As of the date of this posting, seven states have recently passed laws and at least eighteen other states are considering new laws granting fiduciary access to an incapacitated or deceased person’s online accounts and other digital property. The Uniform Law Commission has a Drafting Committee currently working on a Fiduciary Access to Digital Assets model act. How will these state laws interact with federal law, especially the privacy protections under the Stored Communications Act? In other words, do state laws attempting to grant fiduciary access to the contents of online accounts protected by the federal Stored Communications Act have no effect (or a limited effect) because of federal preemption or supremacy?
Based on the analysis below, I believe that a court would conclude that state fiduciary laws, in general, and the relevant provisions of the November 2013 draft of the Fiduciary Access to Digital Assets model act, in particular, are not in conflict with and are not preempted by the federal Stored Communications Act.
Below, I will describe: (1) some background information on the Stored Communications Act, (2) why fiduciaries need access to the contents of online accounts; and (3) my thoughts on federal preemption and supremacy.
Background Information on the Stored Communications Act
When I refer to the Stored Communications Act, I’m referring to Title II of the Electronic Communications Privacy Act of 1986, codified as 18 U.S.C. §§ 2701 through 2712. The Act creates privacy rights to protect the contents of certain electronic communications and files from disclosure by certain providers of electronic communication services and remote computing services. These privacy protections are a significant obstacle for fiduciaries and family members seeking access to the contents of an incapacitated or deceased user’s online accounts because, if the Act applies, the online account service provider is prohibited from disclosing the account contents to them—unless an exception under § 2702(b) of the Act is met.
The Stored Communications Act does not apply to everything on the Internet. In general, the Act protects the contents of an electronic communication service or a remote computing service provided to the public. So, a private electronic communication service isn’t protected, like an employer that provides e-mail accounts only to its employees. But, the Act does protect electronic communication services and remote computing services provided to the public, so it applies to the contents of e-mail accounts like Microsoft Outlook (formerly known as Hotmail), Google Gmail, or Yahoo! Mail, and it applies to certain social networking account contents like Facebook, Google+, or MySpace, among others. Note that the Act only protects electronic communications and files that are “restricted in some fashion”—so, for social networking accounts like Facebook, the Act protects contents that are restricted so that only your “friends” can view them, even if you have hundreds or thousands of friends, but it doesn’t protect contents that everyone can see. See Ehling v. Monmouth-Ocean Hospital Service Corp., No. 2:11–cv–03305 (D.N.J. Aug. 20, 2013); Crispin v. Christian Audigier, Inc., 717 F.Supp.2d 965 (C.D. Cal. 2010).
If the Stored Communications Act applies, the service provider is prohibited by § 2702(a) of the Act from voluntarily divulging the contents of the electronic communications or files unless an exception is met. If one of the exceptions applies (e.g., the “lawful consent” exception under § 2702(b)(3) of the Act), then the service provider may voluntarily disclose the contents of the electronic communications and files protected under the Act. But, you cannot compel the service provider to disclose that information, even by bringing a civil action against the service provider. See In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, No. C 12–80171 LHK (N.D.Cal. Sept. 20, 2012) (a previous posting of mine describes this case involving the estate of Sahar Daftary); compare with Ajemian v. Yahoo!, Inc., 83 Mass.App.Ct. 565 (2013) (appellate court remanded the case to the probate court for further proceedings on whether the Stored Communications Act prohibits disclosure of the contents of Yahoo! e-mail accounts to the executor of a deceased user’s estate).
What would happen if a service provider violates the Stored Communications Act? Under § 2707 of the Act, the affected online account subscriber or other person aggrieved by the violation may bring a civil action against the service provider. The affected party can sue the service provider for actual damages suffered and, if the violation is willful or intentional, the court may assess punitive damages against the service provider. If the affected party’s civil action is successful, the court may assess reasonable attorney’s fees and other litigation costs against the service provider. The minimum amount of statutory damages for violating the Stored Communications Act is $1,000. A majority of federal courts that have addressed this issue have concluded that the affected party does not need to first prove that he or she suffered actual damages before being entitled to the statutory damages of $1,000. See Shefts v. Petrakis, No. 10–cv–1104 (C.D. Ill. Mar. 14, 2013); Pure Power Boot Camp, Inc. v. Warrior Fitness Boot Camp, LLC, 759 F.Supp.2d 417 (S.D.N.Y. 2010); Freedman v. Town of Fairfield, No. 3:03CV01048 (D. Conn. Sept. 19, 2006); In re Hawaiian Airlines, Inc., 355 B.R. 225 (D. Haw. 2006); Cedar Hill Assocs., Inc. v. Paget, No. 04 C 0557 (N.D. Ill. Dec. 9, 2005); but see Van Alstyne v. Electronic Scriptorium, Ltd., 560 F.3d 199 (4th Cir. 2009). Proof of actual damages is not required before being entitled to either punitive damages or attorney’s fees. Van Alstyne at 209.
Why Fiduciaries Need Access to the Contents of Online Accounts
After a person becomes incapacitated or dies, someone needs to: (1) take inventory of the person’s assets; (2) pay the person’s debts, taxes, and expenses; and (3) either preserve the person’s property during the period of incapacity or transfer the person’s property to the person’s beneficiaries after death. In general, these tasks are handled by one or more duly-appointed fiduciaries, including: (1) an attorney-in-fact acting under a power of attorney; (2) a court-appointed guardian or conservator of a living person; (3) a trustee of a trust; or (4) a court-appointed executor (also known as a personal representative) of a deceased person’s estate. In addition, some assets may pass at death according to a transfer-on-death beneficiary designation or according to a right of survivorship held by a joint owner of an asset, for example. A person’s duly-appointed fiduciary has powers, duties, and authority to act on the person’s behalf granted under a governing instrument (e.g., a last will and testament, a trust, or a power of attorney) and under state law.
For example, when a person dies owning real estate, bank accounts, brokerage accounts, online account contents, and other property, an executor is appointed by the applicable state court to act on behalf of the decedent’s probate estate. The executor is the deceased person’s alter ego, standing in the shoes of the decedent. Under § 3–711 of the Uniform Probate Code, the executor “has the same power over the title to property of the estate that an absolute owner would have, in trust however, for the benefit of the creditors and others interested in the estate. This power may be exercised without notice, hearing, or order of court.” Under § 3–703 of the Uniform Probate Code, the executor “is under a duty to settle and distribute the estate of the decedent in accordance with the terms of any probated and effective will and this code, and as expeditiously and efficiently as is consistent with the best interests of the estate.”
Fiduciaries have an obligation to gather information on valuable property for federal and state tax reporting purposes, including reporting it in any applicable income tax returns, as required by 26 U.S.C. § 6012(b) and any applicable state laws, and reporting a complete schedule of all valuable property and its fair market value in an estate tax return after death, if required by 26 U.S.C. § 6018(a) or any applicable state laws.
Traditionally, after a person became incapacitated or died, the duly-appointed fiduciaries would go to the person’s home; look through the person’s paper records; and watch the person’s U.S. mail for bills, account statements, and other important information needed for the administration process. However, many bills and account statements are now delivered by e-mail; checkbook registers, tax returns, receipts, and other important records may be kept only electronically on local storage media or in the cloud; and bill payments and other financial and business transactions might be done entirely over the Internet.
Now more than ever, fiduciaries need access to an incapacitated or deceased person’s electronically stored information, e-mail accounts, and other online accounts to fully accomplish their fiduciary duties to an incapacitated or deceased person. And, these fiduciaries often need to act quickly to meet federal and state tax filing requirements and the requirements of state courts and state fiduciary laws to promptly inventory and protect the person’s property. Acting quickly is especially important for online accounts because some service providers will close the person’s account and delete the person’s data if the account has not been accessed for several months. And, as I’ve written about previously, federal and state criminal laws on unauthorized access to computers have a significant chilling effect on fiduciaries who may want to use the person’s username and password to directly access the person’s online accounts and retrieve the account contents, because it may be a crime to do that! We need clear authority for fiduciary access to online accounts and digital property to keep administration costs down, to provide for a smooth administration, and to ensure no valuable or significant property is overlooked.
As I’ve written many times, planning ahead for incapacity and death is essential for online accounts and digital property. There are at least four significant digital property obstacles for fiduciaries if the person does not plan ahead: (1) passwords; (2) encryption; (3) criminal laws regarding unauthorized access to computer systems; and (4) data privacy laws, especially the Stored Communications Act.
Seven states have recently passed new laws and, as of the date of this posting, at least eighteen other state legislatures have been considering new laws on fiduciary access to digital property to help overcome some of these obstacles. And, the Uniform Law Commission is currently working on a Fiduciary Access to Digital Assets model act to provide a clear, consistent, and comprehensive law that states can adopt in the future to help overcome some of these obstacles—I think this consistency would be especially helpful to service providers.
My Thoughts on Federal Preemption and Supremacy
All of the background information above leads us to the question posed at the beginning of this posting (finally!). Do state laws attempting to grant fiduciary access to the contents of online accounts protected by the federal Stored Communications Act have no effect (or a limited effect) because of federal preemption or supremacy?
As of the date of this posting, I’m not aware of any court answering this question with respect to any of the seven existing state laws on fiduciary access to digital property or with respect to any of the general state fiduciary laws involving a power of attorney, guardianship, conservatorship, trust, or executor of a decedent’s probate estate. So, what follows are my initial thoughts about how a court might approach this question.
Let’s begin with Cipollone v. Liggett Group, Inc., 505 U.S. 504 (1992), in which the U.S. Supreme Court said that, “Consideration of issues arising under the Supremacy Clause ‘start[s] with the assumption that the historic police powers of the States [are] not to be superseded by…Federal Act unless that [is] the clear and manifest purpose of Congress.’” Id. at 516 (quoting Rice v. Santa Fe Elevator Corp., 331 U.S. 218, 230 (1947)). In general, the historic police powers of the states include reasonable regulations to protect the health, safety, morals, and general welfare of the public (including protecting state citizens against corporate misconduct, which is also one of the purposes of the Stored Communications Act). See, e.g., Jacobson v. Massachusetts, 197 U.S. 11 (1905).
Now, let’s walk through three main ways that courts have reviewed related state laws and federal laws under the concepts of federal supremacy or preemption: (1) does the federal law have an express preemption provision; (2) does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation; and (3) does the federal law actually conflict with state law? See Cal. Fed. Sav. & Loan Ass’n, 479 U.S. 272, 280–281 (1987).
1. Does the federal law have an express preemption provision?
First, does the federal law have an express preemption provision? In the case of the Stored Communications Act, the answer is “no”—there is no provision in the Act that expressly preempts state laws or regulations. Contrast that with the express preemption provision of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), codified as 42 U.S.C. § 1320d–7(a)(1), which states that HIPAA’s provisions “shall supersede any contrary provision of State law.” Congress clearly chose to trump and displace any state laws that conflicted with HIPAA’s privacy rule regarding protected health information. However, Congress chose not to include any statutory preemption language in the Stored Communications Act.
2. Does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation?
Second, does the federal law fully occupy the field of regulation so that there is no room for supplementary state regulation? In the case of the Stored Communications Act, the answer is “no.” The Stored Communications Act includes both criminal offenses (§ 2701(a) of the Act) and civil causes of action (§ 2707(a) of the Act) for unauthorized access to or prohibited disclosure of certain electronic communications and files. All fifty states have enacted laws regarding computer hacking or unauthorized access. And, refer to the Compilation of State and Federal Privacy Laws by Robert Ellis Smith for a comprehensive list of state laws on privacy, electronic surveillance, identity theft, etc. These state laws are within the scope of the historic police powers of the states, mentioned above, including reasonable regulations to protect the health, safety, morals, and general welfare of the public. Clearly, there is concurrent federal and state authority regarding criminal offenses and civil causes of action for unauthorized access to or prohibited disclosure of certain electronic communications and files, and the federal Stored Communications Act does not fully occupy the field of regulation.
3. Does the federal law actually conflict with state law?
Third, does the federal law actually conflict with state law? Courts have generally found actual conflicts if: (a) “compliance with both federal and state regulations is a physical impossibility” (Florida Lime & Avocado Growers, Inc., v. Paul, 373 U.S. 132, 142–143 (1963)) or (b) the state law is an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress” (Hines v. Davidowitz, 312 U.S. 52, 67 (1941)). Specifically, let’s look at Sections 8(a)(i) and 8(a)(ii) of the November 2013 draft of the Uniform Law Commission’s Fiduciary Access to Digital Assets (FADA) model act to see if either of these provisions would actually conflict with the Stored Communications Act.
Section 8(a)(i) of the FADA model act says that, “A fiduciary with authority over digital assets or electronic communications of an account holder…has the same authority as the account holder.” Section 8(a)(ii) of the FADA model act says that, “A fiduciary with authority over digital assets or electronic communications of an account holder…has the lawful consent of the account holder.”
While § 2702(b)(3) of the Stored Communications Act says that a user can provide “lawful consent” for the provider to divulge the contents of an electronic communication or file and § 2707 of the Act says that a user can bring a civil action for violations of the Act, the Act is silent regarding who can enforce the user’s rights while the user is incapacitated or after the user dies. The Act does not expressly authorize or expressly prohibit a duly-authorized fiduciary to act on behalf of a user.
3.a. Is compliance with both federal and state regulations a genuine or physical impossibility?
So, does the difference between the Stored Communications Act and the FADA model act rise to the level of “impossibility” and result in federal law actually conflicting with state law? I believe the court would conclude that the answer is “no.” In Thoughts on Preemption in the Wake of the Levine Decision, by Erika Fisher Lietzan and Sarah E. Pitlyk, regarding the “impossibility” analysis, the authors state, “It is not enough that state law prohibits something that federal law permits, or vice versa. In each of these scenarios, a party could still comply with both laws by refraining from the conduct in question. In order for a court to find that it is genuinely impossible to comply with both state and federal law, one body of law must require something that the other prohibits.” 13 J. Health Care L. & Pol’y 225, 227 (2010) (footnotes omitted). For example, the article cites the case of Mich. Canners & Freezers Ass’n v. Agric. Mktg. & Bargaining Bd., 467 U.S. 461 (1984), which noted that a Michigan state law in question empowered people to do precisely what the federal law forbade them to do. But, the court noted that, “Because the Michigan Act is cast in permissive rather than mandatory terms…this is not a case in which it is impossible for an individual to comply with both state and federal law.” Id. at 477–478.
With respect to online accounts, there is no genuine or physical impossibility between the Stored Communications Act and the FADA model act. The FADA model act does not compel service providers to disclose the contents of the electronic communications and files protected under the Stored Communications Act. Disclosure is still voluntary for the service provider under the Stored Communications Act. In other words, a service provider that is skeptical of the effect of the FADA model act’s statement that a duly-appointed fiduciary has the “lawful consent” of the account holder could choose not to disclose the contents of the account holder’s electronic communications and files (on the other hand, a written authorization signed by the account holder personally that signifies “lawful consent” should satisfy the service providers). However, service providers also could conclude, based on the FADA model act or other existing or future state fiduciary laws (whether those state fiduciary laws mention online accounts specifically or not), that the duly-appointed fiduciary is the alter ego of the account holder and stands in the shoes of the account holder for purposes of the Stored Communications Act, and the service provider could choose to disclose the account contents to that fiduciary. Support for this position comes from a statement made by the court in In re Request for Order Requiring Facebook, Inc. to Produce Documents and Things, No. C 12–80171 LHK (N.D.Cal. Sept. 20, 2012), “Of course, nothing prevents Facebook from concluding on its own that Applicants [the duly-appointed fiduciary acting on behalf of Sahar Daftary's estate] have standing to consent on Sahar’s behalf and providing the requested materials voluntarily.” Because disclosure is voluntary, complying with both the Stored Communications Act and the FADA model act is not a genuine or physical impossibility for service providers. 
It’s also important to note that the quotation above comes from an order of the U.S. District Court, Northern District of California, because the Terms of Service contracts for Facebook, Apple, Google, LinkedIn, Twitter, WordPress, Yahoo!, YouTube, and other service providers state that any disputes with those companies must be resolved in a court in the same jurisdiction.
3.b. Is the state law an obstacle to the accomplishment and execution of the full purposes and objectives of Congress?
That leaves the question of whether the state law is an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress,” and I believe the court would conclude that the answer is “no.” Fiduciaries play an important and necessary role in the U.S. legal system for our personal and business lives, especially when dealing with an incapacitated or deceased person’s valuable or significant property, including digital property. A duly-appointed fiduciary acts as a person’s alter ego, standing in the shoes of the person. The person’s online account contents and other digital property are directly relevant to the fiduciary’s duties when acting on behalf of the incapacitated or deceased person’s estate and property, and the FADA model act is carefully tailored and limited to provide duly-appointed fiduciaries the authority and powers needed to act on behalf of a user’s online accounts and digital property within the scope of the fiduciary relationship. I would think differently about a state law that attempted to say the person’s spouse or other family members were granted access to an incapacitated or deceased person’s online accounts and digital property, without the accompanying fiduciary duties and limitation in scope so that it’s relevant to that person’s involvement.
It’s important that someone is able to collect and administer the person’s digital property and enforce the person’s rights in that digital property, including privacy rights under the Stored Communications Act, and the person’s duly-appointed fiduciary is the appropriate agent to do this under U.S. laws. Who else would have authority to bring a civil cause of action under § 2707 of the Stored Communications Act for an incapacitated or deceased user other than the user’s duly-appointed fiduciary? So, I don’t see how these two sections of the FADA model act would be an “obstacle to the accomplishment and execution of the full purposes and objectives of Congress” under the Stored Communications Act.
Based on my reading of the cases and analysis described above, I don’t think that a court would conclude the federal Stored Communications Act would actually conflict with the FADA model act or similar state fiduciary laws.
As I was reading through the cases on federal preemption and supremacy, I found the paper Congress’s Power to Preempt the States written by Professor Stephen Gardbaum in 2005 (and his 1994 paper The Nature of Preemption) to be a helpful resource for thinking through how a court today may (or should) think through these issues. In his paper, Professor Gardbaum proposes a new and simplified framework to analyze issues of federal supremacy and preemption. He asserts that Congress can preempt state law, but it must do so expressly in the federal law. He also asserts that, if there is no express preemption of state law by Congress in a federal law, the federal law will only supersede state law if there’s an actual conflict between them, as a result of the Supremacy Clause.
The bottom line is I believe that a court would conclude that state fiduciary laws, in general, and the relevant provisions of the November 2013 draft of the Fiduciary Access to Digital Assets model act, in particular, are not in conflict with and are not preempted by the federal Stored Communications Act. Ultimately, however, it will be up to the applicable courts to decide these issues.
Until that happens, hopefully a balance can be achieved for fiduciaries to receive the online account contents needed to carry out their fiduciary duties to an incapacitated or deceased person and for service providers to receive the assurances they need to respect a user’s privacy rights and to avoid potential civil damages for improper disclosures. Of course, I still prefer planning ahead for passwords, online accounts, and digital property, including having a written authorization signed by the account holder personally to signify “lawful consent,” rather than relying on the effect of state laws.
Finally, as with anything else in my blog, the views expressed are my personal views alone and do not necessarily represent the views of my law firm.