Corporations engaged in international business transactions may be greeted by the U.S. Customs and Border Patrol, upon re-entry into the United States, with a warrantless seizure of its proprietary corporate data. The U.S. Court of Appeals for the Ninth Circuit recently held, in U.S. v. Arnold, that customs officers need no reasonable suspicion to search through the contents of any individual’s laptop at entry points into the United States. The issue, in Arnold, focused on whether a customs officer at LAX could examine the electronic contents of a passenger’s laptop computer without reasonable suspicion.
Michael Arnold was returning from the Philippines when he was selected by a customs officer for second questioning. The customs officer asked Arnold to boot up his computer, and once that process was completed, they began to search through his computer files eventually stumbling onto images depicting child pornography. A grand jury charged Arnold with violating various child pornography statutes, and Arnold filed a motion to suppress the evidence taken from his computer arguing that the government a search without reasonable suspicion. The District Court (Central District of California) granted Arnold’s motion to suppress, and the government subsequently appealed the District Court ruling.
At first glance, many Americans would have a hard time trying to defend the actions of an individual engaged in child pornography, and knowing this, it could be postulated that the U.S. government is using "test" cases, like Arnold, to quietly erode away our right to privacy. It’s rather astonishing to think that a case involving child pornography could dramatically affect how corporate proprietary information is protected when travelling abroad. Essentially, the Ninth Circuit has made it legal for Customs and Border Patrol (CBP) Officials to inspect, copy, and seize data devices carried by anyone entering into the U.S. without some sort of reasonable suspicion. Worse yet, the CBP has established no guidelines on what it does with the information after it has been seized or even if the information itself is going to be returned.
While the CBP makes the argument that it is necessary for them to conduct random searches in order to prevent terrorists and terror attacks from occuring on American soil, the fact that there is no established guidelines for defining individuals who are acting suspiciously like a terrorist, could mean that an Software Engineer from India or Dubai may have his laptop seized while on business here in the U.S. This could subject the corporation he/she works for to data loss, confidentiality, and integrity breaches that would cost the company millions, even billions, of dollars in proprietary revenue.
Jon Espenschied, for Computerworld, says that the best way to avoid losing such proprietary information is to: (1) always backup the information onto an external hard drive that never travels with the corporate personnel; (2) separate personal and business data; (3) encrypt everything sensitive; (4) securely retrieve remote data; (5) insure the equipment against loss; and (6) report any losses. Until the CBP reveals the protocols for the warrantless searches, or Congress mandates some sort of oversight, these are probably the most practical responses a corporation can make to protect proprietary information.
To view U.S. v. Arnold, please click here: United States v. Arnold