As the exponential growth in the storage of asset and liability information on digital platforms and devices continues unabated, the ability to gather critical asset and liability information following a death is becoming ever more complicated. Fiduciaries responsible for post-death administration must collect, secure, inventory and value all assets and account for all debts, expenses and administrative costs. The inability to access critical information that’s stored digitally significantly increases the risk that fiduciaries will fail to meet these obligations and therefore risk exposure to personal liability for any losses that may occur.
In response to this relatively new need for fiduciaries to gain access to critical asset and liability information stored on digital platforms, the Uniform Law Commission (ULC) issued the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA) in 2015.1 As of this writing, RUFADAA has been enacted in 45 states, the District of Columbia and the U.S. Virgin Islands.2 Only California, Oklahoma, Louisiana, Delaware and Massachusetts haven’t enacted RUFADAA, though a bill to enact it is currently pending in the Massachusetts legislature.3 The fact that RUFADAA has been enacted so quickly and in so many states without amendments or changes to the ULC language is evidence of just how challenging it is for the law to keep up with the pace of change in the digital world. It’s also evidence of the significant political influence that large technology companies have over our legislative process.
Getting Access
The ability to access one’s accounts via the Internet has only been available to consumers since 1995.4 It took a few years for the concept of online banking to truly take hold, but a 2019 survey conducted by the American Bankers Association found that roughly 73% of banking customers access their accounts via online and mobile platforms.5
Online banking and investment accounts aren’t the only online platforms that fiduciaries may need to access post-death. A 2019 survey found that the average email address was connected to more than 130 online accounts in which digital asset and liability information might be stored.6 While the vast majority of digital accounts are unlikely to include asset and liability information (think social media accounts and accounts connected to e-commerce sites or online subscriptions), a fiduciary can’t be certain it’s accounted for all assets and liabilities without comprehensive access.
In the era that preceded this explosive growth in the use of digital storage for personal information, fiduciaries responsible for the post-death administration of estates and trusts (and the attorneys who represented them) relied primarily on income tax returns, the decedent’s personal files and documents arriving in the U.S. mail to obtain asset and liability information. However, with more and more asset and liability information being stored electronically, these paper-based methods are far less comprehensive than they once were.
When a physical paper trail of asset and liability information is either incomplete or non-existent, the fiduciary will need to obtain electronic copies of documents that may be stored on personal computers, tablets or smartphones, in the cloud or on some other digital storage device. As nearly every digital storage device requires a password, the absence of the password needed to unlock the device could make it nearly impossible for a fiduciary to access critical information.
Using a password to unlock a digital storage device is unlikely to be a problem for a fiduciary (assuming that the fiduciary has the password). However, accessing a digital account stored on the server of a commercial Internet service provider (ISP) is more problematic. This is because “free” email accounts (and all of the data and digital information stored therein) that are available from ISPs such as Yahoo and Google are typically owned by the ISP and licensed to the user for as long as the user is alive. Because these licenses typically expire on the user’s death, access to the account and all of the digital data stored therein is ordinarily cut off as soon as the ISP learns of the user’s death. This is true even if the fiduciary can access the account with the deceased user’s username and password.
SCA and CFAA
When an individual goes online to create an account with an ISP, that individual must “sign” an electronic contract known as a click-through terms-of-service (TOS) agreement. TOS agreements contain various provisions related to ownership, use and transferability of digital content that’s stored on and accessed via the digital platform(s) owned by the ISP. For example, when a user “signs” a TOS agreement to create a Gmail account, Google grants a license to the user that’s “personal” and “non-assignable” to anyone else, including, presumably, a fiduciary acting on behalf of the user.7 Many TOS agreements for commercial ISPs are governed by the federal Stored Communications Act (SCA)8 and the federal Computer Fraud and Abuse Act (CFAA).9
The SCA governs the actions of the ISPs and potentially subjects them to civil penalties and fines if they disclose the digital communications of their users without proper authorization. In most cases, fiduciaries can’t compel ISPs to disclose any digital communication governed by the SCA because doing so would violate the user’s privacy and potentially subject the ISP to liability for each disclosure. A simple example of a digital communication or record would be an email that a user sends from their Gmail account. If Google were to release a copy of that email to an unauthorized user, including the deceased user’s fiduciary, Google would be in violation of the SCA.
The CFAA is a federal criminal statute that prohibits intentional access to a computer “without authorization” or in a manner that “exceeds authorization” provided for in the TOS agreement.10 While fiduciaries have authority under state law to take possession or control of trust and estate assets, the licenses to access and use digital content stored by a digital content provider such as an ISP typically expire at death. Because the licenses to use and access the digital content stored on ISP servers are typically personal and non-assignable to anyone else, including a fiduciary,11 the CFAA (or a comparable state criminal statute) could potentially be used to prosecute a fiduciary who accesses a deceased user’s account even though access to the account may be necessary for the fiduciary to carry out its duties.
Uniform Statute
These conflicts between the federal statutes that govern click-through TOS agreements and the state statutes that govern the actions of fiduciaries led the ULC to begin working on a uniform statute. The goal was to allow fiduciaries to gain access to asset information stored on digital platforms without subjecting fiduciaries to liability for violations of the CFAA and other applicable state and local statutes governing unauthorized use of computers. The first attempt by the ULC, the Uniform Fiduciary Access to Digital Assets Act (UFADAA), sought to give personal representatives and executors implicit authority to access a decedent’s digital assets post-death in much the same way that they would be authorized to open a decedent’s mail. Opposition to UFADAA was swift and overwhelming because ISPs and privacy advocates were concerned that giving such broad authority to fiduciaries to access digital records would undermine a decedent’s privacy post-death.12 While privacy was certainly a valid concern, the potential cost of complying with UFADAA likely caused much greater anxiety among the ISPs and tech companies that lined up to oppose it.
In response, RUFADAA came about as a compromise among privacy advocates, consumer advocates, the National Academy of Elder Law Attorneys and the large tech firms that had staunchly opposed UFADAA.13 The primary and very significant difference between RUFADAA and UFADAA is the requirement that users must consent to the disclosure of their digital communications before ISPs can be required to disclose any digital content to a fiduciary.14 The language of RUFADAA provides for a three-tier system under which decedents may authorize access to their online accounts.15
The first (and most effective) tier is via an online tool agreement that the user executes (or clicks through) directly with the ISP. Such tools are separate and apart from the TOS agreements that govern the creation and use of the account, and the use of the online tool agreement will effectively override any contrary direction by the user in a will, trust or other governing document.16 Google, for example, allows its users to designate an individual to serve as an “Inactive Account Manager” who can access a deceased user’s Gmail account for limited purposes and for a limited period of time following a user’s death.17 The Inactive Account Manager can be a family member, a close friend or a trusted advisor. It doesn’t have to be the fiduciary responsible for post-death administration.
The second tier for fiduciary access requires the user to include enabling language in their will or trust that specifically authorizes (or prohibits) the disclosure to the fiduciary of digital asset information stored on the server of an ISP.
In the absence of an online tool or enabling language in the deceased user’s will or trust, the third tier for fiduciary access is effectively the provisions of the TOS agreement itself. In most cases, this will mean no access.
Challenges With RUFADAA
RUFADAA defines the term “digital asset” as “an electronic record in which an individual has a right or interest. The term doesn’t include an underlying asset or liability unless the asset or liability is itself an electronic record.”18 Knowing how RUFADAA defines the term “digital asset” is important to understanding what isn’t deemed to be a digital asset under the statute. Because most underlying assets that fiduciaries will identify or uncover using the access afforded to them by RUFADAA won’t be digital in nature, the definition also speaks to the limitations of RUFADAA.
For example, even if an individual opens a bank account online using a digital application, funds the account via electronic transfers, receives monthly statements and other account notifications electronically and accesses the account on a digital platform, the account itself isn’t a digital asset as defined by RUFADAA. The fiduciary who will need to collect and secure that account following the owner’s death will simply need to know that the account exists and that it belongs to the estate or trust. When underlying assets were excluded from the statutory definition of a “digital asset,” the drafters of RUFADAA acknowledged that the overwhelming majority of digital assets, as defined by RUFADAA, have little or no economic value and that the statute itself is strictly limited to providing access to digitally stored information about underlying assets, but not necessarily to the underlying assets themselves.
As fiduciaries are ultimately responsible for collecting and securing all of the underlying assets in the estates and trusts that they administer, the growing absence of paper statements and documents is making access to much needed electronic records a much more critical component of post-death administration. Put differently, RUFADAA is designed to provide fiduciaries with access to the electronic paper trail that will hopefully lead the fiduciary to underlying estate and trust assets that have value and that need to be collected, secured, valued and, ultimately, sold or distributed in accordance with the terms of the estate plan.
For users who don’t employ an online tool and don’t include the necessary enabling language in their estate plan documents, RUFADAA will be of little or no value to their fiduciaries, who will be at the mercy of the terms of the click-through TOS agreement that likely terminated access to the online account immediately on the user’s death. Further, even if the enabling language has been included in the decedent’s will, the executor or personal representative will still need to know where or on what platform the deceased user kept their digital asset information. In addition, if the executor needs to rely on RUFADAA to obtain access to digital asset information that will be necessary to identify, collect and secure non-probate assets (assets titled in a revocable trust, for example), the executor may be required to initiate a formal probate proceeding even in situations in which a formal probate may not otherwise be required. While some ISPs may accept a certified copy of the will as proof of authority, other ISPs may require additional documentation, like a court order, before they grant access.19
Six Suggestions
This isn’t to say that RUFADAA isn’t a good start. It certainly is, but it’s important for users, fiduciaries and the attorneys who represent them to be aware of its limitations and the risks associated with acting as a fiduciary for individuals who’ve fully embraced the use of digital platforms to store critical information about their assets and liabilities. To work around the limitations of RUFADAA and reduce the risks for fiduciaries in need of access to critical asset and liability information post-death, consider the following suggestions:
Advise clients to keep and maintain a secure list of all digital accounts (especially email accounts), how to access them and passwords for all digital storage devices (for example, computers, tablets and smartphones). Clients should store the list in a place where the fiduciary, a trusted advisor or a family member can locate it post-death and should update it regularly.
Help clients set up and use the online tool agreements (like Google’s Inactive Account Manager) offered by most commercial ISPs and social media sites to provide post-death access to digital accounts for the fiduciary, a trusted advisor or a family member.
Individuals shouldn’t use a work email account for access to personal digital content of any kind. Most companies won’t allow a fiduciary to access a deceased employee’s email account, which will likely contain confidential information that’s solely the property of the deceased user’s employer.
Clients should consider creating and maintaining a separate, dedicated email account with a reputable commercial ISP for access to all personal digital account information and online content.
Update estate plan documents to include language that specifically authorizes fiduciary access to digital asset information as prescribed by RUFADAA.
For clients who’ve chosen to go paperless with their asset and liability information, arrange for the receipt of comprehensive paper statements to be mailed out once a year along with paper copies of annual income tax reporting documents.
Effectively Transmit Information
While we’re unlikely to ever live in a completely paperless world, most clients are using far less paper and storing more and more critical information on digital devices and electronic platforms. Advise clients to use every tool at their disposal to ensure that the information needed to administer their estate plans is as effectively transmitted to the fiduciaries and the beneficiaries as the estate plans themselves.
Endnotes
1. “Fiduciary Access to Digital Assets Act, Revised,” Fiduciary Access to Digital Assets Act, Revised—Uniform Law Commission, Uniform Law Commission
(March 21, 2021), www.uniformlaws.org/committees/community-home?CommunityKey=f7237fc4-74c2-4728-81c6-b39a91ecdf22.
2. Ibid.
3. Ibid.
4. Wayne Thompson, “Wow! 20 Years of Internet Banking,” Wells Fargo Stories, Wells Fargo (May 18, 2015), stories.wf.com/wow-two-decades-of-banking-online/#:~:text=On%20May%2018%2C%201995%2C%20Wells,and%20bank%2Dprovided%20floppy%20disks.&text=One%20example%3A%20The%20owners%20of,online%20banking%20at%20Wells%20Fargo.
5. Mike Townsend, “Survey: Bank Customers Preference for Digital Channels Continues to Grow,” American Bankers Association (Nov. 5, 2019), www.aba.com/about-us/press-room/press-releases/survey-bank-customers-preference-for-digital-channels-continues-to-grow.
6. Nate Lord, “Uncovering Password Habits: Are Users’ Password Security Habits Improving? (Infographic),” Digital Guardian (Sept. 29, 2020), digitalguardian.com/blog/uncovering-password-habits-are-users-password-security-habits-improving-infographic.
7. “Google Terms of Service—Privacy & Terms,” Google (March 31, 2020), policies.google.com/terms.
8. 18 U.S.C.A. Section 2701.
9. 18 U.S.C.A. Section 1030(a)-(c).
10. Ibid.
11. Supra note 7.
12. Joseph Ronderos, “Is Access Enough?: Addressing Inheritability of Digital Assets Using The Three-Tier System Under The Revised Uniform Fiduciary Access To Digital Assets Act,” 18 Tenn. J. Bus. L. (2017).
13. https://trace.tennessee.edu/transactions/vol18/iss3/5.
14. Jeffrey Levine, “How RUFADAA Is Changing Digital Estate Planning,” Nerd’s Eye View | Kitces.com (Aug. 8, 2018), www.kitces.com/blog/rufadaa-digital-estate-planning-rights-three-tiers-online-tool-fiduciary/.
15. Supra note 12.
16. Ibid.
17. Ibid.
18. “About Inactive Account Manager,” Google Account Help—About Inactive Account Manager, Google, support.google.com/accounts/answer/3036546?hl=en.
19. Betsy Simmons Hannibal, “The Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA)” (Feb. 5, 2021), www.nolo.com/legal-encyclopedia/ufadaa.html.