Column

Fiduciaries’ Access to Digital Assets

Introduction

As people carry out a variety of activities using computers and other digital devices, and as they inhabit a number of ‘places’ online, they develop things of value that are expressed in digital form. These ‘things’ take many forms: bank accounts, non-bank payment accounts, gambling receipts, auction holdings, virtual life empires, the list expands over time. Some of these assets are in known computer systems with known proprietors, others are in the cloud – meaning in some computer system or systems somewhere in the world, controlled by somebody in a meshwork of contracts.

So long as the power stays on, the digital assets are immortal. The people who create and deal with them are not. The people are subject to other frailties as well: mental or physical incapacity, insolvency, unwillingness to manage their affairs. These elements of the human condition are of course known to the law, which has developed the capacity to deal with them.

When frailties, or mortality, strike, people’s affairs are turned over to others, individuals or institutions, with powers set out by law or by contract that must be exercised in good faith in the interests of the people or those they have designated. The individuals or institutions involved can be thought of collectively as fiduciaries, though their titles in particular circumstances may be ‘executor’, ‘trustee’, ‘attorney’ or the like.

Questions have arisen whether the power of fiduciaries over people’s digital assets is clear and whether its exercise needs an express legal framework. While some Canadians are starting to explore these questions, more work has been done in the United States, notably through the Uniform Law Commission’s Drafting Committee on Fiduciary Access to Digital Assets. The ULC Committee is developing a Uniform Act on the topic, known familiarly as FADA. This note explains the key issues on the table for the ULC Committee and asks if a similar effort should be undertaken in Canada.

The U.S. Draft Uniform Act

What fiduciaries?

The ULC Committee’s draft bill deals with four kinds of fiduciaries: executors of estates, ‘conservators’ – we might call them ‘guardians’ – appointed by a court to look after some or all of the affairs of someone incapable of doing so personally, attorneys (whom the bill calls ‘agents’) under powers of attorney, and trustees under the usual laws of trusts. At one point the Committee intended to create access powers to be put into the state statutes governing particular types of fiduciary, but the plan now is for a free-standing bill to deal with all four types. (The draft linked to here was discussed at a November meeting of the Drafting Committee and revisions are likely in its next iteration.)

The draft bill does not deal with trustees in bankruptcy, presumably because they are governed by federal law and the bill is a matter for state law only. Trustees in bankruptcy may not have the same kind of fiduciary obligations as the others, either. Their relationship to the person whose assets are in question is different, though they also have a need of, and right to, all the bankrupt’s assets except as excluded by law.

What assets?

It is not surprising that it has been difficult to agree on a definition of ‘digital asset’, what one might call the entry-level question for the topic. We are not necessarily talking of a legal ‘thing’, certainly nothing that has to be unique and transmissible. A book-entry asset would suffice. In a sense, any electronic record can be a digital asset. Economic value is not required; sentimental value is often important. The ULC project is not limited to forms of intellectual property, though IP is often expressed in digital form these days.

Such an asset may be stored on the person’s own computing device or in the cloud, or on a server belonging to a service provider like Amazon.com, PayPal or Facebook. While the November draft of the ULC bill referred to assets on a ‘digital device’ or to which the owner had access online, I am inclined to think that the medium is no part of the message here. A digital asset may be anywhere that electronic records are stored. The fiduciary may need access to the physical device to get at the digital assets, of course.

(I have seen learned discussions of why ‘digital’ is preferable to ‘electronic’ – the latter being a particular technology and the former a reference to the essential nature of the asset, the code itself. However, many statutes in Canada and elsewhere tend to treat the terms as synonymous. We just need to be clear whether we are thinking of the asset, the medium or the language of communication. The ULC has a standard definition of ‘record’ that covers both tangible and intangible records. For the current project – and article – we are talking of the intangible ones.)

What access?

We may conclude that just about anything expressed in digital code may be a digital asset, and that fiduciaries should have access to it, unless there is some clear reason why they should not. The ULC Committee has been debating whether the default position is access or no access and whether limits to access should be contractual or statutory. It seems to be moving to a position that the fiduciary of whatever kind should be presumed to have access to digital assets on the same basis as to physical assets. Without such a presumption, there is likely to be a void, i.e. there will be assets to which no one has access rights. However, some debate is still heard whether digital assets should be out of bounds for some fiduciaries (notably conservators or agents) without an express grant of authority.

In any event, the fiduciaries’ access must be subject to any limits that are expressed. Just as a testator may provide for separate executors for different physical assets, likewise different digital assets may be subjected to the control of different fiduciaries. Some commentators (and vendors) argue for the need for ‘digital executors’, for example. At least two reasons for a separate person suggest themselves. First, the fiduciaries need to be capable of dealing with digital assets, and not all traditional fiduciaries may be equally comfortable in the digital world. Second, there may be special reasons to keep the digital assets, or some of them, out of the hands of the general fiduciaries. Some activities may be sensitive. This need for special discretion is not new to online assets, but it seems regularly to come up in discussions of them.

The powers given to the four kinds of fiduciaries are largely identical (though the November draft did not consistently treat access to digital assets as the default). Fiduciaries are given the power to access, manage, ‘deactivate’ and delete digital assets. It has been suggested that the status of a trustee is a bit different, since the trustee is the legal owner of assets subject to the trust. It is not just a question of access. However, where the trust deed grants legal title over property in bulk, the trustee still has the same need as other fiduciaries to discover the property and secure it, along with ensuring that its ownership is duly transferred.

The general powers in the Act are subject to the state law of general application, so no mention is needed of the authority to sell assets, for example. Also, the general powers are exercised in order to carry out the duties of a fiduciary under the state law. The committee considered the example of a deceased person who was a member of a golf club. The executor may ‘step into the shoes’ of the deceased, but not his or her golf shoes: there is no room at the tee, or the club dance, for the executor. That limit may go without saying in the new Act.

What timing?

The Uniform Act as drafted would apply only to fiduciaries whose appointments arise after the Act comes into force in the applicable state or from court proceedings begun after that date. The November draft is silent on its application to powers of attorney, probably because the draft covers only powers of attorney that expressly convey power over digital assets. If that is broadened to any power of attorney, then a transition rule will be needed. The same is true for deeds or declarations of trust.

It may be that this very cautious approach originates in the Act’s desire to assert that the deceased or protected person has ‘consented’ to the fiduciaries’ access to the digital assets, in order to comply with the federal statutes discussed below. No retroactive consent would have to be found for actions taken before the statute came into force.

Nevertheless this policy strikes me as unduly timid and makes the bill unlikely to be helpful to many current situations. The draft bill says it applies only to wills made after it comes into force, which would make it irrelevant for most estates possibly for decades. Its use for powers of attorney may sometimes be deferred as well, if the creation of the document and not the start of the agent’s powers must come after the in-force date for the statute to apply.

The Act is being designed in part because there is a legal gap, or at least legal uncertainty, with respect to the right of fiduciaries to get access to digital assets. If that gap is serious, then the law should provide certainty sooner rather than later, rather than risk leaving assets that no one can access. To the extent that the statute is about consent, the consent is a statutory creation, a legal fiction of sorts. It might as well start when it can do the most good. Anyone who wants to limit fiduciary access can do so now. In the absence of such a limit, fiduciaries should have broad access as soon as possible.

The main challenge: US federal statutes

Readers of the draft US uniform statute will be struck by fairly complex provisions about information in the hands of an ‘electronic communications service’ or a ‘remote computing service’, and distinguishing between records of e-communications and the contents of such communications. These provisions are driven by US federal law dating from the 1980s, notably the Stored Communications Act, 18 U.S. Code s. 2702 (enacted as part of the Electronic Communications Privacy Act). This provision prohibits any person providing an electronic communication service or a remote computing service to the public from divulging the contents of any communication it holds.

The big American Internet businesses, the email providers, the e-commerce businesses and the social media, are concerned that the federal law will prevent them from giving fiduciaries access to their records, even if state law requires it. (If they just do not want to be bothered, they are not saying so publicly.) Many of these companies (‘from Amazon to Yahoo!’) have representatives attending the Drafting Committee meetings. While s. 2702(b) allows for disclosure with the consent of the sender or recipient of the information, no law and no jurisprudence ensures that ‘consent’ pursuant to state law, especially consent deemed to exist by state statute, will effectively bring a disclosure into subsection (b).

The providers fear not only prosecution for violation of the provision, but also class actions brought by, for example, senders of messages that might be disclosed to fiduciaries. The right to civil action is expressly given by s. 2707.

It has been informally suggested that the ULC adopt the statute, have one state pass it then bring a test case, to establish for everyone’s benefit whether state-based consent satisfies the federal law. This is not a speedy strategy for getting widespread adoption of the Act or certainty to fiduciaries. Little hope is offered that the federal law itself could be altered to guarantee fiduciary access. If the federal law were amended, it seems more likely to be tightened than for an exception to be created.

The Act allows for disclosure of some records of communications other than their contents. For this reason the draft uniform Act creates different rights of access to records about communications in the hands of the services named in the federal statute and to the contents of the communications. Where the federal Act permits disclosure (i.e. of non-contents records), the Uniform Act is likely to require it, since disclosure will not violate federal law. Whether a state law requirement would bind a service provider in its operation under federal law is an open question.

Another federal statute on the minds of the ULC Committee is the Computer Fraud and Abuse Act, 18 U.S. Code s. 1030, notably subsection (a)(2). The CFAA prohibits unauthorized access to computers. Again, no exception is provided for those with authority under state law. However, the liability under the Act would fall on the fiduciaries and not on the service providers, so if the fiduciaries are comfortable proceeding, the service providers are not opposing a state law that would give them the authority.

The CFAA also applies to direct access to a digital device by the fiduciary, without any involvement of a service provider. Fiduciaries want to be sure that cracking a password to get into the computer of the deceased or of a protected person will not lead to prosecution. We do not know what position federal prosecutors would take on the effectiveness of state-law consent on the need for authority under the CFAA.

Canadian law

Canadian fiduciaries do not face the same challenges under our federal law. Section 342.1 of the Criminal Code of Canada penalizes access to a computer service ‘fraudulently and without colour of right’. Fiduciaries acting under provincial law would almost certainly not infringe on that standard. A ‘colour of right’ does not have to be under federal law only.

One may ask, then, why Canadian jurisdictions might need legislation on this topic. Is it not clear that someone acting on someone else’s behalf has all the powers necessary so to act, really all the powers of the person him- or herself, at least for the purposes of administering the person’s affairs? Who doubts it? Can a program of education suffice, to alert people that they need to ensure that their fiduciaries are capable of accessing their digital assets – have a list of accounts and passwords, for example?

Should the position of digital estate intermediaries like Legacy Locker/Password Box be clarified, either to allow them to serve as a kind of fiduciary or to regulate them in that role? Different commercial entities offer different services, but some appear to do what offline fiduciaries do as well. To the extent that they are simply a secure repository of methods of accessing the assets, later made available to the usual fiduciaries, they probably need no particular regulation.

One consideration that might favour legislation is that many if not most of the online services with which Canadians may have digital assets are based in the United States. Certainly the major online retailers and social media sites are there. It is they, more than the brick-and-mortar institutions, that need an incentive to deal with fiduciaries’ requests for access. (There is less reluctance to deal with such matters than there used to be. For example, since the ULC process began, Google has introduced an Inactive Account Manager to deal with the disposition of digital assets on Google sites after the owner’s death.)

If the service providers have the US federal barriers in mind, or just come to look for statutory authority in the US Uniform Act, then Canadian fiduciaries may find it helpful to be able to point to a similar source of authority. The interpretation of terms of service that make consent relevant – on the strength of the US statute – may be influenced by the legal position of fiduciaries under their local law.

The future

The US Drafting Committee is expected to meet again in March, 2014, then a redrafted bill will be put to the ULC’s annual meeting during the summer. If it is adopted, the states will be encouraged to enact it. There is some taste for the project in the US. Several states have their own, non-uniform, statutes. A Uniform Act may find a warm welcome.

The Uniform Law Conference of Canada is keeping an eye on the topic, but has not launched its own project. Comments on this article will come to its attention. What does Canada need?

Comments

  1. The Drafting Committee of the Uniform Law Commission met on March 21-22, 2014, to consider a new draft of the Uniform Fiduciary Access to Digital Assets Act (FADA). The text is becoming simpler and better defined, the scope more harmonized among different classes of fiduciaries, and the whole picture clearer. A collection of memos of the Committee and related documents are online here.

    There is still some debate whether the fiduciary’s right to access digital assets should be a ‘hot power’ (i.e. available only if expressly given in the constituting document) or a default power. At present access would require express statement in a power of attorney and in a ‘conservation’ order (i.e. appointment of a guardian for someone with a legal incapacity). The main reason for requiring the application to digital assets to be express is that it becomes easier to claim that there is ‘consent’ for disclosure of the contents of records held by custodians subject to the US federal laws referred to in the discussion above.

    The Committee is increasingly inclined (in my opinion) to have the rules on access apply to documents constituting a fiduciary relationship whenever they were created, and not only to documents made after the Act comes into force. This is good news, since the statute is intended to fill a perceived gap in authority over the digital assets.

    Some late debate touched on the nature of digital assets: would they include bank accounts, as distinct from the records of bank accounts? Is the money a digital asset? It was agreed that a digital record of a physical holding would not make the holding a digital asset. So a bar of gold bullion at the bank whose ownership was shown on the bank’s computer did not become a digital asset.

    Other kinds of holdings may be less clear. It seems to me (not speaking for the Committee, of course) that digital photographs and texts are digital assets. Securities entitlements under Article 8 of the Uniform Commercial Code (and under the Securities Transfer Acts of various Canadian provinces) are – in my view – digital assets. I wonder about ‘money’, since one’s money at the bank has always been just a debt of the bank to the customer, not any right to specific bills or coins. Is not an account receivable a digital asset?

    The principle of the meeting was that digital assets included digital records of entitlement or ownership, but not the underlying asset unless it too was in digital form. The record of a liability may also be a ‘digital asset’ for this purpose, since a fiduciary needs to know about (in order to manage) the debts of the beneficiary.

    The Uniform Act is scheduled for final reading at the annual meeting of the Uniform Law Commission in July.

  2. The Uniform Law Commission has now approved the final text of the Fiduciary Access to Digital Assets Act and recommended it for enactment by the states. A brief report on the statute is here.