On April 21, 2008, the 9th U.S. Circuit Court of Appeals essentially gave the U.S. government carte blanche permission to check any and every piece of data on laptops belonging to travelers passing into the United States at border control checkpoints.
In its decision, the court stated that they "are satisfied that reasonable suspicion is not needed for customs officials to search a laptop or other personal electronic storage devices at the border." This decision also allows the U.S. government to confiscate the laptop for an unlimited period of time, and with no recourse for the owner of the device. Most business laptop owners have nearly everything about themselves stored on their hard drives, including financial information, pictures, e-mails from a variety of sources, and, of course, work-related sensitive information.
Encrypt and back up
This case highlights the need for every enterprise--and any individual who travels internationally--to take immediate steps. The typical password log-in protection is not sufficient to mitigate this risk. Enterprises should require that all users have their hard drives encrypted. Further, it is imperative that a backup of the data on the drive be made and left in a safe place. This should be done in case the U.S. government decides to confiscate the user's machine (although this is an unlikely scenario, it is nevertheless possible). Typically, 50 to 75 percent of critical business information is stored on user PCs, and it is often never backed up. So, if an executive's machine is confiscated, the potential for disruption is alarming.
Use laptop security suites, file backup and employee awareness
Any company with international travelers should initiate the following three precautionary steps immediately:
Precautionary Step No. 1: If there isn't a laptop security suite already in place, companies should deploy one. There are suites available such as Sybase Afaria, Credant, Trust Digital, PGP, RSA and Utimaco. Using this technology, companies should enable a secure storage capability on each device by turning on and maintaining file encryption. It usually isn't desirable to do whole disk encryption (available within Windows XP and Vista), as this could cause performance issues. But specific files of sensitive information should be selectively encrypted.
Precautionary Step No. 2: Next, make sure that all data files on each laptop are backed up to a server or to a portable hard drive provided to the end user. Then follow up with appropriate "nagging" to make sure the user performs the backup regularly. Automated tools are available to accomplish this at a reasonable cost, and often within the same security suite deployed for encryption.
Precautionary Step No. 3: Finally, inform every business traveler of the new rules, and make sure they understand that the new security regimen is not optional.
Re-evaluate lax laptop security attitudes
It is estimated that 75 percent or more of corporate laptops go unprotected (except for the use of passwords). This is despite the risks inherent in losing or having the laptop stolen, and with the risk of the consequent data loss. This action by the U.S. government should finally force the majority of companies to re-evaluate their lax attitude toward laptop security, and provide a robust and secure environment for their users.
Know the ruling also applies to all mobile devices
This ruling does not only apply to laptops. Smart phones, including RIM's BlackBerry, are also included in the powers of review and seizure. Companies should take all necessary steps to secure them as well. Users of many wireless e-mail solutions (such as BlackBerry, Good, Sybase and MSFT Direct Push) already have higher levels of built-in security than the majority of users with enterprise-deployed laptops. Many of the wireless devices already include the ability to do a remote wipe of the device, which many security suites also enable.
Although the risk to individuals of data snooping or laptop loss because of this government ruling is minimal, it nevertheless does represent a real threat--especially in regulated industries such as finance and health care. Further, the risk is disproportionately higher for upper management, since many of a company's highest-level executives regularly engage in international travel while carrying highly sensitive corporate data.
Protect all mission-critical data
Although we hope sanity returns and Congress acts against this unprecedented invasion of privacy, we do not believe that this is a near-term likelihood. Therefore, each company with users who travel with their laptops must go into defensive mode and make sure all mission-critical data is protected. This can be done through the proper deployment of security and backup technology. Failure to act may cause the loss of sensitive information and potentially result in substantial harm to the company from confidential data being publicly disclosed.
Jack E. Gold is the founder and principal analyst at J. Gold Associates. He is a former vice president of Research Services at the META Group. He has over 35 years experience in the computer and electronics industries. He can be reached at [email protected].