MCLE Self Study

By Scott B. Garner

Garner

California lawyers who travel through airports – and particularly those who travel through any of California's eight international airports – must be aware of certain risks tied to our nation's heightened security concerns. The scenario is not hard to picture. A California lawyer, tired after three days of meetings, is arriving into SFO from Montreal late at night, with a short layover before continuing to LAX. After retrieving her suitcase, she heads for the shortest customs line, carrying not only the suitcase, but also her laptop. The Customs and Border Protection ("CBP") officer asks her to take her laptop out of her bag and turn it on. She follows his instruction and the screen lights up and arrives at a sign-in page asking for a password. The officer tells her to enter the password. The lawyer is about to do so when she begins to think about the client information contained on her laptop, including highly confidential information about the meeting she just attended as well as trade secrets and patent portfolios of other clients. She smiles at the officer and politely tells him that she cannot enter the password because she is a lawyer and the laptop holds privileged and confidential client information. The officer repeats his directive and adds that if she does not enter the password he may be required to seize the laptop and detain her until a supervisor is brought in to assess her objection. In thinking about her situation, the lawyer considers that her connecting flight is boarding in 20 minutes, and it is the last flight out that evening.

This scenario, of course, is not unique to lawyers. Physicians, psychotherapists, clergy, among others, may carry information about third parties (patients, parishioners, etc.) that is protected by law as privileged and confidential. See, e.g., Cal. Evid. Code §§ 994, 1014, 1033. Nor is this hypothetical scenario something that is new – travelers through international airports for some time have been subject to potential search and seizure. But the search and seizure of a laptop or other mobile device seems more likely now than ever before, and, accordingly, lawyers would be wise to have a plan in place if and when they travel internationally.

The Fourth Amendment and searches and seizures

The Fourth Amendment to the U.S. Constitution provides:

The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

See Arizona v. Gant, 556 U.S. 332, 338 (2009) ("'[S]earches conducted outside the judicial process, without prior approval by judge or magistrate, are per se unreasonable under the Fourth Amendment.'") (quoting Katz v. United States, 389 U.S. 347, 357 (1967). The Fourth Amendment's protections have been held to apply to cell phones and other mobile devices. See Riley v. California, 134 S. Ct. 2473, 2494-95 (2014).

With limited exceptions, law enforcement cannot raid a lawyer's office and confiscate client files absent a warrant issued by a court because the Fourth Amendment prohibits such warrantless searches and seizures. Those same protections, however, do not apply at the border, including at international airports, where CBP officers are empowered to search and seize without a warrant or other court oversight. See United States v. Flores-Montano, 541 U.S. 149, 152 (2004) (noting that the government's "interest in preventing the entry of unwanted persons and effects is at its zenith at the international border"); United States v. Ramsey, 431 U.S. 606, 616 (1977) (noting government's interest in border search cases is "the long-standing right of the sovereign to protect itself by stopping and examining persons and property crossing into the country"); but see United States v. Cotterman, 709 F.3d 952, 960 (9th Cir. 2013) ("Even at the border, individual privacy rights are not abandoned but '[b]alanced against the sovereign's interests.'") (quoting United States v. Montoya de Hernandez, 473 U.S. 531, 539 (1985)). That power extends over all individuals passing through the U.S. borders, including at international airports, whether or not the individual is a U.S. citizen, and whether or not the individual is suspected to have committed a crime.

The power to search and seize at the border has been held to apply to mobile devices. See United States v. Arnold, 533 F.3d 1003, 1008 (9th Cir. 2008) (holding that "reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border"). Cases have not been consistent on what an officer may do with a mobile device once it is seized, and at least some courts have placed restrictions on the government's ability to conduct forensic analysis to review confidential information contained on a device. See Cotterman, 709 F.3d at 961 (holding that CBP may review computer files without reasonable suspicion, but may not conduct "forensic examination" of a computer without reasonable suspicion).

The duty of confidentiality and the attorney-client privilege

Although all states provide both evidentiary and ethical protections for confidential client communications and information, no state is more protective of client secrets than California. Business and Professions Code section 6068(e)(1) provides the statutory duty of confidentiality, mandating that it is the duty of a lawyer in California "[t]o maintain inviolate the confidence, and at every peril to himself or herself to preserve the secrets, of his or her client." (emphasis added). A lawyer's duty of confidentiality is broader than the attorney-client privilege, which protects only confidential attorney-client communications. See Cal. Evid. Code § 954. Indeed, the duty of confidentiality protects not only confidential communications, but also information derived from any source (not just from the client), and even protects information that is otherwise publicly available. See In the Matter of Johnson , 4 Cal. State Bar Ct. Rptr. 179, 189 (2000); Cal. State Bar Formal Opn. No. 2016-195. Moreover, a lawyer's duty to keep her client's secrets continues even after the representation has terminated. See Oasis West Realty, LLC v. Goldman, 51 Cal. 4th 811, 822-23 (2011); Cal. State Bar Formal Opn. No. 2016-195. As a result, far more client information is considered a secret, subject to the duty of confidentiality, than many lawyers may assume.

Years ago, a lawyer might carry one or several hard copy client files in her briefcase. The lawyers' duty of confidentiality of course required the lawyer to take precautions to avoid having those client files fall into unintended hands. The best "technology" in that instance might be a locking mechanism on the briefcase.

Times have changed. Information is digital, and the briefcase has been replaced by the laptop, tablet, and smart phone, each of which can hold far more client files than a briefcase. In fact, many lawyers can access all or nearly all of their client files remotely; all they need is a mobile device and one or more passwords. This increased access to data presents a number of challenges, including when traveling through an international airport.

Customs officer's demand for access to confidential information

A customs officer's demand that a lawyer provide her password so a laptop or other device can be accessed is, in effect, a demand that the lawyer turn over client secrets. Although the border officer may not be able to force a lawyer to provide him with a password, that officer does have the ability to seize the device and to detain the lawyer. A lawyer in this situation should consider steps to minimize the likelihood of her client's confidential information being inspected.

A lawyer's ability to take precautions begins before ever approaching the border. First, before flying internationally, a lawyer should consider what materials she takes with her. If possible, she should minimize the number of clients whose confidential information is contained on any devices. That may mean using a second device, like a "burner" phone or a laptop or tablet that has been stripped of confidential information, for international travel, and securely storing and accessing confidential information "in the cloud." If that is not possible, the lawyer should make sure that the device taken contains only those files absolutely necessary for that particular trip. To the extent this is not a practical or realistic option, a lawyer should consider taking other precautions.

One obvious and important precaution is to use a strong password to protect each device. Although a border officer may demand that a passenger turn over a password so he can access a device, a lawyer may choose not to turn over the password. Before doing so, a lawyer should ask the officer if he is requesting the password or demanding the password. If it is the former, the lawyer can politely decline. If it is the latter, the lawyer will have to decide how much aggravation – in the form of further delay, seizure of the device, or additional hassle – she is willing to tolerate before making a final decision on whether to comply with the demand. Before responding, the lawyer should take into account just how sensitive the client information is that she has on her device.

Moreover, a lawyer should consider using both a sign-on password to access the device and other additional passwords to protect specific drives, folders, files, or individual documents. Using "hidden" folders also is an option in some operating systems. The hidden files function typically is used for critical system files that ordinarily should not be accessed by any user, but this function may be useful as an additional layer of privacy protection for client files. It might be the case that a CBP officer would be satisfied by having the lawyer unlock the device to provide access to applications and data that do not include confidential client information (such as music files, games, and social media apps) without also accessing hidden or protected areas of the device where confidential client information is stored.

Another option for the lawyer carrying a mobile device with particularly sensitive information is to use two-factor authentication, which requires a second device to receive a code before the first device is unlocked. The second device could be, for example, a different laptop or tablet not carried with the lawyer but in the possession of a colleague at the home office, or with a colleague traveling separately or waiting at the lawyer's destination. Of course, if the lawyer is unable to provide the officer with access to the device as a result of the use of two-factor authentication, the lawyer runs the risk of further detention.

Encryption is another option – one that should be considered whether or not a lawyer is traveling internationally. Many lawyers encrypt most of their files in order to avoid having them fall into the wrong hands – either through hacking or a lost device. A lawyer's duty to protect confidential client information probably does not require encryption all the time, but it is one measure that at least should be considered when traveling through an international airport. And, the more sensitive information is, the more the lawyer should consider taking extra precautions such as encryption. Again, this may not prevent the lawyer from being detained and having her device seized, but it will make it that much harder for a border officer to access the confidential information contained on the seized device.

Lawyers also should close all files and applications and completely power down their devices before entering the airport, which makes encryption and other security devices more effective. Powering down an iPhone, for example, will require the user to enter a pin number rather than a fingerprint when first booting the device back up, which may make it more difficult for a border officer to compel the lawyer's cooperation. In contrast, a lawyer who waits until the last moment to stow her laptop before landing may run out of time to close all client files or completely shut down. This practice could leave the device in a sleep mode and render the last files worked-on in virtual plain view when the device is awakened.

Given the possibility that an officer may seize a device – particularly if the lawyer refuses to turn over a password or otherwise facilitate a search of that device – the lawyer also should back up the information on a separate device back at home in order to maintain access to the data.

Lawyers traveling internationally also should familiarize themselves with the Department of Homeland Security policy on border searches and seizures. Of particular interest is a 2009 policy memo that states, "Where a traveler claims that the contents of the electronic device contain attorney-client or other privileged material, the CBP Officer must consult with the local Associate/Assistance Chief Counsel or United States attorney's office before conducting the examination."

Lawyers should not assume, however, that a border officer is familiar with this policy or will voluntarily follow it. Thus, a lawyer faced with the seizure of a device must alert the officer about the existence of privileged material, and further demand – or at least strongly suggest – that the officer consult with the appropriate personnel before inspecting any confidential data. Handing a copy of the policy to the officer also might be helpful, as would showing the officer proof that that the traveler is a lawyer – for example, by presenting a Bar card or similar identification. At least one court has held that a border officer may not read or copy privileged information on a seized device without first obtaining a search warrant or subpoena. See Looper of Behalf of His Firm's Clients v. Morgan, 1995 WL 499816 (S.D. Tex. June 23, 1995). Thus, although not a guarantee of protection, the lawyer should tell anyone who will listen that the device contains attorney-client privileged data.

Conclusion

There may be little a lawyer can do in the face of an unreasonable border patrol officer demanding  mobile device. The harder question is, after turning over the device (or not preventing the officer from seizing it), must the lawyer refuse the officer's demand for any passwords or other information needed to access the confidential client data housed on the device when faced with a lengthy detention as the alternative to complying with the demand? Certainly an argument could be made that a California lawyer's duty to preserve her client's secrets "at every peril" to herself requires the lawyer's refusal, even at the risk of being detained. But there is insufficient authority to conclude either way that a lawyer either has the duty to refuse the request for access or may comply with the request and turn over access so that she can go home.

Notwithstanding the inability to resolve this dilemma, a lawyer does have some options, and best practices suggest the lawyer be familiar with, and at least consider exercising, these options. They include making assessments and taking precautions before traveling internationally in the first place and, if faced with a seizure demand, requesting that the border officer consult with the local associate/assistant chief counsel or United States attorney's office before accessing confidential client data. Moreover, the more client information contained on a device, and the more sensitive that information is, the more the lawyer should do to protect that information from the probing eyes of a border patrol officer.

The American Bar Association president recently sent a letter to the Department of Homeland Security requesting clarification of the rules to be followed by CBP officers, including, in particular, the rules regarding the handling of an attorney's privileged information.  But until the department clarifies and, indeed, changes the current rules, confidential information will continue to be at risk, and lawyers will have to take appropriate steps to minimize that risk and protect their clients' confidential information.

Scott B. Garner represents clients in complex business litigation matter with a focus on professional liability disputes and ethics counseling. Opinions in this article are his own.