate’s co-administrators, who were not parties to the TOS.

II. 2014 UFADAA

The ambiguity surrounding a fiduciary’s access to digital assets made it an ideal subject of study for the Uniform Law Commission (“ULC”). In January of 2012, the ULC approved a study committee on a fiduciary’s power and authority concerning digital assets of a disabled or

6

deceased person. The study committee formed a drafting committee to create a free-standing act that would vest personal representatives, trustees, guardians/conservators, and agents under a power of attorney with the authority to access digital assets.

A. The ULC approved the Committee’s final draft of UFADAA in July 2014, and in October of 2014 it became available to the public in final form for adoption in interested states. That final form version of UFADAA is available at http://www.uniformlaws.org/shared/docs/ Fiduciary%20Access%20to%20Digital%20Assets/2014_UFADAA_Final.pdf. Delaware adopted an earlier draft version of UFADAA in 2014 before the October final draft became available.

1. UFADAA provides that the account holder’s executor/personal representative has the same authority over digital assets as the account holder, is an authorized user of the digital asset under computer fraud and unauthorized access laws, and “has the lawful consent of the account holder” to access the digital asset unless the account holder expresses a contrary intent (i.e., the account holder would have to OPT OUT to prevent her personal representative from gaining access).

2. UFADAA does not apply to employer email systems or assets.

3. If a fiduciary has access under UFADAA and substantiates authority as specified, the custodian of the digital asset (i.e., the online service provider) must comply with the fiduciary’s request for access, control or a copy of the digital asset. UFADAA thereby mandates what the SCA merely permits with respect to disclosure of the content of protected electronic communications.

4. A trustee has similar authority over digital assets owned by the trust. Under Delaware’s version of UFADAA, if there is a directed trustee, the “adviser” (the person with authority to direct the trustee) has similar authority over digital assets owned by a trust.

5. A guardian or conservator may obtain similar authority over the digital assets of the ward if a court so orders (after an opportunity for hearing under the state’s guardianship or conservatorship law).

6. An agent acting under a power of attorney has similar authority over the digital assets of the principal, but with respect to the content of electronic communications the power of attorney must expressly grant this authority. That is, the principal must OPT IN with respect to electronic communications content.

7. UFADAA provides that TOS that restrict fiduciary access are void as against public policy unless the user, in a manner that is separate from his or her agreement to the TOS necessary to open the account, expressly OPTS OUT. A provision in a will restricting fiduciary access (i.e., OPTING OUT) would also be honored.

8. UFADAA provides that a choice-of-law provision in a TOS agreement is unenforceable to the extent that the choice of law would uphold a term of service that restricts fiduciary access.

7

III. Why UFADAA didn’t work: PEAC and Provider Opposition

A. In the 2015 legislative session, UFADAA was introduced in 27 states. Such a high number of introductions in its first year speaks to the pressing need for legislation on this issue. Yet none of these introductions has led to enactment. In most cases, the bill died in committee. Why?

B. Lobbyists for many large providers of electronic communications services to the public (Yahoo!, Facebook, AOL and Google were the most commonly seen, often with a representative of their trade association, Netchoice) vehemently opposed UFADAA in nearly every state in which it was introduced. It goes without saying that these corporations are well funded. Proponents of UFADAA—the ULC and bar associations—were, if not outmanned, certainly outgunned.

C. Opponents to UFADAA have publicly articulated three arguments. For purposes of simplicity, these three arguments are imputed to online service providers, but it is unknown whether each of the providers has embraced all three arguments. (There is a fourth, which was not loudly voiced, and that is cost; certainly, for online service providers to comply with UFADAA, they would incur administrative costs. Just as banks and trust companies must retain staff who can review will and trust provisions, so would online service providers need to retain staff to respond to fiduciaries’ requests for information, review the provisions of documents to determine whether the account holder had opted in or opted out of fiduciary access, etc. These costs were never part of providers’ business models and would, if UFADAA were enacted, now have to be absorbed.) To see an explanation of the three publicly touted arguments as articulated by the provider’s own trade association and lobbying organization, see letter from Carl Szabo, Policy Counsel of Netchoice, to the Hawaii Senate Commerce and Consumer Protection Committee, available at http://netchoice.org/wp-content/uploads/NetChoice-Opposition-to-HI-SB-467.pdf

1. Privacy: The providers publicly complained that UFADAA ignores the privacy interests of third parties. Fiduciaries, they argue, should not be given access to the content of communications sent to an account holder from someone else simply because these communications are accessible in the account holder’s digital records. The examples they use are confidential patient records, law firm files, or other sensitive information. It’s not just third-party privacy that irks the providers. The providers also dismiss UFADAA by stating that the majority of their users do not want their own fiduciaries to have access to the content of their electronic communications. The providers very successfully styled themselves as the benevolent guard dogs of user privacy, the champions of their customers’ private thoughts and communications. In testimony before legislative bodies, the providers argued that they were there to represent their millions of account holders, and that they had conducted a survey and determined that account holders do not want fiduciary access by default. (The survey results are available at http://netchoice.org/library/decedent-information/#poll; notably, the questions include things like “should estate attorney make decision about sharing private communications?”) Ironically, if anyone testifying before the legislative bodies on this issue could claim to represent account holders, surely it was the bar associations (who literally represent account holders as their estate planning clients and can speak more reliably to the

8

preferences that account holders express when making an informed choice after obtaining individualized legal advice); the bill’s opponents represent only their shareholders, who are the people on the opposite end of those contracts of adhesion (TOS) from account holders. The providers note that on the issue of user privacy, they are perfectly aligned with the position of the American Civil Liberties Union, who articulated several privacy based objections to UFADAA. See letter to Chairwoman Walsh and Professor Cahn of the UFADAA Drafting Committee from Allison Bohm, Advocacy & Policy Strategist, American Civil Liberties Union, http://www.uniformlaws.org/shared/docs/Fiduciary%20Access%20to%20Digital%20Assets/2013jul3_FADA_Comments_ACLU.pdf.

2. Federal Preemption. The providers assert that disclosure to a fiduciary under UFADAA will place a provider in violation of the SCA. The providers argue that it is anything but clear that a fiduciary can stand in the shoes of the user for purposes of providing the necessary consent. The providers believe that the Negro case (discussed in Section IV) makes clear that consent under the SCA can be given only personally by the account holder him/herself. Thus, the providers argue that disclosure to a fiduciary in compliance with UFADAA will place them in violation of the SCA, notwithstanding limiting language throughout the text of UFADAA making clear that providers are NOT required to disclose, under UFADAA, anything that they are not permitted to disclose under the SCA.

3. Improperly Voids Contracts. Finally, certain providers have publicly argued that UFADAA improperly voids contracts with their existing users, namely, the providers’ TOS agreements and account settings that restrict fiduciary access. Section 8 of UFADAA voids, as against public policy, any restrictions in TOS agreements that restrict fiduciary access except if such restrictions were (i) agreed to separate and apart from the TOS agreement required to open the account itself, and (ii) executed after a certain specified effective date. This argument was not advanced as forcefully as the first two, perhaps because it is difficult to argue seriously that account holders really intend agreement to the TOS when they click “agree” in order to open an account; even providers recognize that nobody reads TOS and that account holders are in no position to negotiate those terms.

D. The PEAC Act: Netchoice drafted a model act offered as an alternative to UFADAA—the Privacy Expectation Afterlife Choices Act, pronounced as the “peace act” but abbreviated as the PEAC Act. The full text of the PEAC Act is available at http://netchoice.org/library/privacy-expectation-afterlife-choices-act-peac/.

1. The PEAC Act was proposed as a legislative alternative to UFADAA in roughly half of the states where UFADAA was introduced.

2. A modified version of the PEAC Act was enacted in Virginia, revising Virginia’s previous law on access by a minor decedent’s personal representative to digital accounts held by the minor and adding rules governing access to digital property by a personal representative in other situations. See Va. Code Ann. §§ 64.2-109 and 64.2-110.

3. The PEAC Act, in its unmodified form, allows the personal representative of a decedent’s estate to obtain access to a log of the electronic communications of the decedent (i.e., a list of each person with whom the decedent sent or received electronic communications

9

within the last year), but only with a court order. The personal representative may also access the content of electronic communications, but only with (i) a court order and (ii) express consent by the account holder (i.e., OPTING IN).

4. The PEAC Act (again, in its unmodified form) also contains a broad indemnification and release; a provider will not be held liable in any civil or criminal action for good faith compliance with a court order issued under the PEAC Act and will be indemnified by the requestor for any damages the provider suffers in connection with disclosure.

5. For more information on the PEAC Act and the differences between UFADAA and the PEAC Act, see Prangley, War and PEAC in Digital Assets: The Providers’ PEAC Act Wages War with UFADAA, 29 Probate & Property 4 (July/August 2015). See also Exhibit C to these materials, which contains a comparison chart of UFADAA, PEAC and RUFADAA.

6. In California (a very important state on this issue—many TOS include a California forum selection provision), the PEAC Act was introduced for enactment and UFADAA was not. However, following its introduction, the California PEAC Act was substantially revised from its original version. The bill is still pending as of the date of this outline. The latest version is available at http://www.leginfo.ca.gov/cgi-bin/postquery?bill_number=ab_691&sess=CUR&house=B&author=calderon_%3Ccalderon%3E

IV. Breaking the Stalemate: the Revised Uniform Fiduciary Access to Digital Assets Act (“RUFADAA”)

A. Perhaps no one can summarize the 2015 stalemate on UFADAA better and more poetically than ULC Commissioner Turney Berry, who stated “[w]e were facing people who don’t normally lose: privacy advocates; the ACLU; the Center for Democracy; and Technology. We were also facing a consortium of internet providers who [have] very effective lobbyists and are accustomed to getting their way. We fought them to a draw, which was, I think, shocking to them.” Transcript to Third Session, Revised Uniform Fiduciary Access to Digital Assets Act, Friday Morning, July 11, 2015, ULC’s 124th Annual Conference, Williamsburg, Virginia.

B. Simply put, everyone involved in the legislative attempt to provide or prohibit fiduciary access to digital assets learned that it would be very time consuming, expensive and exhausting to get either UFADAA or the PEAC Act enacted in the states.

C. In May of 2015, representatives from the providers contacted former ULC employee Terry Morrow to request a “re-group.” On May 13, 2015, half-a dozen representatives from the ULC met in Washington D.C. with counsel from some of the large providers—lobbyists were deliberately excluded. At that initial meeting, it was decided to tweak UFADAA to reduce opposition to enactment. After representatives from the UFADAA drafting committee and certain providers had gone through about a dozen drafts, a new consensus emerged among providers, privacy advocates and the trusts and estates bar. This new consensus was introduced at the 124th annual meeting of the ULC in Williamsburg, Virginia (July 10-16, 2015) as the Revised Uniform Fiduciary Access to Digital Assets Act (“RUFADAA”). RUFADAA was

10

revised by the ULC’s style committee following the Williamsburg meeting and was finalized for enactment in the states in October of 2015.

D. The changes between UFADAA and the draft RUFADAA cannot be illustrated via a simple redline. RUFADAA is organized differently and is a complete rewrite of UFADAA. The chart comparing UFADAA, the PEAC Act and RUFADAA provides a helpful overview and can be found as Exhibit C to this outline. The differences are:

1. RUFADAA includes an entirely new section on fiduciary duties. Although the section unnecessarily reiterates the basic fiduciary duties that other law imposes (and that members of the trusts and estates bar well know), the section was added to clarify to providers the stringent legal duties that apply to fiduciaries and to provide comfort to would-be RUFADAA opponents that a fiduciary cannot simply behave recklessly when managing the digital assets of the deceased or disabled person.

2. In understanding RUFADAA, it is important to distinguish between (i) digital assets that are not electronic communications protected under the SCA, and (ii) the content of electronic communications (a subset of digital assets) protected under the SCA. Digital assets that are not electronic communications include public blogs, webpages, online purchasing accounts, Bitcoin and domain names. Electronic communications (as described more fully in Section IV) protected under the SCA include the content of email messages and text messages.

3. UFADAA and RUFADAA provide a fiduciary with similar access to the digital assets of the deceased or disabled person other than the content of electronic communications. UFADAA grants broad authority to fiduciaries to access such digital assets. RUFADAA grants the fiduciary full access to digital assets other than the content of electronic communications except that: (i) the custodian of the digital asset may require specific identification of the account and evidence linking the account to the principal (via documentation or court order); and (ii) any TOS restricting fiduciary access will be upheld, absent a conflicting provision in the user’s estate planning documents or an online tool/setting.

4. UFADAA grants broad authority for a personal representative to access the content of electronic communications of a decedent (except where the decedent expressed a contrary intent or where the SCA prohibits disclosure) and grants broad authority for a court-appointed custodian or guardian to obtain access, via order of that same court, to the content of electronic communications of a protected individual (again, except where the protected person expressed a contrary intent or where the SCA prohibits disclosure). Only in the case of an agent acting under a power of attorney does UFADAA require express authorization of the fiduciary by the account holder, under the governing document, before the fiduciary can gain access to the content of electronic communications. Thus, under UFADAA, many of the default provisions favored fiduciary access—that is, the account holder had to OPT OUT to prevent access. Under RUFADAA, the default is flipped to an OPT IN approach—no fiduciary has access to the content of protected electronic communications under RUFADAA unless (i) the governing document expressly authorizes fiduciary access, or (ii) the account holder otherwise consented to fiduciary access via an online tool. There is a slightly different rule for conservators/guardians. Under RUFADAA, a provider need not disclose the content of protected electronic

11

communications of the ward without the express consent of the ward (a simple court order is not sufficient), but a provider may suspend or terminate an account for good cause if requested by the conservator/guardian.

5. RUFADAA’s OPT IN approach allows account holders to express their intent to grant fiduciary access to digital property either via the estate planning documents or via an online tool. RUFADAA provides that if there is a conflict between the online tool/account setting and the deceased or disabled person’s governing estate planning documents, the online tool/account setting prevails.

(a) An “online tool” is defined as an electronic service provided by a custodian that is distinct and separate from the TOS required to open the account (i.e., not “click through”). Google’s Inactive Account Manager and Facebook’s Legacy Contact feature are two examples of such online tools (and the only examples known to the authors as of the date of this outline).

(b) Google’s Inactive Account Manager feature allows a Google user to designate up to 10 individuals to receive the contents of his or her Google accounts in the event the account has been inactive for a designated period selected by the user. The user may instead choose to have the account terminated after the designated period of inactivity.

6. As a practical matter, the OPT IN approach means RUFADAA will be helpful in relatively few situations—people frequently die intestate, and testators whose wills pre-date UFADAA are unlikely to contain express grants of authority regarding digital property. The OPT IN, rather than OPT OUT, approach means providers have no cost-savings incentive to create online tools or encourage their use. These factors skew in favor of the wealthy—wealthy individuals are more likely to do their estate planning and more likely to engage competent counsel to assist them; they are therefore more likely to have digital assets language in their wills. The status quo burdens families who can least afford to lose value in an estate or to incur added costs to ensure its proper administration; RUFADAA offers some relief, but only to those who are aware of the issue and take affirmative steps to plan.

7. RUFADAA permits the fiduciary to obtain a catalog of electronic communications (as opposed to the content of those communications)—including protected communications under the SCA—without the express prior consent of the account owner, even though the content of the protected electronic communications may be provided only with express prior consent. A catalog of electronic communications is defined as a log of “information that identifies each person with which a user has had an electronic communication, the time and date of the communication, and the electronic address of the person.” RUFADAA § 2(4). Providers referred to this as the “outside of the envelope” information (to/from information, time and date, but not the subject line and not the substantive text of the communication); essentially, it is equivalent to seeing a phone bill with dates, times, and phone numbers to which (or from which) calls were placed, but without information about the content of the telephonic discussions.

8. UFADAA rarely mentions a court order, except with respect to court-appointed guardians/conservators. In fact, one of the original missions of the UFADAA drafting

12

committee was to provide an out-of-court mechanism whereby a fiduciary would gain access to the digital assets of a deceased or disabled person, to reduce the burden on the judiciary to be involved in every situation. Under RUFADAA, in contrast, a custodian/provider may request a court order in nearly every instance, to clarify and determine whether (i) the user had a specific account with the custodian, (ii) disclosure of the content of electronic communications of the user would not violate the SCA or other applicable law, (iii) the user actually consented to disclosure of the content of electronic communications (where an online tool is not used), and (iv) disclosure of the content of electronic communications is reasonably necessary for administration of the estate.

E. As of April 1, 2016, approximately 30 states have enacted or are in the process of considering enacting RUFADAA.

1. Alabama= Introduced (SB164/HB269)

2. Arizona= Introduced (HB2467/SB14)

3. Colorado= Introduced (SB 88)

4. Connecticut= Introduced (HB5606)

5. Florida= ENACTED (SB494)

6. Hawaii= Introduced (HB2115/SB22)

7. Idaho= ENACTED (SB 1303)

8. Illinois= Introduced (HB4648)

9. Indiana= ENACTED (SB253)

10. Iowa= Introduced (SF2112)

11. Maine= Introduced (LD1177)

12. Maryland= Introduced (SB239/HB507)

13. Michigan= ENACTED (HB5034)

14. Minnesota= Introduced (HF200)

15. Mississippi= Introduced (SB2478)

16. Nebraska= Introduced (LB829)

17. New Jersey= Introduced (AB3433)

18. Oklahoma= Introduced (SB1107)

13

19. Oregon= ENACTED (SB1107)

20. Pennsylvania= Introduced (SB518)

21. South Carolina= Introduced (SB908)

22. Tennessee= ENACTED (SB326)

23. Utah= Introduced (HB383)

24. Washington= Introduced (SB5029)

25. West Virginia= Introduced (HB4400)

26. Wisconsin= ENACTED (AB695)

27. Wyoming= ENACTED (SF34)

F. Facebook and Google have endorsed RUFADAA; and so far have not opposed RUFADAA like they did UFADAA. In fact, representatives from certain providers and Netchoice have appeared to testify in state legislatures in support of RUFADAA.

V. Planning in the evolving environment

A. Although there has been significant movement in implementing RUFADAA in the states, it may be awhile before there is a multi-state legislative solution in place granting fiduciary access to digital assets. Even then, the express consent of the account holder is paramount to ensure fiduciary access to the content of electronic communications. Accordingly, proper planning is more important than ever.

B. The first step in the planning process is to assess whether the client would like to preserve all/some/none of his digital assets following death or disability. Some clients, despite obtaining legal advice as to its importance, do not want to grant access to their fiduciaries with respect to some or all of their digital assets. Many clients do not have a preference, but it is the estate planning attorney’s task to inform the client of the repercussions and potential financial and emotional loss that may be suffered if digital assets are not preserved. Some clients do not want the content of their electronic communications disclosed, even if they do want to preserve other digital assets.

C. If the client does not want his fiduciary to have access, warn the client that, without legislation granting account holders the power to choose one way or the other, it may not be possible to restrict completely a fiduciary’s access to digital assets following death or disability. Although many digital asset providers currently restrict fiduciary access to digital assets following death or disability, such restrictions may change in future. It is too soon to tell whether TOS, estate planning documents and specific disposition instructions that expressly restrict a fiduciary’s access to the digital assets will be honored without specific enactment of a statute like RUFADAA in the relevant state.

14

1. For a client that does not want his fiduciary to access electronic communications or other digital assets, consider:

(a) Encouraging client to use only those digital assets that allow the user to specify (in a separate, not “click-through” format) that his data will not be available following death or disability. Digital asset providers that allow an account owner to select such an option are very limited. Google, though use of its Inactive Account Manager, is one of the rare options.

(b) Including a provision in the estate planning documents providing that the fiduciary shall have no or limited access to digital assets. See, e.g., Appendix A.

(c) Urging client to conduct his digital and online life so that the data that he wants to protect is inaccessible to anyone except himself, both during life and following death or disability.

(i) Sensitive information in the client’s inbox and sent mail folders should be deleted frequently.

(ii) Information that needs to be retained can be downloaded to a USB drive or secret cloud storage and highly encrypted before deletion. If a USB drive is used, a back-up USB drive should be kept (USB drives fail from time to time).

(iii)Ensure highly complex usernames and passwords (guess-proof) are being used.

(d) Consider appointing a special digital fiduciary to destroy digital assets following death or disability or specifically bequeathing digital assets to a trusted person for destruction.

D. If the client does want to preserve digital assets, then the appropriate planning method depends on the complexity of the client’s digital assets, his technological fluency and his trust of online resources. As with all estate planning, one size does not fit all. It bears repeating that the TOS of certain providers currently prevent anyone other than the user from accessing the user’s account, regardless of whether the fiduciary can demonstrate that he is acting as the user’s legal successor and regardless of whether the fiduciary has the user’s password. Before the fiduciary attempts to access digital assets, the TOS must be reviewed and the consequences for breach of the TOS discussed with counsel. In most instances, four steps should be taken:

1. Client’s significant digital assets of value should be owned by a business entity or trust, if possible. Many digital asset providers recognize the importance of digital assets to a business and will allow an entity to own the digital asset. For example, Southwest Airlines owns and operates a webpage, blog, Twitter account and Facebook page. However, entities usually cannot hold free web-based email accounts or individual social-media accounts.

15

2. Create an inventory of digital assets, usernames and passwords. See, e.g., Exhibit B (sample questionnaire prompting client to make such a list). If the fiduciary does not know about the existence of the digital asset, access becomes a moot point.

3. Counsel the client to select only (or primarily) those digital asset providers that allow the digital asset to be accessed by the fiduciary following death or disability or to be owned by a business entity or trust (e.g., Google’s Inactive Account Manager).

4. Add special language to powers of attorney for property, wills, and revocable trusts authorizing fiduciary to access digital assets. See, e.g., Exhibit A.

(a) Under current law, the TOS of a digital asset provider restricting fiduciary access to digital assets currently supersede provisions in an estate planning document expressly authorizing fiduciary access. In other words, these provisions currently have no effectiveness and can be ignored by digital asset providers who refuse to allow fiduciaries to access the deceased or disabled person’s digital assets. (Nevertheless, it is better to have authorization language to point to when explaining to a judge why the fiduciary accessed an account in violation of a TOS agreement.)

(b) If and when RUFADAA is adopted in the states, the only mechanisms for providing the necessary consent for a fiduciary to access to the user’s protected electronic communications following death are (i) including language in the estate planning documents that authorize fiduciaries to access digital assets, and (ii) using an online tool—a setting within the account whereby the account owner can consent to disclosure of his electronic communications following death or disability. Even if RUFADAA is not adopted in every state, it is much more likely that a provider will disclose to a fiduciary the content of protected electronic communications if the fiduciary can show that the account owner provided written consent under the SCA in his estate planning documents.

E. Fiduciary selection: The tech-savvy client should select a fiduciary competent to administer his digital assets. This may mean selecting a special fiduciary for the sole purpose of administering digital assets.

1. The fiduciary should be familiar with digital assets and have the technological competency to work effectively with an IT expert, if necessary.

2. If a client has sensitive digital assets/information (for example, an online extramarital relationship), appointment of a special fiduciary may be appropriate.

3. For young clients who appoint their parents or individuals of substantially greater age as fiduciaries, appointment of a contemporary as special fiduciary to deal with social media may be appropriate.

16

Exhibit A

TO GRANT Broad Access to Digital Property

Will or Trust:

ABBREVIATED:

My Personal Representative or Trustee shall have the power and authorization to access, take control of, conduct, continue, or terminate my accounts on any website, including any social networking site, photo sharing site, micro blogging or short message service website or any email service website. All such websites may release my log-on credentials, including username and password, to my Personal Representative or Trustee, and the website shall be indemnified and held harmless by my estate for any damages, causes of action or claims that may result from this disclosure. This authority is intended to constitute “lawful consent” to a service provider to divulge the contents of any communication under The Stored Communications Act (currently codified as 18 U.S.C. §§ 2701 et seq.), to the extent such lawful consent is required, and a Personal Representative or Trustee acting hereunder shall be an authorized user for purposes of applicable computer-fraud and unauthorized-computer-access laws.

COMPREHENSIVE:

My Personal Representative or the Trustee may take any action (including, without limitation, changing a terms of service agreement or other governing instrument) with respect to my Digital Assets and Digital Accounts as my Personal Representative or the Trustee shall deem appropriate, and as shall be permitted under applicable state and Federal law. My Personal Representative or the Trustee may engage experts or consultants or any other third party as necessary or appropriate to effectuate such actions with respect to my Digital Assets or Digital Accounts, including, but not limited to, such authority as may be necessary or appropriate to decrypt electronically stored information or to bypass, reset or recover any password or other kind of authentication or authorization. If my Personal Representative or the Trustee shall determine that it is necessary or appropriate to engage and delegate authority to an individual pursuant to this paragraph, it is my request that [DIGITAL ASSET FIDUCIARY] be engaged for this purposes. This authority is intended to constitute “lawful consent” to a service provider to divulge the contents of any communication under The Stored Communications Act (currently codified as 18 U.S.C. §§ 2701 et seq.), to the extent such lawful consent is required, and a Personal Representative or Trustee acting hereunder shall be an authorized user for purposes of applicable computer-fraud and unauthorized-computer-access laws. The authority granted under this paragraph shall extend to all Digital Assets and Digital Accounts associated with or used in connection with the Business (as defined herein). The authority granted under this paragraph is intended to provide my Personal Representative or the Trustee with full authority to access and manage my Digital Assets and Digital Accounts to the extent permitted under applicable state and Federal law and shall not limit any authority granted to my Personal Representative or the Trustee under such laws. “Digital Account” means an electronic system for creating, generating, sending, sharing, communicating, receiving, storing, displaying or processing information which provides access to a Digital Asset stored on a digital device, regardless of the ownership of such digital device. “Digital Asset” shall include files created, generated, sent, communicated, shared,

received or stored on a digital device, regardless of the ownership of the physical device upon which the digital item was created, generated, sent, communicated, shared, received or stored.

Durable Power of Attorney. The attorney-in-fact shall have (a) the power to access, use, and control my digital devices, to include but not be limited to, desktops, laptops, tablets, storage devices, mobile telephones, smartphones, and any similar digital device which currently exists or may exist as technology develops for the purpose of accessing, modifying, deleting, controlling, or transferring my digital assets, (b) the power to access, modify, delete, control, and transfer my digital assets, wherever located and to include but not be limited to, my emails received, email accounts, digital music, digital photographs, digital videos, software licenses, social network accounts, file sharing accounts, financial accounts, banking accounts, domain registrations, web hosting accounts, tax preparation service accounts, online stores, affiliate programs, other online accounts, and similar digital items which currently exist or may exist as technology develops, and (c) the power to obtain, access, modify, delete, and control my passwords and other electronic credentials associated with my digital devices and digital assets described above. This authority is intended to constitute “lawful consent” to a service provider to divulge the contents of any communication under The Stored Communications Act (currently codified as 18 U.S.C. §§ 2701 et seq.), to the extent such lawful consent is required, and an attorney-in-fact acting hereunder shall be an authorized user for purposes of applicable computer-fraud and unauthorized-computer-access laws.

TO RESTRICT Access to Electronic Communications Protected Under the Stored Communications Act

Will: Despite any provision herein to the contrary, my Personal Representative shall have no power or authorization to access, view, take control of or terminate any of my electronic communications, as defined under 18 U.S.C. §§ 2701 et seq., including any data or information in my email account, social networking profile, blog or short message service, or any copy of the contents thereof, and any electronic communications service that has custody of my electronic communications shall be under no obligation to release any of my electronic communications to my Personal Representative or any other person.

Sample Provision in Client Exit Memo Regarding Updating Digital-asset Inventory

As we previously discussed, it may not be possible for your named personal representative and agent to gain full access to all of your digital property, such as online accounts and email. The law on this issue is evolving and we anticipate changes in the near future that will grant your representatives increased access to your digital property. For this reason, we recommend that you update the inventory of your digital property (which, as you may recall, includes your usernames, passwords, and security questions and answers) as this information changes. That way, your representatives may access your digital property as the law increasingly allows them to do so. Many of our clients also find that it is advantageous to revisit the inventory of their digital property annually, as this information can change rapidly.

2

SAMPLE STAND-ALONE DIGITAL ASSET AUTHORIZATION

3

Exhibit B

Digital Asset Inventory

Computer and Phone Information. List all of your personal and professional computers, tablets, netbooks and smartphones and identify the username and password to access each device.

Email Information. List all of your email addresses, describe what activities the email address is used for (e.g., personal, professional or to receive unwanted messages) and indicate the password.

Social Networking Profiles. List the usernames and passwords to each of your social networking profiles such as Linked In, Facebook and Twitter. In the event of your death or disability, should your profile be deleted? If not, who should be responsible for continuing your profile and what would you like for them to do with it?

Blogs, Webpages and Domain Names. List all of your blogs, domain names and webpages and indicate the registrar/host for each. In the event of your death or disability, should these sites be continued? If so, how and by whom?

Online Financial Information. List each bank and brokerage account for which you have online access and indicate your username and password for each account, as well as any security questions and answers necessary to access the account. If you have a PayPal or other online purchasing account, list your username and password.

Digital Photos. If you take photos digitally, describe where you store your photos, list any photo sharing websites that you use and indicate your username and password for each site.

Other Online Accounts/Information. List any other online accounts or digital information that may be important or valuable. If relevant, describe what you would like to happen to that account or information if you die or become disabled.

Privacy of Sensitive Information. Is there any sensitive information in the online accounts listed above that should be kept secret from some of your family and friends? If so, how should that information be handled and by whom?