Summer has arrived and like many vacationers, you might cross the US/Canada border when embarking on your adventures. And while work may not be top of mind, if you deal with sensitive client information you should always be conscious of the data you carry. You may not have physical paperwork, but if you have access to client files through your phone or other electronic devices, this information may be accessed by border security at any time.
So, before your next cross-border trip, take a moment to learn how authorities may retrieve your electronic information, and some precautions you can take to protect private information.
Authority to search electronic devices
Many Canadians don’t realize that when they are entering the US, American Customs and Border Protection (CBP) officers can view what’s on their electronic devices. According to the Code of Federal Regulations:
"All persons, baggage and merchandise arriving in the Customs territory of the United States from places outside thereof are liable to inspection by a CBP officer” (19 C.F.R. 162.6).
US border officials do not need reasonable grounds to search devices, as the above clause gives broad legal authority for them to search and seize the possessions of all individuals entering the country. This includes the right to search and seize laptops and other electronic devices.
Similarly, when you return from your trip, Canadian Border Services Agency (CBSA) officers are authorized under Section 99 of the Customs Act to examine goods in a traveler’s possession. The term “goods” is defined in the Customs Act to include “any document in any form,” meaning the CBSA may examine electronic documents.
Usually, these searches are limited to cases where an officer has grounds to do so. For example, the officer might suspect that a phone contains information about contraband items discovered in the possession of its owner. However, it’s important to be aware that even in non-suspicious circumstances, border authorities have the right to seize your phone and scroll through its contents if they wish.
These conditions may seem problematic for professionals, such as chartered professional accountants (CPAs) or lawyers. CPAs in British Columbia are governed by Chartered Professional Accountants of British Columbia’s Code of Professional Conduct, which imposes a duty of confidentiality as a professional obligation.
Under the Code, CPAs have a duty to protect any confidential information acquired as a result of professional, employment, and business relationships, and cannot disclose such information without proper and specific authority. However, where such information is required to be disclosed by order of lawful authority, the Code permits the disclosure of confidential information. Nonetheless, CPAs should take steps to safeguard confidential information and to minimize disclosure.
Is your information safe if your electronic devices are password protected? Unfortunately, under Section 99 of the Canadian Customs Act as well as US Customs and Border Protection Directive No. 3340-049, border security is authorized to request your passwords to unlock electronic devices.
If you refuse to disclose your passwords, you could be viewed as preventing border officers from carrying out their duties under the relevant legislation. This could lead to the seizure of your electronic devices for forensic examination and, in rare cases, arrest. Despite these policies, you should still password-protect your devices and use encryption whenever possible. Most documents and devices now have encryption capabilities which convert data into a coded version which can only be readable if the person accessing it has access to a decryption key.
While complying with a border authority’s request for your password may not be a breach of your professional obligations under the Code, you still have a responsibility to take steps to protect sensitive information.
Tips for protecting sensitive electronic information when travelling
- Only bring confidential information you reasonably need to have and use while you are travelling.
- If you need to access confidential information during your travels, save it to a secure cloud-based service based in Canada. It’s safer to access information through a secure, virtual private network connection than to carry files electronically via devices such as a phone, laptop, hard-drive, or USB key. Canadian and US border security do not have authority to search remotely stored data.
- Ensure your electronic devices are password protected with strong passwords and ensure that two-step authentication is enabled where possible.
Under normal circumstances, border security will rarely request to examine the contents of your electronic devices. However, it’s important to remember that this is always a possibility. If you carry sensitive client or company information, it’s wise to know how to respond to authorities, and to take proactive measures to minimize risks to confidential electronic information.
Michela V. Fiorido is a privacy lawyer at Harris & Company LLP in Vancouver. She regularly advises private and public sector employers on information access and protection as well as technology use in the workplace.