Government Contracts Monitor

Information on Your Employees’ Electronic Devices Might Not Be Secure at the Border

February 22, 2017

The recent spate of news stories describing travelers seeking to enter the U.S. being stopped at the border and forced to hand over their phones and laptops has caused a great deal of concern among pro-immigration and civil liberties advocates. But they are not the only ones who need to pay attention. For green card and visa holders, many of whom are already scared to travel outside the U.S. for fear of not being able to return due to the Trump Administration’s recent actions and statements, having to hand over their phone may be the least of their worries. But if they are your employees and have access to your company’s confidential information, the prospect of their surrendering control of their personal devices to anyone, even the Customs and Border Patrol (CBP), should be of concern to you. The fact that U.S. citizens can be subject to the same demands means that the potential threat confronts any employee traveling outside the U.S. with an electronic device. If you’re serious about protecting your company’s confidential information, you need to take steps to address the possibility that your employees will not be able to adequately secure information on their electronic devices at the border.

The need to be proactive on this issue was underscored by numerous news reports about the recent experience of NASA engineer, Sidd Bikkannavar, when returning to the U.S. from vacation in Chile. The incident occurred several days after President Trump signed the “travel ban” Executive Order. Bikkannavar, a U.S. citizen enrolled in the Global Entry program, who is not Muslim (and was not returning from one of the seven nations specified in the Executive Order), was asked by CBP to hand over his work-issued phone and provide the access PIN. He has worked at NASA’s Jet Propulsion Laboratory (JPL) for over a decade and was reportedly torn between his obligation to JPL and the orders he had received from CBP. Bikkannavar claims that, under other circumstances, he would not have given up his work phone, both because it was JPL property and because it contained other people’s information in addition to his. In this case, however, facing the alternative of continued detention by CBP and seizure of his phone, Bikkannavar ultimately turned over both the phone and his PIN. Then he waited in a holding area with other detainees until CBP personnel returned Bikkannavar’s phone and released him. Since the incident, JPL has been working to determine whether CBP took any information from, or installed anything on, the device.

Significantly, the CBP’s practice of detaining electronic devices for further examination is not new. Indeed, Department of Homeland Security (DHS) Secretary Janet Napolitano announced directives in August of 2007 for both CBP and Immigrations and Customs Enforcement (ICE) to enhance and clarify oversight for searches of computers and other electronic media at US ports of entry. DHS has since performed a number of impact assessments of Border Searches of Electronic Devices (examples can be found here and here). As the DHS webpage for Civil Rights and Civil Liberties Impact Assessments explains, to accomplish their mission to secure U.S. borders from illegal activities, “CBP and ICE have the authority to search travelers, baggage, and containers (including electronic devices)”. To that end, CBP has for years used a handout explaining its authority and approach to the inspection of electronic devices.

But while the detention of phones and laptops has been a possibility for years, the number of border searches of electronic devices has been relatively low. According to a 2011 report by the American Civil Liberties Union, over 6,500 people traveling to and from the United States between October 2008 and June 2010 had their electronic devices searched at the border. And nearly half of these people were U.S. citizens. According to DHS, over 4,500 electronic devices were searched in fiscal year 2015, and that number rose to approximately 23,000 in 2016. The 2015 figure amounts to only .0012 percent of the 383 million arrivals during that period. And while DHS agents may not be able to force you to unlock your phone or laptop, they can ask that you do so voluntarily and make things difficult for you if you resist – as NASA engineer Bikkannavar learned the hard way.

The Trump Administration’s emphasis on border security suggests that the likelihood electronic devices will be detained has increased, and may rise going forward. Certainly, regardless of hard data on the issue, anecdotal evidence like that in the recent news stories is worrying many travelers, citizens and non-citizens alike.

Regardless of whether or not these concerns are warranted, any employer that is obligated to properly protect confidential, proprietary or sensitive data, whether by statute, regulation, or contractual obligation (or some combination of the three), needs to review its current policies and procedures with an eye to whether and how they can be updated to pro-actively address the potential of border searches of electronic devices.

Ideally, your current controls are sufficient to prevent or seriously mitigate the possibility that employees are traveling with sensitive data on their devices. But realism strongly suggests that many international business travelers regularly travel with all sorts of sensitive data on their phones and laptops. In addition to continuing to regularly assess and take steps to improve their standard data security protocols, companies need to consider strategies and guidance for their employees that will reduce the likelihood of unpleasantness during interactions at the border with CBP. For example, should employees be required to travel with “clean” machines that the company has made sure contain no sensitive information? That would allow them to hand over their device and their PIN to CBP without having to worry about disclosing sensitive data to CBP or other third parties. Should websites and access portals also be removed from the device in case CBP decides to ask for social media and other passwords, as current DHS Secretary John Kelly suggested is under consideration for at least refugees and via applicants? If sensitive information must be used abroad, can it be sent there or accessed without actually having it on a device?

Many companies’ policies and procedures already address these issues to some degree because of their current legal and contractual obligations. If you have employees who are green card or visa holders or who travel internationally and you haven’t yet given these questions any thought, or you haven’t recently assessed the effectiveness of your current approach, you need to do so now.

Attorneys

Lindsay Simmons