Where do your Passwords go when you Die?
Christopher J. Barretto
Disclaimer: We are not lawyers and one should consult one’s own legal counsel when planning your estate. The views and opinions expressed in this article are those of the author’s and the author’s only. These views do not necessarily reflect the actions nor positions one may take.
It’s a topic that none of us wants to face. However, in an ever-growing online world, it is something one needs to prepare for before it occurs. What happens to all of those online accounts when I die? Who gets the passwords? How does this all work?
The key to making it a smooth process is proper planning. Proper planning for anything is usually the best approach and the dissemination of your online accounts after you pass away is no exception. This all starts with the generation of a will. If one does not have a will, one’s estate may be passed on to an intestacy.
Inside the will is where you will name who takes over your estate. Aspects of this can become more complicated than that (marriages, family changes, etc.) but the beneficiary is still the most important person in the process.
We asked Attorney Peter Herbst, whose practice focus is on estate planning and estate administration, a few questions regarding this complicated process:
Q: Who are the direct recipients of online accounts/passwords when an individual passes away? Is there a chain of custody? Is there a discernable difference between the beneficiary versus executor?
A: Generally speaking, if there is an account to be accessed when someone passes away, that account should be accessible to the personal representative of the individual’s estate unless the account’s terms of service prohibit such access. This is an evolving area of the law, but we did just get confirmation in October of 2017 from the Massachusetts Supreme Judicial Court (“SJC”) that the Stored Communications Act does not prohibit a service provider from disclosing the contents of an account to a Personal Representative. In that case, Yahoo refused to hand over the contents of the account to the Personal Representative partially on that basis. However, as that case demonstrates, the terms of service do matter: the SJC, while finding that the Stored Communications Act does not prohibit the disclosure, remanded the case for further determination on whether Yahoo’s terms of service prevented the release of information.
Unless an account holder utilizes a service such as Google’s inactive account manager and designates a specific individual with access after their passing, the personal representative of the estate is generally the person who should seek access.
There are different ways in which one can manage the process of recovering online account passwords. Password Management tools (1Password, Dashlane, etc.) are increasingly being utilized due to the accumulation of passwords over a user’s lifetime. Many of these tools contain features that will give another individual access to this library of passwords when certain criteria are met.
One example feature within the product 1Password is called its Emergency Access Feature. This feature allows someone to designate one or more trusted family members to be able to access their password vault in an emergency.
Q: Is a will the only governing body that can detail chain of custody when it comes to online accounts/passwords?
A: I would like to distinguish between online accounts as an asset and passwords. Take a 20th-century example with someone’s home. If a person gives you the keys to the house to access it, when that person dies, the fact that you still have the capability to unlock the front door doesn’t mean you still have the legal right or ownership to do so. As part of the estate planning we do for clients, we have them sign an “Authorization and Consent for Release of Electronically Stored Information” that expressly designates representatives who have the right to access their accounts. Some service providers will argue that a user may not provide their login credentials to any other person.
What about multifactor authentication one might ask? This can prove tough if the user chooses SMS, for an example, to provide two-factor authentications. However, if one uses security keys such as physical tokens, these can be passed on, as they are physical devices that provide multifactor authentication.
The major players like Google and Facebook have proprietary ways of managing inactive accounts once someone dies. Google has a tool called the ‘Inactive Account Manager’ and Facebook offers memorialization services. Memorialization requests do, however, require date of death. Facebook also offers a setting called a ‘Legacy Contact.’ This contact will be able to gain full access to an account when the originating account holder passes away. This ‘Legacy Contact’ must also be a Facebook user. Other sub-settings within this setting exist such as providing annual reminders to review one’s legacy contact. At the end of this article are links that provide further details on these specific features.
Q: Besides a will, what other kinds of documentation should an individual prepare in terms of their online identity?
A: Not all wills are created equal when it comes to this area of the law. One drafting pointer with wills is that you want to empower your personal representative with as many powers as necessary so that it is clear that they have authority to act on your estate. For example, in Massachusetts, if your will is silent on whether your personal representative has the power to sell real estate, then the personal representative must petition the probate court for something called a “License to Sell” which can delay the sale of real estate and potentially add several thousand dollars of administrative expenses.
Just as a will should empower a personal representative to sell real estate, you may also want to address electronic assets powers in your will. Our latest wills include over a page of authorizations just on Digital Accounts, Digital Assets and Digital Devices. Whether it’s an online account, laptop or cell phone, domain registration account, or email account, we want to give the personal representative all the power to access that account. However, we still warn clients that some service providers – such as Yahoo – still will not grant access based on their terms of service.
While wills deal with the scenario where someone has passed away, it’s also important to plan for who can access accounts when someone loses the ability to do so for another reason such as for a short-term medical issue or a long-term scenario such as dementia. In our planning, we empower an attorney-in-fact under a Power of Attorney with authority to access online accounts and assets during the person’s life to address this.
The bottom line is that each online service has its own methodology when a user passes away. Taking the time to review those settings when one creates an account with the service is important and it might save you and your loved ones added agony to an already sad set of circumstances.
Even in death, you can make these transitions easier for your loved ones by pre-planning online account access.
LINKS:
https://www.facebook.com/help/991335594313139
https://support.google.com/accounts/answer/3036546?hl=en
REFERENCES:
Nguyen, N. (n.d.). You’re Going To Die Someday. Who Do You Trust With All Your Passwords? Retrieved January 03, 2018, from https://www.buzzfeed.com/nicolenguyen/digital-death-plan-passwords?utm_term=.ou4VjYMaA#.tvXY31x76
