U.S. citizens who travel internationally, especially corporate executives and high-net-worth individuals, must consider and navigate data security risks when crossing a border—whether into the United States or another country—due to the potentially sensitive data on their personal electronic devices. Just like your luggage, your electronic devices and their contents are subject to search by border officials, leaving your information vulnerable. Having to provide others access to sensitive personal, corporate, or client information can have serious ramifications, including triggering an obligation to inform your clients and your superiors of the data compromise. However, with proper planning before and after travel, you and your company can take precautions to safeguard the sensitive information on your devices.

Understanding Current U.S. Laws and Policies

For U.S. citizens, it is critical to be aware of your rights, the limitations on those rights, and what to expect when crossing back into the country.

The Fourth Amendment of the U.S. Constitution protects U.S. citizens from unreasonable searches. This generally means the government has to show probable cause that a crime has been committed and get a warrant before it can perform the search. However, relevant case law and resulting government policies have deemed a search performed during a U.S. border crossing as a reasonable search under the Fourth Amendment. This means that, when you return to the United States, the contents of your electronic devices are treated the same as the contents of your suitcase, and are subject to search.

The U.S. government has long held the right to conduct such searches without a warrant or probable cause at the border or any port of entry, such as an airport, even without reasonable suspicion. Several federal court cases have upheld the government’s right to perform warrantless border searches due to the enhanced risk to U.S. interests and security. As was stated in the 1977 Supreme Court case U.S. v. Ramsey, the government’s “interest in preventing the entry of unwanted persons and effects is at its zenith at the international border.”

As a result, officials at the U.S. Customs and Border Protection (CBP), an agency within the Homeland Security Department, are entitled to search the contents of all items crossing a U.S. border, which can include the examination of any data kept locally on an electronic device. CPB’s acting commissioner, Kevin McAleenan, emphasized that point in June 2017 in a statement to Congress: “In this digital age CBP must also conduct limited and targeted inspections of electronic devices to determine whether they contain contraband . . . or information that could present a threat to national security.”

Thus, anything stored on your device can be searched by the government at the border: documents, photos, videos, text messages, call history, downloaded emails, notes, and so on. As clarified in a CBP directive issued on January 4, 2018, however, border officials are not allowed to copy that information or connect your phone/tablet to an external device that would allow them to analyze its contents unless they have reasonable suspicion of criminal behavior. Further, they are not entitled to use the device to retrieve information that is not stored on the device itself, most notably cloud-based data. In fact, as detailed in the directive, border officials are to ask travelers to disable network connectivity (or disable it themselves) to avoid unintentionally accessing such information. The directive also contains guidance on how border officials should handle privileged or sensitive information.

If border officials find “reasonable suspicion” of national security concerns or unlawful activity, according to the January 4 directive they can conduct a more advanced search after obtaining approval from a supervisor. The CBP can also legally detain a device for up to five days.

It is important to note that the CBP or other U.S. officials requesting the searches are doing so as part of their duties to protect the United States from terrorism and other crimes, not to compromise your data. However, if one or more of your devices are searched, this may trigger an obligation for you to inform your employer or client, potentially causing them to question your decision to travel with their sensitive data, or may result in a violation of corporate policies or client data protection agreements.

The percentage of people whose devices are examined at the U.S. border remains quite small. However, the risks discussed above are increased exponentially when traveling to countries outside the United States, where you’ll often have fewer rights and protections.

Device Searches When Traveling Abroad

Your devices and data are at a higher risk when you travel outside the United States, especially when traveling to regions known for limited legal protection of privacy and personal information, specifically authoritarian countries. As discussed, U.S. officials are often merely trying to protect the United States from terrorism and crimes. However, you should not always assume the same intentions when your devices are searched by a foreign government. Foreign officials may search your device in order to gain access to personal, corporate, or client data.

It is also paramount to remember that device searches are not limited to the physical border crossing. Unless proper security measures are in place, all communications conducted on your device during foreign travel are routed through local service providers. These local providers are bound by local laws and regulations, which often require them to give their government access to collected data. Information sought at the border or through local service providers can include sensitive personally identifiable information data, corporate records and operational information, and trade secrets.

Safeguard the Data on Your Devices

With these factors in mind, when planning international travel—for business or pleasure—you should put as much time into deciding which items and information to bring with you as you do planning your itinerary. Consider the following:

• Storing your device’s information to the cloud can shield your data very effectively. Back up everything to the cloud before you travel; then wipe your device clean, reverting it to the factory settings. You can restore the information from the cloud when you arrive at your destination, or once you’ve returned home.
• Know your firm’s corporate policies before traveling. Also, take the time to familiarize yourself with your firm’s agreements with clients regarding safeguarding their data.
• Take every precaution to protect your company’s (and clients’) data. Bring only what you will truly need and cannot access otherwise.
• Understand your obligations regarding the need to inform your company and/or clients if any of their data are searched.
• Don’t expect to be able to call on legal counsel to intervene if you are being searched.
• Packing devices in your checked luggage does not mean they cannot or will not be searched.
• Always assume that you will have fewer rights abroad than you have in the United States. Learn the laws and policies of the countries you plan to visit so you know what to expect.
• Realize that while you may be entitled to enter a country, your device may not be.
• When taking information overseas, always assume that nothing is private.
• Travel with a new or clean device, if possible.
• If you have any thought that one or more of your devices may have been compromised, or if you have traveled to a high-risk country, have your devices forensically examined before you plug them back into your corporate or home network.

The U.S. Congress is unlikely to act soon to limit the government’s search powers at the border. And Congress does not have authority over the stricter search policies that many other countries impose. As a result, corporate executives and high-net-worth travelers need to always plan ahead and be prepared for searches of their smartphones and other data-carrying devices when travelling internationally.

K2 Intelligence can help you prepare to make those smart decisions before you travel around the world with sensitive information. In addition, we can also help you and your devices after your return from international travel. Today, the risk to your electronic devices is at an all-time high. Protect yourself, your company, and your clients by consulting in advance with our experts, who understand what is at stake when crossing international borders and can help you minimize the threat to your devices and data.