When estate planning for digital assets, it is important to maintain the security of the assets while ensuring authorized access to the digital estate after the user’s death. This may consist of asset or account information, passwords, encryption, and other security measures to maintain both security and access.
(a) General considerations
In order to balance these dual interests, the following general considerations should be kept in mind:
- Security of digital assets. The digital assets themselves must be kept secure to ensure that they will be available—both to the user while alive and to whoever is authorized to deal with the assets after the user’s death.
- Security of access information or credentials. Typically, online digital accounts are secured by a password or other security features intended to ensure only the user, or someone authorized by the user, will have access to the asset and its management.
- Accessibility when needed after death. While maintaining the security of digital assets during the user’s lifetime is essential, that security is useless if no one can access the assets after the death of the user. Therefore, it is vital to make sure that someone (digital fiduciary, executor, or administrator, or other trusted person) will have the information needed to access the digital assets after death.
- Updating the information to keep it current. Passwords and other security features typically need to be updated periodically to maintain the security of the associated account. Some software, app, and online service providers require a user to change or create a new password on a regular basis (e.g., every 30, 60, or 90 days). Because of the constantly changing nature of digital security measures, it is essential that the access information for a digital fiduciary be kept up to date at all times.
(b) Types of secure digital assets, access information, and digital security measures
- Types of digital assets. The types of digital assets that may be protected by various types of security measures include the following:
- Digital accounts, including any online accounts, operating systems, and profiles.
- Software and apps installed on a personal electronic device.
- Protected files and folders stored on a personal electronic device.
- Encrypted hardware, including computers, smartphones, tablets, and other physical storage media (such as external hard drives, flash drives, and CD- or DVD-ROMs). Protected hardware may require manually recording any passwords, PINs, or other information needed to access the device.
- Types of access information. Some or all of the following types of access information (or credentials) may be needed to ensure security and access for a user’s digital assets:
- Identification information, such as the user’s unique username, user ID, logon [login] name, or account number. This may be chosen by the user or assigned by the provider, and it often consists of the user’s email address or phone number.
- Security access information, which may consist of an identifying password, passcode, passphrase, PassMark, PIN (personal identification number), security questions, two-step verification, or biometric data—or some combination of them. (These are discussed below.)
- Additional personal information, which may be the user’s email or phone number (if it is not the same as the user’s unique account ID) or other personally identifying information, such as the user’s date of birth or social security number (or part of it).
- Social media profiles, which are increasingly becoming an optional (and sometimes the only) way to create an account and access smartphone apps and websites that require registration.
- Types of digital security measures [and credentials]. Security measures can range from simple passwords or PINs to biometric data that recognizes the user through unique physical characteristics. The main types of digital security measures are listed below:
- Passwords. These are still the most common type of security feature, consisting of a string of characters (letters, numbers, and/or symbols), which often have specific requirements for validity (e.g., 8 to 14 characters, with at least one capital letter, one lowercase letter, one number, and one symbol).
- Passphrases. A passphrase is a type of password that consists of a series of random words, simple phrases, or sentences that are easy to remember, but hard to hack.
- PassMarks. A PassMark is a type of enhanced security feature that typically consists of an image containing a phrase, as well as confidential challenge questions. (PassMarks are increasingly used by financial institutions to prevent fraud and identity theft.)
- Security or challenge questions. Confidential security or challenge questions are questions often chosen by a user from a list of questions (or even written by the user) that are unique and relate to personal information others would be unlikely to know. They are typically much more personalized than ‘mother’s maiden name’ or ‘city of birth.’
- Two-step authentication. Two-step (or two-factor) verification or authentication (sometimes called 2FA) is a more secure solution that requires two different methods to authenticate a user. (For example, some online accounts now require a password as well as a code sent, at the time of logon, to a smartphone as a text message, or through an app installed on the user’s phone.)
- Biometric security. These are designed to use an individual’s unique physical traits to confirm identity. They include fingerprints, facial recognition, iris scans, and voice recognition.
(c) Keeping track of passwords and other access information or credentials
Keeping track of multiple accounts, with all their different security features and changing access information, can be a challenge. There are a number of ways to do this, though some methods are less secure and more difficult than others. The most common ways to keep track of accounts and access information are the following:
- Password management systems. There are a number of password management systems and services (both free and commercial), which may consist of apps for smartphones or tablets, software for computers, and websites, that securely store usernames, passwords or credentials, and other sensitive information, and can automatically retrieve them and securely log into the user’s online accounts.
They encrypt login and password information, which is stored in a file (or vault) on the user’s own device or online. The user has a master password to unlock or decrypt the data, making it easy to retrieve and update password information. Many also can create new strong passwords to better protect the user’s accounts and have the ability to synchronize any updated information to all of the user’s authorized devices.
This makes it much easier to save and manage a large number of passwords and credentials than some of the other methods discussed below. (Some popular password management systems and services are LastPass, Dashlane, True Key, Sticky Password, Keeper, RoboForm, OneLogin, and PasswordBox.)¹
- Other methods of storing passwords and login information. There are other ways to store and keep track of account access information and credentials, though each has diminishing utility as the number of accounts and passwords a person needs seems to continue to increase. Each of the methods listed below must be manually updated whenever password or account information changes, so there is no assurance that all the information will be current at the time of the user’s death.
- Text file or spreadsheet, which lists accounts and corresponding access information. The user may want to save the list in a password-protected document.
- Checklist used for digital assets estate planning,² which will list the most important categories of accounts and their access information. This may be in either hard copy or electronic format.
- Sealed envelope or safe deposit box, with a hard copy list of account and access information. For added security, the information can be divided into two separate documents—one with usernames and the other with passwords. These would be kept separately, either in different locations or by different trusted individuals. This could also be used in conjunction with a password management system, to store the master password.
Planning Point: Clients should be advised to avoid keeping passwords in a will or formal estate planning document, as these documents may be subject to public inspection or otherwise be made available to third parties. Further, relying solely on memorizing passwords comes with the risk of forgetting the passwords and provides no means of passing that information on after the user’s death. Some service providers’ terms of service (or federal or state law) may also prohibit sharing passwords with even a trusted third party.
Jason Carr, M.S., M.Ed.
1. For reviews and comparisons of password managers, see ConsumerAffairs.com, “Compare Password Manager Reviews,” https://www.consumeraffairs.com/internet/password-managers/# (accessed October 8, 2024).
2. See, e.g., Digital Estate Information Sample Form, in Gerry W. Beyer, “Web Meets the Will: Estate Planning for Digital Assets,” NAEPC Journal of Estate and Tax Planning, vol. 42, No. 3 (Mar. 2015), pp. 28–41 (at pp. 34–37), http://www.naepc.org/journal/issue20p.pdf (accessed October 8, 2024).