Digital Access After Death Determined by Varying Federal, State Laws

To deal with the locked-out fiduciaries and family members, a handful of states are passing “digital decedent” laws, which authorize fiduciaries to give the lawful consent that federal laws require on behalf of deceased users. The Uniform Law Commission (ULC) -- a group responsible for creating standardized model laws for states to adopt -- has also created a Fiduciary Access to Digital Assets Drafting Committee to author a model law in the hopes that states will adopt it and abandon their own legislation.

The CFAA and the SCA have “a chilling effect” on fiduciaries and family members looking to gain access to the electronic communications of their dearly departed, said Jim Lamm, an estate lawyer with the Gray Plant Mooty law firm in Minnesota, among the many states without digital decedent laws. The CFAA criminalizes terms-of-service violations, and many terms of service prohibit users from allowing other people access to their accounts. A user leaving his login information for a fiduciary or family member is technically violating terms and committing a crime under the CFAA, Lamm said. Rep. Zoe Lofgren, D-Calif., this month introduced a bill to decriminalize terms violations under the CFAA, after Internet activist Aaron Swartz committed suicide in the midst of his CFAA prosecution (WID Jan17 p1).

Under the SCA, Internet companies are prohibited from sharing user data unless faced with a warrant, subpoena or court order from a law enforcement official or when they received requests from court-appointed fiduciaries and have that user’s “lawful consent,” Lamm said. “But it is not clear ... if I'm dead, [whether] my spouse, my children, my fiduciary can give consent.” While Internet companies are required to release the data to law enforcement, they are not required to release the data to fiduciaries, Lamm said. “I can’t get it unless Facebook is feeling benevolent."

Facebook is “only able to consider requests for account contents of a deceased person from an authorized representative,” and the company tells users, “the application to obtain account content is a lengthy process and will require you to obtain a court order.” Facebook had no comment for this story. Google tells users that “in rare cases we may be able to provide the contents of the Gmail account to an authorized representative of the deceased person.” The company said the process for authorized representatives with court orders to gain access to a deceased user’s Gmail contents is “lengthy,” involves “multiple waiting periods” and “does not guarantee that we will be able to assist you.” Google’s commitment to protecting user privacy “means putting our users first when we receive requests for their personal information, even when it’s from a grieving family,” a spokesman said.

On a Web page about deactivating Twitter accounts belonging to the deceased, Twitter tells users they can submit information to have an account deactivated, but the company is “unable to provide login information for the account to anyone regardless of his or her relationship to the deceased.” A spokesman said Twitter will release user data if it’s presented with “a subpoena, court order, or other valid legal process.” The company has “a government affairs team that is constantly in dialogue with national and state policymakers,” he said. File-sharing service Dropbox told us the company works “with the families of deceased users on a case-by-case basis regarding account data. The result in any particular case will depend on the governing laws and applicable court orders."

Estate attorneys are hopeful that federal laws will be reformed to allow fiduciaries to access digital accounts belonging to the deceased, said Suzanne Walsh, chair of the ULC’s drafting committee and estate attorney with Cummings & Lockwood in Connecticut, the first state to develop a digital decedent law. “No one has abandoned hope” that SCA and CFAA will get reformed as the drafting committee “tiptoes” around the federal laws, she said: “It has to happen” at the federal level as well as at the state level “to really work well.” The federal laws could be amended to allow fiduciaries to express lawful consent on behalf of users that are either deceased or no longer able to care for themselves, Walsh said. “If the state law makes me an authorized user ... then the federal law could recognize that."

Five State Laws, Eight Bills

Five states have digital decedent laws, and at least eight more are considering adopting them, our review found. Idaho, Indiana, Oklahoma and Rhode Island have enacted digital decedent laws since 2005, when Connecticut passed the first-of-its-kind law. This year, legislatures in Maryland, Nebraska, New Hampshire, New Jersey, New York, North Dakota, Oregon and Virginia are considering digital decedent bills, and the North Carolina Bar Association is drafting a digital decedent bill to have introduced there.

To handle the intersection between state and federal laws, some states’ statutes say their existing laws don’t require online services to provide user information “in violation of any applicable federal law.” Laws in Connecticut, Indiana and Rhode Island, as well as the New York bill and the North Carolina draft, include that language. Including this language has no legal effect on the barriers to access created by the CFAA and SCA, Lamm said. “But they still may be helpful in convincing online account providers that fiduciaries are ‘authorized’ to receive information."

Two laws and six bills include identical language that grants fiduciaries “the power, where otherwise authorized, to take control of, conduct, continue, or terminate any accounts of a deceased person on any social networking website, any microblogging or short message service website or any email service websites.” This language first appeared in the Oklahoma law, which was enacted in 2010, and appears in the 2011 Idaho law as well as bills in Maryland, Nebraska, New Hampshire, New Jersey, New York and North Dakota.

Lamm described this definition of digital asset as “woefully inadequate.” Older laws, such as those in Connecticut and Rhode Island, “just talk about email,” and the Oklahoma and Idaho laws reference social media but don’t “include Flickr or file sharing services like Dropbox,” he said. These categories of digital assets are “the tip of the iceberg. It’s an important tip, but only” the beginning, he said. The laws should be written to be technology-neutral in anticipation of unpredictable technological advances, but crafting the laws to be neutral “is the big challenge,” Lamm said. Drafters are “trying to be thinking way ahead ... but who knows what data [will be collected] and where it will be stored,” he said. The Virginia bill defines a digital asset -- to which a fiduciary would be granted access -- as “text, images, multimedia information, or other personal property stored in an analog or digital format” including “words, characters, codes, or contractual rights necessary to access the digital assets.” The North Carolina draft bill’s definition of digital assets includes “email, documents, images, audio, video, and similar digital files which currently exist or may exist as technology develops."

Some state legislation requires companies to retain user data for two years after receiving a request for the data from a fiduciary. Indiana law as well as bills in Oregon and Virginia and the draft in North Carolina include this data retention requirement. These requirements “might not be practical or workable” because of companies’ policies as well as the push for more limited data retention policies by privacy advocates, Walsh said. For instance, a Twitter spokesman said that once the company receives notification and confirmation that an account holder has died, the site deactivates the account and retains the deactivated account data for 30 days.

Uniform Law Commission

As states write their own laws, the ULC’s drafting committee is working on a model bill that states could adopt to officially grant fiduciaries the power to express lawful consent in place of a deceased user, which “gets us around the SCA, and we're hoping it gets us around the CFAA,” Walsh said. The group -- meeting in February to discuss its most recent draft of the model bill -- has a roster including observers from Facebook and Google. The current draft breaks down power to access digital assets based on the type of court-appointed fiduciary that is involved.

The drafting committee will consider if a court order should be necessary at February’s meeting, Walsh said. There are many cases when a deceased user won’t have a court-appointed fiduciary, such as when a person dies without leaving a will, she said. While most unofficial representatives can obtain the necessary court order, there are a number of circumstances -- including geographic or financial limitations -- when obtaining a court order is “beyond some people’s means,” Walsh said. Until there’s a federal law or a court ruling demonstrating that these state laws make it legal for fiduciaries to access accounts belonging to the deceased, Internet companies will play it safe when there’s no court order, she said. “You want the comfort of a court ruling or a statute. That’s Business 101."

The committee will also discuss at February’s meeting the role of terms-of-service agreements as they relate to contract law, Walsh said. “We're not really sure to what extent these privacy policies are contracts” and create legally binding obligations between users and companies who promise to keep their users’ data secure, she said: “If those privacy policies are contracts, we have to figure out to what extent we can vary” them, so that fiduciaries can access the data without violating the contract.

These laws raise serious privacy concerns, NetChoice Executive Director Steve DelBianco wrote members of state legislatures considering the bills. The group’s members include AOL, Facebook, Yahoo and other media and Internet companies (http://xrl.us/bn6wwd). The laws would give “estate representatives the power to disregard the express privacy choices” of users, DelBianco said. Users indicate their privacy priorities by choosing “online services based on the strong privacy protections and data deletion policies in the Terms of Service,” he said: Creating a default probate law that overrides those privacy protections minimizes the impact of consumer choice.

The laws could also force companies to “violate their obligation to prevent unauthorized access,” DelBianco wrote. Online services are, on their own, finding new ways to deal with accounts belonging to deceased users -- such as Facebook’s “Memorialize” feature -- he said. “Creating a patchwork of conflicting state and federal laws will obstruct that kind of innovation by online services.” DelBianco urged state legislatures to hold off on their own bills until the ULC has completed its draft legislation.

Walsh said she hopes states will wait for the ULC to finish its draft. Though individuals from state bar associations have participated in the ULC process and could use those conversations to shape state laws sooner, Walsh said the committee hopes “that they will see what we're trying to do, and, as a result, hold off” on moving their own legislation forward in their states.

Maryland lawmakers plan to do just that, said an aide to Maryland state Sen. Katherine Klausmeier, who introduced the state’s digital decedent bill earlier this month and held a hearing in the fall on the issue. Klausmeier will “wait and see” before pushing the legislation, her aide said. “I understand that some of the online providers have concerns that a bill like this could conflict with existing federal law, but I hope that the Uniform Law Commission can come up with a solution that deals with that issue while also allowing individuals to have some sort of control over their digital assets after they die,” Klausmeier said in a statement. “This bill brings up an important issue but it is a little before its time.”