When Death Is More Than a Blue Screen

Sometimes, It's Over; Then What?

All these scenarios take into consideration the loss of data as a recoverable problem but there are some situations in which 'it really is over.' Consider all the critical information that would vanish if a key employee of your business died suddenly, and others had to locate that information. For example, crucial information might have been stored or used, online or on a particular piece of hardware, in a place that only the deceased knew. From file locations of key documents listing assets, to log-on names and screens, to passwords and security-question answers for business-related databases, much routine, day-to-day but critical information could vanish instantly. Even if the deceased used easily memorable information for passwords, will a spouse or children, much less business partners and an executor, know the childhood address, best friend and pet name that was burned into his or her brain? In today's security-conscious world, the old shortcut of leaving log-on names and passwords stored on a computer or on a Post-It note should never be used, which means ' that if this sound, often-offered advice is followed, simply booting up the laptop of someone who has died and logging on will rarely work for those left behind.

Even with that log-on information, it might not be entirely proper under the law to access the deceased employee's account. Under standard terms and conditions, many e-mail or other online accounts expire automatically on the user's death. The account often is personal to the user and, according to the legal rules, not transferable to anyone, even an employer or close family member. Once the owner of the account dies, so does the account, regardless of how important the account or information in it might be to the deceased's survivors or employer. Even the holder of a power of attorney has no authority, once the grantor of the power has passed on to a greater authority. In other words, when an employee goes, his online account often goes as well ' whether it was really his, or his employer's account.

For this reason, e-commerce and real-world firms alike should require employees to use firm-controlled and firm-managed e-mail accounts, rather than the freely available online accounts so popular with hackers, thieves and spammers. Taking this action will not only reduce the risk and incidence of problems, for instance, of false identification of business mail as spam, as the firm's mail moves away from domains populated by all sorts of bad actors, but the firm's IT department will be able to manage it more reliably. If business is conducted through third-party online accounts ' Hotmail.com or Yahoo.com addresses, for example ' consider the burden on IT staff if ordered by a court to produce all e-mail involving certain persons, or events, or for silent monitoring for inappropriate activity through an account used for company business. (See, http://news.office-watch.com?459 and http://news.office-watch.com?461.) While most established e-commerce firms appear to contact customers through addresses such as [email protected], independent of the individual account of a particular employee, it is not hard to find startups built on the founders' economizing by using free online accounts.

Yet business must go on, with or without the deceased staffer, and unless a firm has taken the precautions to require him or her to discreetly share in a legally permissible way, key electronic identifying information with trusted colleagues or professional advisors, the security features that protect files and data from the bad guys could, paradoxically, deny the continuing business easy access to the data that it needs to do any business at all. 'White hat' hackers could, in theory, restore that access, but at a cost ' and a delay that shouldn't befall a business that might already be struggling with the absence of a departed and valued colleague. We would certainly not expect a doomed individual who had time to leave a farewell message to have the presence of mind (or the desire) to spend his or her last few breaths of life talking about money, or leaving e-mail instructions for the employer (see, www.opinionjournal.com/columnists/pnoonan/?id=110008909).

Fortunately, there might be ways to avoid making a bad situation worse for those left behind. For example, estate-planning attorneys routinely have clients create memoranda of assets and other key information to assist in locating property that must be dealt with after the death of an employee. Such lists could ' and should ' easily be expanded to include critical information about online accounts and e-mail used for firm business. Web site addresses for stored e-mail, asset lists and all necessary log-on information would simplify the survivors' task. Consider the position of an executor holding a large online account in a volatile market: Short of going through the laborious probate process, the estate assets could be subject to great market risk; should he or she go into the account, without legal authorization, or sit idly by while the assets for which he or she has fiduciary responsibility dwindle until the legal authorization to act comes through?

Post-mortem e-Mail
Access Not What It Seems

Current statutory and contractual law, unfortunately, often give a deceased's legal representatives no right to act on that information in the absence of specific legally binding steps written before death. In addition, a promise by an Internet service provider to keep an account confidential will be respected. The provider may even feel legally compelled to obtain a court order to block disclosure, because the deceased may not have wanted to share his or her account information, or correspondence with others, because e-mail can reveal not only investment decisions, but also infidelities and other information that we all might agree survivors never needed to know. In the interest of preserving the corpus of financial assets, we may eternally diminish the much more lasting legacy of a person's spirit and soul with his or her loved ones.

There have even been well-publicized cases of survivors seeking e-mail, particularly parents of military personnel who died suddenly, only to find themselves thwarted by standard policies. One parent's quest to honor his slain son's desire for a scrapbook of his tour of duty even led to a courtroom victory over Yahoo!'s policies that would have blocked his access; the father relied on traditional probate law to get access to his son's messages (www.theage.com.au/news/Breaking/Slain-Marines-email-raises-legal-issues/2005/04/23/1114152332515.html). As a result, the U.S. Army issued its own memorandum providing guidance for troops on how to maintain their own posthumous privacy, while also allowing limited access to loved ones through a trusted third party who can offer limited portions of an e-mail account (www.eff.org./Privacy/Email_Internet_Web/memo_to_soldiers.php). Ownership of the medium on which the e-mail was downloaded and saved might also complicate the task of survivors, if business e-mail is saved on a personal laptop, or vice versa. According to Cindy Cohn of the Electronic Frontier Foundation, the practical solution recommended by the Army memo ' 'to make explicit plans ahead of time to grant or deny access to their private e-mail accounts ' whether that involves handing passwords to a trusted friend or loved one, leaving word with their families that they would like the privacy of their e-mail respected even after death, or any number of other options' is 'good advice for soldiers and their families, but it applies to everyone with an e-mail account.' Cohn adds: 'No one likes to think about dying, much less what might happen to your personal e-mail after your death. But making arrangements now prevents putting your loved ones through unnecessary stress or forcing your Internet service provider into the unwelcome position of deciding who gets access to your digital estate.'

(Editor's note: See also the following articles from the e-Commerce Law & Strategy archives:

• 'Internet Assets of a Decedent: Tax and Estate Planning Issues Raised By the Internet,' July 2006;
• 'Slain Soldier's e-Mail Spurs Legal Debate,' June 2005; and
• 'Have You Inherited a Deceased Employee's e-Mail? Here's a Discussion on What to Do,' June 2005.
• For an article discussing general disaster-recovery plans for e-businesses, see, 'How Safe Is The Store? A Disaster-Recovery Plan Is a Security Blanket e-Businesses Need,' in the December 2004 edition.)

Invest in Planning
And Save a Lot

Business firms, however, will have a very different post-mortem agenda. Firms in e-commerce simply need to maintain access to information and communications, without interruption. As mentioned above, the 'practical' solution that solves the immediate needs of business users, that is to say ' simply going into the account with access information provided by the deceased, might be in violation of the boilerplate contract governing the account.

For example, consider the case of the operator of a 'niche internet business,' who died without providing his son any information about it (www.theage.com.au/news/Breaking/Slain-Marines-email-raises-legal-issues/2005/04/23/1114152332515.html). According to his surviving son: 'When he died last year at 71, he left no provision for the business. I couldn't access his accounts or pay suppliers, and I couldn't shut the business down. People run their lives through Outlook, but I couldn't access that either, so I couldn't reach his customers to inform them that he'd died.' Although the father had done normal estate planning: 'My father didn't factor his online business into his life plan. ' The business, Beyond Batik, kept right on rolling when he died, and I got lots of angry notes. I couldn't get to the finances. Now, I'm fighting to shut down the bank account, and I've gotten stuck with overdraft charges. All these problems could have been avoided if my father had made provisions for them in his will.'

Because the cost of acquiring customers can be quite high, no firm in e-commerce should allow a key individual's death to deprive it of future business from its best source ' existing customers. In the real world, the survivors will continue to receive paper mailings, sale notices and even billings to maintain the connection. An e-commerce firm, in contrast, typically has no cost-efficient way to reach the successor of the deceased. While most firms maintain real-world addresses, it certainly would be inefficient to send snail mail to all customers who have not ordered recently. Some might have passed on, but others might just have decided to shop elsewhere.

An account owned by a business, however, rather than by an individual, does not suffer these risks. An e-commerce firm in particular will likely want to maintain its customer base, because the decedent's company may have had a long purchasing history, and even individuals often have established a pattern of purchasing gifts that survivors might want to continue purchasing (such as if the firm alerted them of regularly scheduled purchases). Other practical suggestions appear in an AARP article, 'Life Online: Accessing Family Accounts in Cases of Emergency' (www.aarp.org/learntech/computers/life_online/accessing_family_accounts.html). According to the AARP: 'Whether at home or at work, the largest challenge to tech-access preparation in the event of an emergency is extracting the wealth of undocumented information maintained in our memory. You may want to begin simply with an inventory of your online accounts, then augment that list with Web site addresses, user IDs and passwords. If any of these accounts have particular activity histories or pending actions, it could be worth taking the time to capture that information to document what's been done to date. Then share this list and information with someone who may need to follow in your electronic footsteps. And while employees' work-place information is usually managed by the organization, supervisors and individuals may want to inventory what they use on the job and how others may need to access it in the event of personal emergency situations. Remember to safeguard this information by making paper or electronic copies, but you may want to avoid protecting it behind a secret password!'

Another critical business need for maintaining online accounts following the death of key employees can be found in the mundane notice provisions of boilerplate online agreements, and the simplest of customer-registration procedures. One law-school professor told me that certified mail never brought good news, and the same can be said of e-mail notifications: They will usually report problems with an order or payment, or a late or missed payment; therefore, it is in no one's interest, whether, an individual or a business, for them to be or to become undeliverable and unread. But if that notice goes to an online e-mail account, and in the name of an employee rather than the name of his or her employer, then it might never be seen until the lawsuit is filed that could have been prevented if anyone had read the e-mail notice, and acted on it. At the most basic level, if procedures are not in place to monitor a deceased employee's e-mail inbox, and to notify senders of the address of the person taking over the deceased's duties, messages could quickly accumulate into an unmanageable kludge of data.

Another practical step that can help those left behind, whether family or work colleagues, is as simple as having a printed set of contact information that can be found much more easily than trying to get a court's permission to access a deceased's address book. If business contacts (much less your closest friends) can't be identified to be notified of your condition when you are ill, much less when you are gone, then your firm could lose all the business relationships that had been established. On a personal level, the individuals who cared about you might never learn about your demise and final services in time to attend. Less dramatically, simply following up on orders and customer satisfaction may grind to a halt if it occurred only through e-mail addresses that cease to function when an employee dies.

Conclusion

Although the balance between the online rights of the deceased and the needs of one's survivors has yet to be struck, that question poses special concerns for e-commerce firms because of the policies that make it difficult for those left behind to gain access not only to the financial accounts of the deceased, but also to the deceased's contacts lists, and names of and contact information for business acquaintances. Rather than rely on what a court might permit after death ' and the legal fees and delay it might take to get there ' firms whose employees rely on e-mail (or other forms of electronic communication, such as instant messaging or even text messaging) should require employees to make that information readily available and accessible to the firm. Even if no one is listening to hear, 'You've got mail,' it may still be there waiting for your firm's reply ' and the price of inaction could be far more costly than a clogged inbox. An employee might die, but (as countless defendants have learned from inappropriate statements discovered in e-mail), e-mail, and the need to reply, can live forever.

Everyone who has worked with a computer, even before the arrival of the Internet, knows the sickening feeling of loss. Without warning, hours of your work suddenly vanish from the screen. You hope (and pray) that perhaps it's been saved in a backup or temp file ' but often it's not. As your internal soundtrack turns up the volume on Don Henley and Glenn Frey, you realize that your carefully crafted project is 'already gone' ' and that it's not the time for a victory song. Instead, you will have to painstakingly recreate the work you had already done ' but didn't get a chance to (or even forgot to) save before the crash signaled by the apparently ubiquitous 'blue screen of death.'

Fortunately, this problem is an easy one to fix ' before the fact. Periodic automatic save features can be turned on in many programs, such as Word, and 'Control S' has become an automatic part of typing for many people. On a systemwide basis, network administrators can generate minute-by-minute backups ' many thanks to David, Steve and the Help Desk at my firm, because their efforts have often saved me during computer or system crashes and blackouts.

Beyond the user level, many articles have been written about firms' disaster-recovery policies. Vendors also will sell you many solutions for 'typical' disaster-recovery projects. After Katrina, some of those solutions have been tested, by the few who read the articles, and had authority to take action. Finally, if the work was important enough, good IT support will keep trying to recover the data, because 'it ain't over 'til it's over'; data reside in many nooks and crannies on systems, and can often be found, if the need warrants searching through today's massive storage capacity to find it.

Sometimes, It's Over; Then What?

All these scenarios take into consideration the loss of data as a recoverable problem but there are some situations in which 'it really is over.' Consider all the critical information that would vanish if a key employee of your business died suddenly, and others had to locate that information. For example, crucial information might have been stored or used, online or on a particular piece of hardware, in a place that only the deceased knew. From file locations of key documents listing assets, to log-on names and screens, to passwords and security-question answers for business-related databases, much routine, day-to-day but critical information could vanish instantly. Even if the deceased used easily memorable information for passwords, will a spouse or children, much less business partners and an executor, know the childhood address, best friend and pet name that was burned into his or her brain? In today's security-conscious world, the old shortcut of leaving log-on names and passwords stored on a computer or on a Post-It note should never be used, which means ' that if this sound, often-offered advice is followed, simply booting up the laptop of someone who has died and logging on will rarely work for those left behind.

Even with that log-on information, it might not be entirely proper under the law to access the deceased employee's account. Under standard terms and conditions, many e-mail or other online accounts expire automatically on the user's death. The account often is personal to the user and, according to the legal rules, not transferable to anyone, even an employer or close family member. Once the owner of the account dies, so does the account, regardless of how important the account or information in it might be to the deceased's survivors or employer. Even the holder of a power of attorney has no authority, once the grantor of the power has passed on to a greater authority. In other words, when an employee goes, his online account often goes as well ' whether it was really his, or his employer's account.

For this reason, e-commerce and real-world firms alike should require employees to use firm-controlled and firm-managed e-mail accounts, rather than the freely available online accounts so popular with hackers, thieves and spammers. Taking this action will not only reduce the risk and incidence of problems, for instance, of false identification of business mail as spam, as the firm's mail moves away from domains populated by all sorts of bad actors, but the firm's IT department will be able to manage it more reliably. If business is conducted through third-party online accounts ' Hotmail.com or Yahoo.com addresses, for example ' consider the burden on IT staff if ordered by a court to produce all e-mail involving certain persons, or events, or for silent monitoring for inappropriate activity through an account used for company business. (See, http://news.office-watch.com?459 and http://news.office-watch.com?461.) While most established e-commerce firms appear to contact customers through addresses such as [email protected], independent of the individual account of a particular employee, it is not hard to find startups built on the founders' economizing by using free online accounts.

Yet business must go on, with or without the deceased staffer, and unless a firm has taken the precautions to require him or her to discreetly share in a legally permissible way, key electronic identifying information with trusted colleagues or professional advisors, the security features that protect files and data from the bad guys could, paradoxically, deny the continuing business easy access to the data that it needs to do any business at all. 'White hat' hackers could, in theory, restore that access, but at a cost ' and a delay that shouldn't befall a business that might already be struggling with the absence of a departed and valued colleague. We would certainly not expect a doomed individual who had time to leave a farewell message to have the presence of mind (or the desire) to spend his or her last few breaths of life talking about money, or leaving e-mail instructions for the employer (see, www.opinionjournal.com/columnists/pnoonan/?id=110008909).

Fortunately, there might be ways to avoid making a bad situation worse for those left behind. For example, estate-planning attorneys routinely have clients create memoranda of assets and other key information to assist in locating property that must be dealt with after the death of an employee. Such lists could ' and should ' easily be expanded to include critical information about online accounts and e-mail used for firm business. Web site addresses for stored e-mail, asset lists and all necessary log-on information would simplify the survivors' task. Consider the position of an executor holding a large online account in a volatile market: Short of going through the laborious probate process, the estate assets could be subject to great market risk; should he or she go into the account, without legal authorization, or sit idly by while the assets for which he or she has fiduciary responsibility dwindle until the legal authorization to act comes through?

Post-mortem e-Mail
Access Not What It Seems

Current statutory and contractual law, unfortunately, often give a deceased's legal representatives no right to act on that information in the absence of specific legally binding steps written before death. In addition, a promise by an Internet service provider to keep an account confidential will be respected. The provider may even feel legally compelled to obtain a court order to block disclosure, because the deceased may not have wanted to share his or her account information, or correspondence with others, because e-mail can reveal not only investment decisions, but also infidelities and other information that we all might agree survivors never needed to know. In the interest of preserving the corpus of financial assets, we may eternally diminish the much more lasting legacy of a person's spirit and soul with his or her loved ones.

There have even been well-publicized cases of survivors seeking e-mail, particularly parents of military personnel who died suddenly, only to find themselves thwarted by standard policies. One parent's quest to honor his slain son's desire for a scrapbook of his tour of duty even led to a courtroom victory over Yahoo!'s policies that would have blocked his access; the father relied on traditional probate law to get access to his son's messages (www.theage.com.au/news/Breaking/Slain-Marines-email-raises-legal-issues/2005/04/23/1114152332515.html). As a result, the U.S. Army issued its own memorandum providing guidance for troops on how to maintain their own posthumous privacy, while also allowing limited access to loved ones through a trusted third party who can offer limited portions of an e-mail account (www.eff.org./Privacy/Email_Internet_Web/memo_to_soldiers.php). Ownership of the medium on which the e-mail was downloaded and saved might also complicate the task of survivors, if business e-mail is saved on a personal laptop, or vice versa. According to Cindy Cohn of the Electronic Frontier Foundation, the practical solution recommended by the Army memo ' 'to make explicit plans ahead of time to grant or deny access to their private e-mail accounts ' whether that involves handing passwords to a trusted friend or loved one, leaving word with their families that they would like the privacy of their e-mail respected even after death, or any number of other options' is 'good advice for soldiers and their families, but it applies to everyone with an e-mail account.' Cohn adds: 'No one likes to think about dying, much less what might happen to your personal e-mail after your death. But making arrangements now prevents putting your loved ones through unnecessary stress or forcing your Internet service provider into the unwelcome position of deciding who gets access to your digital estate.'

(Editor's note: See also the following articles from the e-Commerce Law & Strategy archives:

• 'Internet Assets of a Decedent: Tax and Estate Planning Issues Raised By the Internet,' July 2006;
• 'Slain Soldier's e-Mail Spurs Legal Debate,' June 2005; and
• 'Have You Inherited a Deceased Employee's e-Mail? Here's a Discussion on What to Do,' June 2005.
• For an article discussing general disaster-recovery plans for e-businesses, see, 'How Safe Is The Store? A Disaster-Recovery Plan Is a Security Blanket e-Businesses Need,' in the December 2004 edition.)

Invest in Planning
And Save a Lot

Business firms, however, will have a very different post-mortem agenda. Firms in e-commerce simply need to maintain access to information and communications, without interruption. As mentioned above, the 'practical' solution that solves the immediate needs of business users, that is to say ' simply going into the account with access information provided by the deceased, might be in violation of the boilerplate contract governing the account.

For example, consider the case of the operator of a 'niche internet business,' who died without providing his son any information about it (www.theage.com.au/news/Breaking/Slain-Marines-email-raises-legal-issues/2005/04/23/1114152332515.html). According to his surviving son: 'When he died last year at 71, he left no provision for the business. I couldn't access his accounts or pay suppliers, and I couldn't shut the business down. People run their lives through Outlook, but I couldn't access that either, so I couldn't reach his customers to inform them that he'd died.' Although the father had done normal estate planning: 'My father didn't factor his online business into his life plan. ' The business, Beyond Batik, kept right on rolling when he died, and I got lots of angry notes. I couldn't get to the finances. Now, I'm fighting to shut down the bank account, and I've gotten stuck with overdraft charges. All these problems could have been avoided if my father had made provisions for them in his will.'

Because the cost of acquiring customers can be quite high, no firm in e-commerce should allow a key individual's death to deprive it of future business from its best source ' existing customers. In the real world, the survivors will continue to receive paper mailings, sale notices and even billings to maintain the connection. An e-commerce firm, in contrast, typically has no cost-efficient way to reach the successor of the deceased. While most firms maintain real-world addresses, it certainly would be inefficient to send snail mail to all customers who have not ordered recently. Some might have passed on, but others might just have decided to shop elsewhere.

An account owned by a business, however, rather than by an individual, does not suffer these risks. An e-commerce firm in particular will likely want to maintain its customer base, because the decedent's company may have had a long purchasing history, and even individuals often have established a pattern of purchasing gifts that survivors might want to continue purchasing (such as if the firm alerted them of regularly scheduled purchases). Other practical suggestions appear in an AARP article, 'Life Online: Accessing Family Accounts in Cases of Emergency' (www.aarp.org/learntech/computers/life_online/accessing_family_accounts.html). According to the AARP: 'Whether at home or at work, the largest challenge to tech-access preparation in the event of an emergency is extracting the wealth of undocumented information maintained in our memory. You may want to begin simply with an inventory of your online accounts, then augment that list with Web site addresses, user IDs and passwords. If any of these accounts have particular activity histories or pending actions, it could be worth taking the time to capture that information to document what's been done to date. Then share this list and information with someone who may need to follow in your electronic footsteps. And while employees' work-place information is usually managed by the organization, supervisors and individuals may want to inventory what they use on the job and how others may need to access it in the event of personal emergency situations. Remember to safeguard this information by making paper or electronic copies, but you may want to avoid protecting it behind a secret password!'

Another critical business need for maintaining online accounts following the death of key employees can be found in the mundane notice provisions of boilerplate online agreements, and the simplest of customer-registration procedures. One law-school professor told me that certified mail never brought good news, and the same can be said of e-mail notifications: They will usually report problems with an order or payment, or a late or missed payment; therefore, it is in no one's interest, whether, an individual or a business, for them to be or to become undeliverable and unread. But if that notice goes to an online e-mail account, and in the name of an employee rather than the name of his or her employer, then it might never be seen until the lawsuit is filed that could have been prevented if anyone had read the e-mail notice, and acted on it. At the most basic level, if procedures are not in place to monitor a deceased employee's e-mail inbox, and to notify senders of the address of the person taking over the deceased's duties, messages could quickly accumulate into an unmanageable kludge of data.

Another practical step that can help those left behind, whether family or work colleagues, is as simple as having a printed set of contact information that can be found much more easily than trying to get a court's permission to access a deceased's address book. If business contacts (much less your closest friends) can't be identified to be notified of your condition when you are ill, much less when you are gone, then your firm could lose all the business relationships that had been established. On a personal level, the individuals who cared about you might never learn about your demise and final services in time to attend. Less dramatically, simply following up on orders and customer satisfaction may grind to a halt if it occurred only through e-mail addresses that cease to function when an employee dies.

Conclusion

Although the balance between the online rights of the deceased and the needs of one's survivors has yet to be struck, that question poses special concerns for e-commerce firms because of the policies that make it difficult for those left behind to gain access not only to the financial accounts of the deceased, but also to the deceased's contacts lists, and names of and contact information for business acquaintances. Rather than rely on what a court might permit after death ' and the legal fees and delay it might take to get there ' firms whose employees rely on e-mail (or other forms of electronic communication, such as instant messaging or even text messaging) should require employees to make that information readily available and accessible to the firm. Even if no one is listening to hear, 'You've got mail,' it may still be there waiting for your firm's reply ' and the price of inaction could be far more costly than a clogged inbox. An employee might die, but (as countless defendants have learned from inappropriate statements discovered in e-mail), e-mail, and the need to reply, can live forever.