Picture this: You’re travelling across U.S. borders, heading home from a client meeting abroad.  However, unlike other trips, this time a Customs and Border Protection agent requests that you unlock and hand over for inspection your computer and cell phone — full of client confidential information.  You’ve been concerned about this issue, and so you’ve had your IT department encrypt all of the sensitive data on your devices.  Will that protect your client’s information from disclosure?

Ethics duties at the border

We wrote here last year about the ethics issues with border searches of e-devices, including the New York City Bar Association’s July 2017 opinion on how to deal with the duty of confidentiality in that scenario.

The NYCBA ethics committee advised that you may of course ethically comply with lawful government orders, but also that you should not comply “unless and until” you “undertake reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.”

The concern about this issue was heightened by a sharp uptick in border searches of e-devices.  Customs officers searched an estimated 30,200 cellphones, computers and other electronic devices of people entering and leaving the U.S. last year — an almost 60 percent increase from 2016, according to Homeland Security Department data.

Most recently, in January 2018, the CBP revised Directive No. 3340-049, which includes procedures for searching information subject to attorney-client privilege.  Section 5.2 calls for segregating privileged material to ensure that it is “handled appropriately.”

Encryption – it’s no panacea

What about encrypting the client information on your e-device to make sure it stays confidential and won’t be revealed during a potential border search? That approach may be of limited use.

Section 5.3.3 of the revised CBP directive provides that if border officers can’t inspect your device “because it is protected by a passcode or encryption,” they may detain it and convey it (or a copy of its contents) to third parties who can supply “technical assistance.”

This is an indirect reference to the various U.S. intelligence agencies that are authorized pursuant to Section 2.6 of Executive Order 12333 to provide technical support and assistance to the CBP.  This aid may be derived from the National Security Agency, which leads the federal government in cryptology, or from the National Media Exploitation Center, which consists of representatives from multiple intelligence agencies that are responsible for decrypting, translating and analyzing documents and electronic devices in the federal government’s possession.

If CBP officers seek to decrypt and access the confidential information on your device, they likely have the authority and the technical resources, through federal intelligence agencies, to do so.

The magnitude of the risk, and what to do

Even though the 5,000 devices searched in February last year sound like a lot, it’s only a tiny percentage according to CBP’s Office of Public Affairs. The agency says that in FY 2017, only about .007 percent of arriving international travelers screened and processed by CBP officers were required to submit to an e-device search.  That possibly points to a low risk for any one lawyer who might be returning from international travel.

But given the breadth of your ethics duty, and the limits on the ability of encryption to protect confidential client information on your devices, it would be a best practice to heed the advice that the NYCBA gave last year:

  • Depending on the circumstances, including the sensitivity of the information, you should consider not carrying any client confidential information across the border.
  • Rather than exposing your client’s information to disclosure in a search, you should securely back up client information and cross the border only with a blank “burner” phone or laptop.
  • And before coming back across the border, you should also turn off syncing of cloud services, sign out of web-based services, and/or uninstall applications providing local or remote access to confidential information.

Lawyers and their firms should consider incorporating these measures into their data security policies and practices. It’s what the times, and your ethics duties, would seem to call for.