By -

Good password habits are like most habits; hard to form, easy to break. Everyone has their own unique formula to access countless applications and programs as our lives become increasingly digitised. Solicitors are navigating these challenges in real time, as a NSW-led reform proposal aims to find the right balance between data access and privacy.

Once upon a time, passwords were written on a sheet of paper, kept inside a manila folder, and tucked away in a filing cabinet.

For the very brave, the handful of important combinations of numbers, letters and symbols were folded inside a wallet. Chances are the passwords were loose adaptions of each other, but under no circumstances could they include clues to birthdays or addresses. You guarded them like your house keys.

“Tell nobody” was the resounding warning.

Now, experts are urging people to scrap this “old-fashioned” way of treating access to their data, as it creates hurdles for solicitors working in data protection, privacy, risk management and wills and estates.

Accessing our digital lives, including everything from vaccination certificates and social media accounts to online banking (to name a few), all require passwords. Often, that also involves two-factor authentication in the form of Face ID, a phone call or text message. These passwords require regular updating, and we are prompted with emails or mobile alerts reminding us to do so. They need capital letters, numbers, and special characters. Even the best of us can mess it up.

Data protection and privacy lawyer Toby Blyth, partner at Colin Biggers & Paisley, has spent many years reading about, monitoring and analysing how people access their data, trying to “spot the problems just over the horizon” to best serve his clients. He tells LSJ that, while there is growing awareness about digital privacy, our identity in cyberspace has become impossible to control.

“In the olden days, people would do things like have a trusted friend who had a list of passwords. Problem with that is two things. One, the friend might use it and might not be so trusted. But two, the mosaic problem has grown now: there is no way I remember every password. We use cookies for that, which is great, but I don’t even remember where I’ve logged in,” Blyth explains.

“One thing I would like lawyers to do is get out of the 18th century idea of thinking in terms of paper. Things have changed dramatically. It’s not just the way we communicate, but the meta personality you have now over the internet in cyberspace. There is a presence you have that is hard to tie down in an old-fashioned way.

“Lawyers need to start thinking about that in terms of risk management, general commercial advice, asset planning, wills and estates. Every area of the law is being affected by this already, some people just haven’t noticed it”.

Darryl Browne, Principal of Browne Linkenbagh Legal Services, a firm specialising in wills and estates, has seen this shift play out in his practice, creating new challenges when administering an estate or managing the affairs of a person who has lost capacity.

“Under the old scheme, if a person had some really important information, people would put it in an envelope, seal it, sign it and give it to the solicitor who would put it in safe custody. If we do that now, two weeks after we’ve given the envelope, the username or password has changed,” Browne says.

“Once upon a time, the attorney’s and the executor’s jobs were particularly easy. They’d find the filing cabinet and find the manila folder. The worst thing would be the filing cabinet would be locked but the key would be in the top drawer of the desk. It wasn’t all that hard. But now, you have attorneys and executors taking on onerous jobs. It has been made a lot harder.

“I think the solution is that clients need to be informed of the issue, and they need to work out how they want to handle it. It’s a risk management issue.”

image description

‘Indiana Jones and the chasm of data’

Currently, no Australian jurisdiction has legislation that specifically deals with access to digital records in the event of death or loss of decision-making capacity. Several countries have taken steps to introduce such a scheme, including the model law adopted in several US states.

In July 2020, the then Council of Attorneys General agreed to form a Working Group to consider a nationally consistent approach to this issue and to make an access scheme a priority for 2022. The current Council met in Melbourne in August and agreed to a targeted consultation process to determine how digital records such as social media accounts should be accessed if the account holder dies or becomes incapacitated.

Targeted stakeholder consultation will take place from now until October this year and follows the report of the NSW Law Reform Commission (NSWLRC), released in 2019, which recommended the creation of a statutory scheme. In August, the NSWLRC released a new consultation paper calling for submissions from interested individuals and organisations.

NSW Attorney General Mark Speakman says this complex area of law requires “great sensitivity” to ensure any scheme strikes the right balance between access and privacy.

“Most people go online to work, to socialise and for entertainment, but few of us consider what happens to our digital assets once we are gone or are no longer able to make decisions,” Speakman says.

“Social media accounts such as TikTok, Snapchat, Twitter, Facebook and Instagram, along with other digital assets such as eBook libraries and music collections, are likely to outlive their owners, but access to them can vary according to the platform.”

Toby Blyth, partner at Colin Biggers & Paisley Toby Blyth, partner at Colin Biggers & Paisley

The really interesting point is that executors and heirs want everything but the person that is leaving the estate might not want everything handed over. You have this real tension between openness and compartmentalisation. We shouldn’t discount the importance of privacy and secrecy.

Blyth considers the reforms are a step in the right direction and will make it easier to access the social media accounts and other online assets Speakman mentions. However, they rely on parties being present in the jurisdiction and assets like cryptocurrency are not amenable to this, because they don’t physically exist anywhere.

“The Bitcoin problem is a disaster because whatever a government says, no exchange will hand over your private key. They don’t have it. We had problems about five years ago with a man who threw out an old laptop and then was searching the rubbish tip because it had his private keys to a lot of cryptocurrencies,” Blyth tells LSJ.

“It’s a great start, we are halfway across the chasm, but we are a little like Indiana Jones at the moment with a lot of the parts of the rope bridge missing.”

Digital custodians

Browne explains the “custodians” of digital records are usually overseas, as Blyth mentioned with the cryptocurrency example. Browne says this creates extra layers of complication, delay and cost while administering estates.

“The custodians are almost always offshore so it’s like dealing with an asset in another country: it involves a lot of extra complications and issues because you’re often dealing with the law in that country rather than the law of the country where the person is residing,” he says.

Browne tells LSJ about an ongoing matter where he is acting for a woman whose deceased husband purchased bitcoin before he passed away. The couple jointly owned most of their assets, including the home and bank accounts, and the husband had a superannuation fund that his wife could access without requiring probate. She didn’t need to prove the will.

“The agency through whom he purchased the Bitcoin is in Singapore. The agency is basically saying ‘we’re not going to give you any information’. She is saying, ‘I’m the wife, here is the death certificate and the marriage certificate’. But they weren’t prepared to deal with her,” Browne says.

“She now has to get probate for the estate even though probate wouldn’t otherwise be necessary, simply for the purpose of dealing with bitcoin. She may need to get probate in Singapore but it’s not like the bitcoin exists anywhere, so even getting probate in Singapore might not be sufficient.”

image description

While the NSW Supreme Court can make an order, the question stands of how far that overseas corporation in another jurisdiction will reach across cyberspace?

To remedy these challenges, Browne is calling for a global solution and collaboration from other countries to implement more streamlined legislation. “What needs to happen is, there needs to be an international convention which basically says, ‘this is the situation worldwide’.”

“We can all forget that the US is made up of 54 jurisdictions. If we think our federation is hard, theirs is much harder. Some of the states in the US have passed legislation which is generally consistent. Canada and some of its provinces have passed legislation. But the US and the Canadian models are slightly different. And the model that has been proposed by the NSW Law Reform Commission is slightly different again.”

Blyth asserts that while this could be “useful wedge” to bridge the gap, it will likely be met with resistance.  “A lot of the big internet companies… are not just going to roll over and consent to a legislated government to government remedy for this. Where I see some real resistance is the giants: Google and Facebook for example,” Blyth argues.

Darryl Browne, Principal of Browne Linkenbagh Legal Services Darryl Browne, Principal of Browne Linkenbagh Legal Services

Under the old scheme, if a person had some really important information, people would put it in an envelope, seal it, sign it and give it to the solicitor who would put it in safe custody. If we do that now, two weeks after we’ve given the envelope, the username or password has changed.

‘Unscrambling an omelette’

To address these data access problems at the source, Browne and Blyth agree the process needs to start with more considered estate planning. However, this can be fraught with risk as attorneys and wills and estates executors can be exposed to liability. How do you allow access and protect the risk?

“It has to start when you’re getting instructions from the person who has got the information and talk to them about the sorts of issues that can arise. Because the problem will arise at a time when they may have lost mental or functional capacity or because they’re deceased. Both of those then cause problems for the person who’s got the responsibility of trying to manage their person or their property, or administer the estate,” Browne explains.

“The executor’s obligation is to collect the assets for the estate and distribute it to the beneficiary. Let’s say the executor doesn’t do their job properly because they don’t go and find out about the bitcoin because it is all too hard and expensive. They are exposing themselves to liability to the beneficiary.”

“A greater risk is being put on the people who have got this fiduciary duty to act in the best interests of the person who is living but incapable or the person who is deceased and their beneficiaries.”

Blyth says working in risk management can be like trying to “unscramble an omelette”. He says how individuals and companies start their data protection and privacy plans will often govern how they end.

“The really interesting point is that executors and heirs want everything but the person that is leaving the estate might not want everything handed over. You have this real tension between openness and compartmentalisation. We shouldn’t discount the importance of privacy and secrecy,” Blyth says.

“Let’s be honest here, nobody would want their other half or their family to see every single thing they do online. People compartmentalise their identity for a reason.”