Colorado Code
Part 15 - Revised Uniform Fiduciary Access to Digital Assets Act
§ 15-1-1515. Fiduciary Duty and Authority

Source: L. 2016: Entire part added, (SB 16-088), ch. 71, p. 187, § 1, effective August 10.
The original version of UFADAA incorporated fiduciary duties by reference to "other law." This proved to be confusing and led to enactment difficulty. Section 1515 specifies the nature, extent and limitation of the fiduciary's authority over digital assets. Subsection (1) expressly imposes all fiduciary duties to the management of digital assets, including the duties of care, loyalty and confidentiality. Subsection (2) specifies that a fiduciary's authority over digital assets is subject to the terms-of-service agreement, except to the extent the terms-of- service agreement provision is overridden by an action taken pursuant to Section 1504, and it reinforces the applicability of copyright and fiduciary duties. Finally, subsection (2) prohibits a fiduciary's authority being used to impersonate a user. Subsection (3) permits the fiduciary to access all digital assets not in an account or subject to a terms-of- service agreement. Subsection (4) further specifies that the fiduciary is an authorized user under any applicable law on unauthorized computer access.
Subsection (7) gives the fiduciary the option of requesting that an account be terminated, if termination would not violate a fiduciary duty.
This issue concerning the parameters of the fiduciary's authority potentially arises in two situations: 1) the fiduciary obtains access to a password or the like directly from the user, as would be true in various circumstances such as for the trustee of an inter vivos trust or someone who has stored passwords in a written or electronic list and those passwords are then transmitted to the fiduciary; and 2) the fiduciary obtains access pursuant to this act.
This section clarifies that the fiduciary has the same authority as the user if the user were the one exercising the authority (note that, where the user has died, this means that the fiduciary has the same access as the user had immediately before death). This means that the fiduciary's authority to access the digital asset is the same as the user except where, pursuant to Section 1504, the user has explicitly opted out of fiduciary access. In exercising its responsibilities, the fiduciary is subject to the duties and obligations established pursuant to state fiduciary law, and is liable for breach of those duties. Note that even if the digital asset were illegally obtained by the user, the fiduciary would still need access in order to handle that asset appropriately. There may, for example, be tax consequences that the fiduciary would be obligated to report.
However, this section does not require a custodian to permit a fiduciary to assume a user's terms-of-service agreement if the custodian can otherwise comply with Section 1506.
In exercising its responsibilities, the fiduciary is subject to the same limitations as the user more generally. For example, a fiduciary cannot delete an account if this would be fraudulent. Similarly, if the user could challenge provisions in a terms-of-service agreement, then the fiduciary is also able to do so. See Ajemian v. Yahoo!, Inc. , 987 N.E.2d 604 (Mass. 2013).
Subsection (2) is designed to establish that the fiduciary is authorized to obtain or access digital assets in accordance with other applicable laws. The language mirrors that used in Title II of the Electronic Communications Privacy Act of 1986 (ECPA), also known as the Stored Communications Act, 18 U.S.C. Section 2701 et seq. (2006); see, e.g. , Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It , 72 Geo. Wash. L. Rev. 1208 (2004). The subsection clarifies that state law treats the fiduciary as "authorized" under state laws criminalizing unauthorized access.
State laws vary in their coverage but typically prohibit unauthorized computer access. By defining the fiduciary as an authorized user in subsection (4), the fiduciary has authorization under applicable law to access the digital assets under state computer trespass laws.
Federal courts may look to these provisions to guide their interpretations of ECPA and the federal Computer Fraud and Abuse Act, but fiduciaries should understand that federal courts may not view such provisions as dispositive in determining whether access to a user's account violated federal criminal law.
Subsection (5) clarifies that the fiduciary is authorized to access digital assets stored on tangible personal property of the decedent, protected person, principal, or settlor, such as laptops, computers, smartphones or storage media, exempting fiduciaries from application for purposes of state or federal laws on unauthorized computer access. For criminal law purposes, this clarifies that the fiduciary is authorized to access all of the user's digital assets, whether held locally or remotely.
Example 1--Access to digital assets by personal representative. D dies with a will that is silent with respect to digital assets. D has a bank account for which D received only electronic statements, D has stored photos in a cloud-based Internet account, and D has an e-mail account with a company that provides electronic- communication services to the public. The personal representative of D's estate needs access to the electronic bank account statements, the photo account, and e-mails.
The personal representative of D's estate has the authority to access D's electronic banking statements and D's photo account, which both fall under the act's definition of a "digital asset." This means that, if these accounts are password-protected or otherwise unavailable to the personal representative, then the bank and the photo account service must give access to the personal representative when the request is made in accordance with Section 1508. If the terms-of-service agreement permits D to transfer the accounts electronically, then the personal representative of D's estate can use that procedure for transfer as well.
The personal representative of D's estate is also able to request that the e-mail account service provider grant access to e-mails sent or received by D; ECPA permits the service provider to release the catalogue to the personal representative. The service provider also must provide the personal representative access to the content of an electronic communication sent or received by D if the user has consented and the fiduciary submitted the information required under Section 1507. The bank may release the catalogue of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not subject to the ECPA.
Example 2--Access to digital assets by agent. X creates a power of attorney designating A as X's agent. The power of attorney expressly grants A authority over X's digital assets, including the content of an electronic communication. X has a bank account for which X receives only electronic statements, X has stored photos in a cloud-based Internet account, and X has a game character and in-game property associated with an online game. X also has an e-mail account with a company that provides electronic-communication services to the public.
A has the authority to access X's electronic bank statements, the photo account, the game character and in-game property associated with the online game, all of which fall under the act's definition of a "digital asset." This means that, if these accounts are password-protected or otherwise unavailable to A as X's agent, then the bank, the photo account service provider, and the online game service provider must give access to A when the request is made in accordance with Section 1510. If the terms-of-service agreement permits X to transfer the accounts electronically, then A as X's agent can use that procedure for transfer as well.
As X's agent, A is also able to request that the e-mail account service provider grant access to e-mails sent or received by X; ECPA permits the service provider to release the catalogue. The service provider also must provide A access to the content of an electronic communication sent or received by X if the fiduciary provides the information required under Section 1509. The bank may release the catalogue of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not subject to the ECPA.
Example 3--Access to digital assets by trustee. T is the trustee of a trust established by S. As trustee of the trust, T opens a bank account for which T receives only electronic statements. S transfers into the trust to T as trustee (in compliance with a terms-of-service agreement) a game character and in-game property associated with an online game and a cloud-based Internet account in which S has stored photos. S also transfers to T as trustee (in compliance with the terms-of-service agreement) an e-mail account with a company that provides electronic-communication services to the public.
T is an original user with respect to the bank account that T opened, and T has the ability to access the electronic banking statements under Section 1511. T, as successor user to S, may under Section 1513 access the game character and in-game property associated with the online game and the photo account, which both fall under the act's definition of a "digital asset." This means that, if these accounts are password-protected or otherwise unavailable to T as trustee, then the bank, the photo account service provider, and the online game service provider must give access to T when the request is made in accordance with the act. If the terms-of-service agreement permits the user to transfer the accounts electronically, then T as trustee can use that procedure for transfer as well.
T as successor user of the e-mail account for which S was previously the user is also able to request that the e-mail account service provider grant access to e-mails sent or received by S; and ECPA permits the service provider to release the catalogue. The service provider also must provide T access to the content of an electronic communication sent or received by S if the fiduciary provides the information required under Section 1512. The bank may release the catalogue of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not subject to the ECPA.