Lawyers Traveling Abroad: Precautions to Protect Client Data
About a year ago, I learned that the U.S. was considered “high risk” on privacy and security by the international community because of the Patriot Act. Being blissfully unaware of the contents of the Act, I dismissed this notion out of hand until this spring, when I discovered why: the Department of Homeland Security authorizes both U.S. Customs and Border Protection and Immigration and Customs Enforcement (ICE) to seize all electronic devices coming into the country and search the contained data. That includes your smart phone and flash drives.
Although this is not known to occur with frequency, it does occur, and half of those searched have been U.S. citizens. Since they don’t need probable cause, you just might get lucky.
To prepare yourself for the possibility, Susan Gurley, Executive Director of the Association of Corporate Travel Executives, suggests the following:
- Understand that no evidence is required to take your laptop
- Anything can be searched (photos and online bank statements included)
- Seized devices can be kept for an indefinite period of time
- Don’t take anything you don’t want to share
- Be cooperative, but ask for a receipt and badge number if your laptop is confiscated
What You Can Do
Given this scenario, the best course of action would of course be to put all your data in the cloud, leave your devices at home, and arrange for use of necessary devices abroad. Upon returning, load any new data, work product or other information into the cloud and return home device-free. You can always buy an inexpensive cell phone with no data capabilities to get you through the travel time, and take advantage of those great airport book stores to entertain yourself (you remember those days).
Not practical? Let’s take a look at other alternatives.
Mark Nestmann, an international privacy and wealth preservationist, offers these options:
- purchase an inexpensive laptop and use only for international travel. Keep nothing on it except for the operating system and program files. Before you cross the border, “sanitize” it using a program such as Window Washer. When you return to the United States, securely “wipe” any confidential information off your hard drive, along with the “free space,” using a program like PGP Desktop.
- Back up your data to an online backup site such as Carbonite. Encrypt the data before uploading it, using a product such as PGP Desktop or True-Crypt.
- Buy an “unlocked” tri-band cell phone with a replaceable SIM card for international travel. When you arrive in a new country, purchase a domestic SIM card from a local phone dealer.
- If you must carry sensitive data across the border, encrypt whatever device containing that data. However, CBP officials may demand that you decrypt any encrypted files before you proceed.
- Blackberries and other smartphones come with built-in encryption. However, many smartphone encryption systems have significant weaknesses. A better solution (unfortunately only for Windows mobile smartphones) may be PGP Mobile.
Two lawsuits have been filed and are still pending: one in 2008 by the Electronic Frontier Foundation (EFF) and the Asian Law Caucus, requesting clarification on its policies for search and seizure of devices; the other in 2010 by the ACLU, NYCLU and the National Association of Criminal Defense Lawyers on behalf of National Press Photographers Association, criminal defense lawyers and a student: Pascal Abidor, a 26-year-old French-American citizen whose laptop computer was confiscated at the Canadian border. Abidor was released after being detained for three hours, but his laptop didn’t arrive back home until 11 days later.
In spite of the litigation, I doubt the Patriot Act will be amended anytime soon to modify the unfettered authority of customs, given the sad state of international affairs. Considering options to preserve confidential data needs to be on your to-do list.