Homeland Security (CBP) Laptop/PDA/Phone Search - What is your organization doing to protect internal/customer/partner data entrusted to traveling employee’s/contractors?
Based on an email thread with my team related to this topic I started thinking, “Am I really doing everything I can to protect the data entrusted to me?” To help me understand what other options are out there I recently posted a question on Linkedin Question ”
I’m trying to find and consolidate answers about how we should respond in a manner that both complies with CBP request for access and the requirement to protect the data. The impact on personal privacy and Constitutional rights is an entirely different subject that I am simply unable to address. After a week or so of responses from Linkedin and this blog entry I’ll try and recap the best and brightest answers here for further discussion. Let me be clear - I’m not looking to start a discussion about whether or not DHS CBP is correct in its approach, simply that this is the hand we currently have been dealt - what are our options for playing out the hand?
What advice do you give your employee’s related to Homeland Security (CBP) Laptop/Phone/Pda Searches on entry to the US? What are you telling your traveling employees about their obligations to protect data while returning to the US, should they be stopped and searched? We all have to protect our company data, the data of our clients and partners. Without going to technical extremes, what practical advice is out there to both comply with the Federal Law and your company’s legal obligations (I’ll leave personal rights out of this conversation for now).
Questions:
What if you are a federal contractor and have a Gov’t Issued laptop with you, must you report the data being copied to your security team (both contractor and federal agency) as a security breach?
Currently we are taking some basic measures.
1. All data (internal and external) is encrypted (TrueCrypt, PGP, PointSec, etc), Private Key kept separate.
2. User account created without access to anything beyond desktop and basic folders.
3. Encrypted “cloud” storage for sensitive data while in transit- but let’s be honest if the data is that important and useful I probably also have it on my drive somewhere.
4. OS Settings to make invisible to the user account any other accounts, volumes or administrator accounts, etc.
I’d even consider making the laptops vm sandboxes that get re-imaged and all data is stored encrypted offline - if bandwidth wasn’t a concern in some of the place we have to travel to.. Not everyone has FIOS 
I’m not looking to start a “right or wrong” conversation here - just a plain and simple, this is what we are stuck with (for now), how are you protecting yourself and your client/partner data?
References (Interesting reading)
http://www.dhs.gov/journal/leadership/2008/08/answering-questions-on-border-laptop.html
http://www.cbp.gov/linkhandler/cgov/travel/admissability/search_authority.ctt/search_authority.pdf
http://www.dhs.gov/journal/leadership/2008/06/cbp-laptop-searches.html