Travel Days May Be Postponed, But When it Comes Back, Be Prepared to Protect Sensitive Data
While travel may be currently stalled due to COVID-19 concerns, as soon as travel resumes, border controls and restrictions will likely increase. Often, the phrase “border search” produces thoughts of seeking and seizing a physical object. However, many searches involve searching a computer, and not just the actual hardware. Remember, border searches can be random and unanticipated. Any traveler, even one with special clearances (like TSA pre-check), can be subjected to a broad range of searches at an international border. Chances are that many lawyers travel with at least one device containing sensitive client data, especially if the purpose for traveling is work-related. What happens if a U.S. border agent performs a search of your electronic devices? A border search is a scenario where compliance with law enforcement and the ethical duties to clients intertwine. Luckily, for New York lawyers, the New York City Bar tackled this issue recently in Formal Opinion 2017-5, which posed the following question:
What are an attorney’s ethical obligations with regard to the protection of confidential information prior to crossing a U.S. border, during border searches, and thereafter?
As is common with legal ethics, the answer to this question is “it depends.” The opinion reminds New York lawyers that they need to take certain steps when crossing the border with devices containing confidential client information since a U.S. border agent may search the device. Being proactive about safeguarding client data is crucial to maintaining the integrity of the attorney-client relationship. Lawyers should always bring their bar card to the airport to verify their profession in the event of a search. Other steps lawyers need to take will vary and be subject to the “reasonableness” standard instead of an absolute mandate. The opinion pointed out:
“Given the rapid pace of technological development and the disparities between the practices, capabilities, and resources of attorneys, it would be difficult or impossible to identify a list of minimum mandatory prophylactic or technical measures for an attorney to adopt before crossing the U.S. border. Not only would such a list run the risk of quickly becoming obsolete, but it would also be of limited use, since “reasonableness” standards are not amenable to a one-size-fits-all analysis.”
Ethical Responsibilities of Traveling with Sensitive Data
Before embarking on international travel, lawyers need to make reasonable efforts to prevent disclosure or unauthorized access to confidential client data. First, evaluate the need to bring the information over the border. If there is no need to bring the information along, then leave it. Otherwise, only bring what is professionally necessary. For example, if traveling for a deposition they should only bring the data needed for the specific case and witness. Lawyers should also try to avoid keeping highly sensitive data on devices during travel unless there is no alternative. Most of the time, lawyers will not need to carry confidential client data for personal travel. However, for work travel they will inevitably need to carry devices with client data over the border. Limiting this data is crucial.
Limit the Risk of Disclosing Confidential Client Data While Traveling
If leaving the information behind is not an option, lawyers need to determine what safeguards to implement in order to avoid or limit the risk of disclosing confidential client data during a border search. The easiest thing to do is to gain informed consent from clients to allow disclosure in the event of a border search. However, many clients will not feel comfortable with agreeing to disclosure. As such, lawyers should take steps before travel to limit and secure data, such as deleting information from devices, turning off cloud apps, signing out of accounts, and uninstalling apps that provide access to client data. More involved and costly steps include using technological solutions to allow remote access to data without creating local copies, storing confidential data on remote servers, and encrypting devices to limit access.
The more sensitive the data is, the more safeguards lawyers should employ. For example, lawyers would need to take more steps to prevent disclosure of their clients’ trade secrets than they would for emails with a client about the outcome of a court ruling. The amount of harm a border search could cause is also a factor to consider. Depending on the situation, border agents have the power to search files on devices, request passwords for access to accounts, copy files, and seize devices. While all disclosure of confidential client data is presumptively harmful, if a lawyer’s practice frequently involves having governmental agencies as opposing parties there would obviously be higher client concern and greater risk of harm from exposure. Such a situation would require executing some more involved methods to protect client data. As always, cost and burden will weigh into the decision about what safeguards to implement.
Ethical Responsibilities During and After a Border Search
Once a border agent requests access to a device, lawyers should take additional steps to prevent or limit disclosure. Some steps include trying to dissuade the border agent by explaining that their device contains confidential client data, asking that they limit the search to exclude confidential files, and requesting to speak to a supervisor before moving forward. If the agent still requests access after this, a lawyer can ethically comply with the request because they have done all they could to reasonably avoid disclosure. The opinion notes: “While legal challenges in court might be made to the relevant law or its application, it would be an unreasonable burden to require that attorneys, having made reasonable efforts to protect clients’ confidential information, forgo reentry into the U.S. or allow themselves to be taken into custody while litigating the lawfulness of a border search.” However, after the American Bar Association (“ABA”) expressed concern about these searches in 2017, border agents now recognize the significance of legal privilege and take extra steps to either avoid or handle these searches more carefully.
After all this, if a lawyer ends up disclosing confidential client data during a border search, they must promptly notify all affected clients. Lawyers must keep in mind that if they failed to take reasonable steps to protect confidential client data, they may face ethical challenges. A client could report them to the bar and they could face license suspension or other discipline.
This opinion reminds New York lawyers about the importance of taking steps to keep client data safe in every scenario. Obviously, if a border agent lawfully requests to search information on a device, lawyers will need to comply but they must implement some of the measures noted above in order to avoid ethical violations if there is disclosure without informed consent. That is why preparation is of the utmost importance. Lawyers will not have time to call clients when a border search occurs and need to know how to handle such a situation. The key takeaways are to limit the client data on devices by bringing only what is professionally necessary, implement appropriate safeguards, explore alternative ways to access data remotely, notify border agents of any confidential data on devices, and be transparent with clients if a search does occur. Lawyers in other states should also take these precautions with client data and monitor whether their local or state bars issue opinions on this subject.