April 16, 2018 | Risk Management Blogs
Last year, the ban on laptops and tablets on flights entering the U.S. from certain Middle Eastern and North African countries created panic among business travelers. The ban was eventually lifted, but it resulted in companies becoming proactive and vigilant. In today’s world, where information is power, data is an extremely important asset for all organizations. Therefore, it is crucial to prevent valuable information from being exposed. This ban was a turning point for companies to explore options to protect their travelers’ devices/data and avoid instances of data breach.
In October 2017, the U.S. Customs and Border Protection commissioner attested that more than 30,000 electronic devices were searched in fiscal 2017, up from about 5000 in fiscal 2012. He further stated that the current figure represents less than one hundredth of 1 percent of travelers arriving in the U.S.; however, the overall increase has travel managers worried.
In light of recent developments, concerns relating to privacy could extend to social media as well, and not be limited to just flights. The U.S. Travel Association had serious reservations about the new proposal from the Trump administration that would require U.S. visa applicants to submit user names for social media platforms such as Facebook and Twitter. The association’s vice president of public affairs said that the new social media vetting standard would affect visitors from countries such as China and India — two rapidly expanding lucrative international travel markets — and dampen America’s ability to capitalize on that growth.
Allen Alison, the chief information security officer for American Express Global Business Travel stated that despite the lifting of last year’s laptop ban, companies and travelers continue to remain concerned about device security and how best to protect their data. He believes that although encrypting a laptop’s hard drive can protect data on a device, human error can leave gaps in encryption programs. It could leave some devices only partially encrypted or, in some cases, completely unprotected, putting sensitive and personal data at risk.
Allison shared his recent experience at a local coffee shop, where he noticed someone at a nearby table with a yellow note stuck to their laptop and the encryption recovery key clearly visible, thus making it possible for anyone to break the encryption with little effort. USB drives and cell phones are other weak links that can be easily stolen. Allison recommends that cell phones should be treated like laptops and be encrypted — strong passwords should be set, and intervals before the phone locks should be made shorter.
Reactive Policy Paradigm
There are innumerable cases that testify that the corporate data policies instituted are more reactive rather than proactive and comprehensive. According to insights shared by the executive director of the Association of Corporate Travel Executives, over the past year, a number of companies came up with different responses, such as traveling with a loaner laptop that would have all the significant business data removed despite all the inconvenience it would cause for businesses. The employees were instructed to use a secure VPN to connect to the company’s network and return the laptop when the trip was over.
There were instances where large-scale multinational organizations had asked their employees not to travel with any PDA; instead, they would be provided with laptops and other necessary devices at their regional office for the entire duration of their stay in that country. This policy created a number of hurdles for business travelers, as they were unable to use their laptops during long flight hours, which impacted their performance and productivity. Repeated attempts are being made to reach a common ground where productivity and performance remain unaffected and data privacy is intact.
An alternative is to use an iPad connected to a cellular network, which is comparatively difficult to hack and break into than an open public Wi-Fi network. Another approach is to focus more on protecting the data and less on devices.
A more practical alternative is to use the same device and keep the sensitive and important information in a secure cloud storage. This will reduce the areas of vulnerability that one needs to protect and safeguard.
A bill was introduced in March 2018 by Senators Patrick Leahy and Steve Daines that proposed increased protection for travelers whose PDAs are inspected and seized by the border personnel. According to the bill, the security personnel would conduct a manual inspection (which does not involve using forensic software or punching a password) of the PDAs only if they had a reasonable suspicion that the business traveler had violated any immigration of customs law, and only if they felt that the device could contain information about the alleged violation. For conducting forensic search of a device, the border personnel would first need to obtain a warrant from a judge.
The Electronic Frontier Foundation, a nonprofit organization focused on digital civil liberties, states that the U.S. citizens cannot be denied entry if they refuse to have a device searched. The border personnel, however, can seize their devices and detain them. Foreign travelers, however, can be turned away. The situation is ambiguous when it comes to lawful permanent residents of the U.S.
Irrespective of the policy in place, business travelers should carry only devices that are important. If security personnel want to inspect a device, it’s better for the traveler to unlock it himself rather than give out the password for the same. The latest example of the laptop ban is just one instance of an overall intensified climate surrounding data security and privacy. In the coming months, one can anticipate an enhanced awareness of the potential dangers relating to data privacy and security.