Crossing Back Into the U.S.? Expect Eyes on Your Devices

Under U.S. customs and international laws[1], border agents have the legal authority to inspect, search, or detain any person, luggage, or merchandise coming into or leaving the country. And yes, that includes your electronic devices like phones, tablets, and laptops. While searches of digital devices are still relatively rare, they are increasingly becoming more common at U.S. ports of entry. That is why it is especially important for all travelers to understand what they may encounter when re-entering the U.S.—and for employees carrying sensitive company data or confidential files to know what to expect and take appropriate steps to protect that information during international travel.

Who May be Chosen for an Inspection: Customs and Border Protection (CBP) guidance states that a variety of circumstances can lead agents to choose a traveler for inspection, search and/or detention of electronic devices, including: travelers holding incomplete travel documents or lacking proper documents and/or a visa; travelers who have previously violated a law that CBP enforces; travelers with a name that matches a person of interest in a government enforcement database; and/or travelers randomly selected for such a search. Selection for a search does not necessarily mean that CBP believes that you have done something wrong.

At this time, CBP has not articulated policies that consider a traveler’s nationality or citizenship status as a factor supporting a search, although not all criteria applied by CBP have been made public.

CBP  has said that “searches have been used to identify and combat terrorist activity, child pornography, drug smuggling, human smuggling, bulk cash smuggling, human trafficking, export control violations, intellectual property rights violations and visa fraud, among other violations. Furthermore, border searches of electronic devices are often integral to determining an individual’s intentions upon entry to the United States and thus provide additional information relevant to admissibility of foreign nationals under U.S. immigration laws.”

What Will Occur During the Search: The manner in which a search is conducted may vary widely depending on a number of factors. CBP policy distinguishes between a “basic” and an “advanced” search. A customs official may simply conduct a manual search (without the assistance of any external equipment) through the device and then return it to you. At other times, CBP may elect to take temporary custody (‘detention’) of the device for further examination. If CBP decides to detain your electronic device(s), the officer will issue you a written receipt (Form 6051-D), which will detail what items are being detained, who at CBP will be your point of contact, and your own contact information in order to facilitate return of the items within a reasonable time. After CBP has concluded inspecting your device, they will contact you to retrieve the device. If you are unable to retrieve the device in person, they will provide you instructions to have the device shipped to you at your expense. Whether or not CBP takes custody of your device, they may elect to conduct an advanced search. In this case, the officer will utilize external equipment to not only gain access to the device, but to review, copy, and/or analyze its contents. “Under CBP policy, advanced searches require reasonable suspicion of a violation of law enforced or administered by CBP or a national security concern and require the approval of a senior manager.”[2] Reasonable suspicion is a significantly lower standard than probable cause, and could be based on a myriad of factors, including perceived inflammatory social media content.

What to Consider Regarding a Search: CBP Guidance has stated the following about the expectation that travelers cooperate with electronic device searches:

Travelers are “obligated” to present their electronic devices and the information stored on them in a way that allows CBP to examine both the device and its contents. If a device is protected by security features like passcodes or encryption and cannot be inspected, “that device may be subject to exclusion, detention, or other appropriate action or disposition,” and the traveler may face delays to “allow for CBP to access the contents of the device.” Foreign nationals seeking entry must prove they are admissible. Refusal to allow inspection of electronic devices may be considered during admissibility decisions, though device inspection alone does not determine admissibility. U.S. citizens cannot be denied entry for failing to present their device for inspection, but the device itself may still be subject to exclusion or detention. Additionally, CBP reminds travelers they may face longer processing times to allow for CBP to access the contents of the device. Any passcodes or access codes provided will only be used as needed for the search and will be deleted afterward; they will not be used to access data stored only in the cloud.

Notwithstanding CBP guidance, it is recommended that organizations issue guidelines governing their employees’ response to device inspection, including whether to invoke legal privileges and confidentiality requirements and expectations. For example, attorneys and others whose devices contain attorney-client privileged communications and/or attorney work product may consider invoking those protections before deciding whether to voluntarily grant access to their device. Similarly, company employees traveling with confidential commercial information and/or protected intellectual property should consider whether to assert those concerns before acquiescing to a device inspection. Finally, companies should address the expectations of sharing passwords on company issued devices.

Travelers should be aware that a failure to cooperate in the search may result in either seizure or extended detention of the device, as well as other possible consequences to the traveler.

While U.S. citizens cannot legally be denied entry into the country, they may experience delays and detention, and their phone, laptop, or other devices could be confiscated.

For lawful permanent residents (green card holders), in addition to the same potential delays and device seizures faced by U.S. citizens, it is possible that refusal to cooperate with an electronic device inspection could, combined with other circumstances, lead to denial of entry and/or revocation of lawful permanent residency.

For foreign nationals, including visa holders, refusal to comply may lead to denial of entry into the United States by CBP. Specifically, CBP has said in FAQs that “if a foreign national refuses to present their electronic devices and the information resident on the device in a condition that allows for the examination of the device and its contents, CBP may consider the foreign national’s noncompliance and the inability to inspect the device when making admissibility decisions and may take appropriate law enforcement actions.”

What Companies Should Consider – Protecting Data/Information Belonging to the Company:

As company issued electronic devices are NOT exempt from searches, there are measures the traveling employee could take to minimize or eliminate the impact of border search, should a company have concerns. This includes implementing data security guidelines to create and enforce a company policy outlining best practices for handling sensitive data on electronic devices during international travel, in compliance with relevant data protection and cybersecurity regulations. It is critical the employees check with their security, risk and legal departments, who may be charged with crafting these guidelines and related policies, to understand internal mandates.

Such a policy should explicitly address the authority of CBP officials to detain, inspect, and demand access to electronic devices. Importantly, travelers should understand that while U.S. citizens cannot be denied reentry for refusing to unlock devices, CBP may lawfully seize them. Policies may also require that employees familiarize themselves with the legal frameworks of each jurisdiction they travel to, including rules governing border searches and device access. These rules can vary significantly by country and may present unique challenges depending on an individual’s citizenship or immigration status. Adopting and disseminating a tailored travel policy is not just a best practice—it’s a critical component of client confidentiality, data security, and risk management.

Depending on company-specific circumstances, policies may include:

1.  Encouraging employees to refrain from traveling with company devices, unless necessary for work.
2. If necessary, traveling with a “clean” or “loaner” laptop that has no documents or data saved locally on the company device.
   
   a. Consider having the company issue “thin client” build laptops (e.g. Citrix or similar virtual machine) which do not retain any data locally on the laptop while unconnected to the internet for necessary travel. This is only effective if the user does not work outside the virtual machine (i.e. on the local machine).
3. Having the internal technology/security teams identify solutions to protect sensitive information that could otherwise be accessed by CBP officers.
4. Advising CBP, where applicable, if the device contains confidential or proprietary information.
5. Having employees remove facial recognition and touch ID access on the phones that contain company related information.
6. Reminding employees that traveling with “freshly entirely wiped” or burner phones (a disposable, prepaid cell phone) could cause “concern” at entry. Instead, employers could initiate a discussion regarding traveling with a “burner phone,” weighing whether the benefits outweigh the risks of unnecessarily raising red flags with CBP.
   
   a.  Burner phones may still be a best practice depending upon specific circumstances and the countries an employee is traveling to.
   
   b.  Note this is an evolving area and related legal advice may change based on operational experiences.
7. Mandating encrypting data and strong passwords on any employer-issued device.
8. Mandating the employees contact Security, Governance or the General Counsel’s office immediately, if any devices are reviewed or confiscated at entry. Companies should then follow existing policies on wiping devices where appropriate.

Irrespective of the above, it should be noted that CBP policy directs officials conducting searches and/or inspections of electronic devices containing “business or commercial information” to “treat such information as business confidential information and to take all reasonable measures to protect that information from unauthorized disclosure.” Nonetheless, customs searches entail certain risks necessitating safeguards on the part of the traveling employee and their employer.

Whenever possible, employers should consider directing travelers to take safeguards to avoid loss or destruction of files or data by backing up such files or data onto company servers or onto the cloud, even if not deleted.

Additionally, where possible, files that contain confidential, proprietary or privileged information should be marked as such both within the document and in the file name of the document.

Final Thoughts

We expect border searches of electronic devices to become more routine, and all signs point to a significant increase this year. Whether your employees are traveling for business or leisure, it is essential to be aware of the actions that CBP can take at the border, especially when it comes to personal or work-related data. With a few proactive steps and the right precautions, travelers can better protect privacy, devices, and a company’s sensitive information during international travel.

Please note: This alert is intended to provide general guidance for employers and organizations managing international travel-related risks. It does not address individual travelers' specific circumstances, nor does it cover all considerations related to personal devices or travel scenarios. Employees with questions about their own rights or risks should consider seeking independent legal counsel to ensure they are fully informed.

For more information on travel related matters, contact your Seyfarth relationship attorney or the authors Dawn Lurie and Leon Rodriguez directly at dlurie@seyfarth.com and lerodriguez@seyfarth.com. The Seyfarth Immigration Compliance & Enforcement specialty group offers advice and counsel relating to Form I-9 or E-Verify compliance, ICE inspections and worksite enforcement actions, internal immigration assessments, I-9 audits, DOL immigration-related wage and hour investigations, general H-1B compliance, and DOJ-IER anti-discrimination matters including foreign sponsorship and export control/ITAR issues.

[1] Border searches are an integral aspect of CBP’s border security and counterterrorism responsibilities under Title 6 of the U.S. Code, enforcement of laws relating to customs and international trade under Title 19 of the U.S. Code, and enforcement of the immigration laws under Title 8 of the U.S. Code, in addition to numerous other federal laws that CBP enforces and administers at the border.

[2] See, Border Search of Electronic Devices at Ports of Entry at https://www.cbp.gov/travel/cbp-search-authority/border-search-electronic-devices

Seyfarth Shaw LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from their professional advisers.