Customs and cross-border data transfer
By Luis Salazar
Do you carry personal information—yours, your employees', or your customers'—on your laptop, PDA, or cell phone when you travel? Federal border agents have the unrestricted right to search your electronic devices and see that information when you enter the United States. Several recent incidents and at least one notable United States Ninth Circuit Court of Appeals case have made clear that the "Border Search Doctrine"—which allows suspicion-less and warrantless searches of closed containers and their contents—applies to electronic devices. Border agents, therefore, have the power to search and, subsequently, confiscate your laptop, PDA, or USB memory device. This, of course, opens a Pandora's box of potential privacy issues for international travelers and businesses that employ them.
The "Kodak Memories" case
A recent Federal Appellate Court decision from the Ninth Circuit has done much to ignite this controversy. In U.S. v. Arnold, U.S. Customs and Border Patrol agents detained an international traveler, Michael Arnold, as he was returning home from the Philippines. He was carrying a laptop, USB drive, and several compact disks. Border agents searched his laptop, ultimately finding images they believed to be child pornography. The officers seized his computer equipment and, after further investigation, Arnold was indicted on child pornography charges.
Arnold filed a Motion to Suppress the Evidence, arguing that Customs Agents lacked a "reasonable suspicion" to search his computer. The district court agreed, and the government appealed. The Ninth Circuit overturned the decision, finding that laptops fall squarely within the Border Search Doctrine, just like any other closed container. It further held that there were no grounds to impose a reasonable suspicion standard to "expressive materials" under the First Amendment. In short then, border agents can freely search computers and electronic storage devices when international travelers enter the U.S.
Formal policies publicized
The decision sparked an outcry from travel groups and members of Congress, leading to Senate hearings on the border search of electronic devices. U.S. Customs & Border Protection (CBP) and Immigration and Customs Enforcement (ICE) quickly developed and issued policies governing border searches of documents and electronic media.
Each policy makes clear that border searches of information and electronic devices are fully authorized "absent particularized suspicion" and that the policies do not create any private right of action for any third party. Both policies make clear that its officers may examine computers, disks, hard drives, electronic or digital storage devices, documents, books and other printed material.
Government agents are authorized to detain documents or electronic documents for a "reasonable" period of time to perform a thorough border search. If information in documents or on electronic media is in another language or encrypted, the policies further authorize agents to seek assistance from and share the information with other agencies or entities, including outside contractors.
If, after reviewing the information the agencies determine that there is no probable cause to retain it, they must return any originals and destroy any copies. But the policies do not specify the manner of destruction, much less than an officer must track down every copy to ensure its destruction. Further, the policies make clear that officials are permitted to share information with other federal, state and government agencies, as allowed by applicable laws and policies.
Additionally, business or commercial information must be treated as "business confidential information" and officers must take all "reasonable measures" to protect that information from "unauthorized disclosure" and consistent with other laws that may apply to the agency. Information and documents that may be attorney-client privileged are not immune from inspection, but may be subject to special handling procedures.
The slightly more detailed ICE policy indicates that ICE agents must complete their review of detained or seized documents and electronic media within a "reasonable time." In determining that, agents may consider the nature of the documents or media, whether the traveler has been allowed to continue his journey, the actual time elapsed, the need for outside assistance and other factors. There is, however, no firm deadline or timelines for the return of data.
As for actual "security" precautions, only the ICE policy offers anything that could even generously be described as privacy precautions:
Safeguarding Data during Storage and Transmission.
ICE will appropriately safeguard information detained, copied, or seized under this directive while in ICE custody and during transmission to an outside entity. Appropriate safeguards include keeping materials in locked cabinets or rooms, documenting and tracking copies to ensure appropriate disposition, and appropriate safeguards during transmission such as encryption of electronic media or physical protections (e.g., locked containers). Any suspected loss or compromise of information that contains personal data detained, copied, or seized under this directive must be reported immediately to the ICE Help Desk.
In short, these policies are, not surprisingly, agency favorable. The security and privacy precautions imposed would not likely pass any requirements imposed on the private sector, such as those required by GLBA, HIPAA or even the PCI Data Security Standards.
Given border agents' unfettered power, there are a number of critical business concerns. Primarily, they center around disclosure of personally identifiable information—a business' customers or employees—or confidential trade secrets. Disclosure potentially takes place at two points—when border agents search the laptops and, if seized, while in the possession of government agents. If an employee's laptop is accessed and seized, its whereabouts are unknown, and a government agent may access every file, putting personally identifiable information at risk. Indeed, the policies make clear that electronic devices may be shared with third parties.
This opens a Pandora's box of potential data-breach and disclosure issues. For example, California's famous data breach statute requires that the "breach of security of the system means unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information maintained by the person or business." If border agents seize a laptop with customers' personal information, will business be required to deliver breach notices?
Steps to take now
- Businesses whose employees travel internationally should take concrete steps now to protect confidential and sensitive information:
- businesses should have firm policies against their employees travelling across borders with confidential or sensitive information;
- employees should travel with forensically clean devices, and download needed data on location;
- employees should be discouraged from downloading files containing personally identifiable information onto business devices; and,
- data on electronic devices should be encrypted.
While perhaps not the gravest threat to personal data, the Border Search Doctrine's application to computers and electronic devices requires businesses to carefully consider the impact of international travel. Without proper planning, one confiscated laptop could lead to a world of embarrassment.
Luis Salazar, CIPP, is a shareholder with the international law firm of Greenberg Traurig and a founding member of the firm's Data Privacy andSecurity Law Taskforce. He is based in the firm's Miami office. Luis can be reached at +305.579.0751 or firstname.lastname@example.org.