The risk of Customs and Border Protection review or seizure of devices containing client information introduces significant professional liability concerns

Steven W. Teppler writes in The Florida Bar News: Smartphones, laptops, tablets, and portable data repositories (external drives) are essential professional tools. Accordingly, as the scope of digital privacy has also expanded — so have the risks. Nowhere is this more evident than at the United States border, where federal authorities exercise expansive powers to search travelers and their belongings, including digital devices. For attorneys and their clients, these searches pose unique threats to privileged information, sensitive corporate data, and constitutional protections. Understanding the evolving legal landscape is vital to preparing for cross-border travel without sacrificing confidentiality or compliance.

The Legal Foundation: The Border Search Exception

The Fourth Amendment guarantees protection against unreasonable searches and seizures, generally requiring law enforcement to obtain a warrant supported by probable cause. However, an exception exists at the border. The “border search exception” permits government agents to conduct searches and seizures without a warrant or probable cause, based on the premise of national sovereignty and the government’s interest in regulating the flow of people and goods across its borders.^[1] In United States v. Cotterman, the Ninth Circuit held that forensic searches of electronic devices require reasonable suspicion. The court distinguished between “basic” searches and “advanced” searches, the latter involving external tools to retrieve deleted or encrypted content. Customs and Border Protection’s own policy reflects this distinction.^[2] However, the Eleventh Circuit in United States v. Vergara upheld warrantless searches of electronic devices at the border without any suspicion, revealing a split among the circuits.^[3]

Customs and Border Protection (CBP) Policies and Practices

CBP Directive No. 3340-049A, issued in 2018, differentiates between basic and advanced device searches. Basic searches do not require suspicion; advanced searches, involving external equipment, do require reasonable suspicion or a national security rationale.^[4] In fiscal year 2023, CBP reportedly conducted over 45,000 electronic device searches at the border.^[5]

Threats to Attorney-Client Confidentiality

Attorneys are obligated to protect privileged communications under the ABA Model Rules and state analogs. The risk of CBP review or seizure of devices containing client information introduces significant professional liability concerns.^[6] In Alasaad v. Mayorkas, the First Circuit permitted suspicionless “basic” searches but required reasonable suspicion for forensic ones. The court urged procedural safeguards for privileged data.[7]

Protective Strategies for Attorneys and Clients

Technical strategies include traveling with “clean” devices, using remote encrypted cloud access, disabling biometric unlocking, and conducting pre-travel legal assessments. Memorized passwords receive stronger legal protection than biometric features.^[8]

Global and Regulatory Considerations

EU attorneys and multinational firms face additional risks under GDPR when transferring personal data during international travel. The Court of Justice of the European Union has ruled that U.S. surveillance practices conflict with GDPR safeguards.^[9]

Ongoing Litigation and Legislative Advocacy

Civil liberties organizations continue to challenge CBP’s authority through litigation. Cases like Alasaad and advocacy from groups such as the ACLU and EFF may eventually prompt Supreme Court review or legislative action.^[10]

Conclusion

Until uniform limits are established through Supreme Court rulings or congressional action, attorneys must remain vigilant and implement preventive strategies to protect sensitive data at the U.S. border.

References

United States Constitution, amend. IV. Almeida-Sanchez v. United States, 413 U.S. 266 (1973). United States v. Cotterman, 709 F.3d 952 (9th Cir. 2013) (en banc). United States v. Vergara, 884 F.3d 1309 (11th Cir. 2018). U.S. Customs & Border Prot., CBP Directive No. 3340-049A (Jan. 4, 2018). Press Release, Elec. Frontier Found., CBP Conducted 45,499 Device Searches in FY2023 (2024). Model Rules of Professional Conduct r. 1.6, 1.9 (Am. Bar Ass’n 2020). Alasaad v. Mayorkas, 988 F.3d 8 (1st Cir. 2021). In re Search of a Residence in Oakland, Cal., 354 F. Supp. 3d 1010 (N.D. Cal. 2019). Case C-311/18, Data Protection Commissioner v. Facebook Ireland Ltd. and Maximillian Schrems, ECLI:EU:C:2020:559 (Jul. 16, 2020). Electronic Frontier Foundation, Border Device Search Litigation (last visited May 2025). ^[1] See U.S. Const. amend. IV; Almeida-Sanchez v. United States, 413 U.S. 266, 272–73 (1973). ^[2] United States v. Cotterman, 709 F.3d 952 (9th Cir. 2013) (en banc). ^[3] United States v. Vergara, 884 F.3d 1309 (11th Cir. 2018). ^[4] U.S. Customs & Border Prot., CBP Directive No. 3340-049A (Jan. 4, 2018). ^[5] CBP Conducted 41,767 Device Searches in FY2023 (2024). ^[6] Model Rules of Pro. Conduct r. 1.6, 1.9 (Am. Bar Ass’n 2020). ^[7] Alasaad v. Mayorkas, 988 F.3d 8 (1st Cir. 2021). ^[8] In re Search of a Residence in Oakland, Cal., 354 F. Supp. 3d 1010 (N.D. Cal. 2019). ^[9] See Case C-311/18, Data Prot. Comm’r v. Facebook Ireland Ltd. and Maximillian Schrems, ECLI:EU:C:2020:559 (Jul. 16, 2020). ^[10] See Elec. Frontier Found., Border Device Search Litigation (last visited May 2025). Steven W. Teppler is a partner and chief cybersecurity legal officer with Mandelbaum Barrett and a member of The Florida Bar Cybersecurity & Privacy Law Committee. The information provided is for general informational purposes only and does not constitute legal advice. Attorneys should conduct their own analysis and consider all relevant facts and circumstances for their clients’ specific situations.