2021 Colorado Code
Title 15 - Probate, Trusts, and Fiduciaries
Article 1 - Fiduciary
Part 15 - Revised Uniform Fiduciary Access to Digital Assets Act
§ 15-1-1515. Fiduciary Duty and Authority

1. The legal duties imposed on a fiduciary charged with managing tangible property apply to the management of digital assets, including:
   1. The duty of care;
   2. The duty of loyalty; and
   3. The duty of confidentiality.

2. A fiduciary's or designated recipient's authority with respect to a digital asset of a user:
   1. Except as otherwise provided in section 15-1-1504, is subject to the applicable terms of service;
   2. Is subject to other applicable law, including copyright law;
   3. In the case of a fiduciary, is limited by the scope of the fiduciary's duties; and
   4. May not be used to impersonate the user.

3. A fiduciary with authority over the property of a decedent, protected person, principal, or settlor has the right to access any digital asset in which the decedent, protected person, principal, or settlor had a right or interest and that is not held by a custodian or subject to a terms-of-service agreement.
4. A fiduciary acting within the scope of the fiduciary's duties is an authorized user of the property of the decedent, protected person, principal, or settlor for the purpose of applicable computer-fraud and unauthorized-computer-access laws, including article 5.5 of title 18, C.R.S.
5. A fiduciary with authority over the tangible, personal property of a decedent, protected person, principal, or settlor:
   1. Has the right to access the property and any digital asset stored in it; and
   2. Is an authorized user for the purpose of computer-fraud and unauthorized-computer-access laws, including article 5.5 of title 18, C.R.S.

6. A custodian may disclose information in an account to a fiduciary of the user when the information is required to terminate an account used to access digital assets licensed to the user.
7. A fiduciary of a user may request a custodian to terminate the user's account. A request for termination must be in writing, in either physical or electronic form, and accompanied by:
   1. If the user is deceased, a certified copy of the death certificate of the user;
   2. A certified copy of the letter of appointment of the representative or a small-estate affidavit or court order, court order, power of attorney, or trust giving the fiduciary authority over the account; and
   3. If requested by the custodian:
      1. A number, username, address, or other unique subscriber or account identifier assigned by the custodian to identify the user's account;
      2. Evidence linking the account to the user; or
      3. A finding by the court that the user had a specific account with the custodian, identifiable by the information specified in subparagraph (I) of this paragraph (c).

8. A domiciliary foreign personal representative is not required to comply with the provisions of section 15-13-204, or with any other provision of article 13 of this title, as a condition to obtaining disclosure of a digital asset pursuant to this part 15.
9. A foreign conservator is not required to comply with the provisions of section 15-14-433 as a condition to obtaining disclosure of a digital asset pursuant to this part 15.

History. Source: L. 2016: Entire part added,(SB 16-088), ch. 71, p. 187, § 1, effective August 10.

The original version of UFADAA incorporated fiduciary duties by reference to “other law.” This proved to be confusing and led to enactment difficulty. Section 1515 specifies the nature, extent and limitation of the fiduciary's authority over digital assets. Subsection (1) expressly imposes all fiduciary duties to the management of digital assets, including the duties of care, loyalty and confidentiality. Subsection (2) specifies that a fiduciary's authority over digital assets is subject to the terms-of-service agreement, except to the extent the terms-of- service agreement provision is overridden by an action taken pursuant to Section 1504, and it reinforces the applicability of copyright and fiduciary duties. Finally, subsection (2) prohibits a fiduciary's authority being used to impersonate a user. Subsection (3) permits the fiduciary to access all digital assets not in an account or subject to a terms-of- service agreement. Subsection (4) further specifies that the fiduciary is an authorized user under any applicable law on unauthorized computer access.

Subsection (7) gives the fiduciary the option of requesting that an account be terminated, if termination would not violate a fiduciary duty.

This issue concerning the parameters of the fiduciary's authority potentially arises in two situations: 1) the fiduciary obtains access to a password or the like directly from the user, as would be true in various circumstances such as for the trustee of an inter vivos trust or someone who has stored passwords in a written or electronic list and those passwords are then transmitted to the fiduciary; and 2) the fiduciary obtains access pursuant to this act.

This section clarifies that the fiduciary has the same authority as the user if the user were the one exercising the authority (note that, where the user has died, this means that the fiduciary has the same access as the user had immediately before death). This means that the fiduciary's authority to access the digital asset is the same as the user except where, pursuant to Section 1504, the user has explicitly opted out of fiduciary access. In exercising its responsibilities, the fiduciary is subject to the duties and obligations established pursuant to state fiduciary law, and is liable for breach of those duties. Note that even if the digital asset were illegally obtained by the user, the fiduciary would still need access in order to handle that asset appropriately. There may, for example, be tax consequences that the fiduciary would be obligated to report.

However, this section does not require a custodian to permit a fiduciary to assume a user's terms-of-service agreement if the custodian can otherwise comply with Section 1506.

In exercising its responsibilities, the fiduciary is subject to the same limitations as the user more generally. For example, a fiduciary cannot delete an account if this would be fraudulent. Similarly, if the user could challenge provisions in a terms-of-service agreement, then the fiduciary is also able to do so. , 987 N.E.2d 604 (Mass. 2013).

Subsection (2) is designed to establish that the fiduciary is authorized to obtain or access digital assets in accordance with other applicable laws. The language mirrors that used in Title II of the Electronic Communications Privacy Act of 1986 (ECPA), also known as the Stored Communications Act, 18 U.S.C. Section 2701 (2006); , Orin S. Kerr, , 72 Geo. Wash. L. Rev. 1208 (2004). The subsection clarifies that state law treats the fiduciary as “authorized” under state laws criminalizing unauthorized access.

State laws vary in their coverage but typically prohibit unauthorized computer access. By defining the fiduciary as an authorized user in subsection (4), the fiduciary has authorization under applicable law to access the digital assets under state computer trespass laws.

Federal courts may look to these provisions to guide their interpretations of ECPA and the federal Computer Fraud and Abuse Act, but fiduciaries should understand that federal courts may not view such provisions as dispositive in determining whether access to a user's account violated federal criminal law.

Subsection (5) clarifies that the fiduciary is authorized to access digital assets stored on tangible personal property of the decedent, protected person, principal, or settlor, such as laptops, computers, smartphones or storage media, exempting fiduciaries from application for purposes of state or federal laws on unauthorized computer access. For criminal law purposes, this clarifies that the fiduciary is authorized to access all of the user's digital assets, whether held locally or remotely.

D dies with a will that is silent with respect to digital assets. D has a bank account for which D received only electronic statements, D has stored photos in a cloud-based Internet account, and D has an e-mail account with a company that provides electronic- communication services to the public. The personal representative of D's estate needs access to the electronic bank account statements, the photo account, and e-mails.

The personal representative of D's estate has the authority to access D's electronic banking statements and D's photo account, which both fall under the act's definition of a “digital asset.” This means that, if these accounts are password-protected or otherwise unavailable to the personal representative, then the bank and the photo account service must give access to the personal representative when the request is made in accordance with Section 1508. If the terms-of-service agreement permits D to transfer the accounts electronically, then the personal representative of D's estate can use that procedure for transfer as well.

The personal representative of D's estate is also able to request that the e-mail account service provider grant access to e-mails sent or received by D; ECPA permits the service provider to release the catalogue to the personal representative. The service provider also must provide the personal representative access to the content of an electronic communication sent or received by D if the user has consented and the fiduciary submitted the information required under Section 1507. The bank may release the catalogue of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not subject to the ECPA.

X creates a power of attorney designating A as X's agent. The power of attorney expressly grants A authority over X's digital assets, including the content of an electronic communication. X has a bank account for which X receives only electronic statements, X has stored photos in a cloud-based Internet account, and X has a game character and in-game property associated with an online game. X also has an e-mail account with a company that provides electronic-communication services to the public.

A has the authority to access X's electronic bank statements, the photo account, the game character and in-game property associated with the online game, all of which fall under the act's definition of a “digital asset.” This means that, if these accounts are password-protected or otherwise unavailable to A as X's agent, then the bank, the photo account service provider, and the online game service provider must give access to A when the request is made in accordance with Section 1510. If the terms-of-service agreement permits X to transfer the accounts electronically, then A as X's agent can use that procedure for transfer as well.

As X's agent, A is also able to request that the e-mail account service provider grant access to e-mails sent or received by X; ECPA permits the service provider to release the catalogue. The service provider also must provide A access to the content of an electronic communication sent or received by X if the fiduciary provides the information required under Section 1509. The bank may release the catalogue of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not subject to the ECPA.

T is the trustee of a trust established by S. As trustee of the trust, T opens a bank account for which T receives only electronic statements. S transfers into the trust to T as trustee (in compliance with a terms-of-service agreement) a game character and in-game property associated with an online game and a cloud-based Internet account in which S has stored photos. S also transfers to T as trustee (in compliance with the terms-of-service agreement) an e-mail account with a company that provides electronic-communication services to the public.

T is an original user with respect to the bank account that T opened, and T has the ability to access the electronic banking statements under Section 1511. T, as successor user to S, may under Section 1513 access the game character and in-game property associated with the online game and the photo account, which both fall under the act's definition of a “digital asset.” This means that, if these accounts are password-protected or otherwise unavailable to T as trustee, then the bank, the photo account service provider, and the online game service provider must give access to T when the request is made in accordance with the act. If the terms-of-service agreement permits the user to transfer the accounts electronically, then T as trustee can use that procedure for transfer as well.

T as successor user of the e-mail account for which S was previously the user is also able to request that the e-mail account service provider grant access to e-mails sent or received by S; and ECPA permits the service provider to release the catalogue. The service provider also must provide T access to the content of an electronic communication sent or received by S if the fiduciary provides the information required under Section 1512. The bank may release the catalogue of electronic communications or content of an electronic communication for which it is the originator or the addressee because the bank is not subject to the ECPA.