New CBP Directive on Search of Electronic Devices and How to Ensure Ethical Responsibility Over Confidential Information
A Revised CBP Directive Governing its Authority to Search Electronic Devices and How to Maintain Ethical Integrity as an Attorney in Safeguarding Confidential Client Data
In the continuous effort to strike a balance between its onus of protecting national security and confining its practices to those allowed by statutory and constitutional law, on January 5th, 2019, U.S. Customs and Border Protection issued its first directive governing border searches and electronic devices since the 2009, approximately a decade prior.
Due to the wide authority consigned to CBP in conducting its searches at U.S. ports of entry as long upheld by judicial decrees in cases concerning such authority, it is imperative that law practitioners be aware of CBP practice both generally and as contained in the updated directive in order to continue to best protect client information if ever faced with such a search.
Changes Introduced by the New CBP Directive
CBP enjoys an expansive breadth of authority concerning its ability to search and inspect the contents being conveyed across U.S. ports of entry, including data stored on electronic devices. While it’s worthy of note that the number of searches has been on the increase, CBP examines less than one-hundredth of one percent of travelers entering the U.S. Nonetheless, due to the wide discretion given to CBP officers in their ability to conduct searches, attorneys with the responsibility to protect privileged client information should embrace all reasonable preparedness at the possibility.
The updated directive includes noteworthy practice guidance concerning the inspection of electronic devices that affected law practitioners should be aware of, including:
Continuation of existing policy prohibiting CBP officials from purposefully accessing information that is stored remotely – that is, the only data that is open for scrutinization is that which is stored on the device, thereby excluding information stored by means of software such as the cloud. To avoid the access of information stored remotely, the traveler may disable connectivity. CBP can also disable network connectivity when dealing with issues of national security. In fact, CBP officers are instructed to ensure that that network connectivity is disabled so as to limit access to remote systems.
A distinguishing between “basic” and “advanced” searches, an “advanced” search being any search in which the CBP officer connects external equipment to the device in order review, copy, or analyze its contents. In order to conduct an advanced search, it is required that CBP have reasonable suspicion of unlawful activity or demonstrate the existence of matters concerning national security.
Limits to the review of information protected under attorney-client privilege. Regarding such matters of confidentiality, CBP is directed to request clarification – ideally in writing – from the individual asserting the privilege with concern to specifically which files, file types, folders, or categories of information may be privileged. The privileged information is to then be segregated by a designated “Filter Team” made up of legal and operational personnel whose responsibility it is to oversee the information’s appropriate handling.
The requirement for travelers to present electronic devices and the information they contain in such a fashion that allows inspection thereof, with the allowance that CBP officers may request the individual’s assistance by means of providing passwords or other keys for access. If the device cannot be accessed so that the inspection may be completed, CBP has the authority to detain the device pending determination of admissibility.
Furthermore, CBP may detain an electronic device or copies of information for a reasonable span of time required to perform the search. However, supervisory approval is required to continue the search if the traveler has since departed the port of entry.
CBP may also request technical assistance to access and search the electronic device. There are no specified limitations delineating what may constitute such technical assistance or what its source may be. CBP may also request additional expertise in the form of “subject matter assistance” if it is decided within reasonable suspicion that laws enforced by CBP have been violated, as well as in matters of national security.
Additional Useful Information Surrounding the Directive and CBP Practice
Perhaps most important for the law practitioner possessing sensitive information with concern to clientele is that, while there are safeguards protecting the sanctity of attorney-client privilege, it is still the responsibility of the traveler to assert this privilege and the materials it covers. If this assertion is made, the information on the device in question would have to be assessed by a remote team of experts and would likely involve confiscation of the device.
There are virtually no exceptions to CBP’s authority to search electronic devices. CBP policy solely dictates that, should an assertion of privileged information be made, the officer by whom the search is being conducted is to consult with the local Associate or Assistant Chief Counsel or U.S. Attorney’s Office before any further actions concerning the search are taken.
The following are also useful items of note concerning the authority granted to CBP and its methods of exercising it:
CBP relies on 8 USC §1357(c) and other provisions for its authority to conduct warrantless searches of personal effects so long as the officer has “reasonable cause” to suspect that grounds for the denial of admission exist. These grounds, if applicable, would be disclosed by the search.
CBP officers are authorized to transmit electronic devices or copies of the information that they contain to other federal agencies only in cases in which they have reasonable suspicion that laws enforced by CBP have been violated.
CBP has the authority to search and inspect any persons, baggage, or merchandise that arrives at a U.S. port of entry, including electronic devices and at the request of other government agencies.
If a CBP officer cannot at the time determine whether or not an electronic device is admissible, the officer may detain the electronic device. In cases such as these, officers are to provide the traveler with a custody receipt.
CBP does not hold that it is required to inform travelers of their right to withhold information such as passwords, PINs, or other keys to facilitate access to an electronic device, and believes that inspection of electronic devices does not require the consent of the traveling owner. CBP holds requests for passwords or PINs as analogous to requests to open a briefcase or purse. On a related note, U.S. citizens will not be denied entry because of such refusals to provide these means of access.
Upon CBP’s completion of reviewing the contents of an electronic device, copies of materials maintained by CBP and determined to be privileged will be destroyed with the exception that the materials are indicative of an imminent threat to national security.
Guidance for Attorneys Whose Practice Requires the Protection of Confidential Client Information
In the most general and obvious sense with concern to CBP’s almost unmitigated authority in conducting searches of personal effects when one is entering the U.S., attorneys should be aware of all privileged materials they are transporting in such scenarios and should be sure to educate clients on their personal need to assert the privileged nature of any communications contained on their own devices upon entering such circumstances.
More specifically, as per the American Bar Association (ABA) as well as direct guidance promulgated by the New York City Bar Association’s Ethics committee, attorneys should be mindful to address the protection of client data (1) before approaching a U.S. port of entry, (2) when a U.S. border officers ask to review information on their electronic device, and (3) after the officer’s review of sensitive information. Attorneys should also be sure to carry identification regarding their attorney status and notify clients of any disclosure of confidential information to a third party if it occurs.
The following practices could also prove extremely useful in adopting as a means to safeguard confidential client information:
Use of temporary or travel laptops stripped of local documents and client information. Necessary documents can be accessed through a law firm VPN, cloud-based document storage, and other such services.
More generally just use Software as a Service (SAAS) – software housed on the internet.Use of temporary mobile phones devoid of client contacts and other client information. Clients can be requested to use an office number while on travel, which is forwarded to the new cell phone number that remains unpublished.
Travel with a bare or “forensically clean” computer.
Turn off the computer at least 5 minutes before reaching the inspection point so as to bar access to the Random Access Memory (RAM).
Back up data before crossing.
Use a different user account to hold sensitive information.
Make utilization of strong encryption and complex passwords.
Partition and encrypt the hard drive.
Protect the FireWire data port.
Clean laptops or phones once they are returned.
Wipe smartphones remotely.
Most importantly, in light of all the information above and one’s ethical duties as a law practitioner, it must be remembered that attorneys are required as part of their professional responsibility to take all reasonable measures in advance to avoid disclosing confidential information, this case being the potential scenario in which a border officer attempts to search one’s electronic devices.