October 2, 2023 By Sue Poremba 4 min read

More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile.

Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere.

When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights around that information? What is an organization’s level of responsibility to follow data privacy regulations when the owner is deceased, and does that change if the person was a customer, a client or an employee?

Data as property: Who owns it?

The first hurdle in posthumous data protection is defining ownership. Any organization with data stored in a public cloud has had to address the question of data ownership in relation to cybersecurity: Whose job is it to protect data in the cloud?

“When using a cloud-based vendor, many businesses think that they are retaining ownership of their data in these third-party services agreements — but this is often not the case,” Jon Roskill wrote in Forbes. End-user licenses often have wording that shifts data ownership away from the consumer and passes it along to the vendor.

Data ownership is a very slippery slope. Businesses are frequently sold, and when that happens, the data is business collateral. It doesn’t matter if the data was generated by customers; it becomes the property of the new owners.

If we can’t define data ownership, we also can’t allow data to be inherited. The idea of digital inheritance is still in its infancy, Dan Demeter, senior security researcher, and Marco Preuss, deputy director of GReAT, both with Kaspersky Lab, told an audience at RSA Conference 2023, but right now, there are no clear sets of procedures or laws around how to pass your digital rights to the next of kin.

Perhaps the biggest obstacle to defining data as property is that data can be anywhere and is often redundant. When a user shares personally identifiable information (PII) with a vendor, they’ll never know for sure where that data ends up or how often the data may have been replicated. Sets of data that specifically identify an individual could be stored on-premise with one company but are backed up and replicated on four off-site data centers in different countries. Now you aren’t just dealing with the vendor’s right of ownership but also laws governing data in each location.

Data never dies

The default assumption is that when a person dies, it doesn’t matter what happens to their digital assets. They aren’t going to need them. Managing someone else’s digital remains is a huge undertaking, often requiring death certificates and proving your relationship. Even then, you may just be scraping the surface of what’s actually out in the wild. And what do you do with the data you recovered? The task is so overwhelming, and there is nothing tangible to collect or defend.

Your loved one will die. Their digital assets will live on. Without the ability to monitor accounts or put surroundings around their personal data, a dead person’s PII becomes an appealing target for identity thieves and account hijackers. Overall, attacks due to account takeovers increased by 131% in 2022, according to research from Sift.

“The nature of account takeover attacks also makes them easy to scale — having access to one set of compromised credentials often opens the door to multiple accounts, giving fraudsters several sources to steal from,” a Sift blog post stated.

Digital accounts once belonging to someone who has passed away become literal ghost accounts. They are dormant and unwatched. No one keeps a vigilant watch on inactive accounts, and threat actors know that. This becomes a serious cyber risk for whoever holds the data. A single compromised account can offer long-term access to the corporate network, opening the door to ransomware attacks or financial theft.

Most data privacy regulations won’t offer any protection, either. They offer privacy coverage for identifiable persons; a dead person does not qualify as identifiable. An exception to this is health care information because that often includes records for another (living) person.

Protecting your deceased customers and employees

You can’t protect what you don’t know. Yes, that’s a cliche by now, but it’s also easy to forget. So while everyone in the company is alive and well, it is time to begin a comprehensive inventory of assets.

This must be a lifelong process, said Demeter and Preuss, because building one’s digital assets is a lifelong process.

Users need to create an inheritance plan. Maybe no one is going to physically inherit your digital assets, but chances are, someone will need to access accounts. Within the work environment, this is especially true for business continuity. Passwords, user names and MFA keys must be available.

The privacy gamechanger: AI

Artificial intelligence is going to force lawmakers and organizations to rethink the rules around data privacy for dead people. Any type of digital asset can be turned into fake information or regenerated to bring someone digitally back to life. Generative AI is already being used to build avatars of the deceased, called ghostbots, using available data to recreate their voice and personalities to make it seem like they are alive. But while dead people don’t have privacy rights, ghostbots are clearly blurring the lines of when data privacy should end.

While currently, ghostbots don’t seem to be a security risk; it really is just a matter of time until threat actors use AI to take identity theft to the next level. Organizations are better off without ghost data that could put them at greater risk of a data breach. But is that data handed off to the next of kin, or is it deleted?

Everyone has a digital legacy to protect. We just need to figure out the best way to do it while protecting the privacy of the deceased and their loved ones.

More from Data Protection

Data security tools make data loss prevention more efficient

3 min read - As businesses navigate the complexities of modern-day cybersecurity initiatives, data loss prevention (DLP) software is the frontline defense against potential data breaches and exfiltration. DLP solutions allow organizations to detect, react to and prevent data leakage or misuse of sensitive information that can lead to catastrophic consequences. However, while DLP solutions play a critical role in cybersecurity, their effectiveness significantly improves when integrated with the right tools and infrastructure. Key limitations of DLP solutions (and how to overcome them) DLP…

Defense in depth: Layering your security coverage

2 min read - The more valuable a possession, the more steps you take to protect it. A home, for example, is protected by the lock systems on doors and windows, but the valuable or sensitive items that a criminal might steal are stored with even more security — in a locked filing cabinet or a safe. This provides layers of protection for the things you really don’t want a thief to get their hands on. You tailor each item’s protection accordingly, depending on…

What is data security posture management?

3 min read - Do you know where all your organization’s data resides across your hybrid cloud environment? Is it appropriately protected? How sure are you? 30%? 50%? It may not be enough. The Cost of a Data Breach Report 2023 revealed that 82% of breaches involved data in the cloud, and 39% of breached data was stored across multiple types of environments. If you have any doubt, your enterprise should consider acquiring a data security posture management (DSPM) solution. With the global average…

Cost of a data breach: The evolving role of law enforcement

4 min read - If someone broke into your company’s office to steal your valuable assets, your first step would be to contact law enforcement. But would your reaction be the same if someone broke into your company’s network and accessed your most valuable assets through a data breach? A decade ago, when smartphones were still relatively new and most people were still coming to understand the value of data both corporate-wide and personally, there was little incentive to report cyber crime. It was…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today