Consider the following scenario: your organization holds an annual meeting with all Research & Development employees for the purpose of having an open discussion between thought leaders and R&D regarding product-development capabilities. This year’s meeting is scheduled outside the United States and next year’s will be within the U.S. with all non-U.S. R&D employees traveling into the U.S. to attend. For each meeting, your employees may be subject to a search of their electronic devices, including any laptop that may contain your company’s trade secrets. Pursuant to a new directive issued in January 2018 by the U.S. Custom and Border Protection (“CBP”), the electronic devices of all individuals, including U.S. citizens and U.S. residents, may be subject to search upon entry into (or leaving) the U.S. by the CBP. CBP Directive No. 3340-049A (Jan. 4, 2018).
The directive allows for the warrantless border search of electronic devices without a showing of reasonable suspicion. It differentiates between a basic search and an advanced search. A basic search allows officers, with or without suspicion, to examine an electronic device, including an examination of the information that is resident and accessible on the device. Information that is solely stored remotely may not be accessed. An advanced search is one in which the officer connects external equipment, through a wired or wireless connection, to an electronic device in order to “review, copy, and/or analyze” the contents of the electronic device. Advanced searches are permitted where there is a “reasonable suspicion” of criminal activity or for national security concerns. While the directive states that “[m]any factors” may create a reasonable suspicion or a national security concern warranting an advanced search, it articulates examples particularly aimed at national security concerns but does not provide much color as to what may constitute reasonable suspicion of criminal activity.
By issuing the directive, the CBP appears to align its position with that of the majority of federal courts that held reasonable suspicion is not required for border searches of electronic devices. See, e.g., United States v. Ickes, 393 F.3d 501, 506-07 (4th Cir. 2005) (rejecting reasonable suspicion requirement for laptop computer searches at the border); United States v. Linarez-Delgado, 259 Fed. Appx. 506, 508 (3d Cir. 2007) (rejecting reasonable suspicion requirement for border search of electronic data). Thus, the CBP may have also sought to reject the statements by at least one other court suggesting a requirement for a showing of reasonable suspicion before search of an electronic device. See, e.g., United States v. Cotterman, 709 F.3d 952 (9th Cir. 2013) (implying that officers need reasonable suspicion to conduct a border search of complex personal computing devices).
Can’t your employees just encrypt everything before international travel? Under the directive, travelers are required to present the electronic device (and the information contained within the device) in a condition that allows for the inspection of the device and its contents. Therefore, under the directive, officers may request an individual’s assistance in accessing the device if it is encrypted or password protected, and officers are authorized to detain a device pending a determination as to its admissibility in to the U.S.; they may also exclude a device if access to it is prevented by encryption or password protection.
The directive provides officers with instructions regarding the handling of certain sensitive materials, including business information, medical records, and information protected under the attorney-client privilege. Upon encountering business or commercial information resulting from a search, such as confidential business information, officers are required to “protect that information from unauthorized disclosure[.]” Such confidential business information may only be shared with agencies or entities that have mechanisms in place to protect the information.
Companies should alert employees of the requirements under the new directive. Certain preventative steps should be considered to minimize the potential for disclosure of confidential information at the border, including: (1) minimizing the number of electronic devices with trade secret or confidential information; (2) minimizing the amount of confidential information on a device; (3) to the extent possible, using electronic devices that do not contain confidential information when international travel is required; and (4) considering whether confidential information on the device should be encrypted but with the knowledge that CBP may request that the device be unlocked. Companies should also be cognizant of other issues relating to encrypted devices, including U.S. export control requirements for traveling to certain countries and licenses that may be required for individuals traveling into certain countries with an encrypted device.
In the event of an inspection request by an officer, your employees should be prepared to alert the officer that the device contains confidential business information in order to protect against its disclosure. Employees should also carry company business cards to show officers requesting an inspection that they are an employee of your company.