Beyond the Grave: A Fiduciary’s Access to a Decedent’s Digital Assets

Introduction

Ryan Coleman passed away suddenly and tragically in his sleep at the age of twenty-four on Christmas Day.1 His initial death certificate stated that the cause of death was “pending further study.”2 The autopsy report ultimately came back inconclusive—Ryan had died of unknown causes.3 Left with questions unanswered, Ryan’s parents, Gregory and Adrienne, reached out to Apple in hopes of retrieving data from Ryan’s iPhone.4 After Apple turned them away, they petitioned the Surrogate’s Court of New York, Westchester County, seeking a court order granting them access to Ryan’s digital assets as personal representatives of his estate.5 They set out to identify and collect any unknown assets, determine whether Ryan suffered from any medical conditions that his younger siblings may also have, and decide whether to pursue any legal action on behalf of Ryan’s estate.6 The court denied their request because Ryan died without a will and failed to express his consent to disclose the contents of his digital assets before his death.7 It is because of Ryan’s supposed “choice” to die intestate that Ryan’s parents must now grapple with the reality that they may never receive the answers to those unanswered questions.8

Technology has drastically altered the ways in which humans interact and connect. The statistics are staggering: 72% of American adults use social media;9 93% of American adults use the internet;10 85% of Americans own a smartphone;11 and approximately 15% of Americans are invested in cryptocurrency.12 Banks and financial institutions have urged their customers to “go paperless,” opt for direct deposit, and pay their bills online in an effort to save the environment and reduce clutter.13 While an estimated 45% to 74% of Americans still prefer a paper trail for billing statements,14 paperless billing adoption rates are rising.15 Thus, it is likely that consumer preferences will shift and that the trend in future years will depart from traditional paper. This is especially true as the world navigates the repercussions of the recent COVID-19 pandemic, which has forced many businesses to become more digitally connected and embrace a virtual work environment.16 Given the increase in mobile access and improvement in computer literacy, consumers inevitably feel it is more convenient to digitize their statements and payment processes.17

A reliance on digital assets has created unique challenges in the law. “Digital assets” are defined as “electronic record[s] in which an individual has a right or interest.”18 As technology advances to accommodate changes in consumer choices, trusts and estates law has tried to keep pace with these developments, and estate planning attorneys have modified their practices.19 The Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA) is one attempt at addressing the issue of digital assets in estate administration.20 This Note argues that RUFADAA, while a step in the right direction, falls short of achieving its ultimate goal, especially in the manner in which courts currently construe the statute. Placing an unjustifiably heavy reliance on privacy concerns, the Act overshadows the fiduciary’s responsibility to properly and efficiently administer the estate.

This Note proceeds in three Parts. Part I discusses the rationales behind these two competing interests, chronicles the history behind RUFADAA, and outlines its interplay with other relevant laws and policies.21 It then highlights the ways in which the law obstructs rather than facilitates administration of the estate, including a failure to effectuate the decedent’s intent.22 Part II illustrates why the postmortem right to privacy is misguided and proposes an amendment to RUFADAA that may relieve the burden weighing on fiduciaries.23 It then examines several scenarios in which courts should be more willing to grant fiduciaries access to the contents of a decedent’s communications.24 Finally, Part III explores the ways in which individuals can escape the confines of the statute through education, creative lawyering, and the execution of various consent documents.25

I. Background

A. A Fiduciary’s Duty to Act in the Best Interests of the Estate Versus the Decedent’s Right to Postmortem Privacy

A personal representative is an individual appointed to manage the legal affairs and administer the estate of a deceased person.26 Granted fiduciary authority, personal representatives are tasked with making decisions that will honor the decedent’s wishes and benefit her intended beneficiaries.27 They are confronted with the duty of settling and distributing the decedent’s estate in a manner “as expeditiously and efficiently as is consistent with the best interests of the estate.”28 Importantly, to the extent that any causes of action survive the death of the decedent, personal representatives possess the standing to sue on behalf of the estate.29

In order to successfully preserve and administer the estate, representatives must first identify all of the decedent’s assets30 and obtain actual possession.31 In fact, fiduciaries may face liability for negligently losing property, including failing to collect money owed to the decedent in a prompt manner.32 Personal representatives employ numerous strategies to take inventory of assets, including searching through filing cabinets and opening mail delivered to the decedent’s home address.33 Fiduciaries are also invited to delve through the contents of a decedent’s safe-deposit box in order to find her last will and testament, cash, collectibles, jewelry, and other documentary evidence of assets, such as insurance policies, deeds, contracts, bills of sale, and promissory notes.34

Fiduciaries are similarly obligated to “marshal and protect the decedent’s digital assets.”35 A difficulty, however, has emerged: where individuals die with password-protected digital accounts, a personal representative might not even know that an asset exists.36 The average user has approximately ninety digital accounts;37 thus, the likelihood that a fiduciary overlooks the existence of one is high.38 Even where an individual dies testate, it is unlikely that any useful “tracking” information will be written in their will; because a traditional will becomes a matter of public record upon the testator’s death, specific enumeration of digital assets jeopardizes the entire estate plan by risking the security of assets left to beneficiaries.39 The ultimate result is that assets remain “unfound,” creating identity theft issues and causing the estate to suffer economic loss.40 This concern is exacerbated further if, for example, the deceased “ran an online business and is the only person with access to incoming orders, the servers, corporate bank accounts, and employee payroll accounts.”41

Estate planning practitioners and scholars argue that it is imperative that fiduciaries be granted access to a decedent’s digital accounts.42 They maintain that, although a catalogue of communications43 might provide sufficient information for most fiduciaries to perform essential tasks, the process can be significantly prolonged or even impossible for the fiduciary who needs to dig beneath the surface to find certain accounts.44 Given that many people now opt to receive billing and financial statements via email, a fiduciary might have to open the actual email to obtain the necessary information.45 Rather than waiting for a representative employed by the service provider to relay information—i.e., engaging the services of an intermediary—fiduciaries should enjoy broad powers to view these communications because they are bound by a duty of confidentiality.46 Ultimately, a person’s digital assets can add significant monetary value to her estate, reveal her otherwise unknown preferences and wishes, and include family photos and videos or contact information that may identify her next of kin, an especially important consideration when that person dies intestate.47

1. The First Attempt: The Uniform Fiduciary Access to Digital Assets Act

Recognizing that access to a decedent’s digital accounts is a priority, the Uniform Law Commission issued the Uniform Fiduciary Access to Digital Assets Act (UFADAA) in 2014.48 UFADAA is model legislation that only becomes binding law once approved and enacted by each state legislature.49 UFADAA grants the fiduciary the same rights and powers that the decedent would have enjoyed had she been alive.50 The personal representative “steps into the shoes” of the decedent and is granted unfettered access to the content of the decedent’s electronic communications, except as expressly prohibited by the decedent.51 UFADAA goes one step further in curbing the power of service providers to deny fiduciary access: any provision in a terms-of-service agreement to that effect would be void as against public policy, unless the decedent agreed to such provision by an “affirmative act” distinct from her assent to the terms-of-service agreement.52

Less than one year later, privacy advocacy groups and technology media giants vehemently opposed UFADAA, arguing that digital assets should be treated in a special manner distinct from physical records for the following reasons: (1) online accounts are usually password protected; (2) digital accounts store content by default rather than by active choice; and (3) costs associated with saving and storing digital content are minimal.53 In differentiating between tangible assets and their digital counterparts, civil liberty organizations contended that most people intentionally throw away tangible correspondence and “snail mail”; however, given that digital assets offer unlimited storage, people are not equally as incentivized to discard the clutter that would otherwise be kept on their desks.54 Critics also claimed that disclosure of digital assets could compromise the privacy interests of third parties who communicated with the decedent, harnessing the philosophy that, unlike physical letters, emails and text messages replaced instantaneous communications that would otherwise be in person or over the phone.55

A separate, more personal apprehension is that the private communications stored in a decedent’s digital account may contain sensitive information about the very person—the executor or administrator of the estate—who will be given access to the account following her death.56 Offensive remarks may not be informative and may merely incite hostility, doing more harm than good, especially where the decedent never desired the message to leave the sanctity of her communication with the intended recipient.57

Unfortunately, little data about actual consumer preferences for postmortem privacy has been collected.58 NetChoice conducted an online survey of 1,012 adults in 2015, concluding that over seventy percent of Americans believe their private online communications and photos should remain private following their death.59 However, as one scholar identifies, the results of this survey might be unreliable because the questions asked were phrased in terms of “control” rather than “access.”60

2. A “Win” for Tech Companies: The Revised Uniform Fiduciary Access to Digital Assets Act

Notwithstanding the high number of bill introductions, UFADAA was only enacted into law in Delaware.61 Most responsible for the lack of widespread acceptance were the efforts of a coalition composed of internet-based businesses and privacy advocacy organizations that expressed their opposition to the law.62 These groups offered their own more limited model legislation, prompting the Uniform Law Commission to revise UFADAA so that a fiduciary only has authority over the content of a decedent’s electronic communications, including private emails and text messages, if the user explicitly consented to disclosure.63 A user can direct for or against disclosure in a variety of permissible ways, including by will, trust, power of attorney, or “other record.”64 Notably, RUFADAA65 represents a shift in power from personal representatives to service providers, thus explaining the widespread support from technology companies.66 In the absence of explicit consent, only a court order directing disclosure can provide access to a communication’s content;67 otherwise, the fiduciary is out of luck.68 Hence, RUFADAA creates a default rule of nondisclosure with regard to the content of e-communications.69 On the other hand, the Revised Act is praised for providing a default rule of disclosure with respect to a user’s catalogue of communications,70 provided that the fiduciary complies with a custodian’s request for information.71

B. Other Relevant Players

1. Federal Law

In addition to state privacy legislation, two federal laws—the Stored Communications Act72 (SCA) and the Computer Fraud and Abuse Act73 (CFAA)—regulate the administration of digital assets.

The SCA, enacted as Title II of the Electronic Communications Privacy Act of 1986, is a federal criminal law that regulates the disclosure of “stored wire and electronic communications and transactional records” held by third-party internet service providers.74 In enacting this statute, Congress was responding to the concern that unauthorized third parties could gain access to digital accounts, intentionally desiring to harm the subscriber or expropriate her personal information.75 Congress had in mind a particular class of people—anonymous hackers and agents of government surveillance—and, therefore, its action was not targeted at fiduciaries who are selected by either the testator or the courts to administer an estate.76 Given that a fiduciary “is hardly the sort of trespasser envisioned by the SCA,” many scholars believe that, under the SCA, a fiduciary can provide lawful consent on behalf of the decedent to gain access to her electronic communications.77 While there is always the possibility that fiduciaries may abuse their privileges, this risk is also inherent in the administration of intangible assets and, thus, is intrinsic to all instances of estate administration.78 Unlike anonymous hackers, fiduciaries are also constrained by an additional safeguard—laws that impose duties of loyalty and confidentiality.79

This reasoning was embraced in Ajemian v. Yahoo!, Inc., a decision by Massachusetts’s court of last resort that expanded the scope of fiduciary powers.80 In 2006, forty-three-year-old John Ajemian died in a bicycle accident with no will, leaving behind a Yahoo email account with no record of its password and no instructions for its use or deletion.81 Ajemian’s siblings, who were appointed as the personal representatives of his estate, requested access to the account in order to arrange memorial services and identify his assets.82 When Yahoo declined to turn over the contents of the email communications given the restrictions enumerated in its terms-of-service agreement, Ajemian’s siblings commenced an action seeking a declaration that the email account was property of the estate, their case rising all the way to the Massachusetts Supreme Judicial Court (SJC).83

The SJC determined that the SCA’s lawful consent provision allowed personal representatives to provide consent on a decedent’s behalf to release electronic communications, even without the explicit authorization of the decedent herself.84 Engaging in statutory interpretation, the court noted that Congress elected not to use language of “express consent” and cited legislative history illustrating that Congress intended for the SCA to apply to “unauthorized interception of electronic communications” rather than estate administration.85 The SJC also relied on the presumption against preemption, finding that Congress did not intend to impinge on state probate law and that restricting the definition of consent to “express” consent would preclude fiduciaries from performing their duties in a digitized world.86

Notably, the U.S. Supreme Court denied Yahoo’s petition for certiorari.87 Congress has also remained silent on the issue of interpretation and has not amended the Act to explicitly include or exclude personal representatives.88 Consequently, until the federal government provides clarity on this subject, either through a Supreme Court opinion or statutory amendment, the SJC’s ruling carries enormous weight in articulating fiduciaries’ powers. In effect, the SCA does not prohibit service providers from releasing stored emails to personal representatives who request them; thus, any potential hurdles arise under state law or the other relevant federal law at issue—the CFAA.

The CFAA criminalizes the unauthorized access of a computer and the acquisition of any data thereon.89 A violation can arise in two scenarios: (1) in the context of an outsider who trespasses into a computer with no permission whatsoever; or (2) if an individual exceeds his given authorization.90 However, given that the fiduciary must obtain the account holder’s consent and may also need the internet service provider’s authorization in order to obtain the requisite permission and thus avoid violation of the CFAA, a fiduciary feels compelled to comply with the custodian’s terms-of-service agreement or else risk criminal prosecution.91 Since many terms-of-service agreements prohibit the use of another user’s login credentials, a fiduciary may violate the CFAA when he logs into an account using the decedent’s username and password, even with permission from such user.92 Consequently, the interplay between the CFAA and state probate law gives rise to a web of mutually conflicting duties and creates a catch twenty-two—on the one hand, the fiduciary is charged with managing an account holder’s digital property, which he cannot do without risking criminal liability, thereby inducing a chilling effect; on the other hand, however, the fiduciary has an obligation to uphold the law and refrain from committing criminal misconduct, which he cannot do by fulfilling a decedent’s wishes to manually access her digital accounts.93

2. Custodians and Terms-of-Service Agreements

Section 4 of RUFADAA establishes a three-tiered procedure by which a decedent may authorize her executor to access her online accounts.94 In particular, Section 4 serves to offer a solution in the event that the user provides conflicting directions—either purporting to limit or authorize access—in various documents and agreements.95

The first tier provides that custodians can create an “online tool,” distinct from terms of service, through which users can adjust their account settings and designate recipients whom they trust to obtain access to their communications.96 Facebook users, for example, may designate a “legacy contact” who has the authority to share a final message, publish the details of a memorial, and view previous posts, all of which may aid a fiduciary in locating the decedent’s friends and family.97 Google’s “inactive account manager” feature enables users to set a trusted contact that will be notified of the account’s inactivity and can receive access to any data the user chooses to share, including Drive and Mail.98 These mechanisms remain at the top of the hierarchy—if a user has provided direction through an online tool, such instruction will supersede conflicting directives, including those in a will.99 At the second tier, the user can authorize access to their assets post-death through a will, trust, power of attorney, or other authorization form.100 Finally, absent any use of an online tool or execution of a legal document, the third tier provides that the custodian’s terms of service apply.101

C. Lingering Challenges Fiduciaries Face: Are We Really Fulfilling the Decedent’s Intent?

An overemphasis on a decedent’s intent to preserve the privacy of her digital communications often overshadows the decedent’s competing but equally important intent to have her assets identified, preserved, and distributed among her beneficiaries.102

1. Predators Who Prey on the Dead’s Dormant Accounts

The clash between a decedent’s interests in privacy and efficient estate distribution is most apparent with non-mail-generating assets, which are difficult to trace and often remain undiscoverable.103 If the succession representative cannot access the decedent’s digital assets, then “bills may go unpaid, valuable assets may be overlooked, and estate administration may be unavoidably delayed.”104 Where a fiduciary has no inkling of knowledge that an asset exists, he can continue digging, but where assets are hidden, they are in jeopardy of being deemed “unclaimed” or “abandoned” property.105

Unclaimed property refers to any property or accounts that have not generated any activity for an extended period of time.106 Studies estimate that the total value of unclaimed property in the United States is approximately $49.5 billion.107 As a result, it is entirely likely that beneficiaries who stand to inherit from a decedent’s estate never get to see the entire pot of funds. Devisees and distributees can only claim such property once the dormancy period, usually between three and five years,108 expires and financial institutions report and escheat the funds to the state.

In the interim, however, identity theft is a real cause for concern,109 leading to the depletion of assets before discovery and, thus, financial loss to the estate—a result clearly unintended by the decedent.110 Recent cases in the news highlight the ways in which various bank employees abuse their authority to identify inactive bank accounts and embezzle funds.111 While many of these criminals are caught and indicted, one is left to wonder how many of these incidents go undetected. In these cases, the potential threat of non-discovery of the assets by the fiduciary is even greater, as the funds could disappear before the dormancy period lapses.

2. The Failure of Terms-of-Service Agreements to Reveal Intent

Under the current regime, courts are forced to conclude that the absence of any affirmative consent to provide access to digital assets is functionally equivalent to the intent to deny disclosure; accordingly, access to digital assets is forbidden in both scenarios.112 In In re Coleman, a twenty-four-year-old young adult named Ryan died of unknown causes, and his parents petitioned to acquire access to his iCloud account.113 Ryan’s parents, as administrators, sought access to the account for the following reasons:

(1) to determine if there were any medical issues that Ryan’s siblings may also have, (2) to determine if there were any causes of action on behalf of Ryan’s estate, (3) to identify and collect digital and non-digital assets, and (4) [to] marshal digital assets as a part of estate administration.114

The New York court denied their request, “balancing Ryan’s interests in his not having consented to the disclosure of the content of any of these digital assets.”115 Since Ryan left no will granting his fiduciaries access to his digital accounts, Apple’s terms-of-service agreement governed.116

There is further evidence to suggest that a default rule of nondisclosure does not evince a person’s true preferences. In 2017, a survey of two thousand U.S. consumers found that ninety-one percent of people consent to terms of service without reading them.117 In distinctly looking at people ages eighteen to thirty-four, researchers found that the rate skyrocketed to ninety-seven percent.118 A year earlier, two professors conducted an experiment among undergraduate students to decipher the extent to which people would blindly surrender their rights.119 The professors created a fictitious social networking site called “NameDrop” and drafted an accompanying terms-of-service agreement with two “gotcha clauses”: users would agree to give up their firstborn child as payment and have their data shared with the National Security Agency.120 Ninety-three percent of users “clicked to accept” the agreement.121 True, many users would not expect an extreme clause like the above to permeate a real terms-of-service agreement. Still, the experiment stands for the proposition that many people are uneager to read the fine print, thereby defeating the notion that most people are actively interested in protecting their privacy.122 Further, this exercise highlights that exaggeration of, and overreliance on, the privacy interest is unsound. It could very well be that the average user, who did not read the privacy terms, “may have preferred to transfer all of the account’s contents to her survivors at death so that they could learn about her life.”123 In other words, it is unclear whether we successfully fulfill a decedent’s intent with respect to postmortem access of her assets by enforcing the terms-of-service agreement.124 Hence, in Ryan’s case, we lack sufficient information to assume he would have favored a rule of nondisclosure as opposed to disclosure.

II. Argument

When New York adopted RUFADAA, the legislature articulated its intent by reasoning that

[a]s a practical matter, there should be no difference between a fiduciary’s ability to gain access to information from an online bank or other Internet-based business and the fiduciary’s ability to gain access to information from a business with a brick-and-mortar building. This measure would amend the [New York Estates Powers and Trust Law] to restore control of the disposition of digital assets back to the individual and removes such power from the service provider.125

Despite this broad acknowledgement, however, RUFADAA falls short of its intended purpose; service providers are left with considerable amounts of power beyond what is necessary to protect the decedent’s interest in privacy.

A. The Right to Postmortem Privacy Is Misplaced

Analyzing the rights of the dead in other contexts yields the conclusion that the right to privacy after death is misplaced. A dead person, for example, may not be libeled or slandered in the United States.126 Consequently, an executor may only pursue a defamation claim, alleging damage to reputation, for an incident that arose prior to the decedent’s death.127 The rationale behind this rule is that dead victims do not suffer the harm and humiliation that often accompany defamation, including the “inexplicable cold stares,” “job applications refused,” and “invitations not received.”128 The law is similarly unconcerned with the perspectives of outsiders who may feel the effects of such harm and encounter ostracism or ridicule, as the law does not recognize a civil right of action by surviving spouses and family members.129

The four privacy torts outlined in the Restatement (Second) of Torts—including (1) intrusion upon seclusion; (2) public disclosure of private facts; (3) disclosure of information that places the plaintiff in a false light; and (4) appropriation of name or likeness—are similarly unavailable remedies to dead people.130 The rationale here is that tort law is designed to compensate victims, and “when a person dies, the law finds no harm that can be compensated.”131 Under common law principles, the right to privacy is deemed a personal right that extinguishes at death, while property rights live on.132

Further, decedents also lack privacy protection for their testamentary documents.133 Once a will is probated, the instrument becomes a public record and its contents can be read by the general population.134 All of the private financial information found within those documents, including personal property owned by a decedent, the estate’s value, and the amount of funds in bank accounts, becomes public knowledge.135

Interestingly, the decedent’s right to attorney-client privilege also does not completely survive death, as a decedent’s personal representative may waive her attorney-client privilege in any proceeding to establish the validity of her will or interpret the will’s language.136 Importantly, the representative’s right of waiver is not unfettered, as the waiver must be in the best interest of the estate and must not tarnish the decedent’s reputation.137 Thus, in this setting the fiduciary’s right is limited, embracing a more balanced approach, in an effort to protect the value of “full and frank” communication between a client and her attorney.138 Yet, the law still recognizes that personal representatives might benefit from being privy to certain communications in order to carry out the decedent’s intent.139

In relation to medical privacy, the result is the same: personal representatives are able to obtain access to a decedent’s medical records, which often contain confidential information.140 Postmortem medical examinations or autopsy reports, for instance, reveal sensitive information about whether the cause of death may be attributed to nature, homicide, suicide, or accident.141

Finally, a fiduciary may ultimately access a decedent’s tangible assets that are hidden under the couch or stuffed under clothes in drawers in the decedent’s home—items presumably intended to be concealed.142 In fact, estate administrators are encouraged to delve through hiding places if they suspect items are secretly stashed somewhere.143 However, where those same exact communications are stored electronically on a password-protected computer or phone,144 the law treats them differently and denies access in an inconsistent manner. Indeed, the safe-deposit box can be squarely analogized to the social media account, as the password safeguarding the digital account merely resembles the key that would typically unlock a safe-deposit box, albeit intangibly.145

All of this is not to say that users of digital accounts do not and should not have an expectation of privacy post-death; instead, it is to illustrate the illogical discrepancy between posthumous privacy rights in connection with digital assets as compared to other contexts. To the extent the fear is that this information will be disseminated and known beyond the fiduciary, such a fear is unfounded, since fiduciaries are generally bound by duties of care and confidentiality.146 Fiduciaries are obligated, both legally and ethically, to act in good faith. Additionally, “a fiduciary owes a duty of undivided and undiluted loyalty to those whose interests the fiduciary is to protect.”147 Thus, a fiduciary may be suspended or removed for waste or improper application of an estate’s assets, for imprudent management of assets, or for any other form of misconduct, including dishonesty, improvidence, or other behavior demonstrating he is unfit for the position.148

The foregoing examples highlighting the scarcity of postmortem privacy rights, coupled with the reality that fiduciaries are constrained by duties of confidentiality and loyalty, lead to the conclusion that the fear of invading a decedent’s privacy in the digital assets realm is overstated.

B. Catalogue of Communications: Why the Default Rule Is No Default at All

Section 8 of RUFADAA provides that “[u]nless the user prohibited disclosure of digital assets or the court directs otherwise, a custodian shall disclose to the personal representative of the estate of a deceased user a catalogue of electronic communications sent or received by the user and digital assets.”149 The provision requires fiduciaries to submit documentation, including a certified copy of the user’s death certificate and the letters of appointment verifying their status as the personal representative.150 The Uniform Law Commission champions this provision as a victory for advocates of default access and disclosure.151 However, subsection (4) of that same section provides a qualification whereby, if requested by the custodian, a personal representative must also provide:

(A) a number, username, address, or other unique subscriber or account identifier assigned by the custodian to identify the user’s account;

(B) evidence linking the account to the user;

(C) an affidavit stating that disclosure of the user’s digital assets is reasonably necessary for administration of the estate; or

(D) a finding by the court that:

(i) the user had a specific account with the custodian, identifiable by the information specified in subparagraph (A); or

(ii) disclosure of the user’s digital assets is reasonably necessary for administration of the estate.152

Indeed, in all cases, no matter whether in reference to the catalogue or content of communications, the custodian has the ability to request that the fiduciary obtain a court order finding that disclosure is reasonably necessary.153 In articulating the rationale behind subsections (4)(A) and (4)(B), the Uniform Law Commission prudently explains that, since some online accounts are created anonymously, additional information might be necessary to link the decedent with the account.154 Subsections (A) and (B) thus have a legitimate purpose within the statutory scheme. Subsections (C) and (D), however, impose undue burdens on fiduciaries by potentially and unnecessarily requiring them to further justify and defend their request for access.

In practice, the exception swallows the rule, as custodians will err on the side of caution and will frequently opt to use this escape device, especially since there is no cost and only the potential for gain155—in other words, subsection (4)(D) effectively serves as a de facto shield against liability.156 Anecdotal evidence demonstrates that custodian-representatives will almost always exercise their right to request a court order or other identifying information to avoid culpability for improper disclosure.157 Thus, even if access to the catalogue of communications is ultimately granted, to the extent that custodians request more information, the entire purpose for a default rule is eroded.158 Such default access is commensurate with no access at all when fiduciaries must jump through hoops, including bearing the burden of unreasonable delay due to litigation or repeated correspondence with the custodian.159 Too much authority is left with custodians and, accordingly, this provision of RUFADAA should be amended to repeal subsections (4)(C) and (4)(D).

A clear example of a service provider’s abuse of this right can be seen in the case of a seventy-two-year-old widow, Peggy Bush, who was commanded by Apple to obtain a court order to retrieve her dead husband’s password so that she could continue to play games on her iPad.160 Peggy expressed her shock at the system’s strict application: “I thought it was ridiculous. I could get the pensions, I could get benefits, I could get all kinds of things from the federal government and the other government. But from Apple, I couldn’t even get a silly password.”161 Even though Peggy’s daughter provided Apple with the iPad serial number, evidence that her father’s will named the widow as his sole beneficiary, and a notarized death certificate, the Apple representative still demanded a court order.162

C. Claims Pursued or Defended by the Estate: The Need for Disclosure of Content

Under the current scheme, fiduciaries are expected to garner access to valuable decedent information in an overly complex and roundabout way. Fiduciaries must scavenge through a catalogue of communications in search of any “suspicious” or curious activity that may “tip off” the existence of a potential asset; only then can fiduciaries embark on the process of requesting access to the communication’s content by seeking a court order.163

Take, for example, the existence of a savings account at Chase Bank. Imagine that the consumer, Mary, has opted for paperless statements and does not receive any mail sent directly to her home address; the account is, thus, non-mail-generating. Let us assume that this customer receives these statements at a Gmail account. Unless Mary has disclosed the existence of this asset in her will or directly told the executor or administrator of her estate, or an acquaintance thereof, the fiduciary has absolutely no reason to believe that this account exists.164 Under a policy favoring nondisclosure of the content of the decedent’s digital assets, in order to discover that this account even exists, the fiduciary must first contact a Google representative, requesting access to the decedent’s catalogue of communications; then, he must review the catalogue for any “suspicious” indicator. Once he has identified the consistent receipt of emails “FROM: Chase” on the fifteenth day of every month, he must then go back to the custodian again to request the content of the communications. It is likely that the custodian-representative will still be unsatisfied and will require that the fiduciary obtain a court order affirming the necessity of the disclosure in order to reasonably administer the estate.165 This entire process lasts for weeks, if not months, if one is lucky.166 Seeking the catalogue of communications in this manner becomes the equivalent of an unnecessary middleman. If the fiduciary could have avoided contacting the representative twice and pursuing a court order, ample time and court resources could have been spared. Moreover, it is also worth noting that, even if the fiduciary did have a hunch that the account existed from the very beginning, he still may not have succeeded in securing the account’s funds if he did not have readily available evidence linking Mary to the account.167

Fiduciaries should have access to those communications in order to diligently litigate claims on behalf of the estate, with the goal of either preserving the current assets or increasing the value of the estate. Under current law, the default rule favors nondisclosure, and fiduciaries are tasked with obtaining a court order directing such disclosure.168 It may be true that in instances where the fiduciary’s sole goal is to identify potential distributees, locate all of the assets, and divvy them up accordingly, a mere catalogue of communications suffices. However, where the fiduciary chooses to pursue a viable cause of action on behalf of the estate or is forced to defend the estate, disclosure of the content of communications is more appropriate in certain circumstances and courts should be more willing to grant access. Most importantly, wrongful death actions, cases of undue influence, and situations involving digital business accounts often require intimate knowledge of the facts to prove, which are more likely to be found in the content, and not catalogue, of communications.

Under the current statutory regime, where court intervention is necessary to obtain a court order as requested by a custodian, courts have established heightened pleading standards. Courts often require personal representatives to include the following in their petition: (1) identification of the specific digital asset sought and where it is stored; (2) a statement articulating the basis for the fiduciary’s knowledge of the account’s association with the decedent; (3) information about whether the decedent consented to disclosure; and (4) an explanation of why disclosure of such assets is reasonably necessary to administer the estate.169

Thus, there is a high likelihood that courts will dismiss meritorious petitions merely because they fail on their face to plead sufficient allegations according to courts’ standards. It is true that courts, in practice, dismiss petitions by fiduciaries without prejudice, leaving open the opportunity for them to investigate further and replead their claims.170 Nonetheless, it is likely that fiduciaries, facing the likely prospect of defeat, will forgo the trouble of trying to secure a court order.171 This creates the risk that a fiduciary might potentially forfeit a viable cause of action because it requires an inordinate amount of effort or because the fiduciary might not have all the information available prediscovery to meet the heightened pleading standard, especially when the estate is small in size.172 Indeed, a custodian can refuse to disclose “non-protected assets” alleging blanket protection under the SCA and privacy concerns, playing a game of chicken and waiting to see whether the fiduciary will actually pursue a court order.173 Even if RUFADAA’s language is not amended, it is still within courts’ powers to relax pleading standards and be more lenient in finding any of the four factors listed above. A fiduciary’s good-faith allegation that access to the content of a decedent’s communications is reasonably necessary to (1) prove a wrongful death claim; (2) establish undue influence; or (3) conduct business, if the digital account is a business account, should suffice. Alternatively, where the communications are especially confidential or private in nature, judges could order an in camera review to ascertain what information, if any, is useful.174

1. Wrongful Death

Where death is due to natural causes, access to content is unnecessary; however, where the cause of death is determined to be suicide or homicide, a potentially meritorious cause of action for wrongful death is likely.175 In cases of suicide, for example, it could be that the decedent felt compelled to take her own life due to cyberbullying, sexual abuse or rape, or through assisted suicide. In each of these scenarios, the current trend has been to recognize the viability of a claim against the perpetrator.176 In cases of homicide, it is even more clear that a successful wrongful death claim can be pursued.177 Social media communications become increasingly important to prove evidence of foul play.178 In these situations, good-faith allegations declaring the cause of death to be homicide, including intentional killings and failure-to-warn by negligent tortfeasors, should be sufficient to persuade courts to award access to the contents of electronic communications.

Petitioners who sought access on these very grounds in the past have been met with opposition, as seen in In re Facebook, Inc.179 In 2012, the mother of a former British model named Sahar Daftary sought access to her deceased daughter’s Facebook account in order to obtain information about her daughter’s state of mind leading up to her death—information that was instrumental in proving that she did not commit suicide but rather was murdered by an estranged significant other.180 Sahar died after falling from the twelfth floor balcony of her husband’s apartment.181 Police initially arrested her husband for murder, but later released him without charges, as the postmortem examination failed to demonstrate any conclusive evidence of assault.182 Nonetheless, Daftary’s mother, Anisa, maintained that her daughter—who had told police she was raped only months before—admitted to her in confidence that she was “treated like a slave” by her husband.183 Her mother had hoped the Facebook messages would reveal her daughter’s emotional state prior to her death, but the court found that the executor lacked lawful consent to access her digital assets under the SCA, thereby granting Facebook’s motion to quash the subpoena and effectively forcing her to forfeit any potential wrongful death claim.184 Had this same fact pattern arisen today, under RUFADAA, a court should find for the petitioner and grant an order requiring service providers to disclose the communications. First, under the reasoning of Ajemian v. Yahoo!, the SCA no longer serves as a barrier to access.185 Second, any evidence that may maximize the size of the estate through a wrongful death claim is “reasonably necessary” to administer the estate.

2. Undue Influence

Undue influence occurs when a favored beneficiary abuses his confidential relationship with the testator by exerting his own dominant influence in procuring execution of the testator’s will.186 Where a will does not reflect the wishes of the testator due to undue influence, the will may be invalidated.187 The influence must control the deceased’s mental state, overcoming her power of resistance and coercing her to adopt the will of the other person and dispose of her property in a manner inconsistent with her true preferences.188 Access to a decedent’s digital accounts may provide evidence that is useful in proving not only whether the decedent possessed the requisite health and mental capacity to sign a will,189 but also whether she was unduly influenced or coerced by a favored beneficiary.190 Fiduciaries should have the authority to obtain access to communications that have been alleged in good faith to reveal any evidence of undue influence. In practice, then, the application of such a rule would mean that the objectant contesting admission of the will to probate on undue influence grounds would attempt to compel the personal representative to produce such evidence during discovery.191

3. Business Accounts

Many businesses utilize Facebook, Twitter, and LinkedIn accounts as well as webpages and blogs as mechanisms for advertising and fulfilling customer orders.192 A lack of fiduciary access to these accounts is especially worrisome where the deceased was the sole individual with control over internet servers, incoming orders, corporate bank accounts, and employee payroll accounts.193 For example, “[b]ids for items advertised on eBay may go unanswered and lost forever.”194

In 2017, a man requested authority to access his deceased spouse’s Google email account in an effort to “close any unfinished business.”195 The Surrogate’s Court, New York County, denied his request without prejudice, advising that disclosure is only warranted if reasonably necessary for the administration of the estate and holding that “unfinished business” is insufficient to meet that standard.196 In that same year, another fiduciary sought access to a decedent’s business email account in order to determine the value of his business.197 Here, too, a court denied the petitioner access to the content of the communications, expressing a concern that “unfettered access to a decedent’s digital assets may result in an unanticipated intrusion into the personal affairs of the decedent or disclosure of sensitive or confidential data” that was unrelated to his business.198 However, this insistence on privacy in the workplace is inconsistent, given that, in order to protect their business assets, employers are permitted to monitor employees’ electronic communications for “legitimate business purpose[s],” which is a “catch-all with potentially broad interpretation.”199 If we place limitations on an employee’s expectation of privacy in the workplace while alive, the privacy right afforded to a dead person’s business account should not be absolute either. Finally, any concerns about the discovery of sensitive personal messages are mitigated in the context of business accounts, which are usually reserved for matters relating to commercial transactions.

III. Analysis

A. Avoiding the Perverse Outcomes of RUFADAA

Under the current interpretation of RUFADAA, a fiduciary’s duty to act in the best interests of the estate is significantly hampered, as the failure to discover monetary assets is counterproductive to fulfillment of the decedent’s wishes.200 Furthermore, if a fiduciary may be held liable for negligently breaching his duty to collect and prevent losses of the assets, it becomes unclear how far fiduciaries must dig for assets before they can give up.201 Acknowledging that application of RUFADAA can produce contrary results, the following two Sections outline tools that fiduciaries can employ to argue that certain factual situations fall outside the scope of RUFADAA entirely (i.e., navigating around the law) or fall within the constructs of the law and its enumerated exceptions (i.e., navigating within the law).

1. Navigating Around the Law

To evade the application of RUFADAA altogether, practitioners can strategically argue about the proper way in which the statute should be interpreted. In 2004, when a twenty-year-old U.S. marine was killed in Iraq, his father tried to recover his email account in order to create a scrapbook and settle the internal affairs of the estate.202 Yahoo denied the request because the terms of service only allowed disclosure of login credentials to account holders.203 The following year, an Oakland County probate judge ordered Yahoo to provide the email account’s contents and Yahoo acquiesced, its compliance resulting in a violation of its privacy practices.204 Presumably, the court found convincing the father’s Petition to Produce Information, which claimed that the email account “may contain information relating to the administration, settlement and internal affairs of the Estate . . . that may be useful in determining the assets and liabilities of the Estate.”205 This case—decided prior to the promulgation of RUFADAA—would surely not come out the same way if the same facts were to arise today.206 Nonetheless, it does reflect a blurring of the lines and a lack of clarity in distinguishing personal property from other intangible assets like digital property.207 For instance, a New York court has held that digital photos qualify as personal property and not as electronic communications, thereby falling outside the purview of New York’s equivalent of RUFADAA and remaining capable of disclosure despite a lack of consent.208 In the absence of a will, access to photos is valuable in that it can assist the fiduciary in identifying the decedent’s relatives and pointing toward potential heirs of the estate—the people who stand to inherit under the statute of descent.209

Similarly, courts have found that entries made while using two applications, Google Calendar and Contacts, do not qualify as electronic communications and are, therefore, beyond the statute’s reach, since they do not involve any transfer of information between two or more parties.210 Calendar information can reveal the occurrence of business meetings while contact lists can provide the fiduciary with a mechanism through which to search for people with the same last name as the decedent.

As new technological innovations emerge, courts will be called upon to determine which digital assets can be classified as electronic communications.211 Lawyers will need to craft creative arguments about statutory meaning and legislative intent in determining which assets can be disclosed.212 It is not uncommon for a person’s photo library to include screenshots of text messages, Facebook posts, and emails. The New York court’s opinion does not distinguish between “clean photos” and those that reveal more sensitive information,213 but presumably that kind of sorting process would be tedious and inadministrable. In the absence of a vetting process, access to photographs can divulge more insightful information than one bargained for.

2. Navigating Within the Law

In alignment with the second tier established under Section 4 of RUFADAA, estate planning attorneys should be educated about the ramifications of RUFADAA and should regularly ask their clients about their preferences for inserting language granting consent in their wills.214 Additionally, to address the “Ryans”215 of the world, minors, other young people, and those who die intestate, users can sign and notarize a form, often called an “Authorization and Consent for Release of Electronically Stored Information,” that has the same effect of providing consent.216

At the first tier, users can utilize the online tools employed by various technology companies by altering their settings. Surprisingly, other than Google and Facebook, service providers have not developed and marketed the use of an online tool.217 Perhaps the justification for this lack of development is that technology companies are unincentivized to change their behavior given that RUFADAA operates as a safety net and effectively shields them from liability.218 Because under the current regime companies can routinely deny fiduciary access at minimal to no cost—other than overhead costs associated with customer service teams who handle fiduciary requests—there is no meaningful inducement to motivate any modification in behavior.219 Nonetheless, technology companies, like Apple, that do not make available some sort of online tool, should consider doing so in order to restore power to the user and effectuate decedent intent.220

A more effective solution, aimed at accurately capturing decedent intent at the third tier, is to require users to enumerate their preferences regarding a fiduciary’s ability to access assets upon their death at the time of the account’s creation through a clickwrap agreement.221 Sign-up pages separate from the terms-of-service agreement could inquire about a “legacy contact” or “trusted contact,” making it a required field before confirmation.222 For existing accounts, a pop-up window could appear on the user’s screen, preventing the user from continuing to their digital account until they affirmatively click a “nondisclosure” or “disclosure” box.223 By checking off “disclosure,” the user would thereby override the default rule of “nondisclosure” laid out under RUFADAA. A potentially concerning obstacle, though, is that users will disregard the message by not reading it and arbitrarily picking a choice in haste224 or that they will choose the “nondisclosure” option because they are ignorant as to the importance of such a choice in the estate planning and administration process in the first place. If people quickly glance at or brush over privacy policies and terms-of-service agreements without deliberate thought, there is also no reason to believe they would treat this mandatory sign-up process any differently, thus casting doubt on the credence of “click-on” procedures. It could be argued, then, that in the context of inconsistent choices—for example, where the user utilizes the service provider’s tool to opt for nondisclosure but executes a will that opts for disclosure—the judgment of a testator should prevail over the “random” clicking on a website. Perhaps the only effective solution, at least for now, is to educate users about the consequences of assigning a “legacy contact” or the equivalent.

Conclusion

The law addressing a fiduciary’s access to a decedent’s digital assets is still a work in progress. Protection of a decedent’s postmortem privacy right must be balanced against the fiduciary’s duty to locate and preserve all the assets, prevent waste, and distribute the estate to the decedent’s intended beneficiaries. The law, as it currently stands, hinders estate administration by placing an onerous burden on fiduciaries to seek out court orders to obtain access to either the catalogue or content of communications. It is within courts’ powers to shift this trajectory by reading the scope of RUFADAA more narrowly and breathing life into the “reasonably necessary for administration of the estate” prong. In the meantime, however, estate planning practitioners should be more proactive in advising their clients to express their digital asset wishes explicitly in their estate planning documents.


* Managing Editor, Cardozo Law Review, J.D. Candidate (May 2022), Benjamin N. Cardozo School of Law; B.A., summa cum laude, Binghamton University, 2019. I would like to thank Professor Stewart Sterk for generously providing his time and thoughtful feedback throughout the writing process. I am also in gratitude to the Cardozo Law Review editors, past and present, for their support and diligence in preparing my Note for publication. Most importantly, I would like to acknowledge my mother, Tali Barukh Sehati, Esq., who inspired the topic of this Note, for her unrelenting dedication to the law and her unwavering confidence in my abilities as I navigated my law school journey. This accomplishment is equally hers as it is mine.