On January 4, 2018, U.S. Customs and Border Protection (CBP) issued Directive 3340-049A, governing border searches of electronic devices. CBP’s new directive updates and provides several improvements over the agency’s initial directive, published nine years ago, regarding the policies and procedures for border searches of electronic devices conducted in furtherance of CBP’s mission. CBP has implemented several key changes that aim to provide travelers with more clarity and protections regarding the procedures for electronic device searches; however, the numerous exceptions included in the new directive may, in practice, allow CBP to bypass some of these protections. Ultimately, the new directive serves as an upgrade over CBP’s initial directive, provides additional protection for travelers by incorporating a reasonable suspicion standard for most “advanced” searches, and provides specific procedures to be followed when travelers assert the attorney–client privilege or the attorney work product doctrine.

Under the new directive, CBP assures travelers that it will protect the rights of individuals against unreasonable search and seizure and ensure privacy protections while accomplishing its enforcement mission. However, it is important to note that travelers carrying electronic devices are guaranteed few protections limiting CBP’s searches and seizures of their devices. CBP regards such searches as integral to protecting border security and aiding in the detection of evidence relating to terrorism and other national security matters, human and cash smuggling, contraband, and child pornography.

New Directive Applies Only to CBP

Importantly, the directive applies only to CBP. Thus, any border search conducted by agents of U.S. Immigration and Customs Enforcement (ICE) or Homeland Security Investigations (HSI) is not subject to the protections of the directive. ICE and HSI are not included in the directive and those agencies have not issued a new policy or directive for their searches.

What Is an Electronic Device?

The directive governs searches of electronic devices conducted by CBP at the physical border, functional equivalent of the border, or the extended border. An “electronic device” is defined as “any device that may contain information in an electronic or digital form, such as computers, tablets, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players.”

What Content May Be Searched?

Pursuant to the directive, border searches of electronic devices are limited to “only the information that is resident upon the device,” and officers are prohibited from intentionally using the device to access information that is solely stored remotely. To avoid access to information stored remotely, officers will either request that the traveler disable network connectivity or, where warranted by national security, law enforcement, officer safety, or other operational considerations, the officers themselves will disable network connectivity.

New Distinction Drawn Between Types of Searches

The new directive makes a distinction between “basic” searches, which may be conducted without suspicion, and “advanced” searches, which require officers to have reasonable suspicion of activity in violation of the laws enforced or administered by CBP. The directive also carves out an exception to allow for advanced searches without reasonable suspicion when national security concerns exist. For example, a national security concern may arise in scenarios involving a national security-related lookout in combination with the presence of an individual on a government-operated and government-vetted terrorist watch list. During a basic search, an officer may examine the electronic device and review and analyze information encountered at the border. During an advanced search, an officer connects external equipment to an electronic device not merely to gain access to the device, but to review, copy, and/or analyze its contents.

Protections for the Attorney–Client Privilege and Attorney Work Product Doctrine

The new directive includes detailed procedures for searches that may involve the attorney–client privilege or the attorney work product doctrine. However, CPB’s detailed procedures are not applicable to other sensitive material, such as medical records or business confidential information. When an individual asserts the attorney–client privilege or the attorney work product doctrine, the CBP officer will seek clarification—in writing, if practicable—from the individual asserting privilege to assist CBP in identifying the privileged information. While the directive instructs officers to handle medical records and other work-related or business confidential information in accordance with applicable federal laws and CBP policies, it does not require officers to follow the detailed procedures set forth for searches involving attorney–client privilege or the attorney work-product doctrine, and no new protections have been added for these other types of sensitive material.

Travelers Explicitly Required to Provide Passcodes and Encrypted Information

With regard to passcodes or encrypted information, travelers are obligated to present electronic devices and their contents in a condition that allows inspection. If an officer is unable to complete an inspection because the device is protected by passcode or encryption, the officer may detain the device pending a determination as to its admissibility, exclusion, or other disposition. Additional consequences, such as travel delay or denial of entry may potentially arise if a traveler refuses to provide passcodes or encrypted information.

Detention of Electronic Devices

Searches may take place on-site or off-site and are to be completed as expeditiously as possible. Unless extenuating circumstances exist, the detention of devices ordinarily should not exceed five days.

Impact on Employers

Despite the improved guidance and clarified limits in the new CBP policy, employers may still be at some risk when employees carry electronic devices containing company data during international travel. While the CBP directive contains specific procedures for border searches when confronted with sensitive business confidential information, the directive does not preclude a border search of business confidential information. Thus, employers may wish to consider whether it is feasible to restrict employees from carrying electronic devices containing sensitive company data during international travel. When practicable, some employers already seek to determine whether they can provide “clean” electronic devices to be used by employees during international travel so that the devices do not retain company data. These practices may be effective for many employers since border searches of electronic devices are limited to data resident on the device, and CBP is not permitted to connect devices to external networks.