Digital information has become a pervasive, vital part of everyday life. Most of us have e-mail accounts, online bank and brokerage accounts, cloud storage for pictures and documents, social networking accounts and loyalty programs that we access on a regular basis. Moreover, managing these accounts is challenging because of the need to use numerous passwords.
For financial advisors, for whom risk management is a core service, digital assets represent the additional challenge of keeping client information safe both while clients are alive and after they pass away.
Cybersecurity, meanwhile, is a tangible issue that advisors must be acquainted with. As is illustrated with each headline about hackers stealing information from government agencies or large corporations, cyber-criminals continually adapt to stay ahead of law enforcement, creating a very real threat to clients.
An Ounce of Prevention …
Clients face numerous challenges when it comes to managing their digital data. They may, for example, get locked out of their online accounts because of inactivity or because they entered the wrong password. They may forget passwords and log-in names or become overwhelmed by the sheer number of accounts they’re forced to juggle.
But there are some steps clients can take to manage their digital information efficiently and safely:
1. Avoid accessing sensitive data and websites through a public Wi-Fi Internet connection.
2. Always log out of a website when you’re done accessing it.
3. Keep software and apps up to date so you always have the latest security fixes.
4. Erase any data on phones, tablets, laptops and other devices before disposing of them.
5. Always review account statements, and if clients are in doubt about an e-mail they receive, they should go directly to the sending website.
6. Clients should not put personal information in an e-mail. Instead, they should share sensitive information with their advisor over the phone.
7. Be selective in what e-mails are saved to a folder.
8. Regularly empty the digital trash.
9. Clients should read the privacy policies of the websites they use and determine how personal information is stored and used.
10. The security settings of PCs, smartphones, tablets and other devices used to access the Internet should be checked regularly.
Clients should use a different password for each of their accounts, which means they will have a lot of passwords to remember and keep safe. A client may choose to create a list of sites with corresponding usernames and passwords. If so, the list itself should be password protected so, in practice, the client needs to remember only one password. Similarly, the client could create two separate lists: one with the username and a second list with passwords. The list or lists can be stored on a USB thumb drive and kept in a safe at home or in a safe deposit box. One challenge with keeping lists is ensuring that they are updated with new passwords and new sites or accounts.
Another option for storing passwords is to use a commercial password keeper, which typically can be used as an app on a smartphone or tablet and through an online site. These products not only manage passwords, but they also can generate passwords for individual accounts. When using such an app, the user needs to remember one password. After opening the app on his or her phone, the client can access the site directly through that app. Numerous companies offer these apps and websites, some of which are free.
Creating safe, secure passwords that are easy to remember is a third challenge in safeguarding electronic data. Many of the password keeper sites have a function that will create a random password, but it is often difficult to remember since it is actually a random sequence of letters, numbers and symbols. A 15-character random password may be: Kpz?V7zFng7_4sM.
An alternative is to create passwords that are based on a formula or a phrase that is easy to remember, but hard to recreate. For example, the phrase “I work at Atlantic Trust on the 37th floor!” would be a way to remember the password “IwaATot37thf!”. Similarly, the phrase “the Patriots are the 2015 Super Bowl champs” would be a way to remember the password “P!at2015SBc”.
There are a couple of additional rules to consider regarding password management. First, be sure to change passwords at least twice a year, particularly for accounts that a hacker may watch, such as those used for e-mail or social media. Second, take advantage of two-step verification when available. This utilizes a single-use security code sent to your phone or e-mail that you need to input before logging in.
The United States Computer Emergency Readiness Team (www.us-cert.gov) is a resource clients may also find useful. It offers tips and advice on security issues for non-technical computer users.
Hopefully, clients have an estate plan in place. In connection with cybersecurity, clients and their advisors should consider whether their current powers of attorney include provisions relating to accessing digital assets and accounts.
Failing To Prepare, Preparing To Fail
Why is there a need to plan for digital assets? First, advisors and their clients need to prevent the theft of a client’s identity and assets when he or she dies. Second, fiduciaries need to identify and gather assets to ensure their proper disposition after a client passes away. Third, information needs to be kept secure for emotional reasons. Family pictures stored in the cloud, for example, may have no significant financial value, but they often do have sentimental value among family members.
Tools and strategies for the administration of digital assets upon a client’s death are still in their infancy. Last year, the National Commission on Uniform State Laws approved the Uniform Fiduciary Access to Digital Assets Act, which vests fiduciaries with “at least the authority to manage and distribute digital assets, copy or delete digital assets and access digital assets.”
In addition to state law, many websites are governed by an electronic agreement covering the terms of service. Many clients simply click “accept” when creating a new account and do not look at the terms. In connection with a fiduciary gaining access to a deceased person’s account, terms may state that the account is nontransferable. However, some sites are making inroads on this issue. Facebook, for example, is creating a “living will” program that will allow users to appoint a “legacy contact” or otherwise decide what happens to their accounts when they die.
Cybersecurity and digital planning present numerous challenges for our clients and their advisors. Clients need to deal with a constant flow of new information as passwords change, websites change and accounts are opened and closed. Estate planning for digital assets is still an evolving process. Strategies for how to dispose of digital assets and accounts, including the potential efficacy of trust ownership and powers of attorney, should be a part of estate planning discussions.