US extreme vetting rules for tourists could put business data at risk

New legislation being considered by the Trump administration suggests that UK citizens traveling to the United States would have to hand over personal information such as passwords to their social media accounts and access to the contacts in their mobile phone or risk being denied entry to the country.

This comes just weeks after another travel-based regulation that banned certain electronic devices from some countries in North Africa and the Middle East bound for either the US or UK. At the same time, the upcoming GDPR is putting huge pressure on organizations to secure their data. How do these new travel regulations impact organizations trying to secure their sensitive data?

Extreme vetting

In this latest would-be new regulation since the arrival of Trump in the White House, tourists from the UK as well as other countries which are allies of the US, such as France and Germany, could be impacted. According to the Wall Street Journal, in what they called a new "extreme vetting" policy, some tourists would have to hand over not just personal information like social media passwords but also financial information and even face questioning as to their ideological beliefs.

Although the article suggested that this was just being considered, further reporting from The Guardian suggested that it might already be in force as US Customs and Border Patrol told them that all international travelers were subject to inspection, going on to say, "This inspection may include electronic devices such as computers, disks, drives, tapes, mobile phones and other communication devices, cameras, music and other media players and any other electronic or digital devices."

If the authorities are mandated to obtain passwords and access codes then, suddenly, it becomes impossible for an organization to limit access to its sensitive corporate data to its trusted employees. At that point, the authorities could in theory target a high-ranking executive who they suspect may have highly commercially sensitive information, demand access, and obtain access to the data on the device. As we know, the US authorities don’t have the best track record on data security so there is a huge exposure here for organizations.

Restrictions on electronic devices

This follows a ban on tablets, laptops and games consoles among other devices bigger than a mobile phone in March this year. In the US, the ban applies to flights from eight countries including Egypt, Jordan, Kuwait, Morocco, Qatar, Saudi Arabia, Turkey and the United Arab Emirates. Meanwhile, in the UK, the ban applies to flights from just six countries including Egypt, Jordan, Lebanon, Saudi Arabia, Tunisia and Turkey.

The impact on the organization

Of course, stopping terrorism should be government's top priority, but all of these new regulations have a knock-on impact on both people's personal data and the ability of organizations to protect their sensitive corporate data in transit. Organizations that are coming under increasing scrutiny over their data protection practices, and that have been charged with securing their data against data breaches or risk huge fines under the upcoming GDPR, must at least give some thought to how these new laws are going to affect them.

It's not just corporate reputation and fines that these organizations have to worry about. Lawmakers also need to consider the long-term impact of making an organization's data inherently insecure by forcing business travelers, or even non-business travelers with work devices in tow, to divulge passwords or put their laptops in the hold, where they cannot guarantee the devices will not be tampered with, lost or stolen.

The fact that the electronics ban is so easily circumvented by a terrorist simply asking a friend unknown to the authorities to book a flight to somewhere else, carry the terrorist's device through security and give it to them afterwards so they can take it on the plane, adds insult to injury for organizations trying to do their utmost to secure their data.

Indeed, it begs the question as to whether these new travel measures really are meant to prevent terrorism, especially when they are so easily circumvented and not implemented by other allied countries, or whether there is an additional, hidden agenda around commercial gain here.

Terrorism and data breaches

There is also the link between data breaches themselves and terrorism. Often, cyber security breaches in particular, but also data breaches involving stolen USBs and laptops, are used to extort money that then goes towards further criminal or indeed terrorist activities, either directly or indirectly. So dealing with terrorism and the security of data as two entirely different issues, without giving any regard to the other, seems to be a poor strategy from our respective government representatives.

The difficulties with encryption

Data on the move has always presented security problems for organizations, and the risks associated with data and international travel are not new. Certain countries, China for example, have restrictive policies around encryption and require foreign companies bringing data into the country to report their use of encryption to the Office of State Commercial Cryptography Administration (OSCCA) to obtain approval. Of course, if organizations are required to use only certain types of encryption, this is another potential risk to their data.

In this new world, where new regulations are presenting another challenge to organizations already struggling to secure their sensitive data against everything from insider threats to cyber hackers in order to avoid the potential 20 million Euro fine or four percent of global annual turnover, whichever is the greater, organizations must look to new solutions. The ability to show a verifiable audit trail for your data and having the option to turn the data off rather than just encrypt it, should become key factors in the decision making around choosing new technologies.

The problem with encryption is that it's not always easy to use, which can result in employees removing it from the device or switching it off. There's also the possibility that employees will write the password for the encryption on the actual device itself because it's simply too complicated to remember any other way -- this is especially true when devices are shared between users and it's just easier for the users to always be able to access the data.

Of course, this renders the encryption defunct. But that's not the only problem with encryption; if an encrypted device is lost or stolen, perhaps after being forced to be put in the hold of an airplane rather than staying with the passenger, how can an organization prove it was ever encrypted without recovering the device?

Solutions for the new world

With new technologies in USB devices and solutions embedded into laptops, organizations are able to have full visibility of where their devices, and thereby their data, are at all times. Organizations can also send a command to the device to turn off the data immediately or even set up geographical zones so that the data disappears once the device is outside the zone.

The data can later be switched back on or, if the device is lost or stolen, the data can be destroyed in a Mission Impossible-style puff of smoke. This allows the organization to have a verifiable audit trail should a device be lost or stolen. That ability to show the national regulatory body that you're fully in control of your data at all times will do a lot to reduce or negate the upcoming GDPR fines but, equally importantly, these new technologies equip organizations to deal with the ever-changing challenges they are presented with, such as these new travel-related regulations.

Published under license from ITProPortal.com, a Future plc Publication. All rights reserved.

Photo Credit: Olivier Le Moal / Shutterstock
