Jan Michael Dervish
Loyola University School of Law JD 2020
The economic rebound seen in the last decade has resulted in a substantial increase in business travel, both foreign and domestic. Increasingly complex global supply chains are necessitating that business leaders travel the world in order to expand their businesses and forge valuable new partnerships. Unfortunately, this increase in travel also presents an increased risk for the theft of proprietary or confidential information.
These thefts are proving costly for US corporations, with some reports estimating that the economic impact of intellectual property theft reaches nearly $600 billion yearly. In one recent case, an American electronics manufacturer who was targeted for their intellectual property discovered their software being used to control wind-turbines manufactured overseas. Despite winning a federal court case against the turbine manufacturer, they saw their revenue plunge by nearly 90% after discovering the theft.
Tightly regulated industries such as defense contractors and pharmaceutical companies, as well as universities conducting research on their behalf, have even more reason to be concerned. Industry analysts have warned that both groups are at high risk for the theft of intellectual property related to the development or manufacturing of their products.
The exposure of trade secrets and other types of intellectual property can put an organization at significant competitive disadvantage in the broader marketplace. Corporations of all sizes should take steps to both recognize and mitigate these risks.
Risks at the border
Exposure of corporate data to border authorities should be a growing concern for multi-national corporations. Virtually every country grants their border agents broad power to duplicate and search electronic devices, including laptops, hard drives, and mobile devices. Once duplicated, data is entirely out of the control of the original owner and may be retained for later scrutiny or analysis. Refusal to allow a search can result in refused entry, the confiscation of the device in question, or monetary penalties.
U.S. citizens returning home from an international trip are not immune to searches: Federal border agents have near unlimited powers to duplicate and review data contained on electronic devices, including laptops, external drives, and mobile phones. While a U.S. citizen cannot be denied entry, border agents can and have seized devices from travelers, not returning them until months later.
How this data is stored and protected by border authorities is unclear. In the United States, although Customs and Border Protection states that they will normally delete data retained within seven days, they also have the ability to extend this retention time indefinitely, and reserve the right to “share copies of information contained in electronic devices…with federal, state, local, and foreign law enforcement agencies to the extent consistent with applicable law and policy.”
Risks while travelling
While the risk of improper access at border crossings is the most easily recognized, organizations operating in sensitive industries such as energy or telecommunications, or in high-risk countries where there is significant state control of private industry, face additional threats of both private and state-sponsored espionage.
Data transmitted over foreign networks, both public and private, can easily be intercepted and logged. Sophisticated methods of interception are virtually undetectable, with no indication to either the sender or the receiver that a third party is monitoring what is being transmitted.
Data stored locally on a device is not immune either, as actors working at the behest of a corporate competitor or foreign government may seek to surreptitiously exfiltrate intellectual property from a laptop or mobile phone left unattended. Perhaps more worryingly, a determined actor with physical access to a device can easily make modifications to allow for the continued exfiltration of corporate data long after a traveler has returned home.
Mitigating the risk of data theft
Though the idea of international corporate espionage efforts targeted towards globe-trotting executives sounds far-fetched, it is anything but. The U.S. intelligence community has warned businesses that this is a substantial threat, and both corporate America and higher-education institutions are developing policies to minimize exposure and ensure the security of confidential information possessed by employees who travel internationally for work.
While every organization is unique, all organizations should consider incorporating the following guidelines into their existing compliance and risk management policies:
- Minimize the amount of data at risk
At the bare minimum, organizations should limit the amount of data that their executives travel with. Organizations should require that all non-essential corporate information be removed from electronic devices, and any software installed be fully updated prior to departing. Corporate security officers should consider disabling a travelling employee’s ability to access sensitive resources while away from the office.
- Encrypt laptops and mobile devices, and keep them in sight
Corporations should mandate encryption on all portable devices. There are very few excuses for a modern corporation not to mandate encryption on all laptops and mobile phones, including those not taken outside the office. Encryption technology is already built into every major operating system, and has been for nearly a decade. The technology has progressed to the point where it is unnoticeable in day-to-day use, and its benefits significantly outweigh any administrative burden. While properly implemented encryption is essentially unbreakable, travelers should still refrain from leaving laptops, mobile phones, or other devices unattended or out of their direct control for any length of time.
- Physically inspect devices and reset passwords upon return
Compliance departments should develop a policy requiring employees to change any corporate passwords used abroad. While executives and other business travelers should ideally use a temporary computer that is erased before and after each trip, corporate security officers should carefully inspect a returning traveler’s laptop and other devices for signs of physical or virtual tampering, prior to allowing it to be used. A device that shows signs of tampering must immediately be isolated and further investigated, and may trigger certain reporting requirements for regulated industries.
While increased global trade has been a growth driver for U.S. corporations, with this growth comes risk. Advances in technology have increased the average company’s exposure to the possibility of data theft: a set of blueprints in a briefcase pales in comparison to the thousands of records the average business leader has on their laptop or mobile device. Business leaders must be aware of these risks, and take steps to protect valuable intellectual property and trade secrets before taking to the skies in pursuit of their next deal.