Can They Really Do That?

Effective October 18, 2017, the U.S. Department of Homeland Security (DHS) modified the system of records notice covering U.S. Citizenship & Immigration Services (USCIS), Immigration & Customs Enforcement (ICE) and Customs & Border Protection (CBP) records in the Alien File, Index, and National File Tracking System of Records, implementing new or modified uses of the information maintained on individuals as they pass through the immigration process.

The new regulation updates the categories of individuals covered, to include: individuals acting as legal guardians or designated representatives in immigration proceedings involving an individual who is physically or developmentally disabled or severely mentally impaired (when authorized); Civil Surgeons who conduct and certify medical examinations for immigration benefits; law enforcement officers who certify a benefit requestor’s cooperation in the investigation or prosecution of a criminal activity; and interpreters.

It also expands the categories of records to include: country of nationality; country of residence; the USCIS Online Account Number; social media handles, aliases, associated identifiable information, and search results; and information from Executive Office for Immigration Review (EOIR) and Board of Immigration Appeals (BIA) proceedings.

The new regulation also updates the record source categories to include: publicly available information obtained from the internet; public records; public institutions; interviewees; commercial data providers; and information

With this latest expansion of the data that may be collected, the question arises: how does one protect sensitive data stored on electronic devices? In addition to inspecting all persons, baggage and merchandise at a port-of-entry, CBP also has the authority to search electronic devices, and its position is that the traveler's consent is not required for such a search. The U.S. Supreme Court has long held that routine searches at the border are reasonable and therefore do not run afoul of the Fourth Amendment, even without a warrant or individualized suspicion; some federal appellate courts have, however, required reasonable suspicion before a forensic examination of a device's contents.

Despite the broad license afforded CBP at the port-of-entry, its authority is checked somewhat in that such searches do not extend to information located solely in the cloud: to be examined at the port-of-entry, information must be physically stored on the device. This limit is narrower than it may appear, since locally cached copies of cloud data (synced mail, offline files, messaging history) are stored on the device and are therefore within scope. Additionally, before examining communications identified as attorney-client privileged, officers must first consult CBP Associate/Assistant Chief Counsel, who coordinates with the U.S. Attorney's Office as appropriate.

So what may one do to prevent seizure of an electronic device, or to avoid disclosure of confidential data to CBP during a border search? The New York and Canadian Bar Associations have compiled the following recommendations:

  • Consider carrying a temporary or travel laptop cleansed of sensitive local documents and information. Access data through a VPN connection or cloud-based storage, and avoid syncing it to the local disk, since anything cached locally is within the scope of a search.
  • Consider carrying temporary mobile devices stripped of contacts and other confidential information. Have calls forwarded from your office number to the unpublished mobile number when traveling.
  • Back up data and fully shut down your electronic device (rather than putting it to sleep) well before reaching the inspection area, so that disk-encryption keys and other sensitive material are no longer resident in Random Access Memory.
  • Use an alternate account to hold sensitive information. Apply strong encryption and complex passwords.
  • Partition and encrypt the hard drive.
  • Protect the data port, for example with a physical port lock or a USB data blocker.
  • Clean your electronic device(s) following return.
  • Wipe smartphones remotely. Note that a remote wipe only takes effect once the device reaches the network, which cannot be assumed while it is in CBP custody, so strong device encryption remains the primary protection.

This post was written by Jennifer Cory of Womble Bond Dickinson (US) LLP. Copyright © 2017, All Rights Reserved.
For more Immigration legal analysis, go to The National Law Review

Equifax Breach Affects 143M: If GDPR Were in Effect, What Would Be the Impact?

The security breach announced by Equifax Inc. on September 7, 2017, grabbed headlines around the world as Equifax revealed that personal data of roughly 143 million consumers in the United States, along with certain UK and Canadian residents, had been compromised. By exploiting a website application vulnerability, attackers gained access to information such as names, Social Security numbers, birth dates and addresses, and in some instances driver's license numbers and credit card numbers. This latest breach will force consumers to remain vigilant about monitoring for unauthorized use of their personal information and cause companies to revisit their security practices and protocols; had it occurred under the General Data Protection Regulation (GDPR), set to take effect May 25, 2018, the implications would have been significant. This security event should serve as a sobering wake-up call to multinational organizations, and to any other organization collecting, processing, storing or transmitting personal data of EU citizens, about the protocols they must have in place to respond to security breaches under GDPR requirements.

Data Breach Notification Obligations

Notification obligations for security breaches that affect U.S. residents are governed by a patchwork of state laws. The timing of notification varies from state to state, with some requiring that notification be made in the "most expeditious time possible" while others set a specific timeframe such as 30, 45 or 60 days. The United States does not currently have a federal law setting notification requirements; a 2015 proposal from the administration would have set a 30-day deadline, but it never gained support.

While the majority of the affected individuals appear to be U.S. residents, Equifax stated that some Canadian and UK residents were also affected. Given Equifax's statement, the notification obligations under GDPR would apply, even post-Brexit, as evidenced by a recent statement of intent that the United Kingdom will adopt the GDPR once it leaves the EU. Under the GDPR, in the event of a personal data breach, data controllers must notify the supervisory authority "without undue delay and, where feasible, not later than 72 hours after having become aware of it." If notification is not made within 72 hours, the controller must provide a "reasoned justification" for the delay. A notification to the authority must at least: 1) describe the nature of the personal data breach, including the number and categories of data subjects and personal data records affected; 2) provide the data protection officer's contact information; 3) describe the likely consequences of the personal data breach; and 4) describe how the controller proposes to address the breach, including any mitigation efforts. If it is not possible to provide all of the information at the same time, it may be provided in phases "without undue further delay."

According to Equifax's notification to individuals, it learned of the event on July 29, 2017. Had GDPR been in effect, notification would have been required much earlier than September 7, 2017. Non-compliance with the notification requirements can lead to an administrative fine of up to 10 million euros or up to two percent of total worldwide annual turnover, whichever is higher.

Preparing for Breach Obligations Under GDPR

With a security breach of this magnitude, it is easy to imagine the difficulties organizations will face in mobilizing an incident response plan in time to meet the 72-hour notice requirement under GDPR. However, there are still nearly eight months until GDPR goes into effect on May 25, 2018. Now is a good time for organizations crafting a GDPR incident response readiness plan to implement, test, retest and validate the policies and procedures they have in place for incident response, and to ensure that employees are aware of their roles and responsibilities in the event of a breach.


This post was written by Julia K. Kadish and Aaron K. Tantleff of Foley & Lardner LLP. © 2017
For more legal analysis go to The National Law Review