Recent headlines declaring that sharing your Netflix password is a federal crime may have been a bit off the mark, and were certainly alarming. But the recent Ninth Circuit Court of Appeals holding in U.S. v. Nosal (II) may have some bearing in estate administration when a personal representative uses the login and password of the decedent to access online accounts, as noted by the dissent opinion in the case.
The federal Computer Fraud and Abuse Act (the “Act”) makes it a crime when a person “knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access.” More broadly, it also criminalizes “intentional access of a protected computer without authority.” A protected computer has been defined as a computer affected by or involved with interstate commerce – so, essentially, all computers (when you use a computer to make a purchase in another state from a company’s website located in another state, you are involved with interstate commerce). What’s more, all fifty states have similar statutes criminalizing this conduct at the state level.
The case before the Ninth Circuit did not involve an estate, or for that matter, any fiduciary activity. (When a personal representative administers the estate of a decedent, he or she acts in a fiduciary capacity – a higher standard of care applied when acting for another’s benefit.) Rather, the case involved a former employee using the password of a still-current employee who shared it with him for the purpose of accessing the employer’s computer system to obtain proprietary information to establish a competing business.
Still, the actual holding of the case may give personal representatives pause. Despite its assertion that “this appeal is not about password sharing,” the Court held that a person acts “without authorization” under the Act if he or she accesses a computer system without the permission of, or when prior permission has been revoked by, the owner of the computer system. This includes not just the person whose account it is (the account user), but also the person who hosts the account (for example, Google, Facebook, or as the headlines noted, Netflix). As the dissenting opinion points out, if this definition of “without authorization” extends to other sections of the Act – like the much broader one noted above criminalizing intentional access without authorization – then people who “share their passwords notwithstanding the fact that websites and employers have polices prohibiting it” may be in violation of the Act even though such conduct is “ubiquitous, useful, and generally harmless.” In essence, the dissenting opinion points out that the Court’s holding could make millions of people criminals when they watch videos of last night’s game on their employer’s computer, share their bank account password with a spouse to pay a bill, or monitor their children’s Facebook account using that child’s password, or – relevant to this blog post –share one’s email account password with the person who will administer his or her estate, because almost all such accounts are governed by user agreements (those lengthy messages from online companies everyone agrees to without reading) prohibiting such activities.
The majority opinion noted that the facts and context surrounding the activity matter when applying the standard established in its decision. The conduct of a personal representative authorized to access the online account or computer system of a decedent who does so in the performance of his or her duties to administer the estate – a process governed by state law and fiduciary standards – should not be held equivalent to that of a former employee gaining access to a former employer’s computer system after his access has been explicitly revoked, and for nefarious purposes. While one should hope courts will indeed take facts and circumstances into account when applying this criminal statute, the law remains unsettled.
This uncertainty is one of many reasons why people should have a will. Wills drafted today should contain provisions expressly authorizing a personal representative to have access to the decedent’s online accounts. Such express authorization would go a long way in protecting a personal representative if his or her access to an online account becomes an issue. Additionally, Delaware’s Fiduciary Access to Digital Assets and Digital Accounts Act may help those without a will by vesting a fiduciary with deemed consent and authorization.