

BUYER BEWARE:
The Importance of Conducting Environmental Due Diligence


























Buyer Beware: The Importance of Conducting Environmental Due Diligence
By Toni Meier and Delaney Beier
California Wildfires: What Is the Lender’s Obligation to Release Insurance Proceeds for the Repair and Restoration of Real Property?
By Steven A. Paletz and William J. Bernfeld
Promises, Promises: What If a Commercial Tenant Doesn’t Pay or Perform?
By Joshua Stein
Samuel Dangremond
G. Lodise






What Estate Planners Should Tell Clients about Security Including Cybersecurity?
By Thomas Tietz, Brian Cluxton, and Martin M. Shenkman
Robert Steele (TE)
Articles Editor for Real Property
Cheryl Kelly (RP)
Assistant Real Property Editors
John Trott (RP)
Catherine (Kate) Williams (RP)
Sarah Dawn Cline (RP)
Articles Editor for Trust and Estate
Keri Brown (TE)
Assistant Trust and Estate Editors
Jeffrey Hopkins (TE)
Brandon Ross (TE)
Rachel Lee (TE)
Martin Shenkman (TE)
Assistant Editor for Section News and Events
Amber Quintal (TE)
The materials contained herein represent the opinions of the authors and editors and should not be construed to be those of either the American Bar Association or the Section of Real Property, Trust and Estate Law unless adopted pursuant to the bylaws of the Association. Nothing contained herein is to be considered the rendering of legal or ethical advice for specific cases, and readers are responsible for obtaining such advice from their own legal counsel. These materials and any forms and agreements herein are intended for educational and informational purposes only.


Buyer Beware: The Importance of Conducting Environmental Due Diligence
By Toni Meier1 and Delaney Beier2
This article provides an overview of the environmental due diligence process in commercial real estate transactions, focusing on evaluating and mitigating environmental risks and liabilities.
In the context of commercial real estate transactions, due diligence is conducted to obtain and verify available information regarding a property’s attributes and characteristics, physical and environmental condition, ownership, and other information relevant to the property’s potential reuse and redevelopment.3 The discussion of due diligence is often separated into environmental due diligence and real estate (or property) due diligence. While the former is conducted, in large part, to evaluate the environmental condition of a property and to satisfy the requirements for all appropriate inquiries (“AAIs”) as defined in the Comprehensive Environmental Response, Compensation and Liability Act (“CERCLA”),4 the latter is conducted to identify attributes and characteristics about a property that affect the ability to transfer or reuse a property, such as zoning, potential liens, encroachments, and building conditions.5 This article provides a general overview of the environmental due diligence process, which should begin as soon as possible to understand and potentially minimize any environmental risks and liabilities.
The environmental due diligence process typically begins with assembling the appropriate team, as gathering the team early avoids unnecessary heartache if environmental issues are discovered. Typically, this includes environmental attorneys, real estate attorneys, and environmental consultants. It is advisable to task your legal counsel with retaining your environmental consultant and managing that relationship. Not only does this allow for the environmental consultant’s opinions to be protected from discovery by the attorney-client privilege,6 but it also allows you to have greater control over the outcome of the environmental consultant’s determination.
Additionally, environmental consultants typically provide a “form” engagement agreement including a job-specific scope of work mixed with other more general “form” provisions that, if left unnegotiated, may severely limit the environmental consultant’s liability. You will be well-served to have your legal counsel negotiate the environmental consultant’s agreement to best protect you, or at a minimum, to make you aware of any deficiencies or limitations in the agreement. In addition to liability limitations, consulting agreements often attempt to limit the timeframes for asserting claims, potentially impacting otherwise applicable statutes of limitations, or to narrow the scope of the investigation, precluding the availability of the AAI defenses.
Once retained with the properly negotiated agreement in place, the environmental consultant will likely begin the due diligence process with a Phase I Environmental Site Assessment (“ESA”). Typically, a Phase I ESA is conducted to meet the requirements for AAIs established under CERCLA and set out in the U.S. Environmental Protection Agency’s (“EPA”) regulations. A Phase I ESA is limited to a historical and “above surface” investigation.7 While there are many benefits to environmental due diligence, the biggest benefit for prospective property owners is protection from liability for environmental risks, including liability under CERCLA.
In short, CERCLA addresses the cleanup of uncontrolled or abandoned hazardous waste sites, as well as accidents, spills, and other emergency releases of pollutants and contaminants into environmental media (e.g., soil, groundwater, surface water, sediment). A party may be liable under CERCLA for cleaning up hazardous substances located at a property that it owns or operates even if the party did not own the property at the time the hazardous substances were released.8 CERCLA grants EPA, or under certain circumstances, private parties, the authority to sue any current owner or operator of a contaminated property for costs associated with cleanup.9 It is worth noting that past owners and operators are generally only liable if they owned the property at the time the hazardous substances were disposed of or otherwise released.10
Property owners, and even lessees,11 may avoid liability, however, by conducting proper environmental due diligence. When CERCLA was amended in 1986, the “innocent landowner defense” was established, which creates a shield to liability if the owner “did not know and had no reason to know” about the contamination on the property prior to the purchase. When CERCLA was amended again in 2002, new liability protections were added, and the existing innocent landowner defense was clarified. Under the 2002 amendments, the liability protections were extended to parties who qualify as bona fide prospective purchasers, contiguous property owners, or innocent landowners who conduct AAIs into the potential contamination of the property.12 Because the liability protections are self-implementing, all an entity must do to receive the protections provided by the amendments is comply with the requirements of the statute.
Importantly, there are different conditions for each of these landowner types.13 However, there are also overlapping threshold criteria and ongoing obligations, or common elements, that all three landowner types must meet in order to obtain the liability protections afforded under CERCLA. The performance of AAIs is one such common element.
40 C.F.R. § 312.20 contains the requirements for AAIs, including (1) a Phase I ESA, (2) the collection of information about the property, and (3) searches for recorded environmental cleanup liens. The collection of information about the property includes (1) interviews with past and present owners, operators, and occupants, (2) searches for recorded environmental cleanup liens, (3) reviews of federal, tribal, state, and local governmental records, (4) visual inspections of the facility and of adjoining properties, and (5) the declaration by the environmental professional providing the Phase I ESA.14 AAIs must be conducted within one year prior to the date of acquisition of the property,15 and the information collected during the environmental due diligence period must be updated within 180 days of, and prior to, the date of acquisition of the property.16
It is important to note, however, that a Phase I ESA can, but does not always, satisfy the AAIs. For example, a prospective purchaser must also conduct a search for any recorded environmental cleanup liens and any activity-use limitations on the property. Most Phase I ESA agreements will exclude such a review. For this reason, it is important to have legal counsel manage the relationship with the environmental consultant to ensure all requirements of the AAIs have been satisfied.
Based on the results of the Phase I ESA, additional investigation may be necessary to better understand the type and extent of any releases or potential releases. Typically, a finding of a recognized environmental condition, or REC, will lead the environmental consultant to recommend additional work be performed. This additional investigation is conducted via what is typically referred to as a Phase II ESA. The Phase II ESA is an investigation that often requires collection and analysis of environmental and other media samples (e.g., soil, groundwater, electrical equipment, insulation).17 A good reference of distinction between a Phase I ESA and a Phase II ESA is that a Phase I ESA is aboveground and a Phase II ESA is underground (or sub-surface).
Published in eReport, Winter 2025 © 2025 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
Another step in the environmental due diligence process is to conduct an environmental compliance review to determine the regulatory status of the property by considering which federal, state, and local environmental laws may apply based upon the environmental conditions, operating practices, and other factors. These environmental laws could include, for example, the Clean Air Act,18 the Clean Water Act,19 the Endangered Species Act,20 the Resource Conservation and Recovery Act,21 and the Toxic Substance Control Act.22 Additionally, this review should consider any applicable state voluntary cleanup programs, state underground storage tank programs, and any wetlands determinations.
A prospective purchaser should carefully review a seller’s environmental compliance track record, including the seller’s permit history, permit conditions, and actual and potential enforcement status. Importantly, where a seller has a history of permit violations, this may subject a property to continuing and frequent investigations.
Another step in the environmental due diligence process is to determine whether any land use controls have been implemented regarding the property. These land use controls may include either institutional controls or engineering controls, used alone or in combination, to ensure protection of human health and the environment. While institutional controls are administrative or legal controls that minimize the potential human exposure to contamination by restricting the activities or use of a property or the use of a resource (e.g., groundwater), engineering controls are physical or engineered measures that may include, for example, various capping methods, vapor mitigation systems, or groundwater barriers or systems.
Starting the environmental due diligence process as early as possible is critical: it allows prospective purchasers to identify potential environmental risks and liabilities before they become deal-killers or costly problems, and it allows parties to mitigate such risks and liabilities. We encourage clients to reach out to us if they are looking to sell or acquire property and want to minimize environmental risks and liabilities.
Endnotes
1. Toni Meier is a partner with Bradley Arant Boult Cummings LLP, where she focuses her practice on helping clients, including private citizens, corporate entities, real estate developers, utilities, and landowners, on an assortment of environmental and real estate issues. Toni helps clients negotiate and litigate complex disputes in state and federal courts, governmental agencies and municipalities in the Southwest.
2. Delaney Beier is an associate with Bradley Arant Boult Cummings LLP, where she advises clients in various industries, from large corporations to small businesses, on a broad range of environmental issues. Delaney helps clients navigate complex environmental laws and regulations, and in doing so, collaborates with a variety of federal, state, and local environmental agencies to help clients achieve desirable results.
3. Revitalization – Ready Guide – Chapter 3: Reuse Assessment, EPA (June 11, 2024), https://www.epa.gov/land-revitalization/revitalization-ready-guide-chapter-3-reuse-assessment
4. 42 U.S.C. §§ 9601 et seq.
5. Revitalization – Ready Guide – Chapter 3: Reuse Assessment, supra note 1.
6. This may also provide protection in the form of the work-product doctrine, though this protection may be limited if litigation ultimately ensues.
7. See 40 C.F.R. Part 312.
8. See generally 42 U.S.C. § 9607.
9. This is generally referred to as a cost-recovery action pursuant to 42 U.S.C. § 9607(b). CERCLA also provides for a contribution action, pursuant to 42 U.S.C. § 9613, which allows a potentially responsible party that has been required to pay response costs to assert a contribution claim against other potentially responsible parties to compel them to bear an equitable share of those costs.
10. There are a number of different ways in which this has been applied to past owners and operators.
11. In 2018, Congress passed the Brownfields Utilization, Investment, and Local Development Act, or the BUILD Act, which included revisions to CERCLA’s definition of a bona fide prospective purchaser to address lessee concerns about potential liability with the reuse of contaminated property. The revised definition now includes a person who acquires a leasehold interest in a property and meets certain criteria.
12. See generally 40 C.F.R. § 312.1.
13. Common Elements and Other Landowner Liability Guidance, EPA (Aug. 17, 2023), https://www.epa.gov/enforcement/common-elements-and-other-landowner-liability-guidance.
14. A Phase I ESA should be conducted in accordance with the ASTM International Standard E1527-21 entitled “Standard Practice for Environmental Site Assessments: Phase I Environmental Site Assessment Process.” See 40 C.F.R. § 312.11.
15. 40 C.F.R. § 312.20(a).
16. 40 C.F.R. § 312.20(b).
17. A Phase II ESA is most often conducted in accordance with the ASTM International Standard E1903-19 entitled “Standard Practice for Environmental Site Assessments: Phase II Environmental Site Assessment Process.”
18. 42 U.S.C. §§ 7401 et seq.
19. 33 U.S.C. §§ 1251 et seq.
20. 16 U.S.C. §§ 1531 et seq.
21. 42 U.S.C. §§ 6901 et seq.
22. 15 U.S.C. §§ 2601 et seq.

California Wildfires: What Is the Lender’s Obligation to Release Insurance Proceeds for the Repair and Restoration of Real Property?
By Steven A. Paletz1 and William J. Bernfeld2
This article discusses lenders’ obligations to release insurance proceeds for restoring real property when the post-restoration valuation of their security is unknown.
At this juncture, it is difficult to assess the breadth of damage and loss of life that has occurred as a result of the devastating fires in California. Based on initial reports, it is possible that entire communities have been destroyed and certain areas may never be rebuilt to previous levels of occupancy. This will result in an as yet undetermined but significant loss in the value of real property in the Los Angeles area, which risks impairing lenders’ security.
Lenders will be inundated with borrower requests for release of insurance proceeds for the repair and restoration of improvements. Typically, this request is approved by lenders, as a reconstructed property would enhance the lender’s security, not impair it. However, as a result of the destruction of the California fires and the unpredictability of the rebuilding of neighboring properties, a reconstructed property may not adequately protect the secured lender.
It is common knowledge that lenders making secured real property loans require loss payee endorsements to the borrower’s casualty policy, so that the lender will control the disbursement of loan proceeds in the event of a loss. Schoolcraft v. Ross3 is the seminal California Court of Appeals case that addressed the circumstances in which a lender must release fire insurance proceeds to allow for repair and restoration. In Schoolcraft, the court held that a beneficiary of a deed of trust must (i) act in accordance with the implied covenant of good faith and fair dealing and (ii) must permit fire insurance proceeds to be utilized for the cost of rebuilding when the security is not impaired.4 In Schoolcraft, the plaintiff presented evidence that the home could be reconstructed for $14,100, and upon completion the property would have a fair market value of $20,000. The lender refused to distribute the insurance proceeds to the borrower and the borrower eventually defaulted on the loan. The court found that the beneficiary of the deed of trust failed to act in accordance with the implied covenant of good faith and fair dealing, since beneficiary’s security was not impaired, and damages were awarded to the plaintiff.
Schoolcraft was later codified in Section 2924.7 of the California Civil Code, which reads, “The provisions of any deed of trust or mortgage on real property which authorize any beneficiary, trustee, mortgagee, or his or her agent or successor in interest, to receive and control the disbursement of the proceeds of any policy of fire, flood, or other hazard insurance respecting the property shall be enforceable whether or not impairment of the security interest in the property has resulted from the event that caused the proceeds of the insurance policy to become payable.”5 While not apparent from the text of the statute, the historical note clarifies that the language is not intended to abrogate the holding in Schoolcraft, but rather is meant to carry it forward. The statute should therefore be interpreted to mean that when the security is not impaired as a result of a loss, a lender may control the disbursement of the proceeds,6 provided it makes them available to pay the costs of restoration on demand by the borrower (assuming, in accordance with the statute, that the deed of trust or mortgage so provides).7 This ultimately derives from the implied covenant of good faith and fair dealing articulated in Schoolcraft, since it would be inequitable to allow a lender to retain proceeds, likely forcing the borrower into default and allowing lender to then recover the property through foreclosure and potentially seek a deficiency judgment.8
While in Schoolcraft the rebuilding process would have resulted in an improved value of the security, the current situation in California remains unpredictable, where entire neighborhoods have been destroyed. If a home was damaged but survived the fires, but is in a neighborhood where every other home was destroyed, is that property truly able to be occupied? Infrastructure will likely need significant repairs, and the toxicity of the neighborhood might remain for years.
So is the value of a rebuilt property higher or lower than it was prior to the fires? The Wall Street Journal reports, “The Palisades fire affected some of the wealthiest neighborhoods in Los Angeles, where Zillow estimates half of the nearly 10,000 homes are valued at $3 Million or more.”9 Looking at a home that was damaged or destroyed by the fires and had a $3 million valuation prior to the loss, if it has a mortgage of $2 million and it is rebuilt, given the condition of the neighborhood, the home might only be worth $1.5 million upon completion, putting the lender under water. This is only a hypothetical, but these are difficult issues lenders will have to confront over the next several months and years.
The grey area that will have to be addressed is the definition of the term “impairment of security,” which is the standard articulated in the Schoolcraft case. One California court, citing Schoolcraft, developed the “debt equivalency rule,” which states that if the estimated value of the rebuilt property exceeds the value of the outstanding debt, there is no impairment of security.10 This will challenge any lender’s underwriting department, as the definition does not give any consideration to a loan to value ratio (LTV). So in theory, where a lender makes a loan with a 75% LTV, under the “debt equivalency rule,” a court could find that there’s no impairment of security where the LTV is 90% (or higher) after restoration of the property. The rule established by this California court will be put to a test in the months and years to come.
In light of the unprecedented damage to some of the wealthiest communities in the United States, it is probably best to characterize the current situation as “fluid.” Lenders are advised to remain vigilant and watch for court rulings and changes to state and municipal law that might affect their obligations to disburse loan proceeds under their loan documents.
Endnotes
1. Steven Paletz is an associate with Akerman LLP where he represents local, regional, and national developers throughout the lifecycle of a commercial real estate transaction. His clients represent a diversity of real estate sectors including residential, industrial, retail, office, mixed use, and hospitality projects. His experience includes all aspects of a real estate transaction including agreements, leases, entitlement work, financing and construction agreements. Steven has also represented lenders in connection with the drafting and negotiation of loan documents. In November of 2021, Steven was appointed as a Commissioner on the Colorado Economic Development Commission.
2. William (“Bill”) Bernfeld is a partner with Akerman LLP where he focuses his practice on real estate and commercial law. He regularly assists clients in acquisitions and dispositions, leasing, and financing of real estate projects in a variety of sectors throughout California including office, retail, restaurant, and industrial. Bill regularly works on behalf of lenders to secure permanent, construction, and distressed project financing, as well as handling asset-based and commercial lending transactions on behalf of institutional clients. Bill has also developed a niche practice in representing lenders in trusts and estates transactions. Bill’s background as a bankruptcy attorney puts him in a unique position to assist clients with distressed real estate transactions including loan workouts and other restructuring needs.
3. Schoolcraft v. Ross, 81 Cal. App. 3d 75, 146 Cal. Rptr. 57, 58 (Ct. App. 1978)
4. Id. (Emphasis added)
5. Cal. Civ. Code § 2924.7 (West)
6. § L59 LOSS PAYABLE, 3 California Ins. Law Dictionary & Desk Ref. § L59 (2024 ed.)
7. § 13:80. Rights to insurance proceeds—Prior to foreclosure, 5 Cal. Real Est. § 13:80 (4th ed.)
8. Id.
9. Wall Street Journal, January 18, 2025, 9:00 p.m. ET, U.S. Section, by Juanje Gomez, Andrea Fuller, Kate King, and Sarah Krouse (digital version)
10. People Ex Rel Dep’t of Transportation v. Redwood Baseline, Ltd., 84 Cal. App. 3d 663, 669, 149 Cal. Rptr. 11, 15 (Ct. App. 1978)

Promises, Promises: What If a Commercial Tenant Doesn’t Pay or Perform?
By Joshua Stein1
Instead of relying on standard termination of lease or acceleration of rent remedies, landlords should consider implementing small and immediate consequences for any non-monetary tenant defaults in order to ensure enforceability of the same.
Commercial leases require tenants to pay rent, but that requirement is just the beginning. Tenants also agree to contribute to real estate taxes, maintain insurance, keep the space clean and in decent condition, report certain information to the property owner, keep the sidewalk free of junk and the windows free of ugly signs, and so on. In short, tenants promise to do all kinds of things beyond simply paying rent. Many tenants do what they promise. Some do not. In the latter case, what can a property owner do?
If you read any commercial lease, you will see that the property owner can terminate a lease if the tenant doesn’t perform its promises. The lease also says that if the tenant defaults, the owner can go into the space and remove the tenant and its belongings. The owner supposedly also has the right to change the locks or turn off the utilities. The owner might need to give the tenant a warning or two and a grace period or two to clean up its act, but eventually a tenant default entitles the property owner to exercise all kinds of draconian remedies.
Many commercial leases also say that, in the event of a default, the property owner can draw down on the tenant’s security deposit and demand that the tenant replenish it, claw back free rent benefits that the tenant received during its initial buildout, and accelerate the rent through the end of the lease. Yes, if you read a commercial lease it lays out a lot of scary things that can happen to a defaulting tenant.
Not so fast! The courts will often stand in the way of a property owner that wants to terminate a lease or take other draconian actions. The courts will conclude that the tenant’s sins weren’t bad enough to justify termination or other serious consequences. The tenant will often promise to do better. The court will often believe the tenant and give them a second chance, and a third chance, and a fourth. (In most cases, those are actually the fourth, fifth, and sixth chances, or more than that, because the property owner started out being patient but finally lost patience.)
To top it all off, this process will often happen at an excruciatingly slow pace, at least in New York City, because the courts are so overwhelmed with landlord-tenant disputes and other claims. Any landlord-tenant dispute will typically get adjourned a couple of times for a few months before the court even starts to consider it.
As the net result, property owners shouldn’t believe they actually have the right to terminate a lease or exercise other extreme rights for a tenant’s default, especially if it’s a default that the tenant can argue is no big deal. A bit of unpaid rent might not matter. Many months of unpaid rent probably would matter, but the court would probably still give the tenant more time. And the court would still take quite a while to get to that decision.
A torn awning might be an immaterial violation of the tenant’s covenant to maintain the space (and the awning) as a “Class A” restaurant, but failure to maintain insurance as the lease requires often will be deemed “material.” That is up to the judge. Many judges seem to think that property owners just own property and as a result get endless piles of money, have accumulated massive cash reserves over the years, and ought to be able to suck it up – much of which is often false.
In response, property owners ought to think about building into their leases the ability to respond to tenant defaults in ways that are less dramatic than terminating the lease or removing the tenant from the leased space.
Interest and late charges on unpaid rent, and reimbursement of the property owner’s attorneys’ fees, are the first and most obvious weapons that any property owner ought to build into its lease. It is astonishing to see how many leases, particularly older ones, don’t provide for those payments. That omission happens most often in cases where a property owner agreed to live with a tenant’s form of lease, perhaps choosing to do that to save legal fees.
Conversely, if a lease does call for interest, late charges, and reimbursement of attorneys’ fees, courts will usually enforce those requirements, though it may take a while. If a tenant realizes it will in all likelihood eventually need to pay default interest at a high rate, late charges, and attorneys’ fees, that just might create enough of an incentive to pay on time. If the tenant is short on money, an owner will want the tenant to have an incentive to pay rent before other obligations.
Tenants also assume many meaningful obligations beyond the obligation to pay rent. A concerned property owner might try to build monetary measures into the lease in order to respond to certain defaults. For example, if a tenant promises to stay open certain hours, then a court probably won’t allow the owner to terminate the lease if the tenant violates its promise, but a court might very well enforce a formulaic payment for every hour the tenant is closed when they agreed to stay open.
It helps for the property owner to include language explaining why the payment is reasonable and why it’s important for the tenant to stay open.
Many other lease-related issues could also be converted into payment obligations. As another example, instead of prohibiting the tenant from selling their lease or subleasing the space to someone else, maybe the lease could automatically allow certain transactions of those types but also require a rent adjustment if they occur. It doesn’t always need to be a binary or “yes/no” situation, in which the property owner’s main right or remedy consists of terminating the lease.
If the lease has a guarantor and the property owner wants the guarantor to maintain a certain financial strength, a court would probably not allow the property owner to terminate the lease if the guarantor falls below the required financial standard or doesn’t deliver financial reports to show the guarantor remains strong. The lease might, however, call for a rent increase or “administrative fee” to compensate the owner for (actually or potentially) taking more risk than anticipated. Or the lease could require the tenant to deliver a letter of credit or other security to plug the gap.
If the tenant allows garbage to pile up in the wrong places or at the wrong times, any lease will often allow the property owner to clean up the mess at the tenant’s expense. It might make more sense to simply allow the property owner to impose a formulaic charge for making the mess. Again, the lease should explain why it’s important that such messes shouldn’t happen and why the formulaic charge makes sense.
In short, any property owner should try to give itself an arsenal of weapons both large and small to use against a defaulting tenant. Those weapons should of course include lease termination. They should also include lesser measures that will give the owner a practical remedy for any default, given that courts won’t readily terminate leases for defaults, especially for nonmonetary defaults or any defaults deemed immaterial.
If the lease gives the tenant special rights or privileges, maybe the property owner should have the right to suspend them while the tenant is in default. As a possibly trivial example, suppose the lease allows the tenant to use fire stairs to go between floors. The property owner could (assuming the law allows it) have the right to temporarily deactivate the tenant’s access rights during a lease default. That’s minor, but it creates a tedious nuisance and minor waste of time for the tenant and the tenant’s staff. It is like the waste of time suffered when someone gets pulled over for a traffic ticket. The time lost amounts to a worse punishment than the fine paid.
As an overall goal, the property owner should try to create small and immediate consequences for bad behavior. Small and immediate consequences may be more painful than larger ones, which might not survive a court’s scrutiny. If the property owner can and does accelerate all the rent due under the last seven years of a lease and the tenant suddenly owes six or seven figures of accelerated rent, then many tenants will just give up. That usually means camping out in the space without paying rent, and operating the tenant’s business until the marshal or sheriff arrives. If the property owner can assert draconian and very expensive remedies against the tenant, the tenant might just stop trying to comply with the lease.
Smaller consequences might suffice, at least sometimes, to train a tenant that the property owner should not always be the last to get paid after payroll, suppliers, and distributions to the tenant’s owners. The property owner is not the tenant’s partner! On the other hand, if the tenant is the property owner’s de facto partner, then the owner wants to be able to take small but serious actions to inspire the tenant to take that partnership seriously.
Endnotes
1. Copyright (C) 2025 Joshua Stein (joshua@joshuastein.com). The author is the sole principal of Joshua Stein PLLC (www.joshuastein.com), a member of the American College of Real Estate Lawyers, and author of a half dozen books and 500+ articles on commercial real estate law and practice. For information on his latest book, New Guide to Ground Leases, visit www.groundleasebook.com. An earlier version of this article appeared on www.forbes.com, where the author is a regular columnist on commercial real estate issues.

Leasing SCIF Space: Considerations for Landlords and Tenants
By Briana Stolley1
This article discusses the robust demand for SCIF space and the challenges both landlords and tenants face in leasing the same.
In the post COVID-19 era, the office leasing market has faced significant challenges due to remote work and hybrid models, particularly in non-trophy-class buildings. One healthy exception to the office market struggle is the continuing need for Sensitive Compartmented Information Facility (SCIF) space – which is secure space designed to protect classified information from unauthorized access, eavesdropping and other security threats.
SCIF spaces remain crucial for entities engaged in government work, defense contracting and industries handling sensitive data. Work performed in SCIF spaces cannot be performed remotely, so remote and hybrid models are not relevant for the companies that require SCIF space. These spaces may be less visible to the broader commercial real estate market, but the demand for SCIF space is robust and continues to play a pivotal role in industries where security is important. In office building markets hit by the pandemic downturn, SCIFs are truly a hidden gem and can keep rental income streams in the black. Further, given President Donald Trump’s promises to expand markets for government services beyond the traditional hotbeds for the industry, demand for SCIF space is likely to increase across the U.S., including in markets that are traditionally unfamiliar with SCIFs. In this article, we will explore the unique challenges that landlords and tenants face in leasing these specialized spaces and how both parties can navigate the complexities involved in leasing SCIF-compliant office spaces.
What’s Special About a SCIF?
SCIFs are specifically designed to safeguard against unauthorized access, surveillance or interception of sensitive information. A SCIF space must meet specific requirements set forth by the Director of National Intelligence (DNI) and National Security Agency (NSA). These requirements ensure the space is secure against a range of security threats, including electronic surveillance, physical breaches and unauthorized access. Key features typically include:
• Physical Security: reinforced walls, ceilings and floors designed to prevent unauthorized access and soundproofing; the space may also include bulletproof windows, secure doors and specialized locks
• EMI Shielding: electromagnetic shielding to prevent data from being intercepted through radio frequencies or electromagnetic signals
• Access Control Systems: advanced access control mechanisms such as biometric scanning, proximity cards and security personnel
• Alarm and Monitoring Systems: continuous monitoring systems to detect any attempts to breach the security of the SCIF
• Environmental Controls: systems that ensure the SCIF remains within required temperature and humidity levels to protect sensitive equipment
SCIFs are not typical office space and present a number of challenges for both landlords and tenants. These challenges range from the financial costs associated with the space to the ongoing security responsibilities that must be upheld. For both parties, navigating the complexities of leasing SCIF space requires a deep understanding of the unique requirements and legal obligations involved.
Considerations for Landlords
For landlords considering leasing space for SCIF use, there are several factors to take into account. Securing a tenant for SCIF space involves a clear understanding of the unique needs of the tenant and the resources required to meet federal security requirements.
• Compliance with Security Regulations. One of the most critical aspects for landlords is ensuring that the SCIF complies with federal security standards. These standards can be complex and must meet stringent requirements for design, construction and ongoing operation. Before leasing space, landlords should ask the tenant to share the requirements of its government contract and confirm that the building can accommodate the necessary security features required by the tenant (or the tenant’s government client) or that the tenant is willing to cover the cost thereof.
• Modification and Buildout Costs; Surrender and Removal. SCIF space requires extensive modifications to an existing building, including reinforced walls, secure doors and specialized electronic systems. These modifications are often expensive and time-consuming. Landlords need to decide whether they will handle these buildout costs or whether they will pass them on to the tenant. Landlords should also consider whether their property is adaptable to SCIF requirements. Some older buildings may have structural limitations that make it difficult or impractical to convert them into SCIF-compliant spaces. Similarly, leases should expressly deal with the required condition of the leased space upon surrender. In a market where a SCIF is not likely to be reused, landlords may wish to push the costs of removal and restoration of the SCIF back to the tenant.
• Long-Term Commitment vs. Early Termination. Because of the high costs associated with building out and maintaining SCIF space, these leases tend to be long-term commitments. At the same time, landlords should be prepared for the possibility that the tenant may require an exit provision in the event that the government fails to renew its contract requiring the SCIF, and landlords should require the tenant to pay a termination fee as compensation for any unamortized buildout costs if an early termination occurs.
• Liability and Security Concerns. Landlords should use reasonable efforts to ensure that the building itself is protected from external threats and that proper procedures are in place for monitoring and maintaining security. Security breaches could result in significant legal and financial liabilities, particularly if classified information is compromised. Simultaneously, in the lease, landlords should expressly disclaim liability for security breaches and make it clear that this is not the landlord’s contractual responsibility.
• Tenant Responsibilities and Access Control. Landlords must carefully define in the lease agreement the responsibilities of the tenant in terms of maintaining security protocols and access controls within the SCIF. This includes specifying who has access to the facility and how sensitive information and equipment are handled. Landlords should be prepared for tenants to require in the leases that the landlord may not access the tenant’s SCIF without a representative of tenant present. Landlords should also be prepared for SCIF tenants to require that any landlord staff, including cleaning and repairmen or engineers, be qualified U.S. citizens and undergo a background check that may include fingerprinting.
Considerations for Tenants
For tenants, leasing SCIF space is a matter of ensuring they have the appropriate infrastructure and environment to safeguard sensitive and classified information and comply with the requirements of the government contract. Here are some key considerations for tenants when negotiating a lease for SCIF space:
• Security Needs and Compliance; Accreditation. Tenants must assess their specific security needs and ensure that the SCIF space complies with all government standards for protecting classified information. All SCIFs have to be certified and accredited. The SCIF accreditation process is a series of steps (including pre-construction concept and plan approval, construction security checks and inspections) that ensure a SCIF is built to meet security requirements. The process involves a government sponsor, an accrediting official and a final inspection. Tenants should also be aware of the requirements for securing personnel who will have access to the SCIF and ensure that the landlord is capable of meeting those needs. Tenants should require that the lease document include any such requirements regarding the landlord’s personnel (citizenship requirements, background checks, fingerprinting).
Published in eReport, Winter 2025 © 2025 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
• Building and Space Requirements. Before committing to a lease, tenants should thoroughly review the building’s ability to accommodate SCIF requirements. This includes evaluating the building’s existing security features (such as perimeter security and access control systems) and determining whether any modifications will be necessary to meet SCIF standards. While looking for SCIF space, tenants should strongly consider hiring a broker with specific SCIF experience. Experienced brokers can be a wealth of knowledge with respect to which buildings in a market area can accommodate the SCIF requirements, which will ensure that tenants avoid wasting time touring and pursuing opportunities that are not feasible.
• Customization and Modifications. Though some SCIF spaces are prebuilt, others may require significant modifications to meet the specific needs of the tenant. Tenants should clarify whether they are responsible for the cost of these modifications or if the landlord will bear the expense. Tenants should also ensure that they have sufficient time to complete any necessary buildout before occupying the space. If the tenant will be responsible for constructing the SCIF, the tenant should be sure to hire a contractor who regularly performs construction for tenant buildouts in SCIFs. Better yet, a tenant should consider using a contractor who has already built out SCIF space in the exact building housing the space being leased.
• Length and Flexibility of Lease Terms. Given the significant investment in both time and money involved in setting up SCIF space, lease terms for such spaces are typically long-term. Tenants must carefully evaluate the lease duration, renewal options and any exit clauses that may affect their ability to move out or expand their operations in the future. The tenant should not agree to relocation or redevelopment rights benefitting the landlord that are typically contained in boilerplate leases. At the same time, the tenant should consider the risk of a long-term lease in light of its ability to maintain and renew any particular government contract requiring the SCIF.
• Ongoing Maintenance and Security Monitoring. Tenants must have a clear understanding of who is responsible for maintaining the SCIF space and ensuring it remains secure. This includes ongoing monitoring, maintaining the physical security infrastructure and managing access to the SCIF. It’s important for the lease to clearly define these responsibilities to prevent misunderstandings.
• Insurance and Liability. SCIF spaces and the government contracts that require them often involve significant financial and operational risks, particularly in the event of a security breach or data leak. Tenants should ensure they have adequate insurance coverage to protect against potential liabilities related to the loss or compromise of sensitive information.
Conclusion
SCIF spaces are a critical component of national security and increasingly in demand due to the rise of international conflicts, cyber threats and the growing need to protect sensitive information. Both landlords and tenants need to carefully consider the unique requirements associated with leasing SCIF space, from compliance with government security standards to the cost of modifications and the long-term nature of the lease. For landlords, the ability to provide SCIF-compliant spaces may offer a niche market, but it requires careful planning and investment. For tenants, securing the right SCIF space involves understanding the security needs of their operations and the financial investment required. For both parties, the importance of clear, well-structured lease agreements is paramount.
Endnotes
1. Briana Becker Stolley is a partner at Holland & Knight’s Tysons, Virginia office, specializing in commercial real estate and finance transactions. She represents owners, developers, investors, landlords and tenants in various real estate matters, including leasing, development, and acquisitions. Briana has extensive experience with handling real estate transactions for government contract industry clients.
TRUST AND ESTATE

How to Protect Digital Assets in an Estate Plan
By Samuel Dangremond
Introduction
As the digital landscape continues to evolve, so too does the importance of digital assets in the context of estate planning. With the rise in identity theft, estimated to affect 22% of individuals over a lifetime, with losses from identity theft totaling $16.4 billion in 2021, safeguarding digital assets is vital.1
Digital assets are projected to generate more than $80 billion in revenue in 2024, and interest in certain digital assets like non-fungible tokens (NFTs) and convertible virtual currencies and cryptocurrencies such as Bitcoin is growing.2 Practitioners must proactively address digital assets as part of the estate planning process. And this is only one indicator of the growing importance. No doubt as AI expands its reach, digital assets will continue to grow in importance.
Thus, in today’s increasingly digital world, an individual’s electronic assets are an important and growing part of clients’ estates. Everything from social media accounts to digital photographs to email can be considered a digital asset, and it is essential to properly account for the digital asset category in an estate plan. This requires addressing digital assets at the planning stage, assuring that estate planning documents incorporate provisions to deal with digital assets, but also guiding clients on practical steps that they might consider to secure and eventually transmit digital assets.
Despite the growth of digital assets, many clients, especially older ones (who are the most likely to be addressing estate planning) often do not appreciate the importance of digital assets or the steps necessary to take as part of the estate planning process. Most clients use digital assets every day. This use can include social media accounts, airline miles, and online investment accounts, photographs that have significant sentimental value, and more. Unfortunately, there is no simple magic bullet step to manage or dispose of digital assets. For example, every website or online service has its own methodology. Few clients understand the implications of this. Failing to address these issues may create tremendous problems for agents under durable powers of attorney, trustees, and personal representatives. Worse, it could jeopardize vital assets that clients wish to protect and transmit as part of their plans. Failing to consider digital assets can lead to significant legal, financial, and personal challenges for clients’ heirs.
In 2024, 1.94 trillion photos are estimated to be taken worldwide, and users share approximately 14 billion images through social media platforms on a daily basis.3 All these personal images exist as digital assets in online accounts such as Facebook, Instagram, Twitter, Google Photos, Apple iCloud Photos, Flickr, and others, and an estate plan should account for them.
It is Not Just Legal Documents
Practitioners might recommend that clients list all digital assets. This might be incorporated into the standard estate planning organizer firms use by asking for such a listing. Clients can be prompted to document their online accounts, including email and social media accounts, so that practitioners can determine the scope of digital assets that they have to address in the planning. Those documents might caution clients not to indicate passwords but to use a password manager to organize them. That may lead to a discussion with clients as to how to safeguard passwords and other sensitive electronic information. While that has never been a topic of traditional estate planning, it should be now. The client can be prompted in the organizer to indicate what they would like to happen to those assets after their deaths.
Digital assets may also include:
• Airline miles, credit card points, hotel points, and other rewards program points (American Express, for example, includes the following language in the terms and conditions of its Membership Rewards program (https://www.americanexpress.com/content/dam/amex/us/rewards/membership-rewards/mr-terms-conditions-07.17.23.pdf): When the client dies, the personal representative may be able to make a one-time points redemption, depending on their Product, by calling 1-800-AXP-EARN (297-3276))
• Photos saved to a cloud-based storage platform like Dropbox and Google Photos
• E-commerce accounts on sites like eBay and Amazon, and other sites where clients may store digital goods like e-books, music, and software, and
• Cryptocurrencies like Bitcoin and Ethereum, along with digital wallets used to manage these assets.
Advise Clients to Designate Legacy Contacts for Accounts That Offer the Ability to Add Them
Some tech companies have established ways for users to set up “legacy contacts,” meaning trusted individuals who can be authorized to access an individual’s data after that person’s death. After death, a user’s account is memorialized and a legacy contact can be given access to certain parts of the account to decide what should happen to the material within it. On Facebook, for instance, a legacy contact can share a final message on the deceased individual’s profile and also decide who can see and post memorial tributes. Here are links on how to find the legacy contact pages for some major tech companies:
• Apple (https://support.apple.com/en-us/102631)
• Google (https://myaccount.google.com/inactive)
• Facebook (https://www.facebook.com/help/1070665206293088)
Setting up a legacy contact is typically a straightforward process. Using Apple’s Legacy Contact process as an example, the client designates a Legacy Contact who can request access to their data after death by providing a death certificate and an “access key,” which is a QR code and a series of letters and numbers that can be printed and given to a Legacy Contact or transmitted by text message. A Legacy Contact may have access to a wide range of data, but the access will vary by provider and change over time. They may be able to access messages, photos, and files stored in iCloud, along with the client’s call history, email, health data, notes, contacts, calendars, voice memos, Safari bookmarks, and reminders. For that reason, it is important to consider carefully whom clients designate as a legacy contact.
Provide the Client’s Legal Representatives with Access to Online Accounts in a Will and Revocable Trust
As the ABA Real Property, Trust and Estate Law Section previously covered, an Executor or Personal Representative does not automatically gain access to a decedent’s online accounts without specific consent from the decedent. Nearly every state has adopted the Revised Uniform Fiduciary Access to Digital Assets Act (RUFADAA). For people who die living in one of those states, legal representatives will be able to access a decedent’s online accounts if:
1. A client has activated a setting within the online account (an online tool) in which the client provides a direction to disclose the contents of their account upon their death to their representatives, or
2. A client’s will specifically allows legal representatives to access their online accounts.
Sample Language for a Digital Asset Provision in a Will
“My Executors may take any action with respect to my Digital Assets, Digital Accounts, and Digital Devices, as my Executors shall deem necessary or appropriate, and as shall be permitted under applicable state, Federal, or international law, giving due effect to the authorization provided in this paragraph. This authority shall include, but shall not be limited to, (a) the authority to access or control any Digital Device, including any computer, camera, telephone, or data storage device owned or lawfully used by me, individually or jointly, (b) the authority to manage, control, delete, or terminate any e-mail, telephone, bank, brokerage, investment, insurance, social networking, internet service provider, retail vendor, utility or other account which was owned or lawfully used by me, individually or jointly, and (c) the authority to change my username and password to gain access to such accounts and information. I expressly authorize the disclosure to my Executors of (a) a full catalogue of my Digital Assets and Digital Accounts, including a full catalogue of my electronic communications, and (b) all content of electronic communication sent or received by me. My Executors may engage experts or consultants or any other third party, and may delegate authority to such experts, consultants or third party, as necessary or appropriate to effectuate the actions authorized under this paragraph. This authority is intended to give my ‘lawful consent’ for my Executors to take the actions described in this paragraph, to the fullest extent allowable under The Electronic Communications Privacy Act, as amended, the Computer Fraud and Abuse Act of 1986 as amended, the Gramm-Leach-Bliley Act, as amended, and any other Federal, state, or international laws that may require such consent or authorization. To the extent that a specific reference to any such law is required in order to grant my Executors the authority described in this paragraph, I hereby express my intent to reference such law, whether currently in existence or enacted or amended to require such reference after the date of this Will.”
Ensure That Legal Representatives Have Access to a Client’s Digital Asset Plan
Make sure that the client’s executor or personal representative has a list of their digital assets, including email and social media accounts. The representative should also have the passwords to access those assets and up-to-date log-in information.
Encourage Clients to Revisit Their Digital Asset Plan to Ensure It Still Accomplishes Their Goals
Just as estate planning experts recommend that clients review their will and estate planning documents every few years or upon a major life event like marriage or divorce, individuals should keep their digital asset plan current. This requirement means keeping a digital asset plan separate from a will and other estate planning documents and reviewing it at least once a year to ensure the accounts and passwords are still accurate.
Conclusion
Practitioners should guide clients to:
• Document all their online accounts, including email and social media, and the relevant passwords. Decide what they would like to happen to them after their death.
• Determine which digital accounts can add legacy contacts, and choose whom they would like their legacy contacts to be.
• Share their digital asset plan with their legal representatives.
By taking the steps outlined in this article, individuals can make sure that their digital assets are accounted for in their estate plans. Given how often and the degree to which technology changes, though, it is important to keep digital asset estate plans up to date.
Endnotes
1. “Victims of Identity Theft, 2021,” https://bjs.ojp.gov/press-release/victims-identity-theft-2021, accessed Nov. 27, 2024.
2. “Digital Assets – Worldwide,” https://www.statista.com/outlook/dmo/fintech/digital-assets/worldwide, accessed Nov. 22, 2024.
3. “How many photos are taken every day?,” https://photutorial.com/photos-statistics, accessed Dec. 5, 2024.

The Impact of NCBE Dropping Wills and Trusts From the Next Gen Bar Exam
Margaret G. Lodise1
The National Conference of Bar Examiners, which develops the Uniform Bar Exam, currently used by 40 states, has dropped wills and trusts as a tested subject matter from the Next Gen Bar Exam.
As widely reported, the National Conference of Bar Examiners (“NCBE”), which develops the Uniform Bar Exam (“UBE”) currently used by 40 states, has dropped wills and trusts as a tested subject matter from the Next Gen Bar Exam scheduled to be rolled out in July 2026. Not all 40 states currently using the UBE have signed on to the Next Gen Bar exam, but an increasing number are doing so. When approached about the decision to drop wills and trusts, officials at NCBE advised that trusts and estates concepts will be included between 2026 and 2028 on the performance portions of the exam. The performance portions provide the necessary law, so it is not necessary to have substantive knowledge ahead of the exam. California announced in May of this year that it would opt out of using the Next Gen Bar exam, but a Blue Ribbon commission organized to study the bar exam in California recommended that the topic be dropped from California’s bar exam as well. Fortunately, the State Supreme Court, in its Administrative Order 202410-10-01 issued Oct. 10, 2024, rejected this recommendation, keeping estate planning, trusts and probate on the California exam at least for the time being.
Even with California for the moment bucking the trend, trusts and estates practitioners are justifiably worried about the impact of decisions to remove wills and trusts from the exam throughout large portions of the country. There is already an alarming drop in tenured wills and trusts professors in law schools around the country. And the removal of the subject from the majority of bar exams will only further that drop – if the subject is not tested on the bar, students are less likely to take it in law school, and, thus, there is less need to teach it and certainly less need for a tenured professor to do so. Law students study at law schools across the country even when they wind up practicing in California, and the breadth of that education matters.
And even an attorney trained and barred in California frequently needs competent assistance in jurisdictions outside of California. Because probate jurisdiction is in rem and each state has its own system, if a California resident dies owning property in another state, there needs to be a probate in that state to handle that property. Absent multiple bar admissions, a California lawyer is neither competent nor licensed to handle the property in another state. The same is true for issues relating to conservatorships, guardianships and a multitude of other property transfers. Thus, the general lack of training on this subject will necessarily impact even states where the subject is taught and tested.
Unfortunately, this downward trend in the teaching of wills and trusts comes at a time when skilled trusts and estates attorneys are most needed. In a 2023 survey of attorney professional liability claims, Ames & Gough reported that, for the third year in a row, insurers saw the largest number of malpractice claims related to trusts and estates. The same survey reported that “failure to know or properly apply the law” was one of the top causes of malpractice claims. And the ABA Standing Committee on Lawyers’ Professional Responsibility 2016-2019 Report found that trusts and estates claims were 10% of all malpractice claims. These numbers are not surprising in light of the importance of trusts and estates law to so many areas of the public’s life.
Trusts and estates touch virtually everyone as everyone dies, and any property they die holding needs to be transferred to another owner. Thus, almost every member of the public is touched by the issue. In fact, more than one million probate or estate cases are filed in state courts each year with this number likely to escalate with the aging population. Before 2045, baby boomers and the silent generation will pass a total of $84.4 trillion in assets with approximately $72.6 trillion of that going directly to heirs. And nearly $500 billion is passed to charities each year. Trusts and estates attorneys are instrumental in the vast majority of these transactions, ensuring that assets pass as efficiently as possible and as intended. And while many would assume that this is an issue confined to those wealthy enough to need tax planning, the fact is that even where an estate does not involve significant estate taxes, there are many other issues that require the expertise of trusts and estates attorneys.
The recent heirs’ property initiatives demonstrate the impact of lack of estate planning for those without generational wealth. Heirs’ property is family property that typically results from families that do not do any estate planning. As a result, the property passes via intestacy, divided among however many intestate heirs exist. This may go on for generations. The common ownership created by this situation often results in partition actions and certainly discourages the accumulation and combined use of family wealth. Although heirs’ property exists in families of every race and ethnicity, this situation disproportionally affects African American communities. The Uniform Partition of Heirs Property Act has been drafted to address these issues, but competent and plentiful estate planning and advice is necessary to address issues like this for underserved communities.
Another situation is that there are over 50 million older Americans, soon to be 22% of the population, and Alzheimer’s is expected to affect 18 million people by 2050. Planning and assistance for these people is traditionally the field of trust and estates practitioners. An additional 10% of the elderly population experience abuse. Again, trusts and estate practitioners are instrumental in taking the necessary steps to protect these elders, whether through powers of attorneys and trusts, conservatorships, or the necessary litigation to recover their property.
In other words, knowledgeable trusts and estates practitioners are necessary to clients in all economic situations, and a dearth of such attorneys will be a disservice to the public.
Endnotes
1. Margaret G. Lodise is a partner with Sacks, Glazier, Franklin & Lodise, LLP in Los Angeles. She represents clients in trust, estate, conservatorship and probate litigation involving substantial assets. She can be reached at 213-617-2049 or MLodise@TrustLitigation.LA.

TECHNOLOGY

What Estate Planners Should Tell Clients about Security Including Cybersecurity?
By Thomas Tietz1, Brian Cluxton2, and Martin M. Shenkman3
The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has reported that about $27 billion in reported suspicious activity was linked to elder financial exploitation in one year, which exceeds the total Federal Estate Tax collected. This article explores what estate planners can do to help protect their clients from financial abuse and focuses on cybersecurity issues.
Elder Financial Abuse Dwarfs Estate Tax
Over a one-year period ending in June 2023, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) found that about $27 billion in reported suspicious activity was linked to elder financial exploitation.4 By comparison, $22,518,879,000 was collected in estate tax in 2022.5 Consider the attention given to estate tax minimization planning versus the attention given to elder abuse, identity theft, and similar losses.
With an aging population, the increasing worries over elder financial abuse, and so few taxpayers subject to estate taxation, the emphasis needs to evolve. Further, with document drafting websites proliferating, and the likelihood of AI expanding the ease of use and sophistication of such sites, practitioners might benefit by offering broader estate planning guidance beyond mere document preparation. That broader advice might include addressing ancillary matters like health care navigation, security and access to client financial, legal and other records, etc. It is not uncommon to discuss with clients having a personal excess liability insurance policy (umbrella policy), who might be appropriate as a fiduciary, safeguards to put in place to monitor fiduciaries (e.g., a trust protector) and a range of other topics. The suggestion of this article is that with tech being ubiquitous for so many clients, and intertwined with the services estate planners provide, tech conversations at some point might be part of the conversation about security, asset protection and elder planning. If an attorney feels unqualified or unskilled to address these matters, consider the ethical requirements to be reasonably informed about technology, cyber security and AI. The process of addressing ethical considerations may provide some foundation for the discussions with clients.
Are Practitioners The Barefoot Shoemaker?
As practitioners review the role that they can serve in encouraging clients to take precautionary measures to protect their confidential information (paper and electronic), they should also evaluate whether they themselves have taken appropriate precautionary measures. Some advisers, whose firms have state-of-the-art cyber protection and other security, have wholly inadequate personal document and cyber security. For practitioners who realize that they too are personally at risk, the process can begin with themselves. Consider that one in four lawyers reported that their firm had a cybersecurity breach in 2022, according to a 2023 report from the American Bar Association.6 Navigating personal and firm tech enhancements will help equip the practitioner to take the same messages to their clients.
What Might Practitioners Do?
In a recent announcement, FinCEN stated that: “Older adults who experience financial exploitation can lose their life savings and financial security and face other harm.”7 While the focus of the announcement was providing guidance to financial institutions on this scourge, the lessons are applicable to estate planning practitioners. Practitioners might consider adapting some of these concepts as relevant to their practices:
• Developing policies and practices to protect aging or infirm clients.
• Training staff to recognize elder financial exploitation. For example, if a person is contacting a professional firm to schedule an appointment for an elderly parent or other person, that fact should be recorded. Staff should understand the issue of “procurement” where a beneficiary calls to schedule the appointment, brings the elderly client to the meeting, etc.
• Obtaining information concerning a trusted contact if there is suspicion of an issue. For estate planners the logical person might be the agent under a durable power of attorney or the successor trustee under a revocable trust. But that should be confirmed with the client. For example, if the agent or successor trustee cannot act until the principal is incapacitated, does that affect a practitioner’s communicating with that person in that gray zone where it is not yet certain disability or incapacity has occurred but the client is vulnerable? The practitioner should also address whether and how the attorney-client privilege and requirements for confidentiality may limit disclosures, and what can be done within ethical parameters.
• Reporting or otherwise responding to suspected elder financial exploitation as permitted by law and professional ethical requirements.
• Educating clients as to steps they may consider to reduce the risk of financial exploitation such as elder abuse and identity theft. The suggestions in this article are intended to provide details as to how to do so as part of the estate planning process.
Client Security Should be Part of the Estate Planning Discussion
Elder abuse, identity theft, and disability planning may be an important part of the estate planning process for many clients. Inherent in those discussions should be a conversation about document security – for both paper and electronic documents as appropriate to the particular client. Many older clients store old bank and brokerage statements, tax returns and other sensitive paper documents. Rarely do they take precautions to address the risks those documents could pose if pilfered by a repair person or home health aide. Further, the risks that severe weather events pose to that information could or should be a concern. Guiding these clients to have the paper documentation scanned and stored in a secure cloud-based portal, and to have all originals safely destroyed, could be an important part of planning for the aging process, or dealing with potential health issues. If there is a flood and all historic records are destroyed, or if the client has to downsize from a home to a small apartment or senior facility, what will be done with the documentation? If it is digitized it can be better secured, safeguarded from disaster, and facilitate what is often a necessary step in the aging process of downsizing.
Clients might be advised to consider some of the following in selecting a vendor to assist with the secure digitization and destruction of their paper documents:
• The vendor should comply with relevant regulations and standards.
• Inquire about the security measures the vendor has in place to prevent unauthorized access to confidential information.
• How does the vendor maintain a secure chain of custody for documents from retrieval, to scanning, to destruction?
In the context of estate and financial planning for aging or infirm clients, it may be helpful to consolidate accounts with reputable institutions or advisers, have periodic review meetings, and encourage clients to communicate if anything questionable arises. This helps in preventing financial scams, including elder abuse and identity theft, which continue to increase. But those steps, without also addressing what are sometimes voluminous amounts of confidential unprotected documents, may not alone suffice.
Identity thieves can use personal information from documents like bank statements, tax returns, credit reports, and Social Security cards to open new accounts, claim tax refunds, file fraudulent Medicare claims, and more. Home health aides and even repair persons may have easy access to historic documents often stored in labeled file cabinets or boxes in a basement or attic of the client’s home.8 In a report by the National Center on Elder Abuse, it was noted that home health aides were the third most likely individuals to perpetrate financial abuse, with only family members and close friends/neighbors being more likely.9
Should Advisors Address Cybersecurity with Clients?
Clients routinely communicate with their estate planners and other advisers electronically via emails, email of confidential documents, transmitting data through portals, web meetings, electronic signature of certain documents (perhaps retainer agreements and other items), etc. Even if the professional advisers have state-of-the-art cyber-security measures in place, if the client has inadequate protections, or fails to use the systems the adviser provides (e.g., sending tax documents via unencrypted email, rather than using a secure portal provided by the adviser), the client’s data could be compromised on their end. Estate planners routinely discuss planning for issues of aging (e.g., a durable power of attorney), asset protection, and other planning considerations. Addressing client cybersecurity and related issues is an important part of those conversations, even if the adviser doesn’t have the technological expertise for a detailed or in-depth discussion. Merely highlighting some of the key issues might educate a client sufficiently that the client will then take appropriate measures.
Clients frequently provide their professionals with sensitive information (personally identifiable information) such as tax returns, financial statements, and more. Without proper protection (e.g., when the client merely sends sensitive documents via unencrypted email and without password protection), disaster could ensue. If the client’s email is compromised, a bad actor could gain access to those sensitive documents, which might lead to theft, elder abuse, etc.
Clients are Targets for Bad Actors
Helping advise clients as to how to protect their wealth should be given priority. Advisors can have conversations with clients to assure that the client understands the risks, and what steps they can take to reduce those risks, even if the only step communicated is to retain a personal IT consultant. Practitioners can discuss with clients how significant a data breach event could be, and the time and effort it takes to rectify an issue once it happens. It is far more costly and time-consuming to fix an issue, than to spend the time protecting themselves in the first place. Each year, the FBI releases a report analyzing nationwide internet crime.10 In 2019, the FBI received 467,361 complaints totaling $3.5 billion in losses. By 2023, the FBI received 880,418 complaints, which totaled $12.5 billion in losses.11 This represents a growth of nearly double the complaints, and more than triple the losses per year in just 4 years! The growth of AI may accelerate these incidences as bad actors may be able to provide more convincing and deceptive email and phone call attacks.
Elder abuse and identity theft can create a huge disruption in clients’ lives. Discussing how disruptive it would be to lose access to their LinkedIn accounts, Facebook accounts, cloud storage programs like Dropbox, Microsoft 365, etc. may help a client understand how significant technology is in their lives, and how a data breach or loss of access would upend their lives.
Clients Avoid Safeguards Because of Complexity
Some clients are reticent to use safeguards offered by advisers, such as a client portal, because of their lack of familiarity with those mechanisms. Perhaps some are embarrassed to admit that they cannot master the technology involved. Consider offering “cheat sheets,” or instruction manuals, that explain with simple steps and screen shots of what to do and how to use a portal or other technology. Short video clips posted to a firm website providing instruction on using the firm’s portal, cybersecurity measures private wealth clients might consider, and similar topics should be inexpensive to create and may not only help clients, but they may protect the practitioner as well. Also, offer to help clients struggling with these safeguards to join a web meeting and talk them through how to use the tools provided.
A survey from Nationwide that concentrated on cyber security and the proliferation of identity theft insurance revealed that while 80% of respondents expressed concern about identity theft, only 16% reported having identity theft insurance.12 The survey found that 77% of respondents have accepted the risk of identity theft as a normal part of life. However, 28% admitted they have never sought more information about cyber protection. Many consumers neglect essential cybersecurity precautions due to misconceptions about the cost and effectiveness of these measures. This should come as no surprise as many law firms have no such coverage.
FiServ prepared a study regarding the general public’s awareness of cyber security, remarking “a surprising number of U.S. consumers have little awareness of how to defend themselves against a cyberattack. Some never change their passwords and when they do, it’s only because they’re forced.” The study found that 59% of consumers are bothered by temporary inconveniences brought about by advanced security measures, even if it means higher levels of safety and protection.13 Practitioners may consider having a “quick facts” spreadsheet to provide to clients outlining several concerning statistics regarding financial abuse, identity theft, and cyber security, providing clients with additional context on why they need additional protection, why they should use the protections they have, and maybe help clients use those protections less begrudgingly.
Security: Discussions to Have with Clients
Practitioners should consider incorporating into their practices, and as appropriate client discussions, how to send data securely:
• Providing clients with tools to securely communicate data with you as a professional is a service to clients and a way to facilitate clients communicating and providing documents in a safer manner. This could be done by providing a secure portal clients can use to upload data, suggesting that clients password-protect any confidential data that will be sent via regular email (and not send the password in the email), and/or suggesting that they obtain a more secure email service.
• Practitioners might establish a policy in their firm that if a client sends an email with confidential data that is unencrypted, someone at the firm would be notified and follow up with the client and endeavor to help provide guidance.
• What is the right level of protection for clients to use in their email? There are certain legacy email systems that may be dangerous to continue using in today’s environment. If a client still has an AOL, Hotmail, or similar older email address, practitioners may suggest that the clients consider updating to a more modern and secure email.
• There are paid versions of many email systems that may be more secure than a free/unpaid version: Gmail, Outlook, Yahoo, etc. If the client merely switches to an inexpensive paid version of what they are using they may materially enhance their protection. It does not take a significant amount of time to set up these paid services that provide additional protections. Typical cost for these emails is approximately $5-20 a month, and maybe an hour or two of an IT professional’s time to set-up. These paid email systems may provide: Better spam and phishing filters (phishing is a way for bad actors to gain access to even the most secure systems); Better alerts for any security issues; Access to support from the company you purchase the email from; An easier environment with protective tools for an IT professional to manage.14
• However, even with the paid versions of these common email systems, emails are not automatically encrypted. Discuss with clients that communicating securely needs both a baseline of protections, as well as discipline. For example, Outlook 365 can encrypt email without having any third-party software. Outlook can send emails using “sensitivity levels” that allow only people with that specific access to view the email. Encrypt-only encrypts the email and the attachments. However, these protections can only be implemented with a proactive approach: reviewing the various options in Outlook 365, determining the client’s risk threshold and comfort level with restrictions (certain security measures may block legitimate emails, and clients may be frustrated by that) and understanding that those security measures will need to be re-assessed on a periodic basis to determine if evolution in cybersecurity warrants changes. All of this could be overwhelming to a client, even with the assistance of an IT professional.
• Another common issue is clients using their professional or business email account to transmit their personal communications. While some clients may choose to communicate through their business emails for administrative ease (i.e., they don’t want to maintain multiple email accounts), or due to their business emails having a heightened level of protection, practitioners should consider warning clients that there could be material issues with communicating on personal matters through their business emails.
  ■ If a client uses business email for personal matters, this results in all such personal communications being stored on the business email server (and documents on the business network or cloud).
  ■ If the client leaves the company (voluntarily or by being fired), they could lose access to all of the personal email information.
  ■ For clients that are business owners, they may not have concerns with losing access to their personal information. However, what if the business is sold? What if their business is sued? Could the client’s confidential personal information be discoverable and accessible to the adversarial party? Consider the impact of personal financial statements, or estate planning memorandum discussing asset protection steps, falling into the hands of plaintiff’s counsel. Most if not all clients should have a separate personal email address with appropriate cybersecurity and not use a business email address for personal matters.
• Create secure client portals. Practitioners might consider obtaining a system to create a secure portal that they provide clients as a mechanism to securely send or upload confidential documents. There are a host of providers and many of these can be branded for the firm to generate a positive image of concern for client security.
  ■ This can also provide a means for practitioners to maintain online access for clients, and those individuals the client designates (e.g., other advisers, fiduciaries, family members) to electronic copies of signed estate planning documents.
  ■ For example, lawyers could upload copies of a client’s signed will, trusts, health care documents, powers of attorney, etc. in the client’s portal. This could be both an added service for the client and potentially a way to reduce administrative burden for the practitioner.
  ■ If a client has ready access to copies of their documents online, and chooses to give other advisers, e.g. their CPA and wealth adviser, access to their portal, they may not have to reach out to the practitioner to ask for copies of those documents. Such requests can result in nonbillable administrative time, and can also raise concerns if a CPA or other adviser asks for documents. All of that might be avoided.
• The portal can be used for more than securely sending confidential documents. Certain portal applications will permit additional communications through the system, such as supporting a “chat” function and texting integration. For clients comfortable using the portal, communicating through the portal could protect sensitive conversations from potential exposure. If the client’s email system is compromised, then any emails they sent or received from the practitioner would be accessible to the bad actor. A secure portal chat function may protect that sensitive information.
• Practitioners will then need to lead by example. They should use the portal, use encrypted email, and show clients that they take cybersecurity seriously, and clients may reciprocate.
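The firm policy suggested in the list above (someone is notified when a client emails confidential data unencrypted) can be partly automated at intake. The following Python example is added here for illustration and is not from the article or from any product it names; the filename keywords, the SSN pattern, the addresses and the sample messages are constructed assumptions, and the checks are heuristics that see only message-level protection (S/MIME, PGP/MIME, password-protected PDF or ZIP), not transport encryption.

```python
"""Triage inbound client email for confidential data sent without message-level protection."""
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from io import BytesIO

# Hypothetical patterns; a firm would tune these to its own document types.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
SENSITIVE_NAME_RE = re.compile(r"tax|1040|w-?2|statement|trust|will", re.I)


def message_is_encrypted(msg):
    """True for PGP/MIME (multipart/encrypted) or S/MIME enveloped messages."""
    ctype = msg.get_content_type()
    if ctype == "multipart/encrypted":
        return True
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # smime-type=signed-data means signed only, which is not encryption.
        kind = str(msg.get_param("smime-type", "enveloped-data")).lower()
        return kind in ("enveloped-data", "authenveloped-data")
    return False


def attachment_is_protected(data):
    """Heuristic: PDF with an /Encrypt entry, or ZIP whose entries all carry the encryption flag."""
    if data.startswith(b"%PDF"):
        return b"/Encrypt" in data
    if zipfile.is_zipfile(BytesIO(data)):
        with zipfile.ZipFile(BytesIO(data)) as zf:
            infos = zf.infolist()
        return bool(infos) and all(info.flag_bits & 0x1 for info in infos)
    return False  # unknown formats are treated as unprotected


def triage(raw):
    """Return the reasons a message needs staff follow-up (empty list means none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    if message_is_encrypted(msg):
        return []
    reasons = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None and SSN_RE.search(body.get_content()):
        reasons.append("SSN-like number in unencrypted message body")
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if SENSITIVE_NAME_RE.search(name) and not attachment_is_protected(data):
            reasons.append(f"unprotected attachment: {name}")
    return reasons


def build_sample(body, attachments=()):
    """Build a constructed message; attachments are (filename, bytes) pairs."""
    msg = EmailMessage()
    msg["From"] = "client@example.com"          # constructed address
    msg["To"] = "intake@lawfirm.example"        # constructed address
    msg["Subject"] = "Documents for our meeting"
    msg.set_content(body)
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed byte strings carrying only the markers the heuristic reads (not real PDFs).
PLAIN_PDF = b"%PDF-1.7\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
LOCKED_PDF = b"%PDF-1.7\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"

SAMPLES = {
    "plain_attachment": build_sample("Here is our return.",
                                     [("2023_tax_return.pdf", PLAIN_PDF)]),
    "locked_attachment": build_sample("Password to follow by phone.",
                                      [("2023_tax_return.pdf", LOCKED_PDF)]),
    "ssn_in_body": build_sample("My SSN is 000-12-3456 for the paperwork."),
    "harmless": build_sample("Can we move the meeting to Tuesday?"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", triage(raw) or "no follow-up needed")
```

A non-empty result is a prompt for a staff member to contact the client and walk them through the portal or password protection, not a verdict on the message.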
Software To Suggest Clients Consider
Practitioners should not and need not fill the role of IT consultant, but many clients simply do not retain personal IT consultants and do not take adequate protective measures. So, the role of most practitioners is merely about building awareness and making general suggestions to help guide the clients. This is no different than the wide-ranging advice that is often included in a broad or holistic approach to estate planning. Practitioners can use regular firm newsletters and other communications to educate clients about cybersecurity risks. There is another aspect to this. Some of the nefarious actors may send out vast numbers of attacks knowing they only need a few “bites” to make it a financially rewarding endeavor. Likely targets that may “fall” for the scams are elderly, infirm or otherwise challenged individuals. These are the same individuals estate planners serve and try to help protect with planning and proper legal documents. Home health aides, family members, and others involved in the care plan for an elderly or infirm family member should all help monitor against that person falling victim to these types of attacks.
It is important for practitioners to consider that non-IT recommendations may help safeguard elderly or infirm clients from cybersecurity and related threats as well. For example, there is always a balance between the goals of protecting vulnerable clients as well as preserving their independence. If the vulnerable client’s credit cards can be replaced with a prepaid debit card they can have the freedom to shop and transact business, but there would be no automatic link between the card and a bank account. That could reduce the risks of abuse. Further, there are special debit cards that can be controlled as to the types of expenditures that are permitted. It may be feasible to restrict spending at stores (e.g., bars) that perpetrators might try to use.15
The following suggestions are made from this viewpoint.
• Anti-virus software is essential. The free versions of anti-virus that typically come with new computers may not be sufficient, especially for clients who use the Windows operating system.
• Phishing protection is another important protective element. Phishing is an email sent from what appears to be a reputable company, but which is merely a cover for cyber-criminals seeking to induce individuals to reveal personal information such as passwords and credit card companies. With the proliferation of artificial intelligence like Chat GPT, Microsoft Co-Pilot, etc. phishing attacks have increased in number and become more advanced. A report on the state of phishing in 2023 noted that phishing attacks had increased 1,265% in 2023 after the release of Chat GPT in November 2022.16 Examples of phishing might include: fake invoices, an email account upgrade, advance-fee requests, fraudulent Google documents, a Dropbox scam, email from an attorney with documents for the recipient, etc.17 These attacks can appear deceptively genuine and can easily entrap a sophisticated attorney, and more so an aging or challenged client.
• Clients should be cautioned to be alert for requests for sensitive information, unexpected emails, suspicious attachments, and offers that seem too good to be true. If the recipient clicks on the fake link or attachment, malware may be downloaded to spy on their computer usage.
• While many people are aware of email phishing, bad actors are innovative and continuously thinking of new ways to attempt compromising an individual. For example, QR-ishing - scanning QR codes in public locales such as restaurants can pose risk. Criminals have replaced retail QR codes with substitutes that nefariously redirect the user to a dangerous website. For an elderly client that is particularly susceptible to being scammed, consider whether it might be feasible to block camera access to their cellphone to avoid scanning questionable QR codes.18 As an attorney that has client contact data and emails on their cell phone, might a policy to never scan QR codes with such a phone be prudent?
• Smishing is another variation that may take the form of a text message that appears to be sent from a reputable company seeking to induce the recipient to reveal personal information such as passwords and credit card company information. These might include: a bank account verification scam (a warning of unauthorized activity in the recipient’s bank account attempting to extract sensitive data), notice of a package delivery alert to induce the recipient to click a link and provide data, or account suspension alerts from what appears to be a reputable company. Clients might be cautioned to exercise caution if they receive a text from a strange telephone number. The nefarious text message may claim to be from a company the recipient knows. Urgency is often conveyed in the message. There may be a request for money or information. If the recipient clicks the link their cellphone may be subject to security threats.
• Vishing is a telephone call made from a seemingly reputable company seeking to induce individuals to reveal personal information such as bank information and credit card information. For example: A cybercriminal may call and appeal to the target’s human instincts of trust, fear, greed and desire to help. The criminal may ask for bank account information, credit card details, mailing address, etc. The criminal may request a funds transfer, or disclosure by phone or email of confidential information or documents. The caller may pretend to be a government representative, tech support representative, a telemarketer, or banker with the target’s bank. Pay close attention to any caller. Do not answer calls from unknown numbers. Never provide personal information to an unsolicited caller. Register your phone number with the Do Not Call Registry. For an elderly or infirm client, perhaps their use of their cell phone might be monitored, or they can be instructed and reminded that only a named person handles all their finances so that if anyone calls about financial information they should do no more than tell the caller to call that named person. Perhaps a reminder sign might be framed and left on the table where the phone is typically kept.
• Social Engineering (using any of the above and/or social media) is an attack intended to deceive the victim and obtain control over a computer system or steal personal financial or other confidential information. Social engineering techniques account for 98% of all cyberattacks.19 Social engineering may use phishing and other strategies. In September 2023, hackers breached large casinos including MGM and Caesars. The hacking was accomplished via social engineering.20 Hackers impersonated firm employees and convinced the technology helpdesk to provide them duplicate access. The hack was accomplished by hacking group ALPHV, who posted about the hack on its website and warned MGM of further attacks if MGM didn’t comply with its demands.
• Endpoint Detection and Response (“EDR”) software. This is next-generation anti-virus software. Examples include: SentinelOne Singularity, CrowdStrike Falcon, Sophos Intercept X, Trend Vision One.21 Traditional anti-virus operates so that when a computer virus is released, the anti-virus software will figure out how to neutralize the virus and protect against it, and then push out an update. The anti-virus companies have traditionally pushed out updates almost daily. However, how often do individuals actually update their anti-virus protection? In contrast, EDR is a more holistic approach: it will view the actions that the computer is taking, and if it finds unusual activity that may be caused by a virus, the software will shut the computer’s activity down and stop it from accessing the internet to prevent further compromise and data loss. This then provides time for a counter to the virus to be found to clean it. This helps prevent “Zero day” virus infections. To assure that software is updated consistently, set rules can be implemented that provide for updates to be completed automatically. Practitioners may consider recommending that clients create a habit of restarting their computers at least weekly to apply the updates that have been queued.
• Password managers. A password manager is a repository that will store all passwords. Certain password managers will allow the individual to “auto-fill” login credentials on websites, but all of them will allow the copy and paste of login information when needed. A password manager makes it easier to create robust and unique passwords. Many clients (and professionals) will reuse passwords across multiple programs and websites. A recent study found that 78% of people reuse the same password across multiple accounts.22 If that password is compromised all those accounts are compromised. For similar considerations as those mentioned above for having separate business and personal email accounts, consider advising clients to use separate password manager programs for professional and personal passwords.
• Multi-Factor Authentication (“MFA”) should be considered whenever available. Passwords, even strong complex ones generated by a password manager, are no longer sufficient to rely on to secure an account. MFA provides an additional layer of security beyond a password to access an account. This is typically a numerical code that is provided through one of several methods: via email, text message (“SMS”), or an authenticator app on the user’s cellphone.
Attorneys that use personal laptops and cellular phones for any work-related matters, e.g., answering emails, need to be alert to and should endeavor to have protections installed, as their falling prey to any of the above attacks could jeopardize confidential client data. Presumably work-related laptops are part of the firm’s cybersecurity ecosystem and are appropriately secured. Are they?
Data Backup
Historically, it may have been common to discuss with clients securing original legal documents like wills, divorce agreements, birth certificates, etc. That advice might have included a discussion of the pros and cons of storing important personal papers in a bank safe deposit box versus a home safe. The discussion might have included suggestions that the safe be fireproof. More recently fireproof and waterproof envelopes have become available to further protect valuable legal documents whether in a bank safe deposit box or home safe. These might provide fireproof protection (to 2000 ℉) via a silicone-coated fireproof and waterproof safe bag for a very modest price.23 SQVIOQI fireproof bags is another provider. For old tax returns and financial documentation, a fireproof, lockable file cabinet may have been suggested. These concepts are relevant to the new cloud world clients now inhabit.
Consider discussing with clients whether they have sufficient backups of their electronic data. Many do not. A survey in 2023 found that 11% of computer owners backed up their data daily, 8% weekly, and 15% monthly. 18% of computer owners said they’ve never backed up their data.24 As discussed above, the frequency of extreme weather events, and other calamities, could expose paper documents to loss. But if the client has all their critical data on a laptop, that alone won’t avoid the same risks. If the client backs up their laptop to a portable hard drive, where is that hard drive stored? If in their home, or their child’s home in the same neighborhood, that may provide little security to any localized weather or other event. Having a robust system in place to both protect against the loss of data, and help with the smooth transition to restoring data, is as critical for personal data as it is for business data.
Consider the traditional concern with losing family photos in a house fire. People have often discussed digitizing photos to protect against their loss. But if there is no offsite backup, the house fire can destroy those treasured memories as easily on a hard drive as it would have destroyed them in a photo album. Backing up data is now easier than it used to be. Not so long ago, a tape backup cartridge would be used and changed periodically, then stored off site. There was a significant physical component to creating backups. Both cloud and physical backups have advantages and disadvantages. Cloud backups may be dispersed. Many cloud backup systems have redundant data centers that store the data so a major event in one region would not cause a loss of data if the redundant data center is located in another region. Also, continuing to maintain a physical backup for quick access and restoration of data may provide an additional layer of backup redundancy, but at the increased risk of a bad actor accessing that device (e.g., a home health aide or home repair person).
Consider the need for consistency in a backup plan. Many individuals have numerous cloud backups: Apple for iPhone, OneDrive for Microsoft, Dropbox for personal. This would require going to a different backup program depending on where data has been stored. The client, or the IT consultant assisting in this process, may be requested to create a record listing which backup systems are used, how to use each of the backup systems, and other relevant information. This information should be part of the information that is conveyed to fiduciaries and others that will need it in the event of the client’s death or disability.
A singular cloud-based backup system may not be sufficient. Many cloud backup companies, such as SharePoint, Dropbox, OneDrive, etc., are all active cloud-based systems (i.e., you can manipulate and work on files directly on the system, similar to physical networks).
It might be advisable to have a separate backup program that protects the data that is not actively accessed. For example, what if an active cloud system is hacked and the data is lost or deleted? Having a backup with a different vendor provides a second layer of protection. In the current environment, using a redundant cloud-based backup system is quite inexpensive and easy to set up. For example, if the client uses Microsoft 365, all their data may be backed up in the Microsoft cloud. That data may be further backed up to a non-Microsoft cloud, like Wasabi.25 The costs for a second backup cloud, all of which can be set up and automated by an IT consultant, could be as little as $100/year. Not a material cost for the extra security.
Finally, discuss with clients that while they may have a backup system in place, they should make sure those backups are tested. A survey in 2023 found that 60% of backups are incomplete (i.e., they did not fully capture all of the data the individual wanted to restore) and 50% of restores failed when attempted.26 Whether these statistics are accurate or current is secondary to the critical message that caution is in order. Occasionally someone, whether clients, an IT consultant, or other professionals or family members, should test backups. Some clients may find when trying to use their backups they don’t have any at all.
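One way an IT consultant might run the restore test recommended above, as an added example that is not from the article or from any backup vendor: the script hashes every file in the live folder and in a test restore, then lists what the backup missed or returned damaged. The folder names and sample files are constructed for the demonstration.

```python
"""Restore test: compare a test restore against the live data it should contain."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large photo or video files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_of(full)
    return manifest


def compare_restore(source: Path, restored: Path) -> dict:
    """Report files the backup never captured and files that came back altered."""
    src = build_manifest(source)
    rst = build_manifest(restored)
    missing = sorted(set(src) - set(rst))        # incomplete backup
    unexpected = sorted(set(rst) - set(src))     # deleted or renamed since backup
    mismatched = sorted(p for p in set(src) & set(rst) if src[p] != rst[p])
    return {
        "missing": missing,
        "mismatched": mismatched,
        "unexpected": unexpected,
        "intact": len(src) - len(missing) - len(mismatched),
        "total": len(src),
        "passed": not missing and not mismatched,
    }


def demo(damage: bool = True) -> dict:
    """Build a constructed 'laptop' folder and a simulated restore, then compare."""
    sample = {  # constructed sample files, not real client data
        "documents/will_signed.pdf": b"constructed signed will page\n" * 40,
        "documents/tax_return_2023.pdf": b"constructed 2023 tax return line\n" * 40,
        "photos/2019/beach.jpg": b"constructed family photo bytes\n" * 40,
        "passwords/vault.kdbx": b"constructed password vault\n" * 40,
    }
    with tempfile.TemporaryDirectory() as tmp:
        source, restored = Path(tmp) / "laptop", Path(tmp) / "restore_test"
        for rel, data in sample.items():
            for root in (source, restored):
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        if damage:
            # Simulate an incomplete backup: one file skipped, one truncated.
            (restored / "photos/2019/beach.jpg").unlink()
            tax = restored / "documents/tax_return_2023.pdf"
            tax.write_bytes(sample["documents/tax_return_2023.pdf"][:100])
        return compare_restore(source, restored)


if __name__ == "__main__":
    report = demo()
    print(f"{report['intact']} of {report['total']} files restored intact")
    for label in ("missing", "mismatched", "unexpected"):
        for rel_path in report[label]:
            print(f"  {label}: {rel_path}")
    print("RESTORE TEST PASSED" if report["passed"] else "RESTORE TEST FAILED")
```

Files edited after the backup ran will also show as mismatched, so run the comparison soon after a backup completes, and restore into a scratch folder rather than over the live data.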
Routers and Firewalls
Firewalls are often used by businesses, but many clients neglect to implement this protection for their personal use. Bad actors may look for the “weakest link” to compromise a system. If the client has children accessing their personal network, the devices the children operate on may not be as secure as those the clients use themselves. Bad actors can access the client’s network by compromising those less protected devices. Clients may use a personal laptop that has less protection than what they would ever accept for their professional or business devices. Clients may conduct their banking and other sensitive activities from that laptop. Bad actors may be able to pierce those lesser protections and cause significant damage to the client’s life. Many individuals have older routers with outdated security. There have been bad actors that have hacked routers in residential neighborhoods. They can drive around the neighborhood and attempt to connect to the network from outside the client’s home. This is called “wardriving.”27 Internet service providers (“ISPs,” e.g., Spectrum, Verizon, etc.) provide customers with a modem to access the internet. A basic router, if provided by an ISP, may also provide a firewall, but may not offer stateful packet inspection (where all network traffic is analyzed inbound and outbound for threats). Obtaining and installing an after-market router that incorporates a more robust firewall may be prudent. A stronger firewall protects everyone accessing the internet on your network.28
The phrase “Internet of Things” is often mentioned. This refers to not just the obvious cell phones and laptops, but also the many home appliances that are connected to the internet through a home network. This can include smart refrigerators, Nest security devices, Ring doorbells, microwaves, even cat litter boxes that may all be wired to the internet and to cellphone apps. These items may have weaker security protections, and bad actors may hack into them and use that as a “backdoor” to access a client’s home network.29 For example, inquire whether clients have changed the default password for accessing their smart TV or smart refrigerator. It is likely that many clients will have one or more devices connected to their network that are using a default administrator password. Bad actors could travel a neighborhood attempting to connect to these devices with manufacturer passwords and see if they can access the device. An aftermarket router may provide better protection through the implementation of a firewall for the myriad items that are on a typical home network. Also, periodically updating the firmware of appliances may help mitigate these risks.
Constant Change Creates Exposure
There is constant evolution in the technology used in home computer and other IT systems. Criminal methods are also consistently evolving, developing new methods of attack. Practitioners might recommend that clients have an IT professional complete a periodic assessment of their cybersecurity measures, suggest upgrades as prudent, and then perform an annual check of the systems to advise clients of any changes and recommended updates.
The IT professional can help with preventative maintenance on their home technology and thereby prevent attacks that could be damaging. Cybersecurity and technology will consistently need “tune ups” in the same way.
Clients Communicating their Technology Information
More and more components of clients’ lives are online. As this trend continues, a greater amount of digital assets and information will need to be addressed when a client is incapacitated or dies. Discuss with clients whether they have considered what will happen to their online assets when they pass, and if they have taken steps to ensure their heirs will be able to access their digital valuables when they pass. This may require properly setting elections in a website’s terms of service (“TOS”), such as creating a “legacy contact” for the account.30
Clients should also collect critical cyber information and include it with other emergency information in any documents they create for fiduciaries or heirs. Clients should create a compilation of relevant information that provides key fiduciaries or their loved ones with the ability to access relevant or necessary digital accounts if they are disabled, or if they die. Using a password manager would reduce the information the client would need to convey. This information may be password protected on a laptop and backed up to the cloud. It may be advantageous to have physical paper documents with key information kept in a secure location.
Conclusion
Cybersecurity can be an overwhelming topic for many if not most clients, especially older clients who may feel less tech savvy. However, whatever steps practitioners might suggest, or even just risks that can be communicated, may help clients move in the direction of better security. That can safeguard the client from elder financial abuse, identity theft and other risks. While these issues are not as central to the estate planning process as drafting a will, evaluating life insurance coverage, and other traditional steps, they may be integral to a holistic estate planning process, and to helping our clients.
Endnotes
1. Thomas is an associate with the law firm Martin M. Shenkman, P.C. practicing in New Jersey and New York, and can be reached at Tietz@shenkmanlaw.com.
2. Brian is the owner and operator of Cluxton IT and can be reached at brian@cluxtonIT.com.
3. Martin is the principal at the law firm Martin M. Shenkman, P.C. practicing in New Jersey and New York, and can be reached at Shenkman@shenkmanlaw.com.
4. https://www.fincen.gov/sites/default/files/2024-12/Press-Releasefor-Interagency-Statement-on-Elder-Fraud-FINAL-508C.pdf issued Dec. 4, 2024, accessed January 6, 2025.
5. The IRS has provided an Excel spreadsheet listing statistics on the estate tax, hosted at the following link: https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.irs.gov%2Fpub%2Firs-soi%2F22es05soc.xlsx&wdOrigin=BROWSELINK accessed on January 6, 2025.
6. The 2023 Cybersecurity Tech Report by the American Bar Association can be viewed at https://www.americanbar.org/groups/law_practice/resources/tech-report/2023/2023-cybersecurity-techreport/ accessed January 6, 2025.
7. https://www.fincen.gov/sites/default/files/2024-12/Press-Releasefor-Interagency-Statement-on-Elder-Fraud-FINAL-508C.pdf issued Dec. 4, 2024, accessed January 6, 2025.
8. Jory MacKay, “How Does Identity Theft Happen? 10 Risks (and How To Avoid Them),” https://www.identityguard.com/news/how-doesidentity-theft-happen, accessed Jan. 3, 2025.
9. The report noted “In a study of 4,156 older adults, family members were the most common perpetrators of financial exploitation of older adults (FEOA) (57.9%), followed by friends and neighbors (16.9%), followed by home care aides (14.9%).” https://www.congress.gov/116/meeting/house/111016/documents/HMKP-116-JU00-20200915SD006.pdf, accessed January 6, 2024.
10. The report for 2023, released on April 4, 2024, can be viewed at https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf, accessed January 6, 2024.
11. Id.
12. “SURVEY: Consumers Are Ignoring Cybersecurity Risks Despite Identify Theft Concerns,” https://news.nationwide.com/survey-consumers-are-ignoring-cybersecurity-risks-despite-identify-theft-concerns/ created September 29, 2024, accessed January 7, 2024.
13. Fiserv, “Consumers’ Awareness, Behavior and Concerns Around Cybersecurity,” https://merchants.fiserv.com/content/dam/firstdata/us/en/cybersecurity-awareness-insights-study/pdf/FDC_Cybersecurity_and_Awareness_eBook.pdf, accessed January 3, 2025.
14. For an article providing further discussion on free versus paid email systems, see https://www.techradar.com/pro/software-services/free-secure-email-vs-paid-secure-email-what-are-the-differences, accessed on January 7, 2025.
15. As an example, consider True Link Financial, Inc., which is a San Francisco, California based financial technology firm that offers investment accounts and prepaid cards customized for seniors, people with disabilities, and people recovering from addiction. For a review of True Link and the kinds of services they (and similar businesses) provide, see https://www.seniorliving.org/finance/true-link/, accessed January 7, 2025.
16. https://www.prnewswire.com/news-releases/slashnexts-2023state-of-phishing-report-reveals-a-1-265-increase-in-phishingemails-since-the-launch-of-chatgpt-in-november-2022--signalinga-new-era-of-cybercrime-fueled-by-generative-ai-301971557.html, accessed January 7, 2025.
17. For an article providing additional examples of phishing attacks, including pictures of samples, see https://www.csoonline.com/article/514515/what-is-phishing-examples-types-and-techniques.html, accessed on January 7, 2025.
18. For further discussion of QR-ishing, see https://medium.com/it-security-in-plain-english/understanding-qr-code-phishing-qrishing-2ab6c79ce9ba, accessed January 7, 2025.
19. https://www.proofpoint.com/us/threat-reference/social-engineering
20. For a discussion on how the casinos were breached, see https://www.cybersecuritydive.com/news/mgm-caesars-attacks-social-engineering/693956/, accessed January 7, 2025.
21. For articles that discuss EDR in more detail, see https://www.gartner.com/reviews/market/endpoint-protection-platforms, accessed January 29, 2024, and https://www.sentinelone.com/cybersecurity-101/endpoint-security/what-is-endpoint-detection-and-response-edr/, accessed January 29, 2024.
22. https://www.securitymagazine.com/articles/100765-78-of-peopleuse-the-same-password-across-multiple-accounts, accessed January 7, 2025.
23. For example, Colcase made fireproof document bags. https://www.amazon.com/gp/product/B074S2H4H9/ref=ppx_yo_dt_b_search_asin_image?ie=UTF8&psc=1, accessed February 2, 2025.
24. https://www.backblaze.com/blog/2023-state-of-the-backup-asdata-needs-grow-backups-need-to-fill-the-gaps, accessed January 7, 2024.
25. https://wasabi.com/?utm_term=wasabi%20backup&utm_campaign=Primary+-+Branded+-+USA&utm_source=bing&utm_medium=ppc&hsa_acc=5541186137&hsa_cam=816926085&hsa_grp=1180877184166344&hsa_ad=&hsa_src=o&hsa_tgt=kwd-73805054705420:loc-190&hsa_kw=wasabi%20backup&hsa_mt=e&hsa_net=adwords&hsa_ver=3&msclkid=c820ea7e3d231768635a8dde384e11bb
26. https://ontech.com/data-backup-statistics/, accessed January 7, 2025.
27. https://www.kaspersky.com/resource-center/definitions/what-iswardriving, accessed January 7, 2025.
28. For additional discussion on firewalls, see https://help.ui.com/hc/en-us/articles/115006615247-Intro-to-Networking-Network-Firewall-Security, accessed January 29, 2025.
29. https://www.newsweek.com/how-cyber-thieves-use-your-smartfridge-door-your-data-1603488, accessed January 7, 2025.
30. As an example, Apple provides the following information on creating a legacy contact for your Apple account: https://support.apple.com/en-us/102631, accessed January 29, 2024. Google, Facebook, and many other services have similar ways to set up legacy contacts.
Committee Calls March 2025
Central Time (US and Canada)

HOSPITALITY, TIMESHARING AND COMMON INTERESTS DEVELOPMENT GROUP
March 4, 2025 10:00 AM CT
Join Zoom Meeting
https://americanbar.zoom.us/j/98015508525?pwd=7D46O4ulgXp5BVFjihf0wOKnS7JUzA.1
Meeting ID: 980 1550 8525
Passcode: 825523
CHARITABLE PLANNING AND ORGANIZATIONS GROUP
March 5, 2025 11:00 AM CT
Join Zoom Meeting
https://americanbar.zoom.us/j/99903440668?pwd=HksuLSKJGLMJ5ujR6uLcuVaUUFzSPj.1
Meeting ID: 999 0344 0668
Passcode: 523677
COMMERCIAL REAL ESTATE TRANSACTIONS GROUP
March 5, 2025 01:00 PM CT
Join Zoom Meeting
https://americanbar.zoom.us/j/93023198118?pwd=hnSMVbSNYtgAUQlx0Eynthg5wdqHzw.1
Meeting ID: 930 2319 8118
Passcode: 450512
BUSINESS PLANNING GROUP
March 10, 2025 11:00 AM CT
Join Zoom Meeting
https://americanbar.zoom.us/j/93887997935?pwd=lW4r9LaDZz9InYusUpT5baAP5XNFt9.1
Meeting ID: 938 8799 7935
Passcode: 332633
RPTE INCOME AND TRANSFER TAX PLANNING GROUP
March 12, 2025 01:00 PM CT
Join Zoom Meeting
https://americanbar.zoom.us/j/94468502489?pwd=WlYNIxjKjjlFw2hdX3osk13ZieImOz.1
Meeting ID: 944 6850 2489
Passcode: 817717
REAL ESTATE FINANCE GROUP
March 13, 2025 01:00 PM CT
Join Zoom Meeting
https://americanbar.zoom.us/j/97991240905?pwd=vwicvR8CboijGfbo6ecFSgVoeGqiPN.1
Meeting ID: 979 9124 0905
Passcode: 323293
JOINT LAW PRACTICE MANAGEMENT GROUP
March 18, 2025 12:00 PM CT
Join Zoom Meeting
https://americanbar.zoom.us/j/98400443325?pwd=7TyF20S4iCxjduy9B4t5zJaZVuwtfy.1
Meeting ID: 984 0044 3325
Passcode: 344418
ELDER LAW AND SPECIAL NEEDS PLANNING GROUP | DEATH WITH DIGNITY AND OTHER END OF LIFE OPTIONS
March 18, 2025 03:00 PM CT
Join Zoom Meeting
https://americanbar.zoom.us/j/93962442775?pwd=yPiP61tPi4CdwmB0J7kb7zlerI7aU3.1
Meeting ID: 939 6244 2775
Passcode: 395014
LAND USE AND ENVIRONMENTAL GROUP | PROPERTY TAX, TOPIC: FUNDAMENTAL NEGOTIATION STRATEGY FOR LITIGATION
March 19, 2025 12:00 PM CT
Join Zoom Meeting
https://americanbar.zoom.us/j/95002402731?pwd=7xAUWrXzu10H0PaX8PAqv3pP7UElc2.1
Meeting ID: 950 0240 2731
Passcode: 664755

Charitable Planning and Organizations Group
The committees of the Charitable Planning and Organizations Group are concerned with both sides of the charitable giving process. The various tax and non-tax issues for the donor are addressed by the Charitable Planning Committee and Legislative and Regulatory Issues Committee, while the donor organization perspective is the focus of the Charitable Organizations Committee.

The Legal Education and Uniform Laws Group
The Legal Education and Uniform Laws Group works to keep academics and practitioners alike apprised of vexing and promising developments in the law and legal education in an increasingly complex world. Among other things, the Group offers every month a free webinar, ‘Professors’ Corner,’ where we discuss emerging issues through a panel discussion by experts. The Professors’ Corner webinar takes place on the second Tuesday of every month, from 12:30 to 1:30 ET. The next one will be presented on February 11 on the topic of Squatters. In March, we will present on the “Zoning Atlas” and in April, the homeowners casualty insurance crisis.

Real Estate Finance
The Real Estate Finance Group provides its members (and the Section as a whole) a number of opportunities for educational programming and thought leadership. The group has substantive monthly calls that kicked off in January with a look at the 2025 economic outlook and will continue through the balance of the year providing “nuts and bolts” sessions on topics such as bankruptcy, guaranties and deeds in lieu, among others. In addition to the numerous programs presented at the virtual CLE conference and the Section’s annual National CLE Meeting, the Real Estate Finance Group will be presenting an eCLE finance series later this year.
Real Estate Finance Group Leadership:
Chair: Kari Larson
Vice Chair: James Marx
Council Representative: Wogan Bernard
MORTGAGE LENDING
Chair: Heather Horowitz
Vice-Chairs: Frederick H. Mitsdarfer, III, Brooke Benjamin and Harry Leipsitz
WORKOUTS, FORECLOSURES AND BANKRUPTCY
Chair: Laura Bouyea
Vice-Chair: Matthew Kramer
LEGAL OPINIONS
Chair: Imran Naeemullah
Vice-Chairs: Charles Wilkes, Olufunke Leroy and Sara Wagner

Business Planning Group
The Business Planning Group (BPG) addresses trust, estate and tax planning and administration for closely held entity owners via its three committees. The Investment Entities Committee focuses on investment vehicles, including family limited partnerships, family LLCs and private investment funds—such as hedge funds, private equity, and venture capital. The Real Estate, Agriculture and Natural Resources Committee focuses on the planning and administration issues specifically associated with those asset classes. The Operating Businesses Committee focuses on the challenges that are unique to business owners including business succession planning, liquidity planning, and entity taxation.
BPG members contribute to RPTE’s National CLE Conference, eCLEs, and publications. In addition, BPG members monitor proposed legislation, regulations, and guidance, and offer comments on changes that may affect entity owners. We discuss these topics and more on BPG’s monthly open Zoom meetings. Join the Business Planning Group to receive calendar invitations for monthly calls and other outreach from the group!



WHAT HAPPENS IN VEGAS...

April 30 to May 1, 2025
Get ready for the ABA Section of Real Property, Trust, & Estate Law 37th Annual RPTE National CLE Conference—your chance to elevate your practice, expand your network, and stay ahead of the curve.
Join us at the Conference and learn from industry leaders on the latest legal trends, connect with top professionals and peers from across the country and gain tools and strategies to bring back to your practice.
This isn’t just a conference, it’s where the future of real property, trust, and estate law comes to life.
Stay tuned: registration details, keynote speakers, and session previews are on the way in early February!
Save the Date and Join Us!

FELLOWSHIP OPPORTUNITY

Applications due June 6, 2025.
The ABA Section of Real Property, Trust and Estate Law Fellows Program encourages the active involvement and participation of young lawyers in Section activities. The goal of the program is to give young lawyers an opportunity to become involved in the substantive work of the RPTE Section while developing into future leaders.
Each RPTE Fellow is assigned to work with a substantive committee chair, who serves as a mentor and helps expose the Fellow to all aspects of committee membership. Fellows get involved in substantive projects, which can include writing for an RPTE publication, becoming Section liaisons to the ABA Young Lawyers Division or local bar associations, becoming active members of the Membership Committee, and attending important Section leadership meetings.

CALLING ALL LAW STUDENTS!
The Section of Real Property, Trust and Estate Law is now accepting entries for the 2025 Law Student Writing Contest. This contest is open to all J.D. and LL.M students currently attending an ABA-accredited law school. It is designed to encourage and reward law student writing on real property or trust and estate law subjects of general and current interest.
1st Place
$2,500 award

2nd Place
$1,500 award
3rd Place
$1,000 award
• Free round-trip economy-class airfare and accommodations to attend the RPTE National CLE Conference. This is an excellent meeting at which to network with RPTE leadership! (First place only.)
• A full-tuition scholarship to the University of Miami School of Law’s Heckerling Graduate Program in Estate Planning OR Robert Traurig-Greenberg Traurig Graduate Program in Real Property Development for the 2025-2026 or 2026-2027 academic year.* (First place only.)
• Consideration for publication in The Real Property, Trust and Estate Law Journal, the Section’s law review journal.
• One-year free RPTE membership.
• Name and essay title will be published in the eReport, the Section’s electronic newsletter, and Probate & Property, the Section’s flagship magazine.
Contest deadline: May 31, 2025
Visit the RPTE Law School Writing Competition webpage at ambar.org/rptewriting.
*Students must apply and be admitted to the graduate program of their choice to be considered for the scholarship. Applicants to the Heckerling Graduate Program in Estate Planning must hold a J.D. degree from an ABA-accredited law school and must have completed the equivalent of both a trusts and estates course and a federal income tax course. Applicants to the Robert Traurig-Greenberg Traurig Graduate Program in Real Property Development must hold a degree from an ABA-accredited law school or a foreign equivalent non-US school.

CONFERENCE AND EXPO
April 2–5, 2025
Hyatt Regency McCormick Place
Chicago, IL

Now, more than ever, lawyers and legal professionals must seek out the newest advances in technology. Techshow 2025 is your gateway to harnessing AI’s true potential, learning all things related to the future of legal tech, and enhancing access to justice.
Join us for a week filled with CLE sessions, networking events, keynotes, and so much more.


Learn about Section of Real Property, Trust and Estate Law’s eReport
The eReport is the quarterly electronic publication of the American Bar Association Real Property, Trust and Estate Law Section. It includes practical information for lawyers working in the real property and estate planning fields, together with news on Section activities and upcoming events. The eReport also provides resources for seasoned and young lawyers and law students to succeed in the practice of law.
For further information on the eReport or to submit an article for publication, please contact Robert Steele (Editor), Cheryl Kelly (Real Property Editor), Keri Brown (Trust and Estate Editor), or RPTE staff members Bryan Lambert or Monica Larys. Are you interested in reading FAQs on how to get published in the eReport? Download the FAQs here. We welcome your suggestions and submissions!
FREQUENTLY ASKED QUESTIONS BY PROSPECTIVE AUTHORS RPTE eReport
What makes eReport different from the other Section publications?
The most important distinction is that eReport is electronic. It is delivered by email only (see below) and consists of links to electronic versions of articles and other items of interest. Since eReport is electronic, it is flexible in many ways.
How is eReport delivered and to whom?
eReport is delivered quarterly via email to all Section members with valid email addresses. At the ABA website, www.americanbar.org, click myABA and then navigate to Email, Lists and Subscriptions. You have the option of receiving eReport. Currently almost 17,000 Section members receive eReport.
What kind of articles are you looking for?
We are looking for timely articles on almost any topic of interest to real estate or trust and estate lawyers. This covers anything from recent case decisions, whether federal or state, if of general interest, administrative rulings, statutory changes, new techniques with practical tips, etc.
How long should my article be?
Since eReport is electronic and therefore very flexible, we can publish a two page case or ruling summary, and we can publish a 150 page article. eReport is able to do this since the main page consists of links to the underlying article, therefore imposing no page restraints. This is a unique feature of eReport.
How do I submit an article for consideration?
Email either a paragraph on a potential topic or a polished draft – the choice is yours – to the Editor, Robert Steele, at rsteele@ssrga.com, and either our Real Estate Editor, Cheryl Kelly, at CKelly@thompsoncoburn.com, or our Trust and Estate Editor, Keri Brown, at keri.brown@bakerbotts.com.
Do I need to have my topic pre-approved before I write my submission?
Not required, but the choice is yours. We welcome topic suggestions and can give guidance at that stage, or you may submit a detailed outline or even a full draft. You may even submit an article previously published (discussed below) for our consideration.
Do citations need to be in formal Bluebook style?
eReport is the most informal publication of the Section. We do not publish with heavy footnotes and all references are in endnotes. If there are citations, however, whether to the case you are writing about, or in endnotes, they should be in proper Bluebook format to allow the reader to find the material. Certainly you may include hyperlinks to materials as well.
Can I revise my article after it is accepted for publication?
While we do not encourage last minute changes, it is possible to make changes since we work on Word documents until right before publication when all articles are converted to pdf format for publication.
What is your editing process?
Our Editor and either the Trust and Estate Editor or the Real Estate Editor work together to finalize your article. The article and the style are yours, however, and you are solely responsible for the content and accuracy. We will just help to polish the article, not re-write it. Our authors have a huge variety of styles and we embrace all variety in our publication.
Do I get to provide feedback on any changes that you make to my article?
Yes. We will email a final draft to you unless we have only made very minor typographical or grammatical changes.
Will you accept an article for publication if I previously published it elsewhere?
YES! This is another unique feature of eReport. We bring almost 17,000 new readers to your material. Therefore, something substantive published on your firm’s or company’s website or elsewhere may be accepted for publication if we believe that our readers will benefit from your analysis and insight. In some cases, articles are updated or refreshed for eReport. In other cases, we re-publish essentially unchanged, but logos and biographical information are either eliminated or moved to the end of the article.
How quickly can you publish my article?
Since we publish quarterly, the lead time is rarely more than two months. If you have a submission on a very timely topic, we can publish in under a month and present your insights on a new topic in a matter of weeks.