Travel Guidance for Data Security

Data Security Travel Guidance Icons

While traveling, there can be no expectation of physical or technical privacy or security. All information sent electronically can be intercepted, and in some countries, hotel rooms are often searched (source: National Counterintelligence and Security Center [external link]). To limit risk, travelers must take actions before they leave, while traveling, and upon returning. 

In 2010, Intel sponsored a report (PDF) (external link) that found that approximately one-third of all lost laptops occur while traveling. Among lost or stolen laptops, nearly all (95%) were permanently lost. A lost laptop can result in replacement costs, data breach investigations, lost intellectual property, lost productivity, legal ramifications, and consulting and regulatory expenses. 

The following travel guidance was derived from Research & Education Networks Information Sharing & Analysis Center (REN-ISAC)’s International Travel Checklist (PDF) (external link), and provides steps that should be taken to reduce risk of, and mitigate consequences for, a lost/stolen/compromised device, credentials, or unintended disclosure of data (breach). This guidance does not supersede project requirements and/or restrictions on travel as stipulated by but not limited to: Standard Operating Procedures (SOP), Technology Control Plans (TCP), or Federal or State regulations. 

Suitcase icon

Before You Leave

Travel Light! If you don’t need it, don’t take it with you. Less is best.

Review the U.S. (United States) State Department’s Travel Advisories (external link) list and the Country Information (external link) for anticipated destination(s).

Contact Research Information Security (RIS) or University of Maine System Information Technology (UMS:IT) Information Security Office (ISO) (maine.edu login required) to gain awareness of national data protection laws in your home and destination countries.

Contact RIS or UMS:IT ISO (maine.edu login required) to gain the knowledge necessary to follow policies for using various devices, institutional data, and institutional resources.

Share the list of individuals and entities with which you will be communicating and collaborating with the Office of Research Compliance (ORC) export compliance staff by emailing um.export@maine.edu. ORC will ensure these individuals or entities are not restricted or barred by the U.S. government via Restricted Party Screening (RPS). Consequences for transferring or transacting with a Restricted Party are severe.

Review ORC’s Export Control Regulations website to identify and understand the risks and expectations regarding export-controlled information.

Research personal, criminal, and cyber risks in the country or region you are visiting.

Purchase and pack privacy screen filters, portable chargers, and country specific plug adapters.

Create an inventory of your devices to compare to upon your return. 

Be aware that border and/or customs agents may search your devices multiple times and copy data on them. Agents may be authorized to search and retain electronic devices without probable cause. Agents may also ask for access to social media profiles, email, and similar accounts when entering or exiting a country, including the U.S. Understand that legally confiscated electronic devices may not be returned for months. Passwords should be changed as soon as securely possible if they were shared during a search. Refusing a search request can result in consequences that vary by location.

Consult with University of Maine System Information Technology (UMS:IT) with this Technical Security checklist if additional support is needed.

Consult with your campus IT staff, UMS:IT ISO (maine.edu login required), or RIS about special concerns regarding your technology or your destinations.

See if low-cost loaner devices are available to mitigate the risk of losing more valuable equipment.

Turn on multi-factor authentication where available for credentials intended for use while traveling.

Contact UMS:IT to request forwarding of office phone voicemails to email.

If encryption is legal in the country you are visiting, ensure your devices have full disk encryption. If a device is encrypted when lost or stolen, the data is significantly more secure. A lost or stolen unencrypted device may put UMS at risk of monetary fines in the event of a breach.

If encryption is illegal, or not permissible to be brought to the country that you are traveling to, then consider bringing a wiped (erased) and unencrypted device. 

Use institutionally approved data storage. See Permitted and Restricted Systems for Data Storage and Data Processing for more guidance. 

Refrain, when possible, from using any cloud-based storage while abroad.

Backup all data prior to travel and take only essential data with you. Remove any confidential or restricted data (per UMS Administrative Practice Letter VI-I) from your devices. Traveling with certain types of data can result in violation of export control, national security regulations, or UMS policy. Consider removing unpublished data.

Make sure your antivirus program is updated and performing regular updates and scans.

Update your operating system with all the latest security patches.

Install software updates/patches and all needed application software before you leave. Use a trusted and secured network (e.g., eduroam, VPN [Virtual Private Network]) and a valid source.

Uninstall unnecessary applications and ensure that necessary applications have the latest security patches.

Check your cell phone coverage and international data plan options.

Consider using a non-smartphone when traveling internationally. A non-smartphone that will only be used for making calls is ideal. If not, backup your device and reset it to factory default settings to clear personal information.

Enable the University of Maine’s VPN access. Be aware some countries block VPN. Talk to UMS:IT for alternatives if needed.

Use complex passwords instead of PINs (personal identification numbers) or codes for screen locks on your device.

Clear your internet browser of history, caches, cookies, URLs, and temporary internet files. All web browsers should be set to automatically clear browsing history and cache after each session.

Update voicemail greetings and automatic email replies, as appropriate.

Plane flying around the globe icon

While Traveling

Be aware of your surroundings. Watch for those looking over your shoulder or potential thieves.

Keep safe by carrying only necessities, keeping bags zipped, and practicing situational awareness.

Do not leave electronic devices unattended. Protect electronic devices by keeping them secure, locked, and hidden from sight when not in use. Do not check them with luggage and do not assume they are secure if left in a hotel room.

Protect RFID (Radio Frequency Identification)-enabled devices and bank cards with RFID shielded containers.

Report stolen devices to your native embassy or consulate and other appropriate authorities immediately.

Protect your data by using privacy screen filters and avoiding public discussions of sensitive data. Again, be aware of your surroundings.

Assume everything you do on your devices is being monitored and adjust your actions accordingly.

Be wary of charging stations; use wall outlets with your own chargers or external batteries instead. There may be a hostile computer on the other end of the wire.

Do not use unknown storage devices. These can silently deploy malware onto your device.

Avoid using courtesy computers in business centers. Be aware that keyloggers, “shoulder surfing” (i.e., someone observing your typed in password), and cameras pointed toward keyboards are common ways that credentials are compromised.

Disable Wi-Fi, Bluetooth, and GPS when not needed on all devices. 

Always use VPN access or a viable alternative if permissible and not blocked by the country you are traveling to.

Do not connect to unknown resources like Wi-Fi access points and Bluetooth devices.

Avoid using public Wi-Fi, computers, or devices. Assume locally provided technology, such as wireless networks, may be vulnerable to attacks or have risky security settings. In some countries, they are even controlled by security services. 

If you must connect to wireless hotspots or unsecured networks without a VPN, then do not enter or transmit sensitive information while connected. Be sure that the website you are connecting to has the correct URL. Nefarious actors use public Wi-Fi to steal sensitive information by redirecting your connections to sites that are not protected by a secure connection. Disconnect and forget the hotspot or network when done.

Keep track of what credentials you use while traveling. If you are on an extended trip, change your credentials periodically and only while connected to a secure network (e.g., eduroam, VPN). Never use the same password for multiple services.

Use multi-factor authentication whenever possible.

Do not install software updates or patches unless connected to a trusted and secured network (e.g., eduroam, VPN) and a valid source.

Choose private browsing when accessing websites. 

Clear your internet browser of history, caches, cookies, URLs, and temporary internet files after each use. 

Report incidents to UMS:IT as soon as possible if there is any indication that your device or data have been compromised.

Plane landing icon

Upon Return

Confirm all inventoried devices are accounted for. Notify UMS:IT if there were any lost or stolen devices.

Review banking and credit card statements for unauthorized transactions.

Restore your cellular device to its previous state (from the backup).

Scan devices for unusual activities with the help of UMS:IT.

Provide feedback to UMS:IT on what did and did not work well.

Reestablish normal systems and safeguards with the help of UMS:IT. If possible, all devices should be wiped (erased) and rebuilt upon your return, as all devices taken abroad should be considered compromised.

Resume your weekly or monthly data check and back up routines as normal.

Change your passwords for all services that were accessed while abroad.

Reset voicemail greetings and automatic email replies.

International Travel Considerations for Data Security

U.S. Export Control Regulations

In addition to data security, it is imperative that international travelers are aware of, and in full compliance with, U.S. Export Control Regulations. For more information on this topic, please visit International Travel and Export Compliance.

International Travel & Encryption

Encryption should be enabled on devices (laptops, desktops) that are purchased and set up through UMS:IT. However, it is illegal in some foreign countries to use encryption on devices, so you must be mindful of the laws of other countries. If traveling to a nation that prohibits encrypted devices, travelers should consider bringing a wiped (erased) and unencrypted device that is free of any sensitive information.

The personal use of encryption is covered by countries participating in the Wassenaar Arrangement (external link). This arrangement allows travelers to participating countries to have encrypted devices, as long as the traveler does not “modify, sell, or distribute the encryption software.” 

International Travel & Presenting at Conferences

Carefully consider what information is disseminated or discussed while abroad. Any information provided about the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing, and use of defense articles is an export control violation. Avoid discussing unpublished research. Do not use removable media (jump drives, flash memory storage, portable storage devices, etc.) given at conferences, as they may introduce malware into your system. For more information, see International Travel and Export Compliance.

International Travel with Mobile Phones

All major cellular companies provide guidance to their users on managing data usage while overseas. Consider using a non-smartphone. A non-smartphone that will only be used for making calls is ideal. If not, review the National Security Agency’s Mobile Device Best Practices (PDF) (external link), backup your device, and reset it to factory default settings to clear personal information prior to traveling. Only install applications on the device that are absolutely necessary. If feasible, consider using a temporary email address. Have the device scanned by UMS:IT and reset to factory default settings upon return. 

Resources

Federal Travel Resources

Additional Travel Resources

Contact

Please contact Research Information Security (RIS) at um.ressec@maine.edu with any inquiries on data security while traveling.