If anything makes an argument for disk drive level encryption, or synching a laptop back to the head office better than the recent news and meetings over the ability of US Border Guards being able to seize and inspect a companies laptop I cannot think of one.
This is something that affects the millions of travelers that cross US borders on a monthly basis. While I do not advocate using cryptology as a way to shield illegal activities, businesses work hard for their data, and confidential company data on clients, resources, sales, sales figures, usually travels along with the companies sales force. The data on that laptop is company confidential if not critical to the success of that company’s growth. Governmental information security policies differ from company policies, and companies face a slew of legal regulations from SOX to HIPAA to GLB to protect data.
Sales and executive teams that cross the border, and for what ever reason, border guards seize it, the company is not only out the data on the laptop, but given governments record of accomplishment it may not be in an environment that complies with company security policy.
“Last week, an informal survey by the association, which has about 2,500 members worldwide, indicated that almost 90 percent of its members were not aware that customs officials have the authority to scrutinize the contents of travelers’ laptops and even confiscate laptops for a period of time, without giving a reason.
“One member who responded to our survey said she has been waiting for a year to get her laptop and its contents back,” said Susan Gurley, the group’s executive director. “She said it was randomly seized. And since she hasn’t been arrested, I assume she was just a regular business traveler, not a criminal.”
Appeals are under way in some cases, but the law is clear. “They don’t need probable cause to perform these searches under the current law,” said Tim Kane, a Washington lawyer who is researching the matter for corporate clients. “They can do it without suspicion or without really revealing their motivations.” (IHT)
Most companies would find this intolerable, especially when multi-million dollar deals are on the line, and that laptop is the last place that the data is stored (many sales folks do not synchronize their laptops with the company office when on the road). Some simple solutions should help company security folks at least minimize the damage from a laptop loss (theft or confiscation).
1. Have the laptop synch with the head office every time it is connected to the office. That way, at least the documents are synched and new documents are stored on corporate computers. Simple software or scripting can enforce this either at the beginning of the session or the end of the session and should not take too long in the heavily wired world we live in.
2. Use drive level cryptology, windows and Linux both provide drive level cryptology through their operating systems. If the laptop is stolen, it is most likely not going to be of any use to anyone. If the laptop is confiscated, then the sales person needs to have contact with the company lawyers at the time of confiscation, and a solid procedure on not turning over company logins to anyone, backed up by the company lawyer or legal team. This should be a high-level policy, implemented by the security department with keys stored in LDAP or Active Directory in case of key loss. The time to engage company lawyers is at the time of confiscation, not later on down the road when the sales person or executive team comes back to the office to report what happened.
3. Before returning, zip or otherwise compress, password, and e-mail the entire document set or other proprietary data. A script or small program with a Click here and Send button can be created that would zip the contents of the documents directory, or search for and zip all documents, power points, and other files then e-mail them back to the head office. Policy can be used to define what will be zipped and sent.
I am not advocating in any way that anyone refuse to turn over a laptop to customs agents. However, the information security implications, and how SOX, HIPAA, GLB or any other information security style legal process already in place, will be interpreted is something that the company lawyers and the government need to work out. If the traveler has a database of 100,000 people’s personal information on their laptop, and it is seized, is that a reportable loss of information that could result in company fines? Is the data considered in limbo with no legal status? Who is responsible if the laptop is stolen from customs, and the data ends up on the internet or used by someone else?
Simple encryption and file synchronizing shows that the company at least tried to do due care and due diligence if the problem ever goes to court for a data loss. Simple precautions, backed up by company policy and the company’s legal team can at least address many issues that any laptop loss, either stolen or confiscated can bring to the companies doorstep to roost.
For more information click here. The enclosed google search provides a wealth of information about what is worrying business leaders about current US Customs policy.
Tag:
Add to 
Dan Morrill has been in the information security field for 18 years, both
civilian and military, and is currently working on his Doctor of Management.
Dan shares his insights on the important security issues of today through
his blog, Managing
Intellectual Property & IT Security, and is an active participant in the
ITtoolbox blogging community.
