BlackBerry Blog

Post Mortem Data Protection Laws

Unless you are Elon Musk, who intends to map his brain to a computer in his lifetime, what happens when you log out of your social media accounts forever? Once someone has passed away, what security protections are in place to prevent their social media accounts from being hijacked, or worse, their identity stolen and used by fraudsters?

We also can’t help but wonder if they’ll still receive those “are you sure you want to deactivate your account, or just adjust your email notifications from Facebook?” alerts, too.

The Australian state of New South Wales is currently addressing this thorny issue, and not just concerning social media accounts, but all digital assets (cryptocurrency, anyone?) belonging to a person who has died. The Register article on this news from the Australian state explains:

The State’s Law Reform Commission has been tasked with probing “whether NSW needs legislation to regulate who can access the digital assets of a person who has died or is incapacitated.”

Attorney-general Mark Speakman said, “The Law Reform Commission will also look at whether additional privacy protections are needed in situations where a person hasn’t made arrangements for anyone to take control of their social media or access their private emails.”

What we’re left asking is whether a person’s requests and desires about what should happen to their online accounts and assets should be written into wills going forward. As social media is a relatively new technology, laws to protect that data in the event of one’s death are still in their infancy, but legal brawls over the issue are already happening worldwide and are sure to only become more complex in future.

Financial accounts are, of course, addressed as physical assets in a person’s estate, but what about Bitcoin accounts? What about private emails and instant messages, or encrypted photos and videos stored on a person’s cloud drives? You may think you’d be okay with your parents going through your Google Drive in the event of your untimely death, but read that line again and seriously think – do you really WANT your parents going through your Google Drive in the event of your untimely death? These are questions we’ll all eventually face, so it makes sense to start thinking about them today.

Is Your Data in Good Hands?

In the case of social media, Facebook has made a brave start at tackling the problem by allowing everyone with a Facebook account to assign one trusted person to be what they call a legacy contact. By default, the account of a deceased person is turned into a memorial account once Facebook is notified of their death, and can only be accessed (though in a very limited way) by a single legacy contact.

A legacy contact can do simple things like change the person's profile picture and cover photo, write a pinned post on the timeline to notify friends of the account holder’s passing, and respond to new friend requests, but they can’t actually log into the account and see everything private in there, such as personal messages. They also can’t remove existing friends or change/delete posted content such as photo albums or wall posts. This rule also serves as an important safeguard against someone hacking the account and vandalizing it.

But what about the cybersecurity aspects of other online accounts? Unless the person kept detailed records of each and every account they have online and set each one up to be accessed by a relative and deactivated upon their passing, we are left with the unfortunate reality that there will likely be dozens, if not hundreds of inactive accounts for each person left floating around the web upon their passing. And if nobody is actively monitoring their email, unauthorized password resets and account hacks will go unnoticed, possibly for years.

Account hijacking is a serious concern for the living and can lead to a fair amount of annoyance and inconvenience, but for the family of a person who has passed, an account hijack can be heartbreaking. Until data protection laws are set up to encompass this complex and highly emotive issue, it is wise for everyone to set time aside to take stock of their digital assets and come up with a plan to ensure the safety (or destruction) of those assets upon their passing.

If you haven’t yet assigned a legacy contact for your Facebook account, you can find more information to get started here. Google’s Inactive Account Manager also has options for post-mortem account activity, which lets you specify what you want Google to do with your Google+, Blogger, Drive, Gmail and YouTube if Google detects they have been inactive for an unusual length of time – you can access the setup wizard here.

Cylance Research Team

About Cylance Research Team

The Cylance Research team explores the boundaries of the information security field identifying emerging threats and remaining at the forefront of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.