Land transportation & border security

Security ahead of risk at the border, II

Published 7 May 2008

In a ruling by the Ninth U.S. Circuit Court of Appeals, U.S. Customs and Border Protection (CBP) was allowed to continue its practice of warrantless searches through computer data held by U.S. citizens and foreigners alike; with this in mind, an expert offers practical ideas on how to handle sensitive corporate — and personal — information as one crosses into the United States.

The Customs and Border Patrol (CBP) service has a practically unlimited right to rummage through and search the luggage of those who cross into the United States, and a recent court decision has upheld that right (see HSDW story). Jon Espenschied writes in ComputerWorld that without a clear resolution, those who travel with valuable data — for example, business people who carry sensitive corporate information on their laptops’ hard drives — have little choice but to increase their level of preventive and responsive information security controls. For some corporate travelers with astute IT support, this may just mean paying closer attention to existing policy and making sure that data is properly compartmentalized and backed up. For those without such security, a few basic guidelines are in order until this situation is resolved:

  • Regularly back up all information. Even if a portable computer is one’s only computer, ensure that data carried through checkpoints is never the only copy. Where practical, an online incremental backup to a corporate IT service may work, but often it’s as simple as doing it yourself with an external hard drive that never travels with you or at the same time.
  • Separate business and personal data. Some road warriors may carry two laptops, but for most people who travel a lot (and have some leeway about personal use of a corporate computer), this may just mean using Internet Explorer for work and Firefox for personal use. If personal use involves significant data storage or multiple applications, a virtual machine may be the right solution and can easily be backed up at home or copied to a DVD sent back by separate means.
  • Encrypt everything sensitive. Refusing to decrypt data or give the CBP a password may result in seizure or copying of data, but if backups have been done properly, this should have minimal impact — maybe a week’s or month’s work. It is better, however, than having some CBP forensics staffer or contractor pawing through clients’ financial data or leering at a spouse’s French beach pictures. Common sense and a pile of regulatory requirements demand that financial, health, and government data be protected by encryption if they must be carried at all. Personal discretion would normally preclude collections of prurient videos and documents about landmarks and explosives, but people make their own choices regarding entertainment on the road. In both cases, encrypt what you must carry.
  • Securely retrieve remote data. If some data simply can’t be exposed to the risk of warrantless review and undocumented exposure, then view and work with it using a remote, encrypted method if at all possible. Many enterprise document management systems include tools that allow for noncached work on documents and spreadsheets through an encrypted connection. Services such as Google Documents and other online office suites provide a decent approximation for personal use, provided that one maintains an encrypted session and is aware of other security issues.
  • Insure the equipment against loss. The CBP does not currently make any assurance about when a seized laptop will be given back; some have never been returned. Inquire beforehand what time period must elapse before your corporate or personal insurance will treat seizure as theft or other covered loss. If it is a gray area, get the insurer’s positive response in writing or cover a negative response with a loss-of-use rider on the policy.
  • Report any losses. In addition to insurance claims and restoration of data from backups, there may be legal obligations to report an intrusive inspection where the hardware or media is seized or data copied, even if passwords are not divulged. The CBP does not publish its data retention or protection guidelines, so there is nothing that would, for example, satisfy Health Insurance Portability and Accountability Act (HIPAA) requirements for a business associate agreement or the PCI requirement to identify those individuals who have had access to sensitive data. Copied or seized data may be subject to breach disclosure laws such as California’s SB 1386, which requires notification of individuals whose personal information has been exposed or can’t now be accounted for.

Espenschied writes that until the search and seizure protocols are revealed, or until Congress imposes some restrictions on the CBP, such options are the only practical response. “Perhaps the CBP will seize the laptop of, say, a defense contractor of Middle Eastern descent carrying classified data that CBP officers and forensic staffers aren’t cleared to see. If we’re lucky, such a highly visible backfire will right the situation sooner rather than later,” Espenschied concludes.