An Adobe PDF version of this document is available here.

January 28, 2015

Re: Proposed revisions to the ECPA and to the CFAA to clarify that fiduciaries may exercise authority over a person’s digital assets

Dear Chairmen Flake and Issa:

The American College of Trust and Estate Counsel (“ACTEC”) respectfully submits this letter to request revisions to the Electronic Communications Privacy Act (the “ECPA”) and the Computer Fraud and Abuse Act (the “CFAA”). ACTEC requests revisions to clarify that fiduciaries are authorized to administer a person’s digital assets. For example, the personal representative appointed to administer a deceased person’s estate should be able to access the decedent’s digital assets, including the contents of the deceased person’s electronic communications, to carry out his or her fiduciary duties in administering the deceased person’s estate without violating federal privacy laws or criminal laws.

ACTEC is a professional organization of approximately 2,600 lawyers from throughout the United States. Fellows of ACTEC are elected to membership by their peers on the basis of professional reputation and ability in the fields of trusts and estates and on the basis of having made substantial contributions to those fields through lecturing, writing, teaching, and bar activities. ACTEC offers technical comments about the law and its effective administration but does not take positions on matters of policy or political objectives. From time to time, based on the extensive experience that Fellows of ACTEC have with estates, trusts, powers of attorney, guardianships, conservatorships, and taxes, ACTEC comments on existing laws and offers recommendations to improve the implementation of existing laws.

Should you or your staff have any questions concerning this letter or its recommendations, please contact James D. Lamm, Chair of ACTEC’s Digital Property Task Force, at (612) 632-3404 or James.Lamm@gpmlaw.com.

Fiduciaries have an impact on the financial lives of United States citizens. This proposal focuses on four important fiduciaries: (1) a personal representative (also known as an executor) appointed to administer a deceased person’s estate; (2) a conservator (also known as a guardian of the estate) appointed to administer the estate of a living person who is unable to manage the person’s financial affairs; (3) an agent appointed to act under a living person’s power of attorney; and (4) a trustee appointed to administer a trust.

Unless limited by an applicable governing instrument created by the owner or by a court order, the fiduciaries described above generally have the same powers over assets that an absolute owner would have. In exercising their powers, these fiduciaries are subject to duties and obligations established under state law and an applicable governing instrument, and the fiduciaries are liable for any breach of their duties. These fiduciary duties, plus the ability of a person or appropriate court to limit the scope of a fiduciary’s powers, provides a limited and appropriate environment in which fiduciaries may exercise authority over the person’s digital assets, while also respecting the privacy and intent of the person. Indeed, respecting the person’s privacy and intent are paramount in fulfilling such fiduciary duties.

Fiduciaries need access to a person’s assets and to relevant information about the person’s assets in order to carry out their fiduciary duties. Typical fiduciary duties include preparing a complete inventory of the assets, preparing periodic accounts of the assets, paying debts and expenses, defending and prosecuting claims, preparing and filing applicable tax returns, and properly managing and distributing the assets. Technology has changed how fiduciaries carry out their duties. Traditionally, when a person became incapacitated or died, the person’s fiduciary would go to the person’s home, look through the person’s paper records, and monitor the U.S. mail coming to the person’s home for delivery of bills, account statements, and other important financial information needed to carry out the fiduciary’s duties. Today, the person’s bills and account statements may be delivered by email; the person’s important financial records may be stored in smartphones, computers, or “in the cloud”; and the person’s tax return filings and financial transactions may have been done electronically.

“Digital assets” include electronically stored information, Internet domain names, virtual currencies like Bitcoin, and online accounts such as email accounts, social networking accounts, banking and investment accounts, shopping accounts, Web pages, blogs, photo-sharing accounts, video-sharing accounts, video game accounts, file storage accounts, and more. Some types of digital assets have financial value, and some types of digital assets have sentimental value. Other types of digital assets may have neither financial value nor sentimental value, but they may contain a record of the person’s communications or financial transactions. Fiduciaries need access to all of a person’s assets—including digital assets—in order to efficiently and effectively carry out their fiduciary duties.

Two current federal laws are significant obstacles for fiduciaries dealing with digital assets as they carry out their fiduciary duties. The privacy protections of the ECPA are an obstacle for fiduciaries needing access to the contents of a person’s electronic communications stored in online accounts. And, the criminal laws on “exceeding authorized access” of the CFAA and the ECPA are an obstacle for fiduciaries needing access to a person’s online accounts if the provider’s Terms of Service agreement or use policies limit or prohibit fiduciary access.

To further its objective of protecting the contents of a person’s electronic communications from unauthorized disclosure, the ECPA at 18 U.S.C. § 2702(a) prohibits a provider of an electronic communication service to the public or a provider of a remote computing service to the public from knowingly divulging the contents of a person’s electronic communications unless an exception to the ECPA’s privacy protections is met. Under 18 U.S.C. § 2707, the provider could face civil damages of no less than $1,000 per violation.

The exceptions are set forth in 18 U.S.C. § 2702(b) and are eight in number, two of which bear upon the matter at hand. First, under 18 U.S.C. § 2702(b)(1), the provider may divulge the contents of a person’s electronic communication “to an addressee or intended recipient of such communication or an agent of such addressee or intended recipient.” Second, under 18 U.S.C. § 2702(b)(3), the provider may divulge the contents of a person’s electronic communication “with the lawful consent of the originator or an addressee or intended recipient of such communication.”

Although these two exceptions do not specifically refer to a fiduciary of the originator and do not specifically authorize a fiduciary of the originator, addressee, or intended recipient to provide “lawful consent” to the provider on behalf of the person, it appears that fiduciary authority to authorize further disclosures of the contents of a person’s electronic communication was the legislative intent when the ECPA was enacted. In Senate Report 99-541 from the Committee on the Judiciary, the analysis of § 2702 states that:

• The exceptions to the general rule of nondisclosure provided in subsection (b) fall into three categories. The first category are those disclosures which are authorized by either the sender or receiver of the message. Either the sender or the receiver can directly or through authorized agents authorize further disclosures of the contents of their electronic communication. (Emphasis added)

Despite this legislative history, some providers adamantly refuse to divulge the contents of a person’s electronic communications to a fiduciary. The lack of specific references to fiduciaries (other than to a fiduciary of the addressee or intended recipient of the electronic communication) in the above exceptions plus the potential civil damages have created a significant chilling effect on providers when dealing with fiduciaries requesting the contents of a person’s electronic communications. As a result, fiduciaries are unable to reliably obtain access to the contents of a person’s electronic communications, which can include important information about the person’s assets and financial transactions that are necessary to efficiently and effectively carry out the fiduciary’s duties.

Under the CFAA, 18 U.S.C. § 1030(a)(2), and the ECPA, 18 U.S.C. § 2701(a), the government may charge a person with a crime when that person “exceeds authorized access” based upon violations of a Web site’s Terms of Service agreement or use policies. As such, the CFAA and the ECPA inadvertently criminalize authorized fiduciary behavior. A person’s fiduciary who accesses an online account of the person could be charged with a crime under the CFAA or the ECPA merely because the provider’s Terms of Service agreement limits access to the user. Most troubling is the fact that providers typically retain the right to change their Terms of Service agreements at any time and without notice to their users. So, fiduciary access to a person’s online account may be a permitted act one day but may become a criminal act the next day—without notice and without an act of Congress—if the provider chooses to change its Terms of Service agreement to limit or prohibit fiduciary access.

As written, the CFAA’s and the ECPA’s criminal laws on unauthorized access create a significant chilling effect on fiduciaries who attempt to access a person’s online accounts to obtain relevant information about the person’s assets in order to carry out their fiduciary duties. Fiduciaries could be charged with a crime when attempting to access a person’s online accounts merely because one or more of the person’s providers in their Terms of Service agreements or use policies choose to limit or prohibit fiduciary access.

Because fiduciary access to digital assets is fundamental to carrying out a fiduciary's duties, ACTEC recommends revisions to the ECPA and to the CFAA to clarify fiduciary access and authority.

First, ACTEC recommends revising the ECPA by adding to the list of permissible recipients of the contents of a communication set forth in 18 U.S.C. § 2702(b) a new subparagraph (9), to read as follows:

• (9) to an agent (or other fiduciary) of the originator, addressee, or intended recipient of such communication or to an agent (or other fiduciary) of the subscriber in the case of a remote computing service.

Second, ACTEC recommends revising the CFAA by adding a definition of “authorization” to clarify fiduciary access and authority. As described above, under 18 U.S.C. § 1030(a)(2) of the CFAA and under 18 U.S.C. § 2701(a) of the ECPA, the government may charge a person with a crime when that person “exceeds authorized access.” A definition of “authorization” could be added to the list of definitions in 18 U.S.C. § 1030(e) and to the list of definitions in 18 U.S.C. § 2711 to clarify that a person’s fiduciary has the same authority to access as the person has.

For the CFAA, ACTEC recommends adding the following “authorization” definition as a new subparagraph (e)(6) to 18 U.S.C. § 1030 (the subsequent definitions in paragraph (e) would shift to accommodate it):

• (6) the term “authorization” of a person means a grant of permission by the person that has not been revoked and that is evidenced either electronically or by a writing signed by or on behalf of the person that has been authenticated as an act by or on behalf of the person including, but not limited to, a grant of permission by any fiduciary representing the person under state law. Authorization can be given either expressly or implicitly pursuant to federal or state law or court order. Authorization granted to a person shall extend to: (1) any fiduciary representing the person under state law to the extent of the fiduciary’s powers and (2) any other person granted permission by any fiduciary to the extent of the fiduciary’s powers. An attorney-in-fact or any other fiduciary who has broad powers to manage the assets of another person has implied authorization to access the person’s information to same extent as the person’s authority to access the information.

For the ECPA, ACTEC recommends adding the following “authorization” definition as a new paragraph (5) to 18 U.S.C. § 2711:

• (5) the term “authorization” of a person means a grant of permission by the person that has not been revoked and that is evidenced either electronically or by a writing signed by or on behalf of the person that has been authenticated as an act by or on behalf of the person including, but not limited to, a grant of permission by any fiduciary representing the person under state law. Authorization can be given either expressly or implicitly pursuant to federal or state law or court order. Authorization granted to a person shall extend to: (1) any fiduciary representing the person under state law to the extent of the fiduciary’s powers and (2) any other person granted permission by any fiduciary to the extent of the fiduciary’s powers. An attorney-in-fact or any other fiduciary who has broad powers to manage the assets of another person has implied authorization to access an electronic communication of the person to the same extent as the person’s authority to access the electronic communication.

Because fiduciaries play an essential role in our economy and because fiduciary access to relevant information about a person’s assets—including digital assets—is fundamental to efficiently and effectively carrying out their fiduciary duties, ACTEC respectfully requests your help in revising the ECPA and the CFAA to clarify that fiduciaries may exercise authority over a person’s digital assets, while also respecting the privacy and intent of the person.

Respectfully submitted,

Kathleen R. Sherby
ACTEC President 2014-2015