Email is a valuable tool while you’re alive and could be just as important for your survivors when you die. Email systems store valuable information about many online accounts that contain information of financial and sentimental value, e.g., banking, credit card, investment, utilities and tax information as well as stored photos and videos. Furthermore, personal email accounts are often used to help change login credentials to such accounts.
Here are some things you ought to know about email:
TOS. The terms of service (“TOS”) of email service providers govern how much help they will give to family members of deceased subscribers in accessing the subscribers’ accounts. The TOS govern in the absence of state legislation or court orders. The key point is that providers differ markedly in how they balance the privacy interests of their deceased subscribers with the needs of the next of kin or estates of deceased members. Some are accommodating in providing access, others aren’t. Here’s a summary of leading email providers:
- Yahoo. Yahoo does not permit access to a member’s email account after it has been notified of the death. (See also “No Right of Survivorship and Non-Transferability” in TOS Section 28.)
- iCloud. iCloud has provisions similar to Yahoo’s – no right of survivorship.
- Outlook. People trying to recover data from Outlook can follow Microsoft’s Next of Kin procedure and provide the requested documentation.
- Gmail. Google provides an online setting for users to specify whether anyone can access their email if the account is inactive for a given period and, if they can, to designate the authorized representatives. Even if that isn’t done, Google permits people to request content from the deceased user’s account but won’t provide passwords or other login information.
- AOL. The AOL TOS provide that the member may not assign the contract to anyone else.
RUFADAA. The National Conference of Commissioners on Uniform State Laws drafted and approved the Revised Uniform Fiduciary Access to Digital Assets Act (“RUFADAA”), which has been adopted in over half the states. It establishes a framework for determining whether a “fiduciary” can access digital assets. Email is classified as “electronic communications” (Section 1.7). Information relating to electronic communications can include “content,” i.e., the body of emails (Section 7), or just a “catalogue” of metadata including date/time sent, sender, and recipient (Section 8). This is the priority:
- Online Tool. If the email provider (called a “custodian”) offers an online tool where a user can set preferences for access to the account after death, those instructions govern. This could include content (Section 4(a)).
- Will, Trust, or Power of Attorney. The user can specify who has access by a will, trust, power of attorney, or other document (Section 4(b)). Preferences set in online tools prevail if there are conflicts with those documents, but the documented preferences govern over default TOS.
- TOS. In the absence of the use of online tools or specific directions, the TOS govern.
- RUFADAA. If the TOS don’t provide specific guidance on access to the account after death of the subscriber, the defaults under the RUFADAA govern.
Federal and State Privacy and Anti-Hacking Laws. The Stored Communications Act (“SCA”) (part of the Electronic Communications Privacy Act of 1986) makes unauthorized access to stored electronic communications illegal when they are held by electronic communication service providers. People accessing your email after your death require not only your authorization but that of the communications provider. However, if the provider’s TOS state that the account ends upon your death, anyone accessing your account after your death is unauthorized and the access is illegal – even if prosecution may be unlikely. There is also the Computer Fraud and Abuse Act, which covers hacking into computers.
This notion of unauthorized and hence illegal access can negatively impact several strategies that your family or estate might otherwise consider in the event of your death:
- Stored Logins. If your laptop or personal computing device is set up so you can access your email without entering your email password each time, your personal representative could use those devices to log in to your email.
- Finding Stored Email Passwords. When personal representatives have access to your personal computing devices, they may be able to find stored passwords by searching the drives for files containing words like “password,” “Login,” “Username,” or the domain name of your email provider (e.g., “Gmail.com”).
- Resetting Email Passwords. A person familiar with the background of a deceased email subscriber might be able to reset the decedent’s email password by answering the security questions asked during the process, e.g., mother’s maiden name. If two-factor authentication has been specified for the email account, the person resetting the password could need access to the decedent’s cell phone.
Note that locally-stored content is not covered by the SCA because the data would no longer be held by a communications service provider and the provider’s authorization would not be required to access that content.
Court Order. If the provider won’t voluntarily cooperate with your personal representative to provide access to your email account, the representative may still be able to gain access to email content by obtaining a court order requiring the provider to produce information – even though you did not give prior consent and the TOS provide otherwise. This could be an expensive and time-consuming process with no guaranteed results.
Best Practices. These are best practices to make the job of managing your estate easier:
- Online preferences. Preferences for post-death access set using a provider’s online tools will prevail over other instructions you may leave. Use those tools if available.
- Documented Preferences. Leave signed written preferences for the type and scope of post-death access. Written authorization greatly reduces the risk that any access by your personal representative would be considered “unauthorized.” However, as discussed above, it doesn’t eliminate the risk when online access after your death would violate the TOS.
- Local Copy. Email content stored locally is probably not covered by the provider’s TOS nor by Stored Communications statutes. Store any email content to which you want the representative to have access on a local device.
- List of Login Credentials. If you leave a complete and current list of your online accounts, your personal representative won’t have to use your email to reset the password to gain access.
Third Party Privacy. If your email content implicates third-party privacy concerns, be sure your personal representative is aware of the obligations and risks involved. Third-party privacy concerns could include:
- Lawyers or paralegals: attorney-client communications, attorney work product
- Doctors, nurses, and other healthcare professionals: HIPAA or health-related information
- Teachers or other educational professionals: student confidentiality
Closing Email Accounts. Open email accounts can pose risks of identity theft and impersonation, and personal representatives should close the accounts once they are no longer needed.
Time. Email service providers may deactivate accounts and delete the related content if accounts aren’t used for a given period, so personal representatives should not put off accessing or trying to access the email information for too long.
Caveat: This posting is a summary of factors impacting access to your email information after your death, and TOS and legislation can change. It’s always a good idea to read the actual TOS of your email provider and research your own state law to determine how access to your email would be determined in the event of your death. Also, this posting covers personal email, not company-provided email.