Executives and in-house counsel should be aware that traveling with sensitive data can lead to its seizure—with potentially severe consequences worldwide. Recently, Parliament in the United Kingdom seized from a traveling executive a USB drive containing data that had been produced in a United States lawsuit between Six4Three, a software company, and Facebook. Put simply, that data was in the wrong place at the wrong time.
Several Members of Parliament, frustrated with the apparent refusal of Facebook’s CEO and co-founder Mark Zuckerberg to appear for testimony, summoned (via a sergeant at arms) Ted Kramer, the founder of Six4Three, at his hotel room in London. According to reports, the executive met with a parliamentarian, was threatened with contempt, “panicked,” and copied onto a USB drive a large amount of lawsuit-related data that previously had been synchronized to his laptop from a DropBox account.
The consequences were immediate in the U.K. and severe back in the U.S. The USB drive ended up in the hands of Damian Collins, Parliament’s chair of the culture, media and sport select committee. This exposed the contents of the drive—including potential trade secret information—to a foreign investigative body that was not subject to the jurisdiction of the California state court that had issued a confidentiality order prohibiting disclosure to third parties. Collins then announced an intent to publish the documents. But back in California state court, things got worse. Not only did Kramer’s turning over the data violate the confidentiality order; the executive possessed the information by erroneous DropBox permissions thatthemselvesviolated the confidentiality order by giving him access to “attorneys eyes only” material. The state court judge called the situation “unconscionable” and ordered forensic examinations of numerous devices of Kramer—and his attorneys, who had to withdraw from the case.
There are many lessons to be learned, but this event highlights three things about physically moving data across borders. First, once data is within the boundaries of another country, it is subject to seizure and search according to the laws of that country. U.S. components of multinationals are frequently confronted with the hazards of importing datafromthe EU or Asia, where such data might be sought for a U.S. civil or criminal action. But the recent seizure in London underscores that when sensitive U.S. data—even when subject to a confidentiality order from a U.S. court—moves out of the country, neither its U.S. origin nor protective orders of American courts are necessarily effective in preventing a foreign law enforcement agency (or legislative body) from taking it.
Second, once data is in the custody of a foreign government, the information is at risk of being disclosed to third parties or the public—in a context where expected principles of confidentiality (or the protection of U.S. law) is absent. A foreign authority may simply decide that the public interest of its country outweighs comity. Notions of privilege can also vary dramatically. Europe and parts of Asia accord far less protection for in-house counsel’s activities than do principles of law in the United States. And some foreign governments may be interested in (involuntary) technology transfers.
Finally, when U.S.-based data comes back into its home country, even when there is no incident abroad, it can still be seized at the border, without being subject to Fourth Amendment protections. Data seized by the Department of Homeland Security may be disclosed to other federal investigative agencies, and there have been multiple recently reported instances of Customs and Border Patrol personnel forcing entrants to allow searches of electronic devices, where a purely internal law enforcement agency would have to obtain a warrant.
There are several ways to mitigate risks that stem from crossing international borders while carrying electronically stored data:
- For in-house counsel traveling on business, consider taking devices containing just what you need, not everything you have. For example, if you are dealing with a specific matter, you could minimize the amount of material you are carrying related to other matters.
- For all employees, minimize the amount of unnecessary technical material you are carrying, for data security; competitive; and reasons related to ITAR (International Traffic in Arms Regulations) and the EAR (Export Administration Regulations). And what data you do carry should never be the only copy of that data.
- If you are a producing party in litigation, consider confidentiality orders that prohibit adversaries from moving your data abroad, be it hosting or physical carrying.
- Make sure that your data is encrypted on the device. This will not prevent all unwanted access, but it can provide some protection, even if a device simply becomes the subject of theft.
- If you review company data that is resident in another country, carefully consider the risks of bringing it to the United States, whether those risks stem from the General Data Protection Regulation (GDPR), data residency laws, or pending investigations.
|