The rise of the internet has changed the way clients conduct their lives; accordingly, it changes the way attorneys should approach estate planning. Digital assets that (1) have intrinsic financial value, (2) are the primary means of accessing other assets of financial value, or (3) hold unique sentimental value now comprise a significant component of many clients’ property and should be addressed in the estate planning and administration process.
Internet Effect on Planning Clients’ Estates
Years ago, the death of a client would prompt the estate planning attorney (or someone from his or her office) to sort through paper files at the decedent’s home and office and to collect the mail, as it was delivered, in an effort to create a list of bills to pay, services to cancel, assets to custody, and creditors to notify. However, in today’s digital age, a paper trail may not exist. The important information regarding bank and brokerage accounts, recurring expenses, insurance, and debts are now stored digitally on the client’s computer, smartphone, or email account. If the client’s digital files cannot be accessed promptly, important bills may go unpaid, valuable assets may be overlooked, and the estate administration process may be unavoidably delayed.
One example of how this could cause problems can be seen in creditor claim proceedings. For estates that are insolvent, state law determines the order in which creditors are to be paid and, consequently, which creditors should not be paid. If a decedent has arranged for automatic bill-paying from his or her bank account, the executor may need to act immediately to stop those payments. Not only could automatic payments overdraw an account; they could violate the ordering rule for payment of creditors if the estate is insolvent, which presents a liability risk to the executor.
While lack of access to a client’s important data is a significant problem, it is not the only problem that digital assets present to the estate planner. Not only are digital files the key to important information concerning assets of value–such as bank accounts and insurance–but in many instances, those digital files themselves have significant financial or sentimental value. If steps are not taken during the estate planning process to preserve and protect digital assets in the event of death or disability, the estate may suffer significant financial loss and precious memories of the decedent’s life may be permanently unrecoverable.
While providing a precise definition of a digital asset is nearly impossible given how fast technology changes, a current working definition would include electronic content; information or media; and the right to use that content, information, or media. The most common digital assets include:
- Email accounts.
- Online sales accounts.
- Online purchasing accounts.
- Online storage accounts.
- Domain names.
- Social networking profiles.
Often forgotten are the intellectual property rights in digital assets, which are crucial given that content and information, without the legal right to use it, is not an asset at all because it cannot be used freely without fear of legal consequence or liability.
Financial Value of Digital Assets
While some digital assets have little or no financial value themselves, others have significant intrinsic financial value or can be the key to unlocking assets with value. For example, a domain name, which is an identification string used to identify the location of a particular website, often has little or no value to third parties. However, a domain name can have significant value if it is tied to a popular internet search word or phrase, words or phrases used for selling goods or services, or a company brand name. Over the last few years, several domain names have sold for significant value. For example, Fund.com sold for $9,999,950 in 2008, Insure.com sold for $16 million in 2009, and Sex.com sold for $13 million in 2010 (after selling for $14 million in 2006).
Most personal blogs also tend to have little or no financial value, but some blogs generate significant revenue through the sale of advertisements on the blog’s web page or through subscription sales. In November of 2011, America’s top ten most valuable blogs had an estimated aggregate value of $785 million. The most valuable blog in 2011 was Gawker.com, which was valued at $318 million, with $53.6 million in advertising revenue in 2010. Drudge.com was valued at $93 million, with $13 million of revenue earned in 2010. In February 2011, AOL agreed to purchase The Huffington Post–one of the most heavily visited news websites in the United States–for $300 million. The Huffington Post earned $31 million in revenue in 2010.
Non-Financial Value of Digital Assets
In addition to potentially significant financial value, some digital assets have unique sentimental value that may be very important to the family and friends of a decedent. Long gone are the days when special photographs, diaries, and letters are kept in a shoebox or albums stored on a bookshelf. Instead, many people now store these items in a computer and never print them. Photographs are stored in online photo accounts or on social media sites. Family trees are created and stored in online genealogical accounts, such as Ancestry.com. A decedent’s correspondence may comprise only emails or text messages instead of handwritten letters. Blogs have replaced diaries, and Twitter fees and Facebook posts share a person’s thoughts and track his or her day-to-day activities. If heirs and loved ones lack knowledge of or the ability to access these digital assets, a decedent’s life story could be lost.
Another non-financial reason for planning for digital assets is to prevent the disclosure of secrets or hurtful information or material. For example, digital assets may reveal the existence of an extra-marital affair or an illegitimate child. As this information may cause significant emotional distress to a decedent’s family, he or she may prefer to suppress this information. By designating appropriate people to take care of (or delete) certain information or accounts, the decedent can avoid the exposure of such private details.
Proper planning for digital assets can also help to prevent online identity theft. In 2011 alone, approximately 270,000 people were victims of identity theft. After death or upon disability, the risk of identity theft increases because the deceased or incapacitated person is unable to monitor his or her online accounts, thereby giving criminals more freedom to hack into online accounts to obtain personal information needed to assume an identity.
Addressing Digital Assets in Estate Planning
Estate planning for digital assets brings to mind the old adage that an ounce of prevention is worth a pound of cure. Planning ahead for the disposition and transfer of digital assets upon death or disability may be the only adequate method of preserving the value of the client’s digital assets for his or her intended beneficiaries. In the absence of prior planning, the client’s fiduciary, working with a data forensics expert, could possibly recover some digital assets upon the client’s death or disability, but the delay and cost involved in such an undertaking is substantial and may be easily avoided with appropriate planning.
The first step to preserving and protecting a client’s digital assets is to create a comprehensive inventory of those assets. Few estate planning attorneys would forgo having a new client inventory and identify his or her important valuable assets such as bank accounts, retirement assets, and life insurance. Today, a comparable inventory of digital assets is just as necessary. Because clients may overlook the many types of digital assets that they own, the estate planning attorney should provide a comprehensive checklist of questions or prompts that will compel a client to identify his or her digital assets fully. The importance of cataloging digital assets cannot be overstated, given that it is difficult, if not impossible, for heirs, fiduciaries, and family members to discover many digital assets without actual knowledge that the assets exist and where to look for them. Finding a digital asset without knowing where to look has been compared to finding a needle in a haystack, because digital assets are often designed to be hidden from public awareness to protect against unauthorized access and to preserve the value of the intellectual property associated with them. An example of a comprehensive inventory for client use can be found in Exhibit 1.
The next step is to devise a method for transferring the value associated with those digital assets to the client’s desired beneficiaries. The appropriate planning method to preserve digital assets in the event of death or disability depends on the complexity of the client’s digital assets, his or her technological fluency, and the client’s trust of online resources. As with all estate planning, one size does not fit all. For most clients, a two-step process should be sufficient to transfer and preserve most of the client’s digital assets. This can be done by:
- Transferring ownership of digital assets to an entity such as a trust or LLC, when possible.
- Maintaining an online storage account or, at a minimum, a secure list of digital assets and passwords to provide fiduciaries with access to the client’s digital assets.
Although this point is further discussed below, it bears mentioning here: the terms and conditions of certain websites and digital asset providers prevent anyone other than the individual use from accessing the user’s account, regardless of whether the fiduciary has proper authority and regardless of whether the fiduciary has the user’s password. Before the fiduciary attempts to access a deceased or disabled client’s digital assets, it is crucial that these terms and conditions be reviewed and the consequences for breach of these terms and conditions be discussed with counsel.
Transfer Ownership of Digital Asset to Entity
Transferring ownership of digital assets to an LLC, corporation, partnership, or trust is probably the most effective way to preserve the value and accessibility of the client’s digital assets upon his or her death or disability, although such a transfer is not always possible. Most have no such limitations, but some digital asset providers (e.g., iTunes) limit ownership and use of accounts to individuals, and it is currently not possible to hold such assets through an entity or trust. Where such a transfer is permitted, it invites fewer headaches if ownership and use of valuable digital assets are transferred to an LLC, corporation, or partnership, rather than to a trustee.
Although the terms of service of a particular digital asset provider may permit non-individuals to own or operate the digital asset and may not specifically distinguish between trusts and corporate entities, ownership of digital assets by a trustee is far less common than ownership by a corporate entity. As a result, there may be a delay in processing trustee succession while the service provider’s staff reviews legal documents that are unfamiliar to them and interprets (with very little, if any, reported case law or other legal guidance to go on) how stringent privacy laws should be applied in the context of a trust.
If the client personally owns any digital assets that he or she uses in connection with a business, ownership should be transferred immediately to the business entity. Otherwise, the death of a client may mean the loss of the digital asset and its use by the company. If the client’s digital asset provider does not allow the asset to be owned by an entity, the client should change digital asset providers to one that recognizes the importance that digital assets play to a company. Digital assets are too important to the identity, growth, and success of a business to risk their total loss to a business upon the death of the business owner.
In some instances, it is not possible to transfer an existing digital asset to an entity, because the type of account available to entity owners differs from the type of account available to individual owners. In that case, the business entity may need to acquire a new, identical, or similar digital asset that is properly titled in the name of the entity. For example, Facebook provides personal profiles/timelines to its individual users but provides a business account, page, or group to a user that is an entity. Personal profiles/timelines cannot be used for selling or for commercial gain, so it is imperative that a client’s marketing initiatives are conducted via a business account. Facebook will convert a personal page to an entity page on request. While this situation is not ideal, it may be the only reasonable option, and if the transition happens while the business is still young and growing, the loss of value resulting from the switch may not be significant.
Online Storage Accounts
The next step is to provide a means by which fiduciaries will be able to identify and access the client’s digital assets upon death or disability. Online storage accounts provide one means of cataloguing digital assets. These companies offer services to allow users to store digital assets and information about digital assets, as well as personal notes and emails to be delivered after the client’s death, for a monthly or yearly fee. Many allow designated persons to access the owner’s digital assets in the event of death or disability, and most will store copies of important documents and frequently used data. Upon the client’s death or disability, a person designated by the client would be able to access the online storage account, allowing for convenient access to important documents and information.
Currently popular online storage accounts include legacylocker.com, secureasafe.com, and deathswitch.com. Legacylocker.com enables users to save online account information in a digital safety deposit box. Users can store passwords for all of their online accounts in their safe deposit box and assign a beneficiary for each account. Legacylocker.com also allows users to store important documents, which will be “accessible 24/7, from anywhere in the world, in a safe and secure repository.” Clients are offered a free trial account with unlimited storage and beneficiaries at a cost of $29.99 per year or $299.99 for a lifetime subscription.
Securesafe.com enables users to store important documents, create a secure list of online accounts and passwords, and designate which accounts get passed to which beneficiaries. A user can access his or her account and view saved documents at anytime using an iPad of iPhone. A user is allowed to store up to 50 passwords and 10 MB of data for free; an unlimited package is available for $12.90 a month.
Deathswitch.com enables users to create “last words” email messages and specify recipients to receive those messages on the triggering of a “deathswitch.” The deathswitch is an automated system that prompts a user for his or her password on a regular schedule. If the user fails to enter the password for some period and after several additional prompts, the system concludes that the user is dead or critically disabled. The user’s pre-scripted messages are then automatically emailed to the designated recipients. The content that a user might include in such a message is not limited to passwords, instructions, or loving messages sent from the beyond. Messages could be used to get the “last word in an argument” or to “confess secrets that were unspeakable during a lifetime.” Deathswitch.com allows a user to send one email to one recipient at no charge. For $19.95 per year, a user can write 30 emails and include attachments.
One advantage of online storage accounts is that they tend to offer state-of-the-art security. For example, SecureSafe.com claims to offer “more privacy than a bank.” It further claims that its applications are “designed following NIST security standards,” its operating system and third-party applications are continually updated, two data centers handle data recovery management, and its accounts are monitored by “top security experts.” These accounts also allow a designated person to access digital assets immediately, without knowing a single password. When the user dies or becomes disabled, the designated person is provided with all the information necessary to access the user’s accounts and to deal with them in accordance with the account holder’s wishes.
These accounts also have their disadvantages. Information stored in an online storage account needs to be updated whenever new digital assets are acquired or deleted, or when passwords change. In order for an online storage account to function as intended, the information held in the account must be accurate and up-to-date. Cyber security best practices include frequent changing of passwords; following that rule necessitates updating the online storage account to reflect the new passwords. There is also no guarantee that the company hosting the online storage account will still be in business when the critical time comes. Most of these companies are startups with little or no capital. If a company fails to make a profit, it can dissolve or declare bankruptcy. While there should be concern about what happens to information stored in an online storage account if the host goes out of business, the information is unlikely to be misappropriated. The more probable drawback is that a user may not be able to access his or her data.
If the client uses an online storage account to secure digital assets and information, he or she needs to tell a fiduciary–preferably in writing–that the account exists. Although some online storage services will email a user’s authorized designee directly and give him or her instructions on how to access digital assets in the event of the account owner’s death or disability, this feature is not always offered or used. It is imperative that the fiduciary has another means of learning that the account exists and how to access it, or the online storage account will serve no purpose. If a user is not comfortable disclosing the existence of the online storage account to the fiduciary during the user’s lifetime, the user could make the disclosure in a writing left in the custody of his or her estate planning attorney.
Digital Asset Inventory
At a minimum, the estate planner should advise his or her client to create an inventory listing digital assets and passwords. In addition to detailing information regarding the client’s online presence, accounts and passwords, the inventory should also detail the client’s computer hardware, software, and file structure systems.
To be secure, the inventory should be an electronic file, encrypted with a complex password. (A complex password is one using a variation of upper and lower letters and numbers.) Normal password protections of an MS Word or other MS Office document are easily circumvented, so best practices are to use a software package designed to store confidential documents and passwords, such as KeePass, SecuBox, or Web Confidential. The properly encrypted electronic inventory file can then be stored on a home computer, smartphone, or USB drive or it can be uploaded to the cloud. The complex password to access the electronic list may be written on a piece of paper stored with original estate planning documents or in a safe-deposit box. Again, it is imperative that this password be kept up-to-date. If a user changes the password and fails to replace the written, now outdated password, the person designated to access the list will be unable to do so.
Because the estate planning attorney will not have access to the electronic file containing the inventory, he or she may safely store the password, as only a person having both the password and the file can access the inventory. Before agreeing to hold the password, however, the attorney should consider the risk that someone could claim that the attorney disclosed the password without authorization. In addition, an attorney should never have custody of both the electronic file and the password. As with all confidential information, the password should be stored securely by the attorney to avoid inadvertent or unauthorized disclosure.
Electronic lists are easy to use, inexpensive, portable, and easily accessible. However, the electronic list must be kept updated as passwords and digital assets change. There is also a risk of data loss if the file is store only on a device that may be lost or broken.
Accessing the Client’s Digital Assets
Even in the best case scenario–i.e., where the decedent had inventoried all digital assets, usernames, and passwords for his or her fiduciary–the administration of a deceased or disabled person’s digital assets can be extremely complicated. Before attempting to access any digital assets of a deceased or incapacitated person, the fiduciary and his or her attorney should carefully review the terms and conditions of use of all digital assets. Federal and state laws criminalize certain types of unauthorized access to computers or data. If the fiduciary is not authorized to access digital assets under the digital asset provider’s terms of service, then accessing the deceased or disabled person’s digital assets may be a crime, even if the fiduciary is expressly authorized to access the digital asset by the relevant estate planning documents and even if the decedent gave the fiduciary his or her username and password.
For example, Yahoo’s terms of service provide that a deceased user’s rights to his or her account terminate at death and, accordingly, his or her fiduciaries are not authorized to use or view the Yahoo.com account. A fiduciary who accesses the decedent’s Yahoo mail in violation of the terms of service does so without appropriate legal authorities. This kind of unauthorized access is a crime, thanks to broad anti-hacking and electronic data security laws.
All 50 states have criminal laws prohibiting unauthorized access to electronic data. Federal law, specifically the Computer Fraud and Abuse Act (CFAA), criminalizes intentional access of a computer without authorization or exceeding authorization and thereby obtaining financial data or information from a protected (e.g., private) computer. In fact, the U.S. Department of Justice (DOJ) has stated that violating a term of service on Facebook or Match.com is a federal crime under the CFAA. The DOJ has also stated, however, that it does not intend to prosecute “minor” violations. The DOJ did prosecute a mother under the CFAA who posed as a 17-year-old and cyber-bullied her daughter’s classmate, which violates MySpace’s terms of service prohibiting lying about identifying information, including age. While there is no reported case of the DOJ or any state prosecuting a fiduciary for unauthorized access to a deceased or disabled person’s digital assets, some threat of criminal penalty remains. Estate planning attorneys should warn fiduciaries of this risk.
In light of these issues, state legislatures are increasingly providing express statutory authority to allow executors and personal representatives to access and control certain digital assets of a deceased person. Five states (Connecticut, Idaho, Indiana, Oklahoma, and Rhode Island) have statutes that give the personal representative or executor limited access to certain digital assets, and three additional states (Nebraska, Ohio, and Oregon) are considering similar legislation. While these state laws may be well-intentioned, they do conflict with the Federal CFAA, making their validity unclear.
In January 2012, the Uniform Law Commission approved a committee to study the question of a fiduciary’s power and authority concerning digital assets of a disabled or deceased person. The Uniform Law Commissioners identified that:
"There is considerable uncertainty concerning how a fiduciary can access such property when administering a decedent’s estate or the affairs of an incapacitated person. When an individual dies or becomes incapacitated, fiduciaries need to find, access, value, protect, and transfer the individual’s valuable or significant property. Fiduciaries need clear powers to act on behalf of the individual in the digital world.:
Leaders from the American Bar Association and American College of Trusts and Estate Counsel are working together with the Uniform Law Commissioners to find a way to resolve these issues.
Recovering Digital Assets that are Legally Accessible to the Fiduciary
After creating a comprehensive list of known digital assets, the fiduciary should begin to protect and preserve those digital assets. The method for doing so varies, depending on the type of digital asset in question.
Prompt access to the client’s email account can often be critical to paying bills on time, identifying bank accounts with liquidity, and discovering valuable digital and non-digital assets. If prompt access is not obtained, emails could be lost as most free email services delete messages if the account has not been accessed for four to nine months and will delete a person’s entire account if not accessed for eight to 12 months. When, or if, the fiduciary is able to access the deceased or disabled person’s email account, the fiduciary should immediately change the password, choosing a highly complex password to prevent unauthorized access.
If the fiduciary can access the email account legally and knows the username and password, the fiduciary should search messages to identify digital and non-digital assets. If the fiduciary finds information regarding digital assets but not the passwords necessary to custody those assets, he or she may use the “forgot my password” feature available on most websites to have the password (or password reset instructions) emailed to the client’s account.
If the fiduciary does not have the user’s password and username but is confident that he or she has legal authority to access the account, the fiduciary may be able to access the email account from the user’s home or work computer, tablet, netbook, or smartphone. In some cases, the username and password data may be saved on the device or may automatically populate when one correct character is typed. If the email account is through an internet service provider (i.e., phone or cable company), the provider will usually reset the password at the fiduciary’s request, on presentation of supporting documentation such as letters of office or a death certificate.
Assuming the fiduciary is able to gain access to the email accounts, he or she should review new emails regularly (generally every week) during the period of estate administration to identify additional assets, creditors, or other relevant information. When the period of audit on the estate tax return is closed (or, if no estate tax return is due, then after the probate estate has been closed), the email account should be deleted. If the fiduciary is not able to access the email account legally, the email account should be deleted promptly to prevent unauthorized access.
"In rare cases we may be able to provide the Gmail account content to an authorized representative of the deceased user...we take our responsibility to protect the privacy of people who use Google services very seriously. Any decision to provide the contents of a deceased user’s email will be made only after a careful review, and the application to obtain email content is a lengthy process."
Accordingly, the fiduciary should not count on receiving a copy of the email account contents promptly (if at all).
For example, in 2004, the family of deceased U.S. Marine Justin Ellsworth requested a copy of his Yahoo email messages (after first unsuccessfully requesting his password), to better understand his last words and thoughts before death. Yahoo refused, citing user privacy concerns. The Ellsworth family then obtained a court order directing Yahoo to release the contents of the account. Yahoo complied, and Justin’s father was sent a CD containing all messages Justin received, but not those that he had sent, which were deleted consistent with Justin’s account settings.
Computers and Smartphones
For some clients, important data regarding recurring expenses, digital and non-digital assets, taxes, and insurance are stored not on the internet, but on the hard drive of a home computer. Clients who are always on the go may opt to store this information instead on a smartphone, netbook, or tablet. Few information technology experts would say that this method of storage is secure; however, it is not uncommon.
The fiduciary may be unable to access the device itself or important files stored on it without a password that the fiduciary does not know. The fiduciary could spend countless hours guessing the password; it is probably most efficient, however, to engage the services of a data forensics expert. For anywhere from several hundred to a few thousand dollars, a data forensics expert can protect, preserve, and access most secure data files store on a computer, smartphone, or similar device’s hard drive.
Online Sales Accounts
If the deceased or disabled individual ran an online business (or simply sold occasional items online), current sales may be pending on online sales accounts such as eBay, Craigslist, Amazon, or Etsy at the time of his or her death or incapacity. In addition, funds from online sales may be sitting in related payment entities, such as PayPal or Western Union.
Timely access to sales accounts could be critical to preserve the value of the decedent’s business and to avoid breach of contract actions. If it is unknown whether the decedent maintained an online sales account, the fiduciary should check the decedent’s email accounts and text messages for alerts about sales transactions and should review bank records for deposits from online transactions. A fiduciary should arrange for the completion of in-process sales; refund incomplete sales; and, if desired or appropriate, prevent future sales from occurring.
Most online sales marketplaces allow the fiduciary to access the decedent’s account. However, the fiduciary generally may not transfer the account to another. For example, eBay, under its user agreement, does not allow the transfer of a personal sales account without eBay’s special consent.
For an online business, the fiduciary should contact the web-hosting agency to have access transferred to the fiduciary.
Websites and Blogs
Because personal webpages and blogs are intentionally made to be shared, a decedent’s family and friends will likely know if a decedent was maintaining one. A fiduciary may also discover evidence of blog by checking credit card statements and email accounts for payment of site hosting fees. The fiduciary may also discover webpages and blogs by simply Googling the decedent’s name.
If the decedent paid for webpage and blog hosting, the fiduciary can usually have the password reset and can gain full access. Some (but not all) free webpages and blog hosting services also allow a fiduciary to reset the password.
Most free webpage and blog hosting accounts are generally not transferable under their terms of service contracts, and fiduciaries may not be able to access the accounts at all. If a fiduciary is denied access to a free account, in many cases a copy of the content may be sufficient to satisfy the family’s desire to preserve its sentimental value. After the content has been copied, the fiduciary should request that the account be closed.
Social media accounts
Rarely does a fiduciary need to continue the actual use of a social media account because the benefit of social media is primarily personal to the individual, allowing him or her to connect and engage with other people. Most social media services, including Facebook, MySpace, Twitter, and LinkedIn, do not allow an assignment or transfer of a user’s account, including a transfer of the account to an appropriate fiduciary upon death or disability. The fiduciary’s choices for the user’s account are to (1) request the deactivation or deletion of the account or (2) leave the account as is. Facebook also allows the appropriate fiduciary or family member to turn the account into a memorial page, which prevents the addition of further “friends” and allows current friends to post messages in remembrance.
For most clients today, an estate plan that does not address digital assets is an inadequate estate plan. The potential administrative burden on the fiduciary, to identify and marshal elusive digital assets without a proper roadmap, is tremendous. Add to that the potential financial losses that may occur if digital assets with significant intrinsic value are never found (or are inaccessible), or if pending online orders from a client’s business are not promptly filled, and the result could be devastating. At a minimum, estate planners should be aware of these issues and should discuss them with their clients, encouraging clients to assemble a comprehensive inventory of digital assets and passwords. It may be possible after the fact, with the help of a data forensics expert and a great deal of diligent legwork, to pull some of the digital pieces together but, as with most aspects of estate planning, by far the simpler and more effective approach is to be informed and plan ahead.
This article was originally published in Estate Planning magazine, Volume 40, Number 5, May 2013. Copyright © 2013.