Cyberlaw Cybersecurity Data Security Featured Governance, Risk & Compliance Mobile Security Security Boulevard (Original) Spotlight 

Attorney-Client Privilege at the Border

Avatar photo by Mark Rasch on September 6, 2023

Adam Malik was familiar with how the Department of Homeland Security (DHS) operated, having been an employee of DHS before he went to law school and became an attorney. He was also a member of the Global Entry program, which was supposed to give him privileged access through customs and immigration. Attorney Malik had filed a lawsuit in a matter that was adverse to the interests of his former employer. After doing so, he found his travel scrutinized for the first time. When he flew from Costa Rica to Dallas, Texas, the attorney was flagged for a “secondary” inspection at DFW after he repeatedly refused to answer questions posed by DHS about matters within the scope of his attorney-client privilege. Among other things, DHS wanted to examine all of the contents of the attorney’s phone—including files related to Malik’s lawsuit involving DHS.

Malik refused to consent to the search (a “basic” search) of his phone, and informed the DHS officials that the phone contained a vast quantity of privileged communication and information. Malik advised the DHS officers that he was an attorney and that there was privileged information on the device. The DHS officer consulted with his supervisor and then seized the lawyer’s phone. The phone was then sent to a DHS computer forensics lab in Houston, who bypassed the lawyer’s passwords and DHS agents then sent the phone to DHS (well, Customs and Border Patrol (CBP) which is a component of DHS). CBP’s “filter team” read through the full contents of the Cellebrite report and redacted what they thought were privileged materials. They sent the rest to CBP in Dallas months later for them to conduct the “border” search on Malik’s phone.

Malik filed a lawsuit to get his phone back and to assert his right to the privacy of the privileged information. After he filed the lawsuit for declaratory judgment and injunctive relief, DHS returned his phone.

On August 4, 2022, federal district court judge Mark Pittman ruled that Malik was not entitled to the relief he sought, and granted the federal government summary judgment. Malik v. U.S. Department of Homeland Security, Dkt. No. 4:21-cv-0088-P, (USDC, N. D. Tex., August 4, 2022). On August 15, 2023, the United States Court of Appeals for the Fifth Circuit found that, while Malik had suffered an injury sufficient to grant him standing to sue, he was not entitled to relief.

Standing for Privacy

One of the persistent problems with privacy litigation is establishing standing—a real and concrete injury—which gives you a right to sue. The question is related to but distinct from the issue of damages—what the court should award you if you win the case. In numerous data breach cases, courts have dismissed lawsuits alleging that the leak of victims’ personal and even intimate information enhances the likelihood that they will become the victim of identity fraud and identity theft. In those cases, courts frequently find that potential future harm (or even current concern about potential future harm) is insufficient to grant the data breach victim standing to sue. It’s worse than “no harm, no foul”—the data breach victim doesn’t even get into court because they have to demonstrate a present concrete injury.

In attorney Malik’s case, the court found that, since DHS returned his phone, the fact that they might use the privileged information in a way that was inconsistent with the privilege or the fact that he would now be deterred from bringing privileged documents when he travels was insufficient to grant standing. While Malik might have been able to sue alleging a “substantial risk” of future injury resulting from the seizure of his privileged information, the fact that Malik sued and alleged a past injury means that he is not entitled to declaratory or injunctive relief. The court rejected as speculative Malik’s argument that DHS’s seizure of his privileged materials (and their examination thereof) might expose Malik to discipline by the Texas Bar or might discourage future clients to engage his services. Besides, the court opined, these damages relate to parties other than DHS.

The court of appeals went further. It found that the remedy Malik proposed—a declaration that the search was unlawful—would not prevent the harm he alleged would occur. While the appellate court recognized that an attorney who frequently sued DHS might suffer a harm if DHS were allowed to keep (and read) his privileged files, the Fifth Circuit concluded, “Declaratory relief would not require the government to destroy the data it seized. Instead, declaratory relief would help Malik and his clients only if the government later attempted to introduce the extracted data as evidence at a trial, and if the opposing party moved to suppress that evidence.” In short, the court would not declare the search unlawful because the declaration would not provide any help to Malik. The court also rejected the attorney’s claim that the compelled violation of the attorney’s duty to protect privileges would expose him to liability to his clients (and to the bar) explaining that Malik “does not point to any pending or threatened claim, and he does not explain how the mere ‘exposure’ is itself an injury (redressable or otherwise).”

Malik also alleged that DHS violated its own policy on border searches of privileged records and that the policy itself was adopted in violation of law and not consistent with his and his client’s constitutional rights, including their First, Fourth, Fifth and Sixth Amendment rights. First, the circuit court was skeptical that Malik could assert harm and damages from the invasion of the attorney-client privilege which the court found belonged to the client and not the attorney. The court surmised that the attorney suffered no injury when the government seized his clients privileged information. The court did find, however, that Malik suffered an injury when the government seized his own work product, and rejected the government’s contention that this injury was “self-inflicted” when, as a result of Malik’s lawsuit, his attorney asked DHS to impose a “litigation hold” so he could demonstrate the nature of the documents at issue.

Border Search Policy for Attorneys

The DHS policy on conducting searches of attorney’s electronic records at border searches requires approval by both a supervisor and an Assistant United States Attorney, and the creation of a “taint team” to ensure the protection of privileged information. The policy states that:

“Prior to any border search of files or other materials over which a privilege has been asserted, the Officer will contact the CBP Associate/Assistant Chief Counsel office. In coordination with the CBP Associate/Assistant Chief Counsel office, which will coordinate with the U.S. Attorney’s Office as needed, Officers will ensure the segregation of any privileged material from other information examined during a border search to ensure that any privileged material is handled appropriately while also ensuring that CBP accomplishes its critical border security mission. This segregation process will occur through the establishment and employment of a Filter Team composed of legal and operational representatives, or through another appropriate measure with written concurrence of the CBP Associate/Assistant Chief Counsel office.”

DHS reserves the right to read all information to see if it is privileged and even to retain and use any “materials are identified that indicate an imminent threat to homeland security” even if those materials are legitimately privileged and not covered by the “crime-fraud” exception to the privilege. DHS also reserves the right to share the privileged information “with agencies or entities that have mechanisms in place to protect appropriately such information, and such information will only be shared in accordance with this Directive.”

The DHS policies do not discuss how the “filter team” will be created or organized, who will be on the team, who will ensure that the team adheres to legal principles and whether they are bound by the findings of the filter team. Moreover, without knowing who the attorney’s clients are and the scope of representation, it is difficult, if not impossible, to determine whether specific documents or communications in an attorney’s cell phone are or are not privileged. Moreover, DHS is actually not bound to follow its own policies.

In any event, the circuit court was not swayed. The court found that Congress had appropriately delegated to DHS the authority to establish policies on searches at the border and that the DHS policy was made pursuant to this authority. The court also found that DHS agents could search without even “reasonable suspicion,” noting that “no reasonable suspicion is necessary to conduct [a] routine manual cell phone search at the border.”

The court also found that the DHS agents actually did have reasonable suspicion to seize and then search the lawyer’s phone because “the apparent connection between Malik and “an international arms dealer with known ties to the Dallas area” was plenty to create reasonable suspicion—even if Malik is correct that the connection appears dubious in hindsight.” At the trial court, the DHS agents testified that they (erroneously) thought that Malik might be connected to the arms dealer, although Malik testified that he did not know the arms dealer and had no connection with him. The court found that fact irrelevant—the issue was not whether Malik had a connection with the arms dealer, but whether DHS thought he did—even if that suspicion was unfounded. The appeals court noted, “To be sure, Mr. Malik testified in a sworn deposition that he does not know the alleged international arms dealer. And the Court has no reason to doubt the veracity of that assertion. The Court, however, considers only the information available to the officers at the time of the decision to search. Thus, Mr. Malik’s testimony (even if correct) cannot change the reasonable suspicion standard or disprove that reasonable suspicion existed at the time of the challenged search.”

Certainly a lawyer whose privileged documents are seized and examined by government agents for months can challenge the policy under which the CPB relies to call that seizure “reasonable.” Not all border searches are going to be the same. There’s a difference between having someone open their suitcase to see if there are illegally imported live muskrats and reading the privileged communications of a client because the lawyer took a trip out of the country. While the directive is not the source of the authority, the exercise of the border search authority must ultimately be reasonable to withstand constitutional scrutiny.

The Seizure of the Privileged Information Was Lawful

The court ruled that “the Government’s seizure and search—conducted in accordance with CBP’s Directive—did not violate the Fourth Amendment. [T]he CBP Directive is consistent with current Fifth Circuit precedent, which explained that “only two of the many federal cases addressing border searches of electronic devices have ever required any level of suspicion,” and “both required only reasonable suspicion . . . for [] more intrusive forensic search[es].” The CBP Directive does not conflict with any applicable law.”

The problem is that the court only addressed the question of whether CPB needs more than reasonable suspicion to seize or examine a cell phone at the border—it does not. The court never really addressed the question at issue before it—whether CPB needs anything more than mere suspicion to examine the privileged information in an attorney’s phone seized at the border, when such a seizure implicates the constitutional rights of the attorney’s clients.

Seizure and examination of privileged information presents specific problems not addressed by the court. When a lawyer’s phone is seized—particularly a lawyer representing a person adverse to the federal government—a trust is broken. The client undoubtedly and understandably worries that the government now has access to his or her privileged information. Indeed, the fact that the lawyer is representing the specific client may be part of the basis for the lawyer being targeted for a search in the first place. The mere fact that the government is holding the phone and then decrypting the contents is cause for an assault on the privilege.

In ordinary litigation, where a party asserts that data is not privileged, the court appoints a “special master” unassociated with the litigation. The special master may be briefed by both sides—one on what is sought and the other on what is privileged—and then segregates what they believe is privileged from that which is not. It is an iterative process, with input from both sides. If the attorney believes that the special master has put a privileged document (or information that is otherwise protected by, for example, the attorney work product doctrine) into the wrong pile, they can ask the court to review the document or to protect it. The process is not perfect, but it works reasonably well.

While the CPB regulation suggests the use of a “filter team” (and one was used in this case) it provides no guidance for how that filter team is to work and, critically, provides neither the attorney nor his or her clients with the ability to have input into the dealings of the filter team or review their decisions. The filter team applies the same low standard that the court applied—something slightly above mere suspicion. Moreover, under the regulation, even if the filter team finds that a document is clearly privileged, they may still use it and share it with government agencies without court approval.

Lawyers crossing borders either with—or with access to—client information face a dilemma. Lawyers have an ethical duty https://casetext.com/rule/ohio-court-rules/ohio-rules-of-professional-conduct/rule-i-client-lawyer-relationship/rule-16-confidentiality-of-information to protect client confidences and not to reveal a client’s secrets, and they can be disbarred for violating that duty. The Texas federal judge found that the examination of privileged information by CPB, based on something slightly greater than a guess, was “reasonable” without discussing the implications of this. Moreover, by the time CPB actually examined Malik’s phone and returned it to him, almost five months had elapsed since Malik was stopped at the airport. Any suspicion that there was information relevant to violation of customs laws—the principle (but not exclusive) justification for the border exception to the warrant requirement—certainly had gone stale by that point.

Practice Tips

Advice for lawyers. First, if you are traveling across borders with privileged information on electronic devices, make sure that that information is encrypted as is access to the device on which the data is located. It is not currently clear whether the government may use a lawyer’s credentials obtained from a search of a device to log into a cloud service (e.g., Google Docs) to then conduct a search of privileged data on the cloud, but in some ways, data on the cloud may be more protected. The attorney can, having provided the device, de-link the device from the cloud and then change the cloud access credentials. An attorney should, like Malik, make sure that the agents know that the device contains privileged and work product information and seek the immediate return or the appointment of a special master by the court for the examination and the assertion of privilege.

As a result of the Texas opinion, it appears that CPB can seize and examine an attorney’s privileged documents based on nothing more than mere suspicion, and the attorney would need to show specific harm to themselves to proceed with an injunction. We will see whether other courts follow suit.

Image source: privacy us-border–bobby-hidy–cc-by-nd

Recent Articles By Author
Avatar photo More from Mark Rasch
Mark Rasch , , , ,
Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 223 posts and counting.See all posts by mark