Lawyers and Border Searches: What Should a Lawyer Crossing a Border Do?

Emily Voshell had a very helpful post on this blog recently about a case in federal court in Massachusetts challenging the government’s approach to border searches of electronic devices.

Generally speaking, when you cross a border you have fewer Fourth Amendment protections from a search than you do if you’re in your home, office, or car. The federal court in Massachusetts may narrow what the government can do, but, for now, you have dramatically fewer protections when you cross a border.

At the same time, virtually every lawyer traveling for business will carry a laptop and a smartphone. And phones and laptops contain vast amounts of client data.

A lawyer has a duty to take reasonable steps to keep client confidences. ABA Model Rule 1.6(c) says that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.” In the wake of increased concern about cybersecurity, the ABA released ethics opinion 477 which says, among other things, that a lawyer has a duty to take reasonable steps to prevent client confidence or privileged material from being accessed by others, and has a duty to keep up to date on when and how that may foreseeably happen.

Lawyers, therefore, have a duty to think about how to protect the client data that they have from being searched by Homeland Security when they cross a border.

So what’s a lawyer traveling internationally to do?

Happily, the ABA recently had a meeting in Vancouver, British Columbia. Anticipating that hundreds of American lawyers would go through U.S. border control on the way home, the ABA issued an advisory telling lawyers what they ought to do as they cross the border into the United States. If you’re traveling internationally and you’re a lawyer, you’d do well to read the advisory.

The watch word for all of this is that you should do what’s reasonable to protect confidential information. Different clients may have different cybersecurity needs. If you have a practice where you do real estate closings, the steps you take to protect your clients’ information may be different than the steps you’d take if you representing clients who are actively under investigation by the U.S. intelligence community. It does appear that U.S. Customs is not investing time in randomly searching devices – if they’re looking at your laptop, it may be because they think there’s something on it that they’re interested in. This can reasonably affect your decisions about what steps to take.

In a nutshell, here are some things you should think about doing before you travel internationally:

  • Think about whether you need to have a device that contains client information when you cross the border. If you can do without that device, just don’t bring it.
  • Minimize the number of files that contain client information on your devices as you cross the border. For example, if you have Outlook on your phone, you can delete it then reinstall it after you cross the border. If you have documents on a cloud server that sync to your laptop, you can take them off of your device and resync after you cross the border.
  • Bring a burner laptop and/or phone that doesn’t have client confidences on it.
  • Encrypt your client files before you cross the border so that they can only be accessed with a password. (although see below on what happens if you refuse a demand for the password)
  • Disconnect your device from the internet (whether through WiFi or a cellular connection)

If you are stopped by Homeland Security and they decide to search your devices, know that they have a process for handling information that may be privileged. The directive is here (Section 5.2 is the one you want to read). Homeland Security is supposed to respect the privilege and set up a taint review process, similar to what the Department of Justice does if it gets potentially privileged information when executing a search warrant. To get the benefit of this directive, you should:

  • Identify yourself as a lawyer and tell the border officer you have client confidences on your device. You may want to have something on you that buttresses that claim, like a bar card or a business card.
  • Identify what files, emails, email addresses, etc. may be privileged on your devices. You probably want to think through this before you come to the border.
  • Be clear on whether the officer is making a request or a demand for, say, a password. If the officer is making a demand, you’re likely not going to get the device back until you do what he’s demanding. Though, depending on the device and the data, that may be your only option to comply with your professional duties.
  • If you’re subject to a search, think about whether you need to notify your clients. Depending on the data and the search, you may need to.

All of this is a massive pain. I wouldn’t be surprised if most lawyers crossing the border don’t do much of this. Though, of course, that’s no reason not to do it.

Finally, all of this guidance has to do with crossing a United States border. If you read the ABA’s guidance before the Vancouver meeting closely, you’ll notice that there isn’t much discussion about what happens when you cross the border into Canada. If you’re going to another country, you may want to spend a few minutes looking into what protections your client data needs when you cross that border.

It’s a shrinking world. For many of us, it’s now routine to have clients all over the world.

We just have to protect our client information when we do.

May 28, 2019