October 2, 2023 By Sue Poremba 4 min read

More than two hundred years ago, Benjamin Franklin said there is nothing certain but death and taxes. If Franklin were alive today, he would add one more certainty to his list: your digital profile.

Between the data compiled and stored by employers, private businesses, government agencies and social media sites, the personal information of nearly every single individual is anywhere and everywhere.

When someone dies, that data becomes the responsibility of the estate; but what happens to the privacy rights around that information? What is an organization’s level of responsibility to follow data privacy regulations when the owner is deceased, and does that change if the person was a customer, a client or an employee?

Data as property: Who owns it?

The first hurdle in posthumous data protection is defining ownership. Any organization with data stored in a public cloud has had to address the question of data ownership in relation to cybersecurity: Whose job is it to protect data in the cloud?

“When using a cloud-based vendor, many businesses think that they are retaining ownership of their data in these third-party services agreements — but this is often not the case,” Jon Roskill wrote in Forbes. End-user licenses often have wording that shifts data ownership away from the consumer and passes it along to the vendor.

Data ownership is a very slippery slope. Businesses are frequently sold, and when that happens, the data is business collateral. It doesn’t matter if the data was generated by customers; it becomes the property of the new owners.

If we can’t define data ownership, we also can’t allow data to be inherited. The idea of digital inheritance is still in its infancy, Dan Demeter, senior security researcher, and Marco Preuss, deputy director of GReAT, both with Kaspersky Lab, told an audience at RSA Conference 2023; right now, there are no clear procedures or laws governing how to pass your digital rights to your next of kin.

Perhaps the biggest obstacle to defining data as property is that data can be anywhere and is often redundant. When a user shares personally identifiable information (PII) with a vendor, they’ll never know for sure where that data ends up or how often it has been replicated. Sets of data that specifically identify an individual could be stored on-premises with one company but backed up and replicated to four off-site data centers in different countries. Now you aren’t just dealing with the vendor’s right of ownership but also with the laws governing data in each location.

Data never dies

The default assumption is that when a person dies, it doesn’t matter what happens to their digital assets. They aren’t going to need them. Managing someone else’s digital remains is a huge undertaking, often requiring death certificates and proving your relationship. Even then, you may just be scraping the surface of what’s actually out in the wild. And what do you do with the data you recovered? The task is so overwhelming, and there is nothing tangible to collect or defend.

Your loved one will die. Their digital assets will live on. Without the ability to monitor accounts or put safeguards around their personal data, a dead person’s PII becomes an appealing target for identity thieves and account hijackers. Overall, attacks due to account takeovers increased by 131% in 2022, according to research from Sift.

“The nature of account takeover attacks also makes them easy to scale — having access to one set of compromised credentials often opens the door to multiple accounts, giving fraudsters several sources to steal from,” a Sift blog post stated.

Digital accounts once belonging to someone who has passed away become literal ghost accounts. They are dormant and unwatched. No one keeps a vigilant watch on inactive accounts, and threat actors know that. This becomes a serious cyber risk for whoever holds the data. A single compromised account can offer long-term access to the corporate network, opening the door to ransomware attacks or financial theft.

Most data privacy regulations won’t offer any protection, either. They offer privacy coverage for identifiable persons; a dead person does not qualify as identifiable. An exception to this is health care information because that often includes records for another (living) person.

Protecting your deceased customers and employees

You can’t protect what you don’t know. Yes, that’s a cliché by now, but it’s also easy to forget. So while everyone in the company is alive and well, it is time to begin a comprehensive inventory of assets.

This must be a lifelong process, said Demeter and Preuss, because building one’s digital assets is a lifelong process.

Users need to create an inheritance plan. Maybe no one is going to physically inherit your digital assets, but chances are, someone will need to access accounts. Within the work environment, this is especially true for business continuity. Passwords, user names and MFA keys must be available.
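The two risks described above, ghost accounts that nobody watches and the lack of an account inventory, are something a security team can check for mechanically once it has an inventory and a feed of authentication events. The script below is an added example, not code from the article or from any product it mentions. It uses a constructed, hypothetical log format and constructed account names; the set of deceased account holders, the log lines and the idle threshold are all assumptions. It flags any activity on an account after the date the organization was notified of the holder’s death, and it separately lists inventoried accounts that have gone idle for longer than a chosen period so they can be disabled rather than left dormant.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: accounts an HR or customer-offboarding process has
# flagged as belonging to deceased people, keyed to the notification date.
# Names and dates are hypothetical.
DECEASED_ACCOUNTS = {
    "jdoe": datetime(2023, 6, 14),
    "asmith": datetime(2023, 8, 1),
}

# Constructed authentication log lines in a made-up syslog-like format.
SAMPLE_LOG = """\
2023-09-01T08:15:02Z auth sshd: Accepted password for mlee from 10.0.4.12
2023-09-02T23:41:17Z auth vpn: login user=jdoe src=203.0.113.45 result=success
2023-09-03T02:10:09Z auth webapp: user=asmith action=password_reset result=success
2023-09-03T09:00:00Z auth sshd: Failed password for jdoe from 198.51.100.7
2023-09-04T11:22:33Z auth webapp: user=mlee action=login result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<src>\w+): (?P<msg>.*)$")
# Two ways the constructed format names the account: "user=NAME" or "for NAME from".
USER_PATTERNS = [
    re.compile(r"user=(?P<user>\w+)"),
    re.compile(r"for (?P<user>\w+) from"),
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an auth event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    user = None
    for pat in USER_PATTERNS:
        um = pat.search(m.group("msg"))
        if um:
            user = um.group("user")
            break
    if user is None:
        return None
    return {"ts": ts, "source": m.group("src"), "user": user, "msg": m.group("msg")}


def find_ghost_activity(log_text, deceased):
    """Return every event (success or failure) on an account after its death notification.

    Any activity at all on such an account is anomalous: the legitimate holder
    cannot be producing it, so each hit is worth an analyst's attention.
    """
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        notified = deceased.get(ev["user"])
        if notified is not None and ev["ts"] >= notified:
            alerts.append(ev)
    return alerts


def dormant_accounts(log_text, known_accounts, as_of, max_idle_days=90):
    """Return inventoried accounts with no successful activity in the last max_idle_days.

    Accounts never seen in the log at all are treated as dormant, which is the
    case that an inventory catches and a log-only review misses.
    """
    last_seen = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        succeeded = "result=success" in ev["msg"] or ev["msg"].startswith("Accepted")
        if succeeded and ev["ts"] > last_seen.get(ev["user"], datetime.min):
            last_seen[ev["user"]] = ev["ts"]
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u in known_accounts if last_seen.get(u, datetime.min) < cutoff)


if __name__ == "__main__":
    for ev in find_ghost_activity(SAMPLE_LOG, DECEASED_ACCOUNTS):
        print(f"GHOST ACTIVITY {ev['ts'].isoformat()} {ev['source']} user={ev['user']}: {ev['msg']}")
    # Constructed inventory; "rkhan" appears in the inventory but never in the log.
    inventory = {"mlee", "jdoe", "asmith", "rkhan"}
    for u in dormant_accounts(SAMPLE_LOG, inventory, as_of=datetime(2023, 10, 15), max_idle_days=42):
        print(f"DORMANT candidate for disablement: {u}")
```

The two checks are deliberately separate. The first needs the offboarding feed and fires on any event, including failed logins, because an attacker probing a dead person’s credentials is exactly the signal worth catching. The second needs only the inventory and a log, and its main value is the account that appears in the inventory but in no log at all, which is the ghost account the article warns about.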

The privacy gamechanger: AI

Artificial intelligence is going to force lawmakers and organizations to rethink the rules around data privacy for dead people. Any type of digital asset can be turned into fake information or regenerated to bring someone digitally back to life. Generative AI is already being used to build avatars of the deceased, called ghostbots, using available data to recreate their voice and personalities to make it seem like they are alive. But while dead people don’t have privacy rights, ghostbots are clearly blurring the lines of when data privacy should end.

While ghostbots don’t currently seem to be a security risk, it is just a matter of time until threat actors use AI to take identity theft to the next level. Organizations are better off without ghost data that could put them at greater risk of a data breach. But is that data handed off to the next of kin, or is it deleted?

Everyone has a digital legacy to protect. We just need to figure out the best way to do it while protecting the privacy of the deceased and their loved ones.
