A year ago, business travelers were panicked about a U.S. and UK ban on laptops and tablets on flights departing certain Middle Eastern and North African countries. While that ban was eventually withdrawn, the experience has prompted urgent conversations within companies about how to protect travelers’ devices and data.
High-profile data breaches and reports of electronic devices being searched at border crossings are motivating companies to ask travelers to be more careful about limiting the valuable information that could be exposed.
In October, U.S. Customs and Border Protection commissioner Kevin McAleenan testified that the agency searched more than 30,000 electronic devices in fiscal 2017, up from about 5,000 in fiscal 2012. McAleenan noted the current figure represents “less than one-hundredth of one percent of travelers” arriving in the U.S., but the increase has travel managers worried.
Privacy concerns also could extend to social media. The U.S. Travel Association expressed “serious reservations” about a new proposal from the Trump administration that would require U.S. visa applicants to submit usernames for social media platforms such as Facebook and Twitter.
“These new social media vetting standards would affect visitors from countries that are rapidly expanding as lucrative international travel markets, such as China and India, and could dampen America’s ability to capitalize on that growth,” wrote Patricia Rojas-Ungár, the association’s vice president of public affairs.
Despite last year’s laptop ban being lifted, “companies and travelers find themselves continually concerned about device security and how to best protect their data,” said Allen Allison, chief information security officer for American Express Global Business Travel. Encrypting a laptop hard drive can protect data on a device, he noted, but human error can interfere: “Gaps in encryption programs can leave some devices only partially encrypted or, in some cases, completely unprotected, putting sensitive and personal data at risk.”
Allison, for example, was recently sitting at a local coffee shop and noticed that someone at a nearby table had a yellow note stuck to their laptop with the encryption recovery key clearly visible – making it possible to break the encryption with little effort.
Other weak links tend to be USB drives and cell phones, which are easily stolen. Allison recommends treating cell phones like laptops and encrypting them, setting a short interval before they lock, and requiring a strong password.
Corporate data policies, in many cases, have been reactive rather than comprehensive.
“After last year, companies came up with different responses,” said Greeley Koch, executive director of the Association of Corporate Travel Executives. Despite the inconvenience, some businesses began requiring employees to travel with loaner laptops that would be wiped clean of all significant business information. Employees would connect to the company network using a secure virtual private network, or VPN, while traveling, then return the laptop at the end of the trip.
Large global companies, Koch added, at times asked employees not to travel with any computer at all. Travelers would pick up laptops when they arrived at the local office to borrow for the duration of their trip. But that policy made it too difficult to work, especially with so much time lost during long flights. “People looked at that and said it was really impacting productivity when they couldn’t travel with a laptop,” Koch said.
Some have tried to find a middle ground. Recently, Koch was on a trip with a senior executive for a travel industry company and learned that the executive now travels only with an iPad connected to a cellular network, which is harder to hack than an open public Wi-Fi network.
“We’ve got this great global economy, and part of that means being connected at all times,” Koch said. Given the rising concerns about border searches and hackers, he added, “I hope that doesn’t slow things down in the future.”
Another approach focuses less on devices and more on securing data across the company, said Matt Bradley, regional security director of the Americas at International SOS. “Taking a ‘clean’ laptop or phone is almost as useless as not taking them at all,” he said. “The truth is, information is susceptible wherever you go.”
A practical alternative to switching out devices would be for companies to allow travelers to use their regular laptops, but to require all employees to keep sensitive documents in secure cloud storage. “Then they only have to protect one location, as opposed to having to consider each laptop as a point of vulnerability that they have to protect,” Bradley said.
Lawmakers have noticed the unease. In March, Senators Patrick Leahy, a Democrat from Vermont, and Steve Daines, a Montana Republican, introduced a bill that would increase protections for travelers whose electronic devices are searched and seized by border agents.
The bill would require agents who conduct “manual” searches of devices – those that do not use forensic software or involve entering a password – to have a reasonable suspicion that a traveler violated an immigration or customs law, and that the device contains information relating to the alleged violation. To conduct a forensic search of a device, U.S. border agents would have to get a probable cause warrant from a judge.
In the meantime, the Electronic Frontier Foundation, a nonprofit organization focused on digital civil liberties, reminds travelers that U.S. border agents cannot deny U.S. citizens entry if they refuse to have a device searched – but they can seize their devices and detain them for long periods. Foreign visitors can be turned away, and the situation is unclear for lawful permanent residents.
Allison recommended that business travelers take only the devices they absolutely require, whether there is a strict company policy in place yet or not. If asked to have an electronic device inspected, he said, try to unlock it yourself rather than provide the password.
“The laptop ban is just one example of an overall heightened climate around data privacy,” he said. “Throughout the rest of this year, we are anticipating a heightened awareness of these potential dangers.”