Business owners need to safeguard access to commercially valuable data.
The late twentieth century composer and conductor Leonard Bernstein wrote his much anticipated memoir “Blue Ink,” leaving it hidden behind various levels of passwords. In the 26 years since his death, no one has been able to decrypt the manuscript.
This is an example, albeit an unusual one, of a commercially valuable asset locked in a digital vault. Other copyrighted material, domain names, software licenses, customer lists, profiles and preferences, financial data, and even frequent flyer miles all may be hidden behind one or multiple layers of passwords known only to the business owner.
If the business owner dies or becomes disabled, especially unexpectedly, a business can be thrown into chaos. Access to digital assets and accounts is only one challenge to be faced–but a very important one. How should businesses be managing this new risk?
The first place to start is preparation of a complete inventory of the firm's digital assets and the user names and passwords needed to access them. Of course, the list needs to be updated frequently (vendors and customers change frequently) and this very powerful information should be securely stored.
Terms of Service Agreements: Every data vendor requires users to sign a service agreement or click on the “I agree” box indicating consent to their Terms of Service (TOS) agreement. User rights are determined by that language which probably no one bothers to read (I'm guilty too!).
Two matters every business owner needs to know about each TOS: Who else can be authorized to access data and whether the user “owns” that data or merely has a “license” to use it for a period of years or for life. If that data isn't owned, access dies with the user. Even during life, the user may not be able to sell or transfer it, even if the company is sold.
Business owners often have a key, highly trusted employee who knows the user names and passwords. Such an arrangement might be a practical necessity, but it is not without risk. One risk is employee theft. Business annals are full of stories of trusted employees stealing sensitive information that has monetary value. But there is also another risk, believe it or not, of violating federal law. The “Stored Communications Act” makes it a federal crime for anyone to “intentionally access … without authorization a facility through which an electronic communication service is provided.”
If you are relying on a key employee to access your data–either day-to-day or as your successor in case of death or disability–you should make sure that person is officially authorized according to TOS provisions. Otherwise, if something goes wrong with a transaction performed through that service provider, the employee might face criminal charges as well as being sued civilly.
The owner's potential problems may compound if business and personal information are mixed in the same digital account. Hillary Clinton's use of a private server for both State Department and personal matters is Exhibit A of the dangers or at least potential embarrassment attached to mixing the two.
What if an unprepared owner dies or becomes disabled? Since 2007, Indiana law has provided a mechanism for a fiduciary representing the account holder to access his or her digital assets. This law was a good pioneering effort, but its scope is limited and, therefore, an inadequate solution. Much better would be the “Uniform Fiduciary Access to Digital Assets Act.” This uniform law, already enacted in several states, was considered by the Indiana legislature last year but not acted on. The legislation has not been considered this year. Individual business owners should contact their state legislators and express their interest in this legislation.
What issues confront even the business owner who plans ahead? Preparation of a complete inventory of vendors, user names and passwords will work best if it is kept up to date. But danger lurks in such a powerful document. How can it be protected from the wrong hands and eyes? A potential safeguard is to use one of the many firms providing password management. Another benefit provided by these firms is the assistance they provide in organizing and managing access to your digital assets. Some possible vendors include LastPass, Dashlane, 1Password and KeePass. Another idea might be to keep the inventory in a safe deposit box or filed with a corporate trustee or perhaps with the company's CPA.
In short, it's of critical importance to your business to organize and manage your digital assets.
Calvin Bellamy is a partner in the Merrillville office of the law firm of Krieg DeVault LLP.