Recently, international travelers have noticed US Customs and Border Protection agents with increased interest in searching cell phones, laptops, and other portable technology. Employers should be aware that this trend increases the risk that an unauthorized individual will access sensitive company information, which could result in an inadvertent data breach.
Some international travelers have been asked by border agents to unlock cell phones or provide a password needed to unlock the device. One report included a customs agent threatening to seize a travelers' phone if he did not unlock his cellphone. Employers are rightfully concerned that these searches may allow unauthorized individuals to access sensitive company information.
What options do employers have to secure company data on personal devices when employees travel internationally?
Policy Directives. Employers that decide to implement a policy in response to this news face a difficult decision between two imperfect options: (1) instruct employees to act within their right not to comply with a request to access a locked device, resulting in a potentially difficult and awkward situation for the employee, or (2) allow employees to permit access to their devices, and face a real risk of unauthorized access. Neither option may be satisfactory.
Alternate Technology. The employer could provide phones that are wiped of all company information to employees before international travel. This plan could be expensive depending on the employer's needs, and could be inconvenient for both the employer and employee.
Full Encryption. The employer could require that all data on a device be encrypted. While a screen lock password may provide an initial barrier to device entry, full disk encryption is a significantly stronger protection for sensitive information. Many states' data breach notification laws, including Michigan's, provide an exception if an unauthorized party receives an encrypted file without the decryption key. However, an employee could still be asked for the key, just like any other password.
Disallow Company Technology on Personal International Trips. Employers could simply require that employees leave portable work technology behind when traveling internationally. This option could be more practical for employees planning personal trips, but impractical if the employee might need to access work information or if the employee's work phone is also his or her personal phone.
None of these options are perfect, and there may be others depending on the employer's needs. Regardless, employers should consider how to approach this sensitive issue.