Data Security

What Should Attorneys Do at Border Crossings to Protect Client Information?

Published: Jul. 28, 2017

Updated: Oct. 05, 2020

Earlier this summer, the Secretary of the Department of Homeland Security announced a series of heightened aviation security measures for commercial flights in-bound to the United States, including “enhanced screening of electronic devices.” Increased U.S. government scrutiny of electronic devices raises privacy concerns for every day passengers traveling to and from the United States. Increased searching of electronic devices raises special issues for lawyers, journalists, and others who may owe a heightened duty of confidentiality to others whose data they may be storing on their devices.

Exactly how these heightened security measures can and will be carried out is currently being debated. Support for border searches comes from Supreme Court precedent recognizing strong executive authority at the border, under the “border search doctrine.” Border searches are warrantless searches of personal effects at the international border. Courts have recognized a difference, however, between “routine” and intrusive searches. More intrusive searches, like a forensic examination of a personal electronic device, require reasonable suspicion that the person entering the country has committed a crime. When, exactly, the search rises to the level where a warrant is required is an issue currently on appeal to the Fourth Circuit Court of Appeals. We expect that courts will continue to be called on in the months and years ahead to further distinguish between whether government agents can demand incoming travelers to provide passwords (such as device, social media, and de-encryption passwords), or access to communications apps accessed through their personal device.

Recognizing that being subject to such a search at the border raises special issues for attorneys, the Association of the Bar of the City of New York Committee on Professional Ethics released on July 25, 2017, Formal Opinion 2017-5, detailing An Attorney’s Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients’ Confidential Information. The opinion advises attorneys that they need to take “reasonable steps” to protect confidential client data, including when at the border. The advice takes two approaches. First, the Bar recommends that attorneys take reasonable steps to secure confidential client data, which can include both avoiding storing client data on a device itself, and restricting access to data stored in the cloud. To that end, attorneys should take reasonable steps to protect client data when traveling, including, but not limited to, measures such as using devices specifically configured for travel, not storing sensitive data on the device itself, turning off “sync” functions for data stored in the cloud and otherwise “signing out” of cloud-based services, and uninstalling applications. Second, attorneys should affirmatively communicate to border agents who are seeking access to a device that the device contains protected client communications. Steps attorneys can take to assist in this communication include carrying a bar membership ID form and business card, and, if the agent persists, asking the agent to elevate the request to a supervisor.

The advice does not cover every scenario, but makes clear that bar associations are thinking about these issues and lawyers should not cross borders without thinking about what might happen to client data if they are subject to search and taking steps to prepare for that possibility. Advice like this confirms that law firms should also train attorneys so that, regardless of whether they are traveling for business or pleasure, they know what to say and do when they cross borders and what their rights and their clients’ rights are.