
What Estate Planners Should Tell Clients about Security Including Cybersecurity?
By Thomas Tietz, Brian Cluxton, and Martin M. Shenkman
The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has reported that about $27 billion in reported suspicious activity was linked to elder financial exploitation in one year, which exceeds the total Federal Estate Tax collected. This article explores what estate planners can do to help protect their clients from financial abuse and focuses on cybersecurity issues.
Elder Financial Abuse Dwarfs Estate Tax
Over a one-year period ending in June 2023, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) found that about $27 billion in reported suspicious activity was linked to elder financial exploitation.4 By comparison, $22,518,879,000 was collected in estate tax in 2022.5 Consider the attention given to estate tax minimization planning versus the attention given to elder abuse, identity theft, and similar losses.
With an aging population, the increasing worries over elder financial abuse, and so few taxpayers subject to estate taxation, the emphasis needs to evolve. Further, with document drafting websites proliferating, and the likelihood of AI expanding the ease of use and sophistication of such sites, practitioners might benefit by offering broader estate planning guidance beyond mere document preparation. That broader advice might include addressing ancillary matters like health care navigation, security of and access to client financial, legal and other records, etc. It is not uncommon to discuss with clients having a personal excess liability insurance policy (umbrella policy), who might be appropriate as a fiduciary, safeguards to put in place to monitor fiduciaries (e.g., a trust protector), and a range of other topics. The suggestion of this article is that, with tech being ubiquitous for so many clients and intertwined with the services estate planners provide, tech conversations at some point might be part of the conversation about security, asset protection and elder planning. If an attorney feels unqualified or unskilled to address these matters, consider the ethical requirements to be reasonably informed about technology, cybersecurity and AI. The process of addressing those ethical considerations may provide some foundation for the discussions with clients.
Are Practitioners the Barefoot Shoemaker?
As practitioners review the role that they can serve in encouraging clients to take precautionary measures to protect their confidential information (paper and electronic), they should also evaluate whether they themselves have taken appropriate precautionary measures. Some advisers, whose firms have state-of-the-art cyber protection and other security, have wholly inadequate personal document and cyber security. For practitioners who realize that they too are personally at risk, the process can begin with themselves. Consider that one in four lawyers reported that their firm had a cybersecurity breach in 2022, according to a 2023 report from the American Bar Association.6 Navigating personal and firm tech enhancements will help equip the practitioner to take the same messages to their clients.
What Might Practitioners Do?
In a recent announcement, FinCEN stated that: “Older adults who experience financial exploitation can lose their life savings and financial security and face other harm.”7 While the focus of the announcement was providing guidance to financial institutions on this scourge, the lessons are applicable to estate planning practitioners. Practitioners might consider adapting some of these concepts as relevant to their practices:
• Developing policies and practices to protect aging or infirm clients.
• Training staff to recognize elder financial exploitation. For example, if a person is contacting a professional firm to schedule an appointment for an elderly parent or other person, that fact should be recorded. Staff should understand the issue of “procurement” where a beneficiary calls to schedule the appointment, brings the elderly client to the meeting, etc.
• Obtaining information concerning a trusted contact if there is suspicion of an issue. For estate planners the logical person might be the agent under a durable power of attorney or the successor trustee under a revocable trust. But that should be confirmed with the client. For example, if the agent or successor trustee cannot act until the principal is incapacitated, does that affect a practitioner’s communicating with that person in the gray zone where it is not yet certain that disability or incapacity has occurred but the client is vulnerable? Practitioners should also address whether and how the attorney-client privilege and requirements for confidentiality may limit disclosures, and what can be done within ethical parameters.
• Reporting or otherwise responding to suspected elder financial exploitation as permitted by law and professional ethical requirements.
• Educating clients as to steps they may consider to reduce the risk of financial exploitation such as elder abuse and identity theft. The suggestions in this article are intended to provide details as to how to do so as part of the estate planning process.
Client Security Should be Part of the Estate Planning Discussion
Elder abuse, identity theft, and disability planning may be an important part of the estate planning process for many clients. Inherent in those discussions should be a conversation about document security – for both paper and electronic documents, as appropriate to the particular client. Many older clients store old bank and brokerage statements, tax returns and other sensitive paper documents. Rarely do they take precautions to address the risks those documents could pose if pilfered by a repair person or home health aide. Further, the risks that severe weather events pose to that information could or should be a concern. Guiding these clients to have the paper documentation scanned, stored in a secure cloud-based portal, and safely destroying all originals could be an important part of planning for the aging process, or dealing with potential health issues. If there is a flood and all historic records are destroyed, or if the client has to downsize from a home to a small apartment or senior facility, what will be done with the documentation? If it is digitized it can be better secured, safeguarded from disaster, and facilitate what is often a necessary step in the aging process: downsizing.
Clients might be advised to consider some of the following in selecting a vendor to assist with the secure digitization and destruction of their paper documents:
• The vendor should comply with relevant regulations and standards.
• Inquire about the security measures the vendor has in place to prevent unauthorized access to confidential information.
• How does the vendor maintain a secure chain of custody for documents from retrieval, to scanning, to destruction?
In the context of estate and financial planning for aging or infirm clients, it may be helpful to consolidate accounts with reputable institutions or advisers, have periodic review meetings, and encourage clients to communicate if anything questionable arises. This helps in preventing financial scams, including elder abuse and identity theft, which continue to increase. But those steps, without also addressing what is sometimes voluminous amounts of confidential unprotected documents may not alone suffice.
Identity thieves can use personal information from documents like bank statements, tax returns, credit reports, and Social Security cards to open new accounts, claim tax refunds, file fraudulent Medicare claims, and more. Home health aides and even repair persons may have easy access to historic documents often stored in labeled file cabinets or boxes in a basement or attic of the client’s home.8 In a report by the National Center on Elder Abuse, it was noted that home health aides were the third most likely individuals to perpetrate financial abuse, with only family members and close friends/neighbors being more likely.9
Should Advisors Address Cybersecurity with Clients?
Clients routinely communicate with their estate planners and other advisers electronically via emails, email of confidential documents, transmitting data through portals, web meetings, electronic signature of certain documents (perhaps retainer agreements and other items), etc. Even if the professional advisers have state-of-the-art cyber-security measures in place, if the client has inadequate protections, or fails to use the systems the adviser provides (e.g., sending tax documents via unencrypted email, rather than using a secure portal provided by the adviser), the client’s data could be compromised on their end. Estate planners routinely discuss planning for issues of aging (e.g., a durable power of attorney), asset protection, and other planning considerations. Addressing client cybersecurity and related issues is an important part of those conversations, even if the adviser doesn’t have the technological expertise for a detailed or in-depth discussion. Merely highlighting some of the key issues might educate a client sufficiently that the client will then take appropriate measures.
Clients frequently provide their professionals with sensitive information (personal identifiable information) such as tax returns, financial statements, and more. Without proper protection, e.g., the client may merely send sensitive documents via unencrypted email and without password protection, disaster could ensue. If the client’s email is compromised, a bad actor could gain access to those sensitive documents which might lead to theft, elder abuse, etc.
Clients are Targets for Bad Actors
Helping advise clients as to how to protect their wealth should be given priority. Advisors can have conversations with clients to assure that the client understands the risks, and what steps they can take to reduce those risks, even if the only step communicated is to retain a personal IT consultant. Practitioners can discuss with clients how significant a data breach event could be, and the time and effort it takes to rectify an issue once it happens. It is far more costly and time-consuming to fix an issue, than to spend the time protecting themselves in the first place. Each year, the FBI releases a report analyzing nationwide internet crime.10 In 2019, the FBI received 467,361 complaints totaling $3.5 billion in losses. By 2023, the FBI received 880,418 complaints, which totaled $12.5 billion in losses.11 This represents a growth of nearly double the complaints, and more than triple the losses per year in just 4 years! The growth of AI may accelerate these incidences as bad actors may be able to provide more convincing and deceptive email and phone call attacks.
Elder abuse and identity theft can create a huge disruption in a client’s life. Asking clients to consider how disruptive it would be to lose access to their LinkedIn accounts, Facebook accounts, and cloud storage programs like Dropbox, Microsoft 365, etc. may help a client understand how significant technology is in their day-to-day life, and how a data breach or loss of access would upend it.
Clients Avoid Safeguards Because of Complexity
Some clients are reticent to use safeguards offered by advisers, such as a client portal, because of their lack of familiarity with those mechanisms. Perhaps some are embarrassed to admit that they cannot master the technology involved. Consider offering “cheat sheets,” or instruction manuals, that explain with simple steps and screen shots of what to do and how to use a portal or other technology. Short video clips posted to a firm website providing instruction on using the firm’s portal, cybersecurity measures private wealth clients might consider, and similar topics should be inexpensive to create and may not only help clients, but they may protect the practitioner as well. Also, offer to help clients struggling with these safeguards to join a web meeting and talk them through how to use the tools provided.
A survey from Nationwide that concentrated on cyber security and the proliferation of identity theft insurance revealed that while 80% of respondents expressed concern about identity theft, only 16% reported having identity theft insurance.12 The survey found that 77% of respondents have accepted the risk of identity theft as a normal part of life. However, 28% admitted they have never sought more information about cyber protection. Many consumers neglect essential cybersecurity precautions due to misconceptions about the cost and effectiveness of these measures. This should come as no surprise as many law firms have no such coverage.
FiServ prepared a study regarding the general public’s awareness of cyber security, remarking “a surprising number of U.S. consumers have little awareness of how to defend themselves against a cyberattack. Some never change their passwords and when they do, it’s only because they’re forced.” The study found that 59% of consumers are bothered by temporary inconveniences brought about by advanced security measures, even if it means higher levels of safety and protection.13 Practitioners may consider having a “quick facts” spreadsheet to provide to clients outlining several concerning statistics regarding financial abuse, identity theft, and cyber security, providing clients with additional context on why they need additional protection, why they should use the protections they have, and maybe help clients use those protections less begrudgingly.
Security Discussions to Have with Clients
Practitioners should consider incorporating into their practices, and as appropriate client discussions, how to send data securely:
• Providing clients with tools to securely communicate data with you as a professional is a service to clients and a way to facilitate clients communicating and providing documents in a safer manner. This could be by providing a secure portal clients can use to upload data, suggest clients password protect any confidential data that will be sent via regular email (and not to send the password in the email), and/or to obtain more secure email service.
• Practitioners might establish a policy in their firm that if a client sends an email with confidential data that is unencrypted, someone at the firm would be notified and follow up with the client and endeavor to help provide guidance.
• What is the right level of protection for clients to use in their email? There are certain legacy email systems that may be dangerous to continue use in today’s environment. If a client still has an AOL, Hotmail, or similar older email address, practitioners may suggest that the clients consider updating to a more modern and secure email.
• There are paid versions of many email systems that may be more secure than a free/unpaid version: Gmail, Outlook, Yahoo, etc. If the client merely switches to an inexpensive paid version of what they are using they may materially enhance their protection. It does not take a significant amount of time to set up these paid services that provide additional protections. Typical cost for these emails is approximately $5-20 a month, and maybe an hour or two of an IT professional’s time to set-up. These paid email systems may provide: Better spam and phishing filters (phishing is a way for bad actors to gain access to even the most secure systems); Better alerts for any security issues; Access to support from the company you purchase the email from; An easier environment with protective tools for an IT professional to manage.14
• However, even with the paid versions of these common email systems, emails are not automatically encrypted. Discuss with clients that communicating securely needs both a baseline of protections and discipline. For example, Outlook 365 can encrypt email without any third-party software. Outlook can send emails using “sensitivity levels” that only allow people with that specific access to view the email; the Encrypt-only option encrypts the email and its attachments. However, these protections can only be implemented with a proactive approach: reviewing the various options in Outlook 365, determining the client’s risk threshold and comfort level with restrictions (certain security measures may block legitimate emails, and clients may be frustrated by that), and understanding that those security measures will need to be re-assessed on a periodic basis to determine whether evolution in cybersecurity warrants changes. All of this could be overwhelming to a client, even with the assistance of an IT professional.
• Another common issue is clients using their professional or business email account to transmit their personal communications. While some clients may choose to communicate through their business emails for administrative ease (i.e., they don’t want to maintain multiple email accounts), or due to their business emails having a heightened level of protection, practitioners should consider warning clients that there could be material issues with communicating on personal matters through their business emails.
■ If a client uses business email for personal matters, this results in all such personal communications being stored on the business email server (and documents on the business network or cloud).
■ If the client leaves the company (voluntarily or by being fired), they could lose access to all of the personal email information.
■ For clients that are business owners, they may not have concerns with losing access to their personal information. However, what if the business is sold? What if their business is sued, could the client’s confidential personal information be discoverable and accessible to the adversarial party? Consider the impact of personal financial statements, or estate planning memorandum discussing asset protection steps, falling into the hands of plaintiff’s counsel. Most if not all clients should have a separate personal email address with appropriate cybersecurity and not use a business email address for personal matters.
• Create secure client portals. Practitioners might consider obtaining a system to create a secure portal that they provide clients as a mechanism to securely send or upload confidential documents. There are a host of providers and many of these can be branded for the firm to generate a positive image of concern for client security.
■ This can also provide a means for practitioners to maintain online access for clients, and those individuals the client designates (e.g., other advisers, fiduciaries, family members) to electronic copies of signed estate planning documents.
■ For example, lawyers could upload copies of a client’s signed will, trusts, health care documents, powers of attorney, etc. in the client’s portal. This could be both an added service for the client and a potentially a way to reduce administrative burden for the practitioner.
■ If a client has ready access to copies of their documents online, and chooses to give other advisers, e.g., their CPA and wealth adviser, access to their portal, they may not have to reach out to the practitioner to ask for copies of those documents. Such requests can result in nonbillable administrative time, and also raise confidentiality questions when a CPA or other adviser asks for documents. All of that might be avoided.
• The portal can be used for more than securely sending confidential documents. Certain portal applications will permit additional communications through the system, such as supporting a “chat” function and texting integration. For clients comfortable using the portal, communicating through the portal could protect sensitive conversations from potential exposure. If the client’s email system is compromised, then any emails they sent or received from the practitioner would be accessible to the bad actor. A secure portal chat function may protect that sensitive information.
• Practitioners will then need to lead by example. They should use the portal, use encrypted email, and show clients that they take cybersecurity seriously, and clients may reciprocate.
Software To Suggest Clients Consider
Practitioners should not and need not fill the role of IT consultant, but many clients simply do not retain personal IT consultants and do not take adequate protective measures. So, the role of most practitioners is merely about building awareness and making general suggestions to help guide the clients. This is no different than the wide-ranging advice that is often included in a broad or holistic approach to estate planning. Practitioners can use regular firm newsletters and other communications to educate clients about cybersecurity risks. There is another aspect to this. Some nefarious actors may send out vast numbers of attacks knowing they only need a few “bites” to make it a financially rewarding endeavor. Likely targets that may “fall” for the scams are elderly, infirm or otherwise challenged individuals. These are the same individuals estate planners serve and try to help protect with planning and proper legal documents. Home health aides, family members, and others involved in the care plan for an elderly or infirm family member should all help monitor against that person falling victim to these types of attacks.
It is important for practitioners to consider that non-IT recommendations may help safeguard elderly or infirm clients from cybersecurity and related threats as well. For example, there is always a balance between the goals of protecting vulnerable clients and preserving their independence. If the vulnerable client’s credit cards can be replaced with a prepaid debit card, they can have the freedom to shop and transact business, but there would be no automatic link between the card and a bank account. That could reduce the risks of abuse. Further, there are special debit cards that can be controlled as to the types of expenditures that are permitted. It may be feasible to restrict spending at stores (e.g., bars) that perpetrators might try to use.15
The following suggestions are made from this viewpoint.
• Anti-virus software is essential. The free versions of anti-virus that typically come with new computers may not be sufficient, especially for clients who use the Windows operating system.
• Phishing protection is another important protective element. Phishing is an email sent from what appears to be a reputable company, but which is merely a cover for cyber-criminals seeking to induce individuals to reveal personal information such as passwords and credit card information. With the proliferation of artificial intelligence like ChatGPT, Microsoft Copilot, etc., phishing attacks have increased in number and become more advanced. A report on the state of phishing in 2023 noted that phishing attacks had increased 1,265% in 2023 after the release of ChatGPT in November 2022.16 Examples of phishing might include: fake invoices, an email account upgrade, advance-fee requests, fraudulent Google documents, a Dropbox scam, email from an attorney with documents for the recipient, etc.17 These attacks can appear deceptively genuine and can easily entrap a sophisticated attorney, and more so an aging or challenged client.
• Clients should be cautioned to be alert for requests for sensitive information, unexpected emails, suspicious attachments, and offers that seem too good to be true. If the recipient clicks on the fake link or attachment, malware may be downloaded to spy on their computer usage.
• While many people are aware of email phishing, bad actors are innovative and continuously thinking of new ways to attempt compromising an individual. For example, QR-ishing - scanning QR codes in public locales such as restaurants can pose risk. Criminals have replaced retail QR codes with substitutes that nefariously redirect the user to a dangerous website. For an elderly client that is particularly susceptible to being scammed, consider whether it might be feasible to block camera access to their cellphone to avoid scanning questionable QR codes.18 As an attorney that has client contact data and emails on their cell phone, might a policy to never scan QR codes with such a phone be prudent?
• Smishing is another variation that may take the form of a text message that appears to be sent from a reputable company seeking to induce the recipient to reveal personal information such as passwords and credit card company information. These might include: a bank account verification scam (a warning of unauthorized activity in the recipient’s bank account attempting to extract sensitive data), notice of a package delivery alert to induce the recipient to click a link and provide data, or account suspension alerts from what appears to be a reputable company. Clients might be cautioned to exercise caution if they receive a text from a strange telephone number. The nefarious text message may claim to be from a company the recipient knows. Urgency is often conveyed in the message. There may be request for money or information. If the recipient clicks the link their cellphone may be subject to security threats.
• Vishing is a telephone call made from a seemingly reputable company seeking to induce individuals to reveal personal information such as bank information and credit card information. For example: a cybercriminal may call and appeal to the target’s human instincts of trust, fear, greed and desire to help. The criminal may ask for bank account information, credit card details, mailing address, etc. The criminal may request a funds transfer, or disclosure by phone or email of confidential information or documents. The caller may pretend to be a government representative, tech support representative, a telemarketer, or a banker with the target’s bank. Pay close attention to any caller. Do not answer calls from unknown numbers. Never provide personal information to an unsolicited caller. Register your phone number with the Do Not Call Registry. For an elderly or infirm client, perhaps their use of their cell phone might be monitored, or they can be instructed and reminded that only a named person handles all their finances, so that if anyone calls about financial information they should do no more than tell the caller to call that named person. Perhaps a reminder sign might be framed and left on the table where the phone is typically kept.
• Social Engineering (using any of the above and/or social media) is an attack intended to deceive the victim and obtain control over a computer system or steal personal financial or other confidential information. Social engineering techniques account for 98% of all cyberattacks.19 Social engineering may use phishing and other strategies. In September 2023, hackers breached large casinos including MGM and Caesars. The hacking was accomplished via social engineering.20 Hackers impersonated firm employees and convinced the technology helpdesk to provide them duplicate access. The hack was attributed to the hacking group ALPHV, which posted about the hack on its website and warned MGM of further attacks if MGM didn’t comply with its demands.
• End-Point Detection Response (“EDR”) software. This is next-generation anti-virus software. Examples include: SentinelOne Singularity, CrowdStrike Falcon, Sophos Intercept X, Trend Vision One.21 Traditional anti-virus operates so that when a computer virus is released, the anti-virus software will figure out how to neutralize the virus and protect against it, and then push out an update. The anti-virus companies have traditionally pushed out updates almost daily. However, how often do individuals actually update their anti-virus protection? In contrast, EDR is a more holistic approach, it will view the actions that the computer is taking, and if it finds unusual activity that may be caused by a virus, the software will shut the computer’s activity down and stop it from accessing the internet to prevent further compromise and data loss. This then provides time for a counter to the virus to be found to clean it. This helps prevent “Zero day” virus infections. To assure that software is updated consistently, set rules can be implemented that provide for updates to be completed automatically. Practitioners may consider recommending that clients create a habit of restarting their computers at least weekly to apply the updates that have been queued.
• Password managers. A password manager is a repository that will store all passwords. Certain password managers will allow the individual to “auto-fill” login credentials on websites, but all of them will allow the copy and paste of login information when needed. A password manager makes it easier to create robust and unique passwords. Many clients (and professionals) will reuse passwords across multiple programs and websites. A recent study found that 78% of people reuse the same password across multiple accounts.22 If that password is compromised all those accounts are compromised. For similar considerations as those mentioned above for having separate business and personal email accounts, consider advising clients to use separate password manager programs for professional and personal passwords.
• Multi-Factor Authentication (“MFA”) should be considered whenever available. Passwords, even strong complex ones generated by a password manager, are no longer sufficient to rely on to secure an account. MFA provides an additional layer of security beyond a password to access an account. This is typically a numerical code that is provided through one of several methods: via email, text message (“SMS”), or an authenticator app, on the user’s cellphone.
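The signature-versus-behaviour distinction drawn above for EDR, as a toy simulation added here (not code from the article or from any vendor it names): a hash-based scanner misses a binary it has never seen, while a behavioural rule on rapid file rewrites isolates the process and refuses its later network connection. The event records, hashes, threshold and window are all constructed for this illustration.

```python
"""Toy model of signature-based anti-virus versus behaviour-based EDR."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

# Signature database: hashes of executables already known to be malicious.
# Constructed placeholder values, not real malware hashes.
KNOWN_BAD_HASHES = {"sha256:KNOWN_SAMPLE_A", "sha256:KNOWN_SAMPLE_B"}

# Behavioural rule (constructed thresholds): a process that rewrites many user
# files in a short window behaves like ransomware whether or not its hash is known.
FILE_WRITE_THRESHOLD = 20   # writes
WINDOW_SECONDS = 10.0       # sliding window


@dataclass
class Event:
    ts: float      # seconds, constructed timeline
    pid: int
    action: str    # "exec", "file_write" or "net_connect"
    detail: str    # executable hash, file path or remote host


@dataclass
class Verdict:
    pid: int
    reason: str
    contained: bool   # True once the process has been isolated


class SignatureScanner:
    """Traditional AV: can only flag hashes already pushed out in an update."""

    def check(self, ev: Event) -> Optional[Verdict]:
        if ev.action == "exec" and ev.detail in KNOWN_BAD_HASHES:
            return Verdict(ev.pid, f"known signature {ev.detail}", contained=False)
        return None   # an unseen ("zero day") binary passes silently


class BehaviourMonitor:
    """EDR-style monitor: judges a process by what it does over time."""

    def __init__(self) -> None:
        self._writes: Dict[int, Deque[float]] = {}
        self.blocked: Set[int] = set()

    def observe(self, ev: Event) -> Optional[Verdict]:
        if ev.pid in self.blocked:
            # Isolated process: further activity (notably network) is refused,
            # which is what buys time to clean the machine.
            return Verdict(ev.pid, f"blocked {ev.action} to {ev.detail}", contained=True)
        if ev.action != "file_write":
            return None
        window = self._writes.setdefault(ev.pid, deque())
        window.append(ev.ts)
        while window and ev.ts - window[0] > WINDOW_SECONDS:
            window.popleft()   # drop writes older than the window
        if len(window) >= FILE_WRITE_THRESHOLD:
            self.blocked.add(ev.pid)   # simulated containment
            return Verdict(ev.pid, f"{len(window)} file writes in {WINDOW_SECONDS:.0f}s",
                           contained=True)
        return None


def run_detection(events: List[Event]) -> Tuple[List[Verdict], List[Verdict]]:
    """Feed one event stream to both engines; return their non-empty verdicts."""
    scanner, monitor = SignatureScanner(), BehaviourMonitor()
    sig_hits = [v for v in (scanner.check(e) for e in events) if v]
    beh_hits = [v for v in (monitor.observe(e) for e in events) if v]
    return sig_hits, beh_hits


def sample_events() -> List[Event]:
    """Constructed stream: an unknown binary runs, rewrites 25 documents in
    under five seconds, then tries to reach a remote host."""
    evs = [Event(0.0, 4242, "exec", "sha256:UNKNOWN_NEW_SAMPLE")]
    for i in range(25):
        evs.append(Event(0.2 * i, 4242, "file_write", f"/home/client/docs/statement_{i}.pdf"))
    evs.append(Event(6.0, 4242, "net_connect", "remote-host.invalid:443"))
    return evs


if __name__ == "__main__":
    sig, beh = run_detection(sample_events())
    print("signature verdicts:", sig)        # empty: hash not in the database
    print("first behaviour verdict:", beh[0])  # contained at the 20th write
    print("last behaviour verdict:", beh[-1])  # net_connect refused
```

The same stream can be replayed with a hash that is in `KNOWN_BAD_HASHES` to see the signature engine fire while the behavioural engine stays quiet until the file activity begins.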
Attorneys that use personal laptops and cellular phones for any work-related matters, e.g., answering emails, need to be alert to and should endeavor to have protections installed, as their falling prey to any of the above attacks could jeopardize confidential client data. Presumably work-related laptops are part of the firm’s cybersecurity ecosystem and are appropriately secured. Are they?
Data Backup
Historically, it may have been common to discuss with clients securing original legal documents like wills, divorce agreements, birth certificates, etc. That advice might have included a discussion of the pros and cons of storing important personal papers in a bank safe deposit box versus a home safe. The discussion might have included suggestions that the safe be fireproof. More recently, fireproof and waterproof envelopes have become available to further protect valuable legal documents, whether in a bank safe deposit box or home safe. These might provide fireproof protection to 2000 ℉ via a silicone-coated fireproof and waterproof safe bag for a very modest price.23 SQVIOQI fireproof bags is another provider. For old tax returns and financial documentation, a fireproof, lockable file cabinet may have been suggested. These concepts are relevant to the new cloud world clients now inhabit.
Consider discussing with clients whether they have sufficient backups of their electronic data. Many do not. A survey in 2023 found that 11% of computer owners backed up their data daily, 8% weekly, and 15% monthly; 18% of computer owners said they’ve never backed up their data.24 As discussed above, the frequency of extreme weather events, and other calamities, could expose paper documents to loss. But if the client has all their critical data on a laptop, that alone won’t avoid the same risks. If the client backs up their laptop to a portable hard drive, where is that hard drive stored? If in their home, or their child’s home in the same neighborhood, that may provide little security against any localized weather or other event. Having a robust system in place to both protect against the loss of data, and help with the smooth transition to restoring data, is as critical for personal data as it is for business data.
Consider the traditional concern with losing family photos in a house fire. People have often discussed digitizing photos to protect against their loss. But if there is no offsite backup, the house fire can destroy those treasured memories as easily on a hard drive as it would have destroyed them in a photo album. Backing up data is now easier than it used to be. Not so long ago, a tape backup cartridge would be used and changed periodically, then stored off site. There was a significant physical component to creating backups. Both cloud and physical backups have advantages and disadvantages. Cloud backups may be geographically dispersed. Many cloud backup systems have redundant data centers that store the data, so a major event in one region would not cause a loss of data if the redundant data center is located in another region. Also, continuing to maintain a physical backup for quick access and restoration of data may provide an additional layer of backup redundancy, but at the increased risk of a bad actor accessing that device (e.g., a home health aide or home repair person).
Consider the need for consistency in a backup plan. Many individuals have numerous cloud backups: Apple’s cloud for an iPhone, OneDrive for Microsoft files, Dropbox for personal files. This would require going to a different backup program depending on where data has been stored. The client, or the IT consultant assisting in this process, may be requested to create a record listing which backup systems are used, how to use each of the backup systems, and other relevant information. This information should be part of the information that is conveyed to fiduciaries and others that will need it in the event of the client’s death or disability. A single cloud-based backup system may not be sufficient. Many cloud services, such as SharePoint, Dropbox, OneDrive, etc., are active cloud-based systems (i.e., you can manipulate and work on files directly on the system, similar to physical networks), so a file deleted or corrupted there may be deleted or corrupted in the “backup” as well.
It might be advisable to have a separate backup program that protects data that is not actively accessed. For example, what if an active cloud system is hacked and the data is lost or deleted? Having a backup with a different vendor provides a second layer of protection. In the current environment, using a redundant cloud-based backup system is quite inexpensive and easy to set up. For example, if the client uses Microsoft 365, all their data may be backed up in the Microsoft cloud. That data may be further backed up to a non-Microsoft cloud, like Wasabi.25 The cost for a second backup cloud, all of which can be set up and automated by an IT consultant, could be as little as $100/year. Not a material cost for the extra security.
Finally, discuss with clients that while they may have a backup system in place, they should make sure those backups are tested. A survey in 2023 found that 60% of backups are incomplete (i.e., they did not fully capture all of the data the individual wanted to restore) and 50% of restores failed when attempted.26 Whether these statistics are accurate or current is secondary to the critical message that caution is in order. Occasionally someone, whether the client, an IT consultant, or other professionals or family members, should test the backups by actually restoring data and confirming it is complete. Some clients may find, when trying to use their backups, that they don’t have any at all.
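As an added illustration of the restore test recommended above (example code, not from the article or its authors): a small Python check that records a hash manifest at backup time and verifies a restored copy against it, reporting files that are missing or no longer match. The directory names and sample files are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Added example, not from the article: record a SHA-256 manifest when a backup is
# made, then check a restored copy against it for missing or altered files.
# Assumes local directories; a cloud bucket or external drive would be synced first.

def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict[str, str], restore_root: Path) -> dict[str, list[str]]:
    """Return files the restore lacks and files whose content no longer matches."""
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        restored = restore_root / rel
        if not restored.is_file():
            missing.append(rel)
        elif sha256_of(restored) != expected:
            corrupt.append(rel)
    return {"missing": missing, "corrupt": corrupt}

def demo() -> dict[str, list[str]]:
    """Constructed sample: three documents; the 'restore' lost one and altered one."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "estate").mkdir(parents=True)
        (source / "estate" / "will.pdf").write_bytes(b"constructed will contents")
        (source / "estate" / "trust.pdf").write_bytes(b"constructed trust contents")
        (source / "photos.txt").write_bytes(b"constructed photo index")
        manifest = build_manifest(source)                 # taken at backup time
        restore = Path(tmp) / "restore"
        shutil.copytree(source, restore)                  # stands in for a restore job
        (restore / "photos.txt").unlink()                 # backup was incomplete
        (restore / "estate" / "trust.pdf").write_bytes(b"truncated")  # file damaged
        return verify_restore(manifest, restore)

if __name__ == "__main__":
    print(demo())  # {'missing': ['photos.txt'], 'corrupt': ['estate/trust.pdf']}
```

Keep the manifest somewhere other than the backup it describes, since a backup that silently dropped files would otherwise drop the evidence as well.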
Routers and Firewalls
Firewalls are often used by businesses, but many clients neglect to implement this protection for their personal use. Bad actors may look for the “weakest link” to compromise a system. If the client has children accessing their personal network, the devices the children operate on may not be as secure as those the clients use themselves. Bad actors can access the client’s network by compromising those less protected devices. Clients may use a personal laptop that has less protection than what they would ever accept for their professional or business devices. Clients may conduct their banking, and other sensitive activities, from that laptop. Bad actors may be able to pierce those lesser protections and cause significant damage to the client’s life. Many individuals have older routers with outdated security. There have been bad actors that have hacked routers in residential neighborhoods. They can drive around the neighborhood and attempt to connect to the network from outside the client’s home. This is called “wardriving.”27 Internet service providers (Spectrum, Verizon, etc.; “ISPs”) provide customers with a modem to access the internet. A basic router, if provided by an ISP, may also provide a firewall, but may not offer stateful packet inspection (where the firewall tracks the state of each connection and analyzes inbound and outbound traffic for threats). Obtaining and installing an after-market router that incorporates a more robust firewall may be prudent. A stronger firewall protects everyone accessing the internet on the client’s network.28
The phrase “Internet of Things” is often mentioned. This refers to not just the obvious cell phones and laptops, but also the many home appliances that are connected to the internet through a home network. This can include smart refrigerators, Nest security devices, Ring doorbells, microwaves, even cat litter boxes, all of which may be wired to the internet and to cellphone apps. These items may have weaker security protections, and bad actors may hack into them and use that as a “backdoor” to access a client’s home network.29 For example, inquire whether clients have changed the default password for accessing their smart TV or smart refrigerator. It is likely that many clients will have one or more devices connected to their network that are still using a default administrator password. Bad actors could travel a neighborhood attempting to connect to these devices with manufacturer passwords and see if they can access the device. An aftermarket router may provide better protection through the implementation of a firewall for the myriad of items that are on a typical home network. Also, periodically updating the firmware of appliances may help mitigate these risks.
Constant Change Creates Exposure
There is constant evolution in the technology used in home computer and other IT systems. Criminal methods are also consistently evolving, developing new methods of attack. Practitioners might recommend that clients have an IT professional complete a periodic assessment of their cybersecurity measures, suggest upgrades as prudent, and then perform an annual check of the systems to advise clients of any changes and recommended updates.
The IT professional can help with preventative maintenance on the client’s home technology and thereby prevent attacks that could be damaging. Cybersecurity and technology will consistently need “tune-ups” in the same way a car does.
Clients Communicating their Technology Information
More and more components of clients’ lives are online. As this trend continues, a greater amount of digital assets and information will need to be addressed when a client is incapacitated or dies. Discuss with clients whether they have considered what will happen to their online assets when they pass, and if they have taken steps to ensure their heirs will be able to access their digital valuables when they pass. This may require properly setting elections in a website’s terms of service (“TOS”), such as creating a “legacy contact” for the account.30
Clients should also collect critical cyber information and include it with other emergency information in any documents they create for fiduciaries or heirs. Clients should create a compilation of relevant information that provides key fiduciaries or their loved ones with the ability to access relevant or necessary digital accounts if the client is disabled, or dies. Using a password manager would reduce the information the client would need to convey. This information may be password protected on a laptop and backed up to the cloud. It may be advantageous to have physical paper documents with key information kept in a secure location.
Conclusion
Cybersecurity can be an overwhelming topic for many if not most clients, especially older clients who may feel less tech savvy. However, whatever steps practitioners might suggest, or even just risks that can be communicated, may help clients move in the direction of better security. That can safeguard the client from elder financial abuse, identity theft and other risks. While these issues are not as central to the estate planning process as drafting a will, evaluating life insurance coverage, and other traditional steps, they may be integral to a holistic estate planning process, and to helping our clients.
Endnotes
1. Thomas is an associate with the law firm Martin M. Shenkman, P.C. practicing in New Jersey and New York, and can be reached at Tietz@shenkmanlaw.com.
2. Brian is the owner and operator of Cluxton IT and can be reached at brian@cluxtonIT.com.
3. Martin is the principal at the law firm Martin M. Shenkman, P.C. practicing in New Jersey and New York, and can be reached at Shenkman@shenkmanlaw.com.
4. https://www.fincen.gov/sites/default/files/2024-12/Press-Releasefor-Interagency-Statement-on-Elder-Fraud-FINAL-508C.pdf issued Dec. 4, 2024, accessed January 6, 2025.
5. The IRS has provided an Excel spreadsheet listing statistics on the estate tax, hosted at the following link: https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fwww.irs.gov%2Fpub%2Firs-soi%2F22es05soc.xlsx&wdOrigin=BROWSELINK, accessed on January 6, 2025.
6. The 2023 Cybersecurity Tech Report by the American Bar Association can be viewed at https://www.americanbar.org/groups/law_practice/resources/tech-report/2023/2023-cybersecurity-techreport/, accessed January 6, 2025.
7. https://www.fincen.gov/sites/default/files/2024-12/Press-Releasefor-Interagency-Statement-on-Elder-Fraud-FINAL-508C.pdf issued Dec. 4, 2024, accessed January 6, 2025.
8. Jory MacKay, “How Does Identity Theft Happen? 10 Risks (and How To Avoid Them),” https://www.identityguard.com/news/how-doesidentity-theft-happen, accessed Jan. 3, 2025.
9. The report noted “In a study of 4,156 older adults, family members were the most common perpetrators of financial exploitation of older adults (FEOA) (57.9%), followed by friends and neighbors (16.9%), followed by home care aides (14.9%).” https://www.congress.gov/116/meeting/house/111016/documents/HMKP-116-JU00-20200915SD006.pdf, accessed January 6, 2024.
10. The report for 2023, released on April 4, 2024, can be viewed at https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf, accessed January 6, 2024.
11. Id.
12. “SURVEY: Consumers Are Ignoring Cybersecurity Risks Despite Identify Theft Concerns,” https://news.nationwide.com/survey-consumers-are-ignoring-cybersecurity-risks-despite-identify-theft-concerns/, created September 29, 2024, accessed January 7, 2024.
13. Fiserv, “Consumers’ Awareness, Behavior and Concerns Around Cybersecurity,” https://merchants.fiserv.com/content/dam/firstdata/us/en/cybersecurity-awareness-insights-study/pdf/FDC_Cybersecurity_and_Awareness_eBook.pdf, accessed January 3, 2025.
14. For an article providing further discussion on free versus paid email systems, see https://www.techradar.com/pro/software-services/free-secure-email-vs-paid-secure-email-what-are-the-differences, accessed on January 7, 2025.
15. As an example, consider True Link Financial, Inc., which is a San Francisco, California based financial technology firm that offers investment accounts and prepaid cards customized for seniors, people with disabilities, and people recovering from addiction. For a review of True Link and the kinds of services they (and similar businesses) provide, see https://www.seniorliving.org/finance/true-link/, accessed January 7, 2025.
16. https://www.prnewswire.com/news-releases/slashnexts-2023state-of-phishing-report-reveals-a-1-265-increase-in-phishingemails-since-the-launch-of-chatgpt-in-november-2022--signalinga-new-era-of-cybercrime-fueled-by-generative-ai-301971557.html, accessed January 7, 2025.
17. For an article providing additional examples of phishing attacks, including pictures of samples, see https://www.csoonline.com/article/514515/what-is-phishing-examples-types-and-techniques.html, accessed on January 7, 2025.
18. For further discussion of QR-ishing, see https://medium.com/it-security-in-plain-english/understanding-qr-code-phishing-qrishing-2ab6c79ce9ba, accessed January 7, 2025.
19. https://www.proofpoint.com/us/threat-reference/social-engineering.
20. For a discussion on how the casinos were breached, see https://www.cybersecuritydive.com/news/mgm-caesars-attacks-social-engineering/693956/, accessed January 7, 2025.
21. For articles that discuss EDR in more detail, see https://www.gartner.com/reviews/market/endpoint-protection-platforms, accessed January 29, 2024, and https://www.sentinelone.com/cybersecurity-101/endpoint-security/what-is-endpoint-detection-and-response-edr/, accessed January 29, 2024.
22. https://www.securitymagazine.com/articles/100765-78-of-peopleuse-the-same-password-across-multiple-accounts, accessed January 7, 2025.
23. For example, Colcase makes fireproof document bags. https://www.amazon.com/gp/product/B074S2H4H9/ref=ppx_yo_dt_b_search_asin_image?ie=UTF8&psc=1, accessed February 2, 2025.
24. https://www.backblaze.com/blog/2023-state-of-the-backup-asdata-needs-grow-backups-need-to-fill-the-gaps, accessed January 7, 2024.
25. https://wasabi.com/?utm_term=wasabi%20backup&utm_campaign=Primary+-+Branded+-+USA&utm_source=bing&utm_medium=ppc&hsa_acc=5541186137&hsa_cam=816926085&hsa_grp=1180877184166344&hsa_ad=&hsa_src=o&hsa_tgt=kwd-73805054705420:loc-190&hsa_kw=wasabi%20backup&hsa_mt=e&hsa_net=adwords&hsa_ver=3&msclkid=c820ea7e3d231768635a8dde384e11bb.
26. https://ontech.com/data-backup-statistics/, accessed January 7, 2025.
27. https://www.kaspersky.com/resource-center/definitions/what-iswardriving, accessed January 7, 2025.
28. For additional discussion on firewalls, see https://help.ui.com/hc/en-us/articles/115006615247-Intro-to-Networking-Network-Firewall-Security, accessed January 29, 2025.
29. https://www.newsweek.com/how-cyber-thieves-use-your-smartfridge-door-your-data-1603488, accessed January 7, 2025.
30. As an example, Apple provides the following information on creating a legacy contact for your Apple account: https://support.apple.com/en-us/102631, accessed January 29, 2024. Google, Facebook, and many other services have similar ways to set up legacy contacts.