Anthony E. Davis
This article explores a potential threat to lawyers whenever they travel internationally while carrying electronic devices containing client confidential information. The recent New York ethics opinion that is the primary focus of this article addresses only one aspect of the problem: What happens when overseas travelers return to the United States. While the scope of the risks for lawyers at that point is by no means clear, the problem of re-entry pales in comparison to the risks of taking devices containing client confidential information into foreign countries. Obviously, the risks of either private- or state-sponsored hacking, as well as official border searches, vary depending on the jurisdiction visited. The dimensions of the threat must be assessed in the context of lawyers’ duties to protect client confidential information generally, implicating two questions: What is the scope of those duties when information is on the move in an electronic device, rather than stationary in the lawyer’s office, and what steps do lawyers need to take to comply with these duties? Into this quagmire bravely marched the New York City Bar Association’s Committee on Professional Ethics with its Formal Opinion 2017-5 “An Attorney’s Ethical Duties Regarding U.S. Border Searches of Electronic Devices Containing Clients’ Confidential Information” (Opinion 2017-5).
In assessing the risk that lawyers may face in protecting data on devices they bring into the United States, in footnote 3, Opinion 2017-5 refers to U.S. Customs and Border Patrol, Snapshot: A Summary of CBP Facts and Figures (2017). While the number of electronic devices searched at the U.S. border has significantly increased, the percentage of travelers whose devices are searched is minuscule, and there are no statistics as to what proportion of those devices belong to lawyers. The scope of the government’s authority to search the contents of devices is also addressed in footnotes, principally notes 3 and 7, and the latter sums up the Committee’s view that at this time “[t]he legality of a border search of an electronic device is apparently unsettled.”
Regarding lawyers’ duties to protect confidential client information, Opinion 2017-5 properly refers to New York Rule of Professional Conduct (NYRPC) 1.6(c) “which requires ‘reasonable efforts to prevent … unauthorized access to’ clients’ confidential information,” and to the duty of competence under NYRPC 1.1, which necessarily includes “a responsibility to take reasonable protective measures when … electronically storing clients’ confidential information,” as set out in prior ABA, New York State Bar and other ethics opinions.
Opinion 2017-5 correctly articulates the key questions: What do the requirements to take “reasonable efforts,” and “reasonable protective measures” actually mean? It gamely tries to answer these questions, but unfortunately—and understandably—can do no more than refer to what is already stated in Comment 16 to NYRPC 1.6. It explains: “‘Reasonableness’ by its nature depends on the multiple facts and circumstances of a given situation and does not lend itself to categorical or bright-line rules,” and that lawyers should refer to the non-exclusive list of factors to be considered in determining the reasonableness of an attorney’s efforts. Thus, Opinion 2017-5 falls short of materially advancing what, in practice, is ethically required.
The “reasonableness” standard, which was designed and generally works when considering information that is static within lawyers’ offices, is vague at best when it comes to articulating clear guidance for what is required when information moves across international borders. Indeed, the reasonableness standard may aggravate the risk for practitioners if client confidential information is actually exposed as a result of the lawyer’s actions or inactions in handling digital information carried across international borders. The client aggrieved by the exposure of its information is inevitably going to take the position that the precautions taken were less than “reasonable.” Opinion 2017-5 does point out the worst-case scenario, concluding if a device is reviewed, or seized and held by U.S. border agents, a lawyer should notify the clients whose information is on the device that their information has been exposed. The monetary, regulatory and reputational cost of such a scenario should obviously be avoided.
Opinion 2017-5 does attempt to address what precautions lawyers should consider before bringing devices containing client information into the United States. It recognizes that obtaining the consent of every client whose information is stored on the lawyer’s devices may be unrealistic. And surely some clients will require that their information not be exposed to any risk at all. The Opinion therefore suggests “that an attorney should not carry clients’ confidential information on an electronic device across the border except where there is a professional need to do so,” and that attorneys should not carry clients’ highly sensitive information unless “the professional need is compelling” (emphasis added). Since there are tools generally available, such as Citrix and VPN where the information remains on the lawyer’s server (except in China and Russia, which recently outlawed the use of VPN), there may not be a compelling need to carry information on electronic devices.
Opinion 2017-5 explores at length how lawyers should evaluate “the risk of disclosure and the potential harm that may result,” and what safeguards lawyers should implement to protect against that risk. In exploring the issue, it falls back on the conclusion that “Attorneys must also evaluate the efficacy, cost, and difficulty associated with implementing safeguards to prevent or limit confidential information … . [concluding] whether safeguards are ultimately required as minimally ‘reasonable efforts’ depends on the circumstances of each such situation.” The circularity of the Opinion’s answer to the question it poses becomes apparent.
Because lawyers’ devices (mobile phones, tablets, and laptop computers) may contain massive amounts of client information, and because different clients’ information will have differing levels of sensitivity, any time a lawyer travels abroad with a device containing client information, the lawyer exposes that information to some level of risk, however slight. Thus, Opinion 2017-5 suggests “[t]he simplest option with the lowest risk is not to carry any confidential information across the border.” It then suggests this may be accomplished by “using a blank ‘burner’ phone or laptop, or otherwise removing confidential information from one’s carried device by deleting confidential files using software designed to securely delete information, turning off syncing of cloud services, signing out of web-based services, and/or uninstalling applications that provide local or remote access to confidential information prior to crossing the border.” But it stops short of suggesting that all attorneys traveling with electronic devices must remove all electronically stored information. Instead it falls back on recommending that lawyers should act in accordance with the “reasonableness” standard.
The Plot Thickens
Here Opinion 2017-5 takes a turn that is troubling, by implicitly suggesting that the ethical requirement may vary depending on whether the lawyer is one “with access to greater resources.” Clearly, some law firms are in a better position to provide the resources needed to avoid transporting client information across international borders than many solo and small firm practitioners. But is it right that a solo practitioner who represents criminal defendants should be subject to a lower standard of “reasonableness” in protecting her clients’ information than would apply to her counterpart with a similar practice in a large firm? Surely, the ethical rules provide one ethical standard applicable to (and affordable and practicable for) all lawyers for the protection of confidential information. And that standard ought to be based on the sensitivity of the information, not the means of the lawyer to afford “burner” phones and other sophisticated work-arounds, such as scrubbing client information from personal devices, instead of just carrying their everyday devices with them when they travel.
Opinion 2017-5 makes the useful recommendation that lawyers should carry identification showing that they are lawyers, to be shown in the event a border agent seeks to access the lawyer’s devices, such as evidence of bar association membership. The Opinion’s alternative suggestion that lawyers should at least carry business cards showing their profession is not compelling—business cards may not be persuasive to a suspicious border agent.
Finally, it is critical to recognize that Opinion 2017-5 is intended only to address issues that may arise when entering the United States from overseas. But the risk of compromising client information is greater when taking such information out of the United States and into at least some overseas jurisdictions. What is needed is clear and specific guidance as to what is required, what is permitted, and what is unacceptable, when lawyers travel overseas with devices containing client information. Are lawyers required to keep personal and client information on separate devices, or to carry “burner” devices only, or to purge client information from all devices moving across international borders? This clarity is not provided by Opinion 2017-5, and arguably is beyond the scope of any ethics opinion. These issues are better addressed by the rule makers than the rule interpreters.