Confidential Information Should Be Encrypted or Not Stored on Laptops
Posted by Randy Gainer
81% of U.S. businesses surveyed this year reported that, in the previous 12 months, at least one of their laptops or other portable electronic devices had been lost or stolen. U.S. Survey: Confidential Data at Risk, 5 Privacy & Security Law Report 1162 (2006). When a laptop is lost or stolen, unencrypted data on the computer can easily be accessed. Even if a user name and password are needed to sign on to the laptop, the hard drive can be removed in a few seconds and all data on the hard drive can be copied to another computer or to a storage device in minutes.
Despite the high risk that sensitive data may be obtained from lost or stolen laptops, many businesses continue to allow employees to store such information on laptops and to take the laptops home, on business trips, and on vacations. Business managers should consider whether their current laptop security practices are sufficient. If a business’ trade secrets, attorney-client privileged information, customer lists, or financial information are obtained from a lost or stolen laptop, affected shareholders, employees, or business partners may argue that the business failed to take adequate steps to safeguard the data.
Avivah Litan, vice president and analyst at the Gartner Group, said in a recent interview: "Frankly, there is no excuse anymore not to encrypt data on laptops and mobile devices. . . . The cost for laptop encryption is $40 or less per laptop. . . . [T]here is no excuse today. It is really bordering on negligence." An Interview with Experts on the Cost of Ensuring Data Security, 6 Privacy Advisor 20, 23 (2006). Every company with sensitive data on mobile devices should consider whether the data should be encrypted.
Another issue must also be resolved by companies whose employees take laptops containing trade secret or privileged information across U.S. borders. Whether such information is encrypted or not, employees who travel across a U.S. border with company laptops should be prepared for U.S. Customs officers to ask to review files on the device. Customs officers have apparently made several such requests. See Joe Sharkey, At U.S. Borders, Laptops Have No Privacy, N.Y. Times, October 24, 2006, at C 8. Both the Fourth and Ninth Circuit Courts of Appeal have held that Customs officers may conduct routine searches of laptops without a warrant, without probable cause, and without a reasonable suspicion of illegal conduct. See United States v. Romm, 455 F.3d 990, 996-97 (9th Cir. 2006); United States v. Ickes, 393 F.3d 501, 503-07 (4th Cir. 2005). Although a trial court in the Ninth Circuit recently ruled that Customs officers may not search a laptop or other electronic files without at least a reasonable suspicion of wrongdoing, United States v. Arnold, 2006 WL 2861592 (C.D. Cal. October 2, 2006), appeal docketed, No. 06-50581 (9th Cir. October 23, 2006), it is unclear whether that decision will survive on appeal.
If Customs officers note that there are encrypted files on a laptop, they may ask travelers to decrypt the data or may retain the laptop to get a warrant to require that the decryption key be turned over to them. See Sharkey, at C 8; and this article from cybercrimelaw.org (via digg.com). To make sure that businesses are not temporarily denied access to important data, "some companies are considering telling travelers coming back into the country with sensitive information to encrypt it and email it to themselves, which at least protects access to the data, if not its privacy." Sharkey, at C 8. If a laptop with trade secrets or privileged information is retained for inspection by Customs, temporary lack of access to the data may not be the most serious problem on company officials’ minds.
A possible solution, both to the risk that data may be obtained by a thief or by someone who finds a lost laptop and to the potential disclosure of highly sensitive data during border searches, is to stop storing sensitive data on laptops. Such data can be stored on company servers and accessed via a VPN. Whichever means is chosen to protect the information, encrypting confidential data on laptops or never storing such data on laptops, company officials should make sure they are doing all they can to protect confidential data.
