Death and Taxes

CISO-in-a-Box CISO-in-a-Box

Death and Taxes. With enough lawyers you can avoid most of the taxes, but as sure as I am typing these words, and you are reading them, every one of us is going to die[*]. While we each have a will to cover our possessions and assets, how many of us include in that document what to do about digital assets? More to the point - if someone dies and leaves no will, the law is reasonably straightforward about what to with their possessions and finances. But our legal system has not yet really begun to address consistently what to do with the dear departed’s Facebook or Twitter accounts, their email, websites, and so on.

These are digital assets but there’s not necessarily a physical item that corresponds to any of them. To make sure these are handled according to my wishes after I die, I have made a “data will.” Note: I am not a lawyer and this is not legal advice. If you want your “data will” to be enforceable as part of your actual, legal last will and testament, you must consult a lawyer.

What’s in a data will? This will differ in the details for everyone but I think these major sections are a good starting point. First and foremost, passwords. If you are using some kind of password management tool (as I suggest!), this will be easy. You will only need to tell your survivors where the password data resides, and what is the master password to gain access to it. If there’s no password manager wrangling all your individual passwords, you’ll have to list them all in this document, or an attachment.

The password list or manager also provides a map of where you had an online presence and business or personal relationships, which will help in other ways. If some of your online accounts have two-factor authentication such as an app on your phone that generates a 6-digit code when logging in from a new device, etc., make sure the document details where to find that, and how to use it. Also, include information on how to unlock your phone!

Email is still a fundamental service in the online world, especially when it’s the focal point for most sites’ password-reset processes. So make sure your document includes an abundance of information as to where your email is delivered, how to log into it, and pointers to the password manager entries for the email password (or the email password itself).

You may wish some of your online accounts and services to continue running. For example, you may host a family website, or use a backup service that includes your spouse’s or other family members’ data. Instructions as to what should be kept going vs. what can safely be shut down will be useful here.

Also consider that any auto-pay arrangements, such as monthly or annual billing to a certain credit card or via PayPal, might not be obvious to your loved ones. Make these arrangements explicit in this document. Finally, how to notify online friends & colleagues of your death. Many of us are members of virtual communities that might not have visibility to other more traditional ways our death would be communicated, such as local obituaries or even Facebook pages. If you are a member of professional mailing lists or other such niches of cyberspace, make sure your survivors will know how to send a notification to those communities.  You may have been working on a joint project at the time of your death: it’s only polite to let the team know you won’t be at the next meeting.

Once you have completed this awesome document, you have two main things to worry about: How to make sure it has the desired effect once it’s needed, and how to keep it safe, meanwhile. I mentioned above that if you want it to be legally enforceable, then you need to consult with a lawyer as to how to make it part of, or an attachment to, your will. Be sure to confirm whether or not it will become part of the public record - if so, you will want to work with your lawyer to conceal the passwords and other sensitive information in your document.

As for the security of the document while you’re still alive, I refer back to the three most basic concepts of information security: Confidentiality, Integrity and Availability. All three of those apply here, with very high stakes. You need to be sure the document is not disclosed to anyone unauthorized, that it is not altered without your knowledge, and that your survivors can get to it after your death without serious obstacles. There are many ways to accomplish each of these three things, but what I will delve into a future post is document storage “in the Cloud”, and how that can address all three of these concerns. this article originally appeared in the September 2016 edition of The Empty Closet.

[*] - except maybe Peter Thiel but really... who wants to be a vampire?

This article was updated on 2023-05-12 10:00:18

CISO-in-a-Box

Infosec geekosaurus.  All opinions my own.

Information security since 2005.  IT... well into my second millenium.