This week the New York City Bar has put out a very important, and I think very helpful, ethics opinion to address a real, practical concern for lawyers: what, if anything, can be done to protect confidential client information when traveling and crossing the border into the U.S.?
NY City Bar Formal Op. 2017-5 lays out the issue as follows:
An attorney traveling abroad with an electronic device (such as a smartphone, portable hard drive, USB “thumb drive,” or laptop) that contains clients’ confidential information plans to travel through a U.S. customs checkpoint or border crossing. During the crossing, a U.S. Customs and Border Protection (“CBP”) agent claiming lawful authority demands that the attorney “unlock” the
device and hand it to the agent so that it may be searched. The attorney has not obtained informed consent from each client whose information may be disclosed in this situation.
The opinion makes the point that with the change of administration such searches of travelers and their data has increased exponentially:
In recent years, searches of cell phones, laptop computers, and other electronic devices at border crossings into the U.S. have become increasingly frequent. According to the Department of Homeland Security, more than 5,000 devices were searched by
CBP agents in February 2017 alone. By way of comparison, that is about as many U.S. border searches of electronic devices as were undertaken in all of 2015, and just under a quarter of the
approximately 23,877 U.S. border searches of such devices undertaken in 2016.
The entirety of the opinion is worth a read to see how it offers its guidance about things a lawyer might do at the time of demanded search to protect client confidential information, and to hear its additional important message that lawyers have an obligation under RPC 1.4 to contact all affected clients after such a search takes place.
The aspect of it that I want to focus on, however, is to expand on some of the practical advice it offers as to things a lawyer could do before going through customs at the border to lower risk of disclosure. Particularly, this passage:
The simplest option with the lowest risk is not to carry any confidential information across the border. One method of avoiding the electronic transportation of clients’ confidences involves using a blank “burner” phone or laptop, or otherwise removing confidential information from one’s carried device by deleting confidential files using software designed to securely delete information, turning off syncing of cloud services, signing out of web-based services, and/or uninstalling applications that provide local or remote access to confidential information prior
crossing to the border. This is not to say that attorneys traveling with electronic devices must remove all electronically stored information. Some electronic information, including many
work-related emails, may contain no confidential information protected by Rule 1.6(a). Even when emails contain confidential information, the obligation to remove these emails from the
portable device before crossing the border depends on what is reasonable. As previously discussed, this turns on the ease or inconvenience of avoiding possession of confidential
information; the need to maintain access to the particular information and its sensitivity; the risk of a border inspection; and any other relevant considerations.
Now, as to that sentence about some work-related emails may not contain confidential information protected by RPC 1.6(a), it is worth remembering that New York has a different RPC 1.6(a) than most jurisdictions as it comes closer to retaining the old “confidences and secrets” regime. In most other jurisdictions, where RPC 1.6(a) covers any information related to representation of a client, then it is difficult to imagine any work-related email involving client matters that wouldn’t be protected as confidential under RPC 1.6(a).
And, for that reason, when I’ve had to help people try to work through this question, my advice has been consistent with what the New York City opinion is saying albeit perhaps stated more succinctly – delete the mail application from your smart phone until you get through the border. Then reinstall it. As long as your work email is stored on a server somewhere, then you should have no loss of data at all.
The only inconvenience caused is that for the time between deleting it and crossing through the border, you will have no access to email. Using the balancing factors compared to the risk of the violation of client confidences, this seems like a small inconvenience. Simply deleting the mail application for a period of time also has the benefit of not placing the lawyer in the position of trying to “reason” with customs officials and argue with them over whether they need to be doing what they are doing.
As to other kinds of electronic data, the solutions are not as simple as with email. Text messages are particularly concerning as deleting those or removing access to those from your device for even a short period of time would result in the loss of that data. Generally speaking, the New York City opinion does a good job at explaining some of a lawyer’s options. One option that the opinion doesn’t exactly spend a lot of time discussing is obtaining the consent of clients in advance. One potential way of doing so could be standardizing provisions into engagement letters with clients to address this topic.
This unfortunately appears to be a topic that will only become more difficult to deal with for lawyers who travel frequently. As an example, within the last month there have been stories in the media that Homeland Security is contemplating requiring all reading material be removed from carry on and put in bins for the purpose of potential review by TSA agents. Travel is already a stressful endeavor, but as a lawyer if that were to come to pass there would be almost no way to take anything on a flight to have or review without running a real risk of loss of client confidentiality.