It's no surprise that more and more companies are turning to encryption to keep data safe when their employees travel overseas. They're using encrypted hard drives to safeguard data on laptops and encryption apps to protect company files and user data stored on smartphones' SD RAM cards.
Phil Cox, director of security and compliance at SystemExperts, says clients have told him stories about foreign customs officers taking possession of their laptops and claiming that they needed to inspect them. Although the clients said there was no evidence that anything was hacked, the experience left questions in their minds.
With such uncertainty in the air, encryption makes sense. But from a legal point of view, encryption can pose problems. Specifically, taking an encrypted device into some countries can violate international laws.
"Some countries have restrictions on what type of information you bring in. There are certain countries where encrypted data isn't allowed. And in some cases, coming in with a laptop with an encrypted hard drive is breaking local laws," says Greg Bell, principal and global services leader for information protection at KPMG.
The laws are complex; even countries that currently prohibit individuals from bringing in encrypted devices or data will allow it under certain circumstances with permits or prior permission from government agencies. (Of course, determining which government agencies can grant that permission can be a complicated task in itself.)
According to IT security experts, the countries that prohibit and/or require special permits for encryption include Belarus, China, Hungary, Israel, Russia and Saudi Arabia. (Travelers may want to check the State Department's list of country-specific information, where restrictions on digital data are sometimes -- but not always -- listed under "Customs Information.")
Richard E. Mackey Jr., vice president of consulting at SystemExperts, says prudent companies shouldn't allow workers to carry around too much sensitive information, encrypted or otherwise.
He recommends that IT departments make it a policy to know what each traveling worker has on his or her computer and other mobile devices and keep only what's absolutely necessary for a particular business trip. And that information should be encrypted.
What do you do if the country your employee is visiting prohibits encryption? Consider the cloud.
Bell says some companies are now storing sensitive data in the cloud rather than on laptop drives and equipping their road warriors with secure VPN connections that allow them to access material when they need it.
— Mary K. Pratt