U.S. Customs and Border Protection (CBP), along with foreign ports of entry, have authority to search electronic devices including mobile phones, cameras, computers, and other electronic devices during the inspection process. Lawyers traveling abroad must be mindful of confidential client data they are traveling with, and law firms should have or immediately develop policies addressing international travel and access to confidential client data. This duty should come to the forefront of firms and lawyers’ agendas because the Trump Administration has made clear its efforts to target lawyers and law firms coupled with its border protection policies.
Recent coverage confirms lawyers have been targeted. According to NPR, Amir Makled, a Michigan attorney who represents a student in connection with a pro-Palestinian protest, was detained after returning from a family vacation to the Dominican Republic after he refused to hand over his cell phone. After 90 minutes, he showed agents his contacts list, was released, and was not provided a reason for his detainment.
Concerns about access to confidential and privileged data through border searches are not new. In 2017, the ABA addressed the rise of electronic-device searches at the border. The table below demonstrates the number of travelers’ device searches per fiscal year:
| Fiscal Year | Searches |
| 2015 | 8,503 |
| 2016 | 19,033 |
| 2017 | 30,200 |
| 2018 | 33,296 |
| 2019 | 40,913 |
In 2024, according to CBP Publication No. 3871-1024, there were 47,047 total border searches of electronic devices out of 420,521,616 passengers. Of the searches in 2024, 42,725 were basic-media searches and 4,322 were advanced-media searches. CBP is not authorized to use an electronic device to access cloud-based data.
All travelers are required, if requested, to present their electronic devices and information that resides on the devices in a condition that allows for examination of the device and the contents on the device. A U.S. citizen will not be denied entry because their device is presented in a way that cannot be inspected, but the device may be subject to exclusion, detention or other action or disposition.
Admissibility decisions for foreign nationals are determined on a totality of the circumstances basis. Foreign nationals who refuse to present devices in a condition that allows for examination of the device and its contents factor against admissibility.
U.S. CBP document border searches of electronic devices in the “Electronic Media Report.” If passengers are referred to secondary inspection, CBP maintains records of the examination, detention, retention or seizure of the traveler’s property, including electronic devices. Copies of information from an electronic search may be maintained (1) if there is probable cause to believe the information contains evidence of a violation of law that CBP is authorized to enforce or administer, or (2) if the information relates to immigration, customs, or other enforcement matters. Information obtained during an electronic-border search may be made available to other agencies or subject-matter experts.
In 2022, in Malik v. U.S. Dept. Of Homeland Security, a Texas federal judge ruled against an immigration lawyer on a summary judgment basis, who—citing attorney-client privilege—refused to consent to a basic search of his cell phone after returning from Costa Rica. When the lawyer refused to provide his phone, CBP seized the lawyer’s phone which was sent to experts to bypass the passcode and extracted data was sent to CBP which used a filter to redact privileged data.
Lawyers’ and Firms’ Ethical Obligations
Lawyers travel internationally and often remain connected to client matters electronically, even if travelling personally. Firms should immediately review or implement policies that address international travel and electronic-device protocol to protect client and firm data in the event of a border search. Firms should consider requiring lawyers to disclose personal or professional international travel plans to ensure lawyers are advised of firm electronic device and data protocol while travelling.
Working with the firm’s IT vendor will be key in developing secure cloud-based technology and in developing training for lawyers for remote data storage. International travel policies are also important because there can be immigration visa requirements, safety protocols, and it will ensure compliance with the firm’s professional liability coverage. Updated policies should include training that increases Rule 1.1, competency related to electronic devices, and cloud access when traveling abroad.
Lawyers also should be offered training related to border protocol when a device search is requested, including Rule 1.6 confidentiality and privilege obligations, and Rule 1.4 communication requirements following a search. Lawyers should also be mindful that it is unethical to raise a privilege- or Rule-based objection to a search, if no legitimate basis exists. Practical first steps, guidance, and helpful roadmaps are addressed below.
In 2017, the New York City Bar Association issued Formal Opinion 2017-5: An Attorney’s Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients’ Confidential Information. While the Opinion highlights New York lawyers’ obligations pursuant to its professional conduct rules, the analysis is transferable and helpful to other jurisdictions. The opinion focuses on lawyers’ ethical obligation pursuant to Rules 1.1 (competence), 1.4 (communication), and 1.6 (confidentiality) to protect confidential client information at three distinct stages when traveling internationally and is discussed below with modifications applicable to Minnesota Rules.
Stage 1: Before Crossing a Border
According to the Minnesota Rules of Professional Conduct (MRPC) Rules 1.6(a) and (c), lawyers shall not knowingly reveal information relating to the representation of a client, and lawyers are required to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. Maintaining competence (Rule 1.1, MRPC, [Cmt] 8.) also requires that lawyers keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology.
When travelling abroad Rules 1.1 and 1.6(c), MRPC require lawyers to make reasonable efforts prior to crossing the border to avoid or minimize risk that government agents will access confidential client information on the lawyer’s electronic devices.
The ABA and other jurisdictions have issued several Formal Opinions addressing the principle of the duty to protect client confidences through reasonable measures when engaging in electronic communications and in electronically storing clients’ confidential information. See, e.g., ABA Formal Op. 477R (May 11,2017); ABA Formal Op. 11-459 (Aug. 4, 2011); ABA Formal Op. 99-413 (March 10, 1999); Cal. Ethics Op. 2010-179 (Jan. 1, 2010); NYSBA Ethics Op. 842 (Sept. 10, 2010); NYSBA Ethics Op. 709 (Sept. 16, 1998).
The level of reasonable efforts and precautions the lawyer must take are guided by the factors in comments 17 and 18 to Rule 1.6. These factors will determine whether a lawyer’s protective efforts are reasonable to avoid disclosure of client confidences at the border. The factors include:
- The sensitivity of the information;
- The likelihood of disclosure if additional safeguards are not employed;
- The cost of employing additional safeguards;
- The difficulty of implementing the safeguards; and
- The extent to which the safeguards adversely affect the attorney’s ability to represent clients (e.g., by making a device or software excessively difficult to use).
Lawyers will be required to engage in a risk analysis of disclosure of confidential client information and the potential harm that may result. This analysis requires staying abreast of current precedent and current border practices. Also distinct from the ABA Model Rules, Minnesota has a key difference in Minnesota’s Rule 1.6(b)(2) exception which allows lawyers to reveal information relating the representation of a client if (1) the information is not protected by the attorney-client privilege under applicable law, (2) the client has not requested the information be held inviolate, and (3) the lawyer reasonably believes the disclosure would not be embarrassing or likely detrimental to the client.
Prior to traveling, a clean way to protect confidential and privileged data is to not travel with device-stored data. Before lawyers begin ranting about their inability to work while traveling, the solution is travel with “clean” devices that access confidential data from the cloud while the lawyer is traveling. The lawyer should not store any data locally on any device. This will prevent access to the data. This includes not storing contacts locally. Before travelling, lawyers should delete all locally stored emails, turn off cloud syncing, sign out of web-based services, and uninstall applications that provide local or remote access to firm systems.
Stage 2: At the Border
If lawyers choose to cross the border with confidential client data on electronic devices, lawyers must be prepared to take reasonable measures to protect confidential client data. Before allowing any search as a permissible exception to Rule 1.6, attorneys must first take reasonable measures to protect their clients’ data and attempt to prevent the search. These steps include: (1) identifying oneself as a lawyer and providing credentials; (2) advising agents that the devices or files contain confidential and/or privileged information (this statement must be true); (3) requesting the materials not be searched or copied on this basis; and (4) asking to speak to a superior agent/officer.
Stage 3: After Search Occurs
If a lawyer is subject to search, and his/her electronic device contained confidential and/or privileged client data, the lawyer will have a duty following the search to notify the client of the search. Attorneys’ duties of communication (Rules 1.4(a)(1), (3) and (b), MRPC and Rule 1.6, [Cmt] 11) require that affected clients be notified of access to confidential information that is accessed or searched. This duty can be compared to the duties owed to clients in the event of a cyber breach at the firm. It will be important to advise clients of what data was available on the lawyer’s device and of the nature of the search.
Final Thoughts
Searches of electronic devices are authorized by CBP and will continue, likely at higher numbers based on the current Administration’s immigration and border-enforcement policies. Lawyers may face an increased risk of electronic-device searches because of the Administration’s position on law firms. Firms should immediately implement policies addressing international travel to ensure confidential client data will not be housed on devices that will be subject to search.
Disclaimer: This article is not intended to be relied upon as legal advice. There is no attorney-client relationship between Bassford Remele P.A. and any reader of this article. This article was previously published in Minnesota Lawyer.
