Access to digital assets - Florida's new law for fiduciaries: what are digital assets and why are they relevant?

• Author: Brunner, S. Dresden

Do you use Facebook, LinkedIn, or Twitter? PayPal or Amazon? Do your clients bank online? Use Google or Yahoo? Have an iTunes account? Smartphone? These are examples of digital assets, and they likely have personal value, if not also some financial value, to you and your clients.

Because digital assets have financial and/or personal value to their owners, they need to be identified and protected, both to preserve value and privacy. The identification of digital assets and the planning necessitated by these types of assets affects many different aspects of clients' lives. It also affects a broad spectrum of attorney practice areas, such as business planning and dissolution, divorce, probate, taxation, and intellectual property. This article explains Florida's new law that governs access to digital assets by fiduciaries: guardians, agents under power of attorney, personal representatives, and trustees.

Generally, digital assets relate to data, information, and intellectual property that is transmitted or stored on electronic devices, such as smartphones or computers. Digital assets can include email accounts, social media accounts, domain names, online businesses run through eBay, gaming characters, digital currency such as Bitcoins, digital photographs, online banking, PayPal accounts, and other similar items.

How Federal Laws and Terms-of-Service Agreements Protect Digital Assets

Current federal laws, along with terms-of-service agreements (TOSA), protect access to digital assets--or limit that access by fiduciaries.

* Federal Laws--Federal laws prohibit the unauthorized access of computer systems (i.e., hacking) and prohibit unauthorized access to certain types of protected data (i.e., privacy laws). The Stored Communications Act (SCA) (1) establishes privacy rights and prohibits service providers from knowingly divulging the contents of certain electronic communications and files.

The SCA, in part, concerns access to the digital assets, making it a crime for anyone to "intentionally access" without authorization a facility through which an electronic communication service is provided" as well as to "intentionally exceed" an authorization to access that facility." (2) Thus, someone who has authorization to access the facility or is acting within the limits of his or her authorization is not engaging in criminal behavior. Moreover, the SCA does not apply to "conduct authorized ... by a user of that service with respect to a communication from or intended for that user." (3) Further, the SCA concerns actions by the service provider. It treats access to the contents of a communication and to noncontent records of communications differently. It prohibits a service provider from knowingly divulging the contents of a communication that is stored by or carried or maintained on that service unless disclosure is made (among other exceptions) "to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient" or "with the lawful consent of the originator or an addressee or intended recipient of such communication, or the subscriber in the case of remote computing service." (4) The act permits disclosure of "customer records" that do not include content either with lawful consent from the customer or "to any person other than a governmental entity" (5) (among other exceptions). Thus, unlike the contents, the provider is permitted to disclose the noncontent records of the electronic communications to anyone except the government, and may disclose the noncontent records to the government with the customer's lawful consent or in certain emergencies.

This distinction between noncontent and content can be thought of as the difference between the envelope and the letter within the envelope. The protected content is the letter. The noncontent records are the envelope that identifies the addressee, address, postmark, subject line, and sender.

The privacy protections of federal law do not apply to private email service providers, such as employers and educational institutions. (6) Additionally, most employers are not considered custodians because an employer typically does not have a TOSA with an employee. (7) Any digital assets created through employment generally belong to the employer.

These privacy protections work well so long as the client is alive and has capacity to access and control the digital assets. But what happens when the client becomes incapacitated and can no longer access the accounts or dies? These privacy protections are viewed by some as being substantial barriers for family members and fiduciaries who seek to access the contents of a deceased or incapacitated user's online accounts. The service providers see the privacy protections as restrictions on their ability to disclose electronic communications to anyone, unless certain exceptions are met. Their reasoning is that, if the SCA applies, the online account service provider is prohibited by law from disclosing the contents of the communications and files.

The Computer Fraud and Abuse Act (CFAA) prohibits unauthorized access to computers. (8) Like the Stored Communications Act, the CFAA protects against anyone who "intentionally accesses a computer without authorization or exceeds authorized access." (9) The CFAA is designed to protect computers in which there is a federal interest from certain threats and forms of espionage and from being used to commit fraud. (10) The law imposes penalties for the unauthorized access of...