The increasing amount of information demanded and inspection carried out at border crossings is becoming more and more onerous. In particular, lawyers may be asked to provide access to their cell phones and laptop computers for “inspection” by border officers. What can lawyers do to protect the information of their clients? Here are a few suggestions:
Everyone will definitely have a smartphone with them as they traverse the border. Because of that, we recommend the following:
1. Issue a firm-based cell phone for office use only, which would have only email, contacts and calendar – no apps, no social media, etc. Also set the device to purge mail after a specified number of days (like 7) to limit search ability. Lawyers would then have their personal cell phone (which, in this context, is not permitted to have the firm’s email, contacts etc. on it) and use the firm’s smartphone to conduct all business. Note that the personal phone should be left at home in this scenario or placed in carry-on luggage powered down, applying the items noted in 2 below.
2. Failing the above, protect your personal smartphone with these suggestions:
- Log out of all social media accounts and apps linked to social media accounts.
- Do not use the phone for boarding passes or other information requiring access to the phone as you transit the border. Instead, print a boarding pass and use it, keeping the smartphone pocketed or in carry-on.
- Put the phone in airplane mode once entering customs. The border control officers are not permitted to get new data from cell services when they have the phone. If a phone is powered off in airplane mode, it will resume in that mode when powered up.
- Close all windows on the smartphone, clear browser history, and power down the phone until you have crossed the border (cleared customs).
- On the theory that a lawyer can be compelled to enter a password into a smartphone, all biometric functions on the cell phone should be removed before approaching customs. No Touch ID, Face ID or any other form of biological recognition. In that way, the lawyer must voluntarily enter a password to get into the phone.
- In the phone search screen, search for the word “Trump” and review the results. If the results raise too many concerns, consider setting up a spare clean smartphone.
- Note that separating business and personal data on a phone is only of limited help as the border agent can request that the password be entered for the personal and subsequently the business section of the phone.
3. Another option is to remove firm email from the phones by deleting the mail account. Once across the border, the account can be reactivated. For lawyers with really large mailboxes it could literally take a day for the synchronization to complete. Phones would have to have unlimited data for US and Canada to support this.
We believe that Firm policy should be that laptop computers should not contain any client data whatsoever. Therefore, if a border control officer were to access the laptop, they would not have access to any privileged information. The ruling as to whether a lawyer needs to enter a password into a device to allow access to the border folks is yet to be established, so for this purpose we will assume that they either need to or will be intimidated into doing so for fear of not being allowed into the US. When the border control officer logs into such a computer, they can search it for anything they like and there will be no information found. For greater certainty, the URL linking to your remote access system should not appear on the desktop or be bookmarked within the browser.
This policy will completely protect laptop computers from breach.
If for some reason files do need to be transported, our suggestion is to use only encrypted USB drives and to keep those drives in the luggage rather than in the laptop bag. The idea here is that you would need to work on the data on the plane then use a service like Citrix ShareFile or Mimecast Secure Mail to send yourself the files needed. You can then access them over the internet when you land.
Back to USBs… Since the drives are encrypted, the data on those drives cannot be extracted without the password. The USB should be labelled Solicitor/Client privileged right on the USB drive itself. Further, because the data is encrypted, it would require the decryption key to decrypt it. This is a line that the border officer should not cross but failing that, the lawyer should not cross. Ask to speak to the Supervisor in the area should you be requested to provide access to privileged information.
At that point, if a go/no-go decision for entry into the USA is required, the lawyer should opt not to enter the US. Note however that doing so could put the lawyer on a list that could lead to further issues at the border with future visits. The use of portable media should be avoided if at all possible.
As with all security measures, these measures impose a level of inconvenience on lawyers. When considering a policy, consider the level of compliance that can be expected with that policy and choose a path that balances security with convenience.
Charles Bennett is the Principal Consultant at Triella. We are a technology consulting company specializing in providing technology audits, planning advice, project management and other CIO-related services to small and medium-sized firms. Charles can be reached at 647.426.1004. For additional articles, go to our blog page. Triella is a VMware Professional Partner, Microsoft Certified Partner, Citrix Solution Advisor – Silver, Dell Preferred Partner, Authorized Worldox Reseller and a Webroot Reseller.
© 2019 by Triella Corp. All rights reserved. Reproduction with credit is permitted.