- Lawyers cross borders frequently and carry with them a variety of electronic devices on which client information might be stored.
- Practitioners should be aware of certain recent developments involving searches by government agents of electronic devices.
- They must also understand their impact on pertinent professional obligations.
Early into the Obama Administration, the U.S. Customs and Border Protection (CBP) and Immigration and Customs Enforcement (ICE)—both agencies within the Department of Homeland Security (DHS)—adopted policies to search, sometimes seize, and review the content of electronic devices at U.S. border crossings. Since the inception of the program, the numbers of these searches have steadily increased from approximately 8,500 in 2015; 19,000 in 2016; and 30,000 in 2017. To put these numbers into context, however, even this dramatic increase accounts for only 0.007 percent of the 397 million travelers (including both U.S. and foreign nationals) who crossed the border during the 12-month period ending September 30, 2017, according to a recent article. As reported elsewhere, over 80 percent of devices searched belonged to foreigners or legal permanent residents.
These searches and seizures are carried out without a warrant or any individualized suspicion—much less probable cause—that a traveler has done anything wrong. On the other hand, these searches have been instituted to vindicate national security concerns. Thence arises the delicate constitutional question of balancing that governmental interest against individual rights. Some courts have permitted routine border searches of travelers’ computers and other electronic devices as an exception to the Fourth Amendment prohibition against warrantless searches without probable cause. See, e.g., United States v. Cotterman, 709 F.3d 952, 960–61 (9th Cir. 2013) (en banc); Abidor v. Napolitano, 990 F. Supp. 2d 260, 277–82 (E.D.N.Y. 2013). Nevertheless, even in Cotterman, the Ninth Circuit concluded, en banc, that an intrusive forensic search of a computer hard drive is not “routine” and therefore requires reasonable suspicion to be constitutionally permissible. 709 F.3d at 960–68.
Electronic devices belonging to lawyers raise additional concerns—namely, the attorney-client privilege, the work product doctrine, and the confidentiality of lawyer and client communications (as required by Model Rule of Professional Conduct 1.6) to the extent that any information protected by any or all of these is maintained on any such electronic devices.
Recent Litigation Challenging Border Searches
On September 13, 2017, a lawsuit was filed in Boston against the federal government nominally on behalf of 11 travelers whose smartphones and other electronic devices were searched without a warrant at the U.S. border. The real proponents of the litigation, as made clear on the website of the American Civil Liberties Union (ACLU), are the ACLU, the Electronic Frontier Foundation, and the ACLU of Massachusetts. The named plaintiffs are 10 U.S. citizens and one permanent resident who come from different geographic locations and disparate backgrounds. Defendants are the leaders of DHS, CBP, and ICE. Alasaad v. Duke, No. 1:17-cv-11730-DJC (D. Mass., filed Sept. 13, 2017).
The case seeks to expand into the realm of border searches in the Supreme Court’s ruling in Riley v. California, 134 S. Ct. 2473 (2014), which recognized a significant privacy interest in digital data and held that police may not conduct warrantless searches of the cell phones of the people they arrest. The complaint in Alasaad also challenges prolonged confiscations—which sometimes last for weeks or months at a time—of travelers’ electronic devices without probable cause.
On December 15, the government moved to dismiss the complaint for lack of standing. The argument is that plaintiffs assert merely a general risk of injury from the remote possibility that their electronic devices may be searched in the future, and that the assertion that the government has retained information from electronic devices is conclusory and based on no factual allegations in the complaint that would support such a conclusion. Opposing the motion in a January 26 filing, plaintiffs argue that they have standing because of the substantial risk of future injury, and independently that standing exists to seek “expungement” of information retained by the government from prior unlawful searches. As of this writing, no decision on the motion has yet been issued.
Recent Revisions to CBP Policy
On January 4, 2018, CBP issued a revised policy governing border searches of electronic devices. As it affects issues of privilege, section 5.2 of the new policy represents a distinct improvement over the previous policy (though probably not yet sufficient to be completely satisfactory to the ABA):
- When examining data on a device, CBP officers are now required by section 5.1.2 of the new policy to avoid accessing data stored remotely (e.g., in the Cloud) when they conduct device searches. To accomplish this, that section provides that the officers will either request that the traveler disable connectivity to any network (e.g., by placing the device in airplane mode), or they will themselves disable network connectivity where warranted by national security, law enforcement, officer safety, or other operational considerations. Note also that if a device is encrypted, section 5.3.1 of the revised policy requires travelers to unlock or decrypt their electronic devices and/or provide their device passwords to border agents.
- CBP officers must now consult with the CBP Associate/Assistant Chief Counsel’s Office before searching devices allegedly containing privileged or work product protected information. (Section 5.2.1 of the prior policy required such consultation only when (A) the devices contained materials that appeared to be “legal in nature” or that were claimed to be protected by the privilege or work product and (B) the border officer suspected that the material “may constitute evidence of a crime or otherwise pertain to a determination within the jurisdiction of CBP.”).
- CBP officers and lawyers are now required to seek clarification from the individual asserting the privilege as to the specific files, attorney or client names, or other particulars that may assist the agency in identifying the privileged information, and requires CBP to segregate the privileged materials from the other materials on the device and ensure the privileged materials are handled appropriately, all through the use of a filter team consisting of legal and operational representatives of the agency.
- Any privileged materials that are copied by CBP must be destroyed at the end of the review process, unless the materials indicate an imminent threat to homeland security, or copies of the materials are needed to comply with a litigation hold or other requirement of law.
- The new policy distinguishes a “basic search” of an electronic device, which may be conducted with or without suspicion, from an “advanced search” (defined as one in which an officer connects the device to external equipment to review, copy, and/or analyze its contents), which may only be conducted if there is reasonable suspicion of unlawful activity or a national security concern. Although not explicit in the new policy, this particular requirement may be a reaction to federal court decisions such as Cotterman, holding that an intrusive “forensic search” of a computer hard drive is not “routine” and requires reasonable suspicion to be constitutionally permissible.
- Note that CBP’s revised policy (section 2.7) expressly does not apply to searches by ICE, even when CBP transfers devices to ICE for a search.
As of this writing, ICE has not revised its own policy, so its prior policy remains in force. ICE’s policy authorizes searches of electronic devices with or without individualized suspicion and, unlike CBP’s revised policy, does not contain enhanced protection or consultation procedures for information claimed to be privileged or confidential and does not prohibit Cloud searches.
Pertinent Ethical Obligations
Lawyers should consider whether consenting to a device search by a CBP or ICE agent is compatible with their professional responsibilities. Obviously, a lawyer must advise such agents of the existence of any privileged material on the device in question. In addition, key provisions of the Model Rules of Professional Conduct are summarized below in chronological order. Be sure to consult the versions of these rules in each jurisdiction in which you are admitted to practice.
Competence. Model Rule 1.1 imposes the requirement of competence. Comment  adjures lawyers to “keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology . . . .” Moreover, a 2011 formal opinion of the Standing Committee on Ethics and Professional Responsibility (the Ethics Committee) observes that implicit in the obligation of competence is acting “competently to protect the confidentiality of clients’ information . . . .”
Communicating with Clients. As a general proposition, Model Rule 1.4 requires a lawyer to keep clients informed about the status of their matters, as well as about any matters as to which informed consent (as defined in Model Rule 1.0(e)) is required. Explaining to clients the risks of search of electronic devices containing their confidential or privileged information and obtaining informed consent in advance is, for a lawyer planning cross-border travel, a possible solution. It is not necessarily a reliable solution, however, because some clients might not consent and, even for those that do, questions could arise later about the adequacy of the lawyer’s explanation of the risks involved. In the absence of any such client consent, if information relating to a representation is disclosed during a border search, the lawyer should ascertain whether the rules in the jurisdictions where the lawyer is admitted require advising the affected client. Note in this regard a 2017 opinion of the New York City Bar Association (the NYCBA Opinion), which concludes that the lawyer must inform affected clients about such disclosures.
Confidentiality. Model Rule 1.6 is the most important ethical requirement in this context. Paragraph (a) prohibits revealing “information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted by paragraph (b).” We have already discussed informed consent, and it’s extremely unlikely that border inspection disclosures would ever be “impliedly authorized” within the contemplation of the rule. Paragraph (b) does permit (but does not mandate) disclosure “to the extent the lawyer reasonably believes necessary” under specified circumstances, including (b)(6), “to comply with other law.” The phrase “other law” generally refers to statutory or regulatory requirements, such as the requirement of the Internal Revenue Code that cash transactions over $10,000 be reported to the I.R.S.
Comment  tells us, somewhat unhelpfully, that whether such “[other] law supersedes Rule 1.6 is a question of law beyond the scope of these Rules.” Regulations and official policies of a federal agency normally preempt inconsistent state law, so the odds are that the border search policies of CBP and ICE do, in fact, supersede Rule 1.6(a), but no ethics opinion has as yet so concluded, and no court has as yet so ruled. Comment  goes on to say that when disclosure is required by “other law,” “the lawyer must discuss the matter with the client to the extent required by Rule 1.4.” That is fine in the context of a court order or a subpoena, where there is time and opportunity for such consultation, but barring advance consent under Rule 1.4, it is unlikely as a practical matter that the lawyer whose electronic devices are searched or impounded at the border will be able to consult any client. A 2016 Ethics Committee opinion deals with disclosure under Model Rule 1.6(b)(6) in the context of a subpoena or court order and takes the position that when a client is not available for consultation, a lawyer must (i) assert all reasonable claims against disclosure and seek to limit the subpoena or other initial demand on any reasonable ground, and (ii) consistent with the language in the chapeau of 1.6(b), reveal information only to the extent reasonably necessary.
More specific advice is provided in the border search setting by the NYCBA Opinion. Acknowledging that Rule 1.6(b)(6) “permits a lawyer to comply with a border agent’s demand, under claim of lawful authority, for an electronic device containing confidential information during a border search,” including a demand that the attorney unlock the device to facilitate such a search, the opinion cautions that “compliance is not ‘reasonably necessary’ unless and until an attorney undertakes reasonable efforts to dissuade border agents from reviewing clients’ confidential information or to persuade them to limit the extent of their review.” If confidential client information is, in fact, disclosed during a border search, the NYCBA Opinion requires that “the attorney must inform affected clients about such disclosures pursuant to Rule 1.4.”
Rule 1.6(c) applies to “inadvertent or unauthorized disclosure of, or unauthorized access to” confidential client information. Given the requirements of competence in Model Rule 1.1, disclosure to border agents pursuant to established CBP and ICE policies cannot be regarded as “inadvertent” but will almost always be “unauthorized” by the client. Comment  says these kinds of disclosures are not a violation of 1.6(c) “if the lawyer has made reasonable efforts to prevent the access or disclosure.” What constitutes reasonable efforts in this unusual, compulsory context is not completely clear, but Comment  identifies certain factors to be considered:
the sensitivity of the information, the likelihood of disclosure if additional safeguards are not employed, the cost of employing additional safeguards, the difficulty of implementing the safeguards, and the extent to which the safeguards adversely affect the lawyer’s ability to represent clients (e.g., by making a device or important piece of software excessively difficult to use).
As food for thought, note also that certain clients, particularly sophisticated clients, may require their lawyers to employ special security measures beyond what the rule itself would require.
Supervisory Responsibilities. Even law firm partners who are not crossing borders with electronic devices are not off the hook. For lawyers who exercise, either individually or together with law firm colleagues, managerial authority in the firm, Model Rule 5.1 requires them to “make reasonable efforts to ensure” that supervised lawyers “conform to the Rules.” Model Rule 5.3 contains similar requirements with respect to employed, retained, or associated nonlawyers (e.g., paralegals). Taken together, these provisions suggest that law firms put in place policies addressing the efforts junior lawyers and nonlawyer legal professionals working for the firm should make to preserve client confidential information when traveling with electronic devices.
Some Concluding Observations
Uncertainties abound here. For one thing, the statistics at the beginning of this article show that the likelihood a lawyer’s electronic devices will be searched or seized is quite low. (Recall that Comment  to Rule 1.6 identified as a factor in assessing the reasonableness of safeguards the likelihood of disclosure if those safeguards are not employed). For another, it is entirely possible—at least under the recently revised CBP policy—that advising a border agent of the existence of confidential or privileged information on a device will be sufficient to cause them to segregate any such information from examination.
Pace such palliatives, the cost of additional safeguards is quite low (another factor identified in Comment ), and it is important for a lawyer to be fully prepared for such searches. The following are worthy considerations by any lawyer anticipating cross-border travel:
- Consider whether it is necessary to bring with you any electronic device containing confidential or privileged information. (If you’re going on vacation, stop being a workaholic automaton and leave the device behind).
- If you must bring one or more portable electronic devices along, make sure each one is thoroughly scrubbed of all privileged or confidential information. Merely deleting files may not be adequate to remove them completely. The device will still enable you to work on affected matters because it may be used from abroad to access confidential information remotely that is maintained on law office e-mail, databases, or in the Cloud without having the actual files stored on the device.
- Consider acquiring an electronic device exclusively for use during foreign travel and avoid, to the maximum extent possible, placing confidential or privileged information thereon.
- Merely encrypting privileged or confidential information on a device is no guarantee of its remaining confidential. Remember that border agents may demand that you provide password or other decrypting information, and failure to do so can lead to your device being seized and detained for a period of time.
- Familiarize yourself in advance with the pertinent ethics rules and opinions of each jurisdiction in which you are admitted in order to ascertain whether you may ethically consent to a request (or demand) to inspect your device(s) and, if a device is inspected, whether you are required to advise each client whose information was subject to inspection.
- If your client or any jurisdiction in which you are admitted requires you to take extra steps to safeguard the confidentiality of information on a portable electronic device, be sure you have fully complied with those requirements in advance of travel.
- Finally, be cognizant of the location and content of all privileged and confidential information on each device you bring across the border, and be prepared when advising a CBP or ICE officer of the existence of privileged or confidential information to identify for the officer specific files or categories of files, names, phone numbers (in the case of a mobile phone), and e-mail addresses of clients or lawyers associated with confidential or privileged information on the device, and any other information that will help the officer segregate such information.