Over the past few decades, the number of people who own digital assets has increased dramatically. If you own a smart phone, then you almost certainly own digital assets. The prevalence and value of digital assets has raised questions about who has the right to access and control this form of property if the owner is deceased or becomes incapacitated. It’s a classic case of technology outpacing the law, but the law in Pennsylvania has finally caught up.
We can see the effects of the inexorable migration toward all things digital in many aspects of our lives—some good, like online banking and being able to telecommute during a pandemic; and some bad, like cyber security threats and identity theft. If you’re not sure whether you own digital assets, it may be eye-opening to review the following list to see the types of information that are encompassed by the term “digital assets.”
1. Social media (e.g., Facebook, Twitter, Snapchat, Instagram, Tik Tok, LinkedIn, YouTube, Zoom);
2. Financial accounts (e.g., bank, investment, retirement, tax returns, student loans);
3. Retail accounts (e.g., PayPal, Amazon, iTunes, Starbucks, frequent flier, rewards points, home security, genealogy, and online gaming);
4. Medical records (e.g., doctor, hospital, health insurance, life insurance, genetics);
5. Electronic communications (e.g., e-mail, text, video, instant messaging, and overlap with social media);
6. Business assets (e.g., blogs and web sites, including trademarks and copyrights);
7. Online storage (e.g., DropBox, Carbonite, iCloud, Google Drive);
8. Cryptocurrencies (e.g., Bitcoin, Ethereum, Litecoin, etc.).
This list is not meant to be all-inclusive, but it illustrates the breadth, value, and significance of digital assets. Digital assets have become, for better or worse, essential to our functioning society and they play a key role in to how we manage our finances, conduct business, communicate with friends and colleagues, and protect our privacy.
Digital Assets under Federal and State Law
Given their value and ubiquity, it is not surprising that there are laws in place to protect digital assets. The Computer Fraud and Abuse Act (“CFAA”), a federal law enacted in 1986 and most recently amended in 2008, makes it a crime to access computers and similar devices (e.g., cell phones) without authorization, or to act in a way that exceeds the level of authorization granted. One of the criticisms of the CFAA, which is sometimes referred to as the federal “anti-hacking” law, is that “authorization” is not adequately defined, making it difficult to determine whether conduct does or does not violate the law. The U.S. Supreme Court recently agreed to hear a case involving this issue, so clarification may be forthcoming within the next year. Another criticism of the CFAA is that violations of a website’s Terms of Service agreement, which are the overly long, arcane legal agreements between the service provider and the end user, can be treated as crimes under the CFAA. Most people are loath to read Terms of Service agreements, but heedlessly clicking past the fine print can create a trap for the unwary. When it comes to estate planning considerations, the CFAA does not exempt the activities of a fiduciary, such as an agent under a power of attorney, an executor under a will, a trustee of a trust, or a court-appointed guardian of the estate unless their conduct is expressly authorized. Thus, a fiduciary who accesses digital assets without lawful consent from the owner could be accused of violating the CFAA.
Another federal law concerning digital assets is the Stored Communications Act (“SCA”), which was enacted in 1986. The SCA relates to online data, such as e-mail, held by internet service providers and other third parties. The SCA makes it a crime to access such online data without authorization or to exceed the level of access authorized. As with the CFAA, the level of authorization required under the SCA is not always clear and tends to depend on facts that are specific to the situation. Although the SCA does permit the disclosure of “non-content” information (e.g., activity logs) and disclosures by private service providers (e.g., employers), it does not include an exception that would permit fiduciaries, absent lawful consent, to access the online records of a decedent or an incapacitated person. Therefore, under the SCA, as is the case with the CFAA, a fiduciary who accesses online data without the owner’s authorization could be accused of violating federal law.
Pennsylvania also has a law dealing with computer offenses which, among other things, criminalizes computer hacking in a very broad sense and makes it illegal to access an electronic system or network without authorization. The offenses covered by the act include accessing a system or network for the purpose of committing fraud or theft; disrupting services; altering or controlling data; disclosing private data; committing unlawful duplication or computer trespass; distributing a computer virus; and falsifying or forging e-mail. A violation of Pennsylvania’s computer offenses law requires some level of intent to commit wrongdoing. In contrast, under the CFAA and SCA, because there is no intent requirement, the act of unauthorized access is, by itself, a crime. But like the CFAA and SCA, the Pennsylvania computer offenses law does not create an exception that would grant fiduciaries automatic access to electronic records, despite the fact that digital assets are just another form of property, the management of which is part of a fiduciary’s main responsibility. One might logically assume that an executor who, acting with the best of intentions but without authorization, signs on to a decedent’s cloud storage account, downloads the decedent’s photos and email, and distributes those documents to the decedent’s family could do so lawfully. However, without prior authorization from the account owner, this executor would have not only violated the CFAA and the SCA, but would have also committed computer trespass and unlawful duplication under Pennsylvania law.
Even a fiduciary in possession of the owner’s login credentials could unwittingly commit a crime when attempting to access the owner’s digital assets without express authorization. On the other hand, many family members without the owner’s login credentials are simply denied access to the digital assets of a loved one by the internet service provider or third-party custodian on the grounds that the requesting party lacked lawful consent from the owner and that granting such access would therefore violate federal law and the custodian’s Terms of Service agreement. Recognizing the need for a legislative fix, the Uniform Law Commission began working in 2011 on a law that, when adopted by states, would permit authorized representatives to access digital assets without fear of violating state and federal law. The Commission’s efforts culminated in 2015 with the Revised Uniform Fiduciary Access to Digital Assets Act. Nearly 40 states adopted the uniform act in the first two years following its release.
Pennsylvania’s Uniform Fiduciary Access to Digital Assets Act
Pennsylvania enacted its version of the Revised Uniform Fiduciary Access to Digital Assets Act on July 23, 2020 (“Act”), with an effective date of January 19, 2021, making it the 48th state to adopt a version of the uniform law. The Act provides two methods by which the owner of digital assets may authorize a third party to access those assets. The Act also establishes procedures and protections that help to guide the custodian’s response to requests for digital assets from a fiduciary or a designated recipient.
The first method for authorizing a third party to access digital assets is through the use of an “online tool.” The Act defines an online tool as an electronic service provided by a custodian that allows the owner to provide directions for disclosure of digital assets to a third person. It is loosely analogous to a beneficiary designation that one might establish for a retirement account. By using an online tool, the owner of digital assets can direct the custodian to permit a “designated recipient” to access those assets. An example of an online tool is Google’s Inactive Account Manager, which allows an account owner to designate a person to whom notice should be given if the account becomes inactive and to whom digital assets may be disclosed. The Act provides that the directions given by the account owner using an online tool will override contrary provisions in a Terms of Service agreement, but will override contrary provisions in estate planning documents only if the direction in the online tool may be updated or canceled by the account owner at any time.
The second method for authorizing a third party to access digital assets is for the account owner to give lawful consent to a fiduciary under a will, trust, or power of attorney. This method is always available as a backup to using an online tool and, for most people, will probably be the preferred method for dealing with digital assets. In cases where an account owner has not used an online tool to name a designated recipient, or when a particular custodian does not offer an online tool, using a will, trust, or power of attorney to authorize a fiduciary to access digital assets is the only option. As suggested above, if authorization is granted using both an online tool and under the account owner’s estate planning documents, the specific authorization established using the online tool will override the general authority granted to a fiduciary, so long as the online tool allowed the account owner to update or delete his or her directions at any time, which will almost certainly be the case. For example, where a will grants the executor blanket access to the decedent’s digital assets, but the decedent has used an online tool to prohibit access to a particular email account, that restriction will prevail unless the online tool was, in essence, locked.
The Act does not expand the rights of the fiduciary beyond those rights that the account owner possessed, nor does it diminish the account owner’s rights while the account owner is alive and not incapacitated. The Act also makes it clear that if the account owner has not used an online tool to name a designated recipient and has not granted access to a fiduciary under the account owner’s estate planning documents, then the custodian’s Terms of Service agreement and federal law will continue to control and, generally speaking, in the absence of a court order, will prevent access to the account owner’s digital assets. It is also worth noting that the Act does not extend to digital assets of an employer used by an employee in the ordinary course of business. Thus, while it may be possible to request disclosure of e-mail content from Yahoo!, the same cannot be said of the e-mail sent and received on the servers of one’s employer.
As noted above, the Act also establishes procedures for the custodian to disclose digital assets to an authorized fiduciary or designated recipient. Upon receiving a request for access, the custodian has the discretion to do any of the following:
1. Grant a fiduciary or designated recipient full access to the user’s account;
2. Grant a fiduciary or designated recipient partial access to the user’s account, sufficient to perform the tasks with which the fiduciary or designated recipient is charged; or
3. Provide a fiduciary or designated recipient a copy of any digital asset which, on the date the custodian received the request for disclosure, the user could have accessed if the user were alive and had full capacity and access to the account.
According to the comments from the Uniform Law Commission, the rationale for providing the custodian with these options is that each custodian has a different business model and so each should have some flexibility to determine how to respond most effectively to requests for access to digital assets. In addition to affording some flexibility, the disclosure procedures of the Act provide certain protections for custodians. For example, a custodian may assess a reasonable administrative charge for the cost of disclosing digital assets. In addition, if the user had deleted certain assets, the custodian is not required to recover and disclose those assets. Similarly, if an account owner authorized only partial disclosure of digital assets, and if efforts to segregate those assets creates an undue burden on the custodian, the custodian may request a court to intervene and issue an order setting forth which assets must be disclosed.
In addition to the general disclosure procedures noted above, the Act sets forth specific requirements for disclosures that are authorized under wills, powers of attorney, trusts, and guardianships. In each case, the Act identifies the requisite documents that must be submitted to the custodian in order for the custodian to then disclose the digital assets to which the fiduciary is entitled pursuant to the relevant authorization. The Act makes an important distinction between two categories of digital assets: the content of electronic communications and all other digital assets. Unless the relevant estate planning document specifically authorizes the custodian to divulge the content of electronic communications (e.g., e-mail), the custodian will only be able to grant access to “other digital assets.” However, if the account owner has authorized the disclosure of digital assets but not the content of electronic communications, the custodian will still be able to provide a “catalog of electronic communications,” which is essentially a log of e-mail transmissions that lists the date and time of the e-mail, as well as the name and e-mail address of the sender/recipient, but not the actual content of the e-mail.
Generally speaking, the types of documents that must be submitted to the custodian as prerequisites for disclosure are what one might expect. In every case, a written request for disclosure is required, and the request must indicate whether the disclosure should be in physical or electronic form. If disclosure is requested pursuant to an authorization granted in a will, the executor must provide a certified death certificate and a certified copy of letters testamentary showing the appointment of the executor. If the content of the decedent’s e-mail is requested, a copy of the will must also be provided, along with any other account-related information requested by the custodian. If disclosure is requested pursuant to an authorization granted in a power of attorney, the agent must provide a copy of the power of attorney, a certification under penalty of perjury that the power of attorney is still in effect, as well as any other account-related information requested by the custodian. Similar requirements exist for trusts and guardianships and in cases where a fiduciary intends to terminate an account.
Once a custodian receives a request for disclosure, the custodian must comply with the request within 60 days. If the custodian fails to comply within that time period, the fiduciary or designated recipient may apply to the court for an order directing compliance. So long as the custodian has made a good faith effort to comply with the Act, the custodian, as well as its officers, employees, and agents, will be immune from liability.
Relevance for Estate Planning
It’s clear to see that the Act has significant ramifications for estate planning. By establishing procedures for access and disclosure, the Act encourages individuals who own digital assets to take proactive steps in order to ensure that the assets are handled in the manner the owner intends. Unless an account owner authorizes access using an online tool, the only alternative, absent requesting a court order, is to provide lawful consent using a will, trust, or power of attorney. If lawful consent is provided, the fiduciary will be able to manage the owner’s digital assets and access, transfer, and close the owner’s digital accounts. When acting in this capacity, the fiduciary’s conduct is subject to the same duties that apply with respect to other assets that are held and managed in a decedent’s estate or pursuant to a power of attorney: the fiduciary must act with a duty of care, a duty of loyalty, and a duty of confidentiality. In addition, the fiduciary’s authority continues to be limited by the applicable Terms of Service agreement, as well as other applicable laws.
Finally, it is worth emphasizing that if someone dies without a will, there is no provision under state law to permit the administrator of the estate to access the decedent’s digital assets. The only remedy in a case like this would be for the administrator of the estate to seek a court order, which is likely to be time-consuming and expensive. This contrasts sharply with many other aspects of estate administration, where state law effectively acts as a backup in the event a person dies without a will, setting forth, for example, who is entitled to serve as administrator and who is entitled to inherit property. Thus, unless one intends to rely solely on online tools, it is essential that lawful consent to access digital assets be granted in an estate plan, or risk that the assets will not be disclosed and will be lost to the digital ether.
This update was prepared by attorney Doug Smith, who practices in the areas of estate planning, estate administration, tax law, and business and non-profit planning. It does not constitute legal advice and has been prepared for informational purposes only. Please contact Doug directly with questions about how these provisions affect you.