Picture this:   You’re travelling across U.S. borders, heading home from a client meeting abroad.  However, unlike other trips, this time a Customs and Border Protection agent requests that you unlock and hand over for inspection your computer and cell phone — full of client confidential information.  You’ve been concerned about this issue, and so you’ve had your IT department encrypt all of the sensitive data on your devices.  Will that protect you client’s information from disclosure?

Ethics duties at the border

We wrote here last year about the ethics issues with border searches of e-devices, including the New York City Bar Association’s July 2017 opinion on how to deal with the duty of confidentiality in that scenario.

The NYCBA ethics committee advised that you may of course ethically comply with lawful government orders, but also that you should not comply “unless and until” you “undertake reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.”

The concern about this issue was heightened by a sharp uptick in border searches of e-devices.  Customs officers searched an estimated 30,200 cellphones, computers and other electronic devices of people entering and leaving the U.S. last year — an almost 60 percent increase from 2016, according to Homeland Security Department data.

Most recently, in January 2018, the CBP revised Directive No. 3340-049, which includes procedures for searching information subject to attorney-client privilege.  Section 5.2 calls for segregating privileged material to ensure that it is “handled appropriately.”

Encryption – it’s no panacea

What about encrypting the client information on your e-device to make sure it stays confidential and won’t be revealed during a potential border search? That approach may be of limited use.

Section 5.3.3 of the revised CBP directive provides that if border officers can’t inspect your device “because it is protected by a passcode or encryption,” they may detain it and convey it (or a copy of its contents) to third parties who can supply “technical assistance.”

This is an indirect reference to the various U.S. intelligence agencies that are authorized pursuant to Section 2.6 of Executive Order 12333 to provide technical support and assistance to the CBP.  This aid may be derived from the National Security Agency, which leads the federal government in cryptology, or from the National Media Exploitation Center which consists of representatives from multiple intelligence agencies that are  responsible for decrypting, translating and analyzing documents and electronic devices in the federal government’s possession.

If CBP officers seek to decrypt and access the confidential information on your device, they likely have the authority and the technical resources, through federal intelligence agencies, to do so.

The magnitude of the risk, and what to do

Even though the 5,000 devices searched in February last year sounds like a lot, it’s only a tiny percentage according to CBP’s Office of Public Affairs. The agency says that in FY 2017, only about .007 percent of arriving international travelers screened and processed by CBP officers were required to submit to an e-device search.  That possibly points to a low risk for any one lawyer who might be returning from international travel.

But given the breadth of your ethics duty, and the limits on the ability of encryption to protect confidential client information on your devices, it would be a best practice to heed the advice that the NYCBA gave last year:

  • Depending on the circumstances, including the sensitivity of the information, you should consider not carrying any client confidential information across the border.
  • Rather than exposing your client’s information to disclosure in a search, you should securely back up client information and cross the border only with a blank “burner” phone or laptop.
  • And before coming back across the border, you should also turn off syncing of cloud services, sign out of web-based services, and/or uninstall applications providing local or remote access to confidential information.

Lawyers and their firms should consider incorporating these measures into their data security policies and practices. It’s what the times, and your ethics duties, would seem to call for.

The ACLU and the Electronic Frontier Foundation have sued the Department of Homeland Security to block U.S. Customs and Border Protection personnel from searching travelers’ electronic devices without warrants.  This has implications for lawyers who cross in and out of the U.S. with phones and laptops  containing confidential client information.  The CBP’s policy, which the ABA also has questioned, currently authorizes such searches even without a suspicion of wrongdoing.

We first wrote about the issue last month, when the New York City Bar Association published an ethics opinion raising the client confidentiality issues and advising that in some circumstances lawyers should consider using “burner” phones, and avoid taking client confidential information across borders.

The ACLU and EFF’s lawsuit, in Massachusetts district court, alleges violations of the First and Fourth Amendments on behalf of 11 plaintiffs whose electronic devices were searched as they reentered the U.S.  None were subsequently accused of any wrongdoing.

The plaintiffs include journalists, students, an artist, a NASA engineer and a business owner — but no lawyers.  Despite the absence of lawyers from the roster of plaintiffs, the client confidentiality issues are obvious, and have received a lot of notice.  See here for the New York Times story on the lawsuit, and here and here for commentary on the N.Y. City bar ethics opinion.

I’d be interested in hearing whether lawyers have personal experience with border searches of their electronic devices.

Stay tuned for additional developments on this issue.