Are Your Employees Travelling to the U.S. with Business Data on their Electronic Devices? Enhanced Security Measures Could Mean that Your Business Data is Searched and Retained at the Border
If your employees cross the U.S. border for business or personal purposes, U.S. Border Agents can search all their electronics devices and they could copy all the data contained therein. The U.S. Department of Homeland Security (“DHS”) has the authority to search traveller’s belongings, including electronic devices without a warrant.[1] The DHS’s longstanding policy has been enforced for some time now. However, on June 28, 2017 DHS announced new security measures, including enhanced screening of electronic devices for all travellers travelling via airports to the U.S..[2] Following this announcement, it is expected that an increased number of electronic devices will be searched.
Employees who travel to the U.S. might carry business data on multiple electronic devices. For example, some businesses permit employees to have one cellphone for both personal and business purposes – if the employee travels for leisure but brings this cellphone onboard, the cellphone (and all the business data contained therein) could be subjected to a search. Similarly, if employees bring their business-only laptops and cellphones onboard for a business meeting, the devices could also be subjected to enhanced screening.
The Screening Process
All electronic devices are screened for explosives at a primary inspection station through X-ray machines.
Border Agents may, at anytime and at random, select to conduct a secondary inspection of all the traveler’s belongings. Those selected for secondary inspections might include passengers enrolled in trusted passenger programs, such as NEXUS.
During a secondary search, the traveller could be asked to provide login and password information for the device and the applications on it (including email, business databases, social media, cloud storage). While the traveller is not required to cooperate, failure to do so might result in denied entry to the U.S. and detention of the device.
During the search of an electronic device, Border Agents might take one of the following actions:
- Detention. The Border Agent might keep the original device, in which case a tear sheet containing information on DHS’s authority will be given to the traveler. DHS might also duplicate the information stored on the device, with or without the knowledge of the traveler, for analysis at a later date. DHS might also demand subject matter assistance from other federal agencies, in which case this fact will not be disclosed to the traveler. After the search has concluded, the electronic information will be destroyed “unless retention of the information is necessary for law enforcement purposes”.[3]
- Seizure. The electronic device can be seized if there is a “probable cause to believe a violation of law” has occurred.[4] If the electronic device was returned to the traveler, and DHS later finds probable cause for seizure, then the original copy will be seized and it will not be destroyed.
- Retention. Any or all information from the device can be retained in any of DHS’s recordkeeping systems. This will typically occur if the information obtained reveals information related to immigration, customs or other laws enforced by DHS.
It’s important to understand that a claim of legal privilege will not preclude the secondary search. However, if the traveller claims that the information contained in the electronic device is business sensitive or protected by solicitor-client privilege, the Border Agent is required to seek legal advice from the United States Attorney’s Office before proceeding with the search. The search and information gleaned from it might then be handled in accordance with the U.S. Privacy Act and the Trade Secrets Act.
How to Protect your Business Data
To prevent your business data from being searched and potentially entered into the U.S. federal agency data systems, the ideal scenario would be to travel without any electronic data – no laptops and no cellphones. However, travelling with no electronics might raise suspicions and is not practical in today’s business environment. Below are some suggestions to consider:
- Create a business policy on travelling with electronic devices.
- If your company provides employees with cellphones/laptops, do not offer employees the possibility of using their personal phone/laptop for business. Employees will travel, and if they travel for pleasure, they are likely to bring that cellphone/laptop with them across the border. Instead, offer employees a cellphone/laptop that is to be used solely for business. This way, if employees travel for leisure, they will not have to bring the business phone/laptop on their trip.
- Have spare phones and laptops that contain little to no business data that employees can take on their business trips. These devices could be loaned to employees ahead of their trip, so that they load only the necessary information for their business meeting, but they will not contain sensitive data.
- Consider what business information you are comfortable with disclosing to government agencies and set up your travel devices accordingly.
- U.S. Border Agents are not restricted to searching the data that is physically stored in the device at hand. Border Agents can also ask employees to login to email, applications, software programs, clouds, social media, etc. (“applications”). Consider which applications to load on the electronic devices that your employees carry on their travels.
- Have clear guidelines for employees to follow when they are asked to provide login information.
[1] Privacy Impact Assessment for the Border Searches of Electronic Devices, August 25, 2009.
[2] https://www.dhs.gov/news/2017/06/28/remarks-council-new-american-security-conference
[3] Supra 1, at 5.
[4] Supra 1, at 5.