Welcome to the LACBA California Privacy Law blog. This blog will provide a forum for summary and discussion of recent developments in California privacy law. California was the first state in the nation to require operators of commercial websites or online services to post privacy policies, and was the first state to pass legislation requiring notification to customers for security breaches of personal information. California continues to pioneer new legislation and policy to address growing concerns regarding individual privacy rights in the information age. The last few weeks have seen the usual flurry of activity on the privacy front in California.
Recent California Privacy Law Developments
In the wake of the Hewlett-Packard pretexting revelations, Attorney General Bill Lockyer filed criminal fraud and conspiracy charges in Santa Clara County against former HP chairman Patricia Dunn and four others. Also, Governor Schwarzenegger signed a bill (S.B. 202), effective January 1, 2007, prohibiting the sale or purchase of a consumer’s phone records without the consumer’s written consent and the practice of obtaining such records by fraud or deceit.
In the same time period, the California Supreme Court refused to reconsider or modify its ruling in Kearney v. Salomon Smith Barney, Inc., 39 Cal.4th 95 (2006), which held that out-of-state companies are subject to California law requiring two-party consent for the recording of telephone conversations made to or received from California. For more on Kearney, click here.
In the last week of September, the governor signed a bill (A.B. 2886) increasing penalties for repeat identity thieves and those who acquire or retain possession of the personal identifying information of 10 or more people with the intent to defraud. Also on the identity theft front, the United States Attorney for the Central District of California issued a press statement on October 6, 2006, indicating that six indictments had been handed down as part of Operation Broken Trust, an investigation by the United States Secret Service into identity theft in the mortgage industry. That investigation focused on a ring that assumed victims’ identities by accessing their credit reports. The indictments are the most recent in a series of investigations in the Central District of California focusing on identity theft. To combat identity theft in Orange County, the United States Attorney’s Office formed the Orange County Identity Theft Task Force, which includes agents and investigators from the United States Secret Service, the United States Postal Inspection Service, the Social Security Administration, the Federal Bureau of Investigation, the Federal Trade Commission, IRS Criminal Investigation Division, and U.S. Immigration and Customs Enforcement.
For more on privacy and data security, including California laws, watch for the forthcoming Proskauer on Privacy Treatise, which will be available from PLI within the next couple of weeks.
Featured Issue: Fourth Amendment Protection Extends to a Border Search of the Private and Personal Information Stored on a Traveler’s Computer Hard Drive.
In a matter of first impression in the Ninth Circuit, the Central District of California ruled on October 2, 2006, that federal agents may not conduct a border search of the private and personal information stored on a traveler’s computer hard drive or electronic storage devices without reasonable suspicion. United States v. Arnold, — F. Supp. 2d –, 2006 WL 2861592 (C.D. Cal. Oct. 2, 2006). Although the Arnold case itself involved an individual’s personal, not business, files, the Arnold court’s analysis makes clear that customs agents do not have free rein to search files on a laptop computer, which may include trade secrets, attorney-client privileged information, and other proprietary business information.
Michael Arnold arrived at Los Angeles International Airport (“LAX”) on July 17, 2005, following a nearly 20 hour flight from the Philippines. Customs and Border Patrol Officers at LAX searched Arnold’s laptop, hard drive, compact discs, and memory stick. Following the search, Arnold was indicted for transportation of child pornography and possession of a computer hard drive and CDs containing images of child pornography. In response to Arnold’s motion to suppress the evidence, the government argued that a border search of information stored in a computer hard drive is not subject to Fourth Amendment protection. The court rejected the government’s argument, noting that the issue was “ripe for determination because technological advances permit individuals and businesses to store vast amounts of private, personal and valuable information within a myriad of portable electronic storage devices including laptop computers, personal organizers, CDs, and cellular telephones.”
The court compared a search of one’s private information stored on a computer with a strip or body cavity search, recognizing electronic storage devices as an “extension” of the person, unique in their storage capabilities: “[w]hile not physically intrusive as in the case of a strip or body cavity search, the search of one’s private and valuable personal information stored on a hard drive or other electronic storage device can be just as much, if not more, of an intrusion into the dignity and privacy interests of a person. This is because electronic storage devices function as an extension of our own memory. They are capable of storing our thoughts, ranging from the most whimsical to the most profound. Therefore, government intrusions into the mind – specifically those that would cause fear or apprehension in a reasonable person – are no less deserving of Fourth Amendment scrutiny than intrusions that are physical in nature.”
The court therefore concluded that such a border search must be based, “at a minimum, on a reasonable suspicion.” Specifically, in Arnold, the government needed, and did not have, a reasonable suspicion that the confidential information stored on the defendant’s computer contained evidence of a crime.
Ordinarily, under the Supreme Court’s Fourth Amendment jurisprudence, an examination of items such as luggage, purses, wallets, and pockets is considered “routine” due to the heightened need of the government to protect the nation’s borders, and requires no suspicion. However, probable cause is required for more intrusive border searches that implicate the “‘dignity and privacy interests of the persons being searched,’” as found by the Supreme Court in United States v. Flores-Montano, 541 U.S. 149, 152 (2004). Courts have held such “non-routine” searches to include strip and body cavity searches. Such searches require at least reasonable suspicion in the Ninth Circuit, and must be no more intrusive than necessary to obtain the truth respecting the suspicious circumstances.
The Arnold court found that the “opening and viewing [of] confidential computer files implicates dignity and privacy interests,” and went as far as to suggest that “some may value the sanctity of private thoughts memorialized on a data storage device above physical privacy.” Thus, the search of an electronic storage device is not the equivalent of a search of a wallet, purse, or lunchbox, because electronic devices “have the potential to contain vast amounts of information. People keep all types of personal information on computers, including diaries, personal letters, medical information, photos and financial records. Attorneys’ computers may contain confidential client information. Reporters’ computers may contain information about confidential sources or story leads. Inventors’ and corporate executives’ computers may contain trade secrets.”
The court summarized the careful balance that must be struck under the Fourth Amendment with respect to border searches in the information age:
[O]n one side is the desire to prevent the clear evil of smuggling through laptops and other storage devices child pornography and other informational contraband, such as the plans for a bomb or a list of possible terrorist suspects. In our information age, such contraband can flow with the click of a mouse through the Internet. On the other side of the scale is the liberty interest in one’s ability to travel with vast amounts of private information. This information can be highly personal, privileged, and valuable. To conduct a search of this type without reasonable suspicion goes well beyond the goals of the customs statutes and the reasonableness standard articulated in the Fourth Amendment. Therefore, while it is appropriate to turn on or x-ray a laptop or other device to ensure that it functions and does not physically contain drugs or other dangerous substances, a search of the information contained therein requires a reasonable suspicion.
Potential Circuit Split
Although it did not address the privacy interests at stake, at least one Court of Appeals appears to disagree with Arnold. The Fourth Circuit in United States v. Ickes, 393 F. 3d 501 (4th Cir. 2005), rejected a defendant’s argument that the search of his computer at the border was invalid because it involved the search of “expressive material.” Ickes held that, “[p]articularly in today’s world, national security interests may require uncovering terrorist communications, which are inherently ‘expressive.’ Following Ickes’s logic would create a sanctuary at the border for all expressive material – even for terrorist plans. This would undermine the compelling reasons that lie at the very heart of the border search doctrine.” The Fourth Circuit disregarded as “far-fetched” Ickes’s argument that the court’s ruling meant that “‘any person carrying a laptop computer . . . on an international flight would be subject to a search of the files on the computer hard drive.’”
Arnold suggests that, at least in the Central District of California, privacy interests – including the liberty interest in traveling with privileged or confidential business information – must trump even national security in the absence of reasonable suspicion of a crime, despite the otherwise broad discretion of custom agents to conduct searches at the border. Independent of the courts’ recent decisions with respect to Fourth Amendment searches of electronic media, companies whose personnel regularly travel on international business should take steps to ensure that access to confidential or otherwise private files on laptops or handheld devices is restricted to authorized personnel.
 This blog is to designed to provide general information, not to provide specific legal advice. By using this blog you acknowledge that there is no attorney-client relationship between you and the blog moderator and/or the authors of any specific posts on the blog. Statements made in this blog are the viewpoints of the individual authors, and do not necessarily reflect the views of Proskauer Rose LLP or any of its clients.