Business travelers will soon need to carry the name of their corporate lawyer in addition to their passport when returning home to the United States, and they may need to bring with them a different business laptop as well. This is because U.S. Customs can search and confiscate your laptop without any prior cause, according to policies that have been posted online since a Ninth U.S. Circuit Court ruling in April.
Alice Stitelman, a consultant who writes about e-mail usage and legal matters, says this is just one example of "what you don't know about legal computer issues [that] can hurt you. Many business users mistakenly believe that their data is private -- whether it is on their laptop, cell phone, or mobile device. In fact, they should have no expectation of privacy. Users have much less control over who reads their data than they may realize."
There are other examples of new regulations and policies that will have a profound impact on business technology policy in the coming years. As legal battles over content filtering, Net neutrality, tracking Web history, and laptop searches ensue, corporate IT managers will need to rethink their strategies on how they implement cloud computing, formulate their e-discovery and records retention policies, and safeguard business data carried by traveling executives using various mobile devices.
Confiscated Laptops: Time to Revise Data Access Strategies for Execs
The Department of Homeland Security has reaffirmed its policy that lets it search, copy, or even impound your employees' laptops when they return to the United States. This is completely at the security screeners' discretion, and applies to anyone entering the country -- citizens and noncitizens alike. Security consultant Jeff Bardin, writing on the CSO Online blog, calls it a "virtual strip search" and cautions somewhat facetiously, "I'd best not forget to take the microdot off the woolly boogers that collect in my pockets."
But all kidding aside, this policy is very much a reality and not just for the tin-hat paranoids. "It definitely has been happening more and more recently, and we have gotten lots of complaints," says Danny O'Brien, the international outreach coordinator for the Electronic Frontier Foundation, an advocacy group.
"A CEO I know was detained and his computer's hard drive was copied and returned," says David Burg, a principal at PricewaterhouseCoopers' advisory and forensics practice. As a result, his client's company has changed its practice, so "employees aren't allowed to travel outside their home countries with their standard-issue laptops," he says. Instead, they are issued bare-bones laptops that have very little corporate data and use VPNs to communicate securely back to their offices.
Other countries are also randomly inspecting laptops: "Canada has been looking for child pornography on laptops entering their country," says John Pescatore, a Gartner security analyst and a former security engineer for the U.S. Secret Service. "It is hard for anyone to argue against that." And as more countries claim the right to copy or confiscate laptops -- or, worse, to install monitoring software -- soon this idea of having a "travel laptop" will become more common practice so that sensitive corporate data is left behind.
"Given that the majority of corporate PCs are laptops now, your data is now more vulnerable," says the EFF's O'Brien.
"You might want to consider limiting the data on your laptop to what you are willing to share with the government," says Kevin Clark, network operations manager of Clearpointe, a managed services provider.
"I would never travel with any data that I cared about anyway," says John Kindervag, a senior analyst for Forrester Research. "I would put it on my iPod or encrypt it." Certainly, "you should have been encrypting the hard drives of your laptops; these are just more reasons to do so," says Gartner's Pescatore.
But using encryption is no guarantee that the government won't obtain your employee's data, according to legal authorities, especially if a security screener demands your password to decrypt your files. "We would say that you have some strong protections against giving out your password, and believe that falls under self-incrimination," says the EFF's O'Brien. Other lawyers agree that requiring users to give up their passwords to the government could fall under the category of unreasonable searches that the courts have long ruled are impermissible, but they note that overall case law is still evolving, so there's no hard-and-fast rule to rely on.
"A lot of this is just security theater," says Forrester's Kindervag, meaning it's just for show. He was detained -- although not at an airport -- and "I stood my ground and refused to give up my data, and eventually the screener backed down." Clearly, one prudent course of action is to have ready access to legal counsel when returning to the United States.
If your execs' laptops are impounded, you have several critical issues to address. First, do you have the executives' data backed up so that you can get them up and running quickly on new computers? Second, is sensitive data protected from prying eyes -- whether bored screeners or investigating authorities? This is where having the cleaned "travel laptop" begins to sound compelling. Finally, does this change your corporate policies on other mobile devices besides laptops, such as smartphones and PDAs that often have all sorts of personal and customer confidential information on them?