ITRC Fact Sheet 134
The business traveler often carries electronic storage devices and documents for reference or work while on planes, in hotels, and in the spare time between meetings. There is often information you may need in case your office or a customer contacts you during your trip. However, some of the information included may be sensitive personally identifying information (PII). PII includes Social Security numbers, employee identification numbers, addresses, insurance policy numbers, credit card or payroll information, financial account numbers, and other items that could be readily used by an identity thief.
Business travelers must stay alert for situations that an identity thief might use to try to steal this information, and also guard against inadvertent loss or exposure of PII. Any person could be looking for the opportunity to gain access to sensitive information in your possession, waiting for a good opportunity. In this respect, you should not trust anyone you meet with any PII. Housekeeping staff, bellmen, security guards, TSA agents, front desk clerks, and many others you encounter during your trip could have the opportunity to access your data if you are not aware.
You must realize that once you remove PII from your office, you are solely responsible for its protection and security. In addition, even inadvertent exposure or loss of such information (without theft involved) could trigger state breach laws which can require:
- Law enforcement data exposure notification
- Consumer or customer notification of those exposes
- Media notification
These data exposure events (data breaches) may cost your company money, consumer trust and negative publicity.
Rules for the Road
The following items should be considered when you are on the move:
- Laptops, Computer Storage Devices, and PDAs with personally identifying information (PII) – The best way to protect this information is by using data encryption to encrypt the device prior to leaving the workplace. While many people believe password protection is sufficient they can be bypassed by anyone with enough knowledge and capability. Encryption is the gold standard in data protection. Do not carry the encryption code in writing with you. Commit it to memory.
Prior to beginning your trip, make time to consider which files really need to be carried on the trip. Although it is usually easier to do a “data dump” to your laptop, such action may expose large amounts of sensitive data to unnecessary risk. Take only those files which are likely to be needed during the trip.
- Make an effort to keep your laptop in your control at all times. Be especially alert when going through airport security when crowds and security procedures may cause some chaos. Do not put your laptop through the security x-ray scanner until you are in position to be the next person through the metal detector. Thieves are waiting for those moments to distract you while an accomplice picks up your laptop from the opposite side of the x-ray scanner. By the time you get through the metal detector, your laptop is long gone.
Other protective measures include: GPS tracking devices for the laptop; fingerprint readers to access laptop files; and remote wipe capabilities that enables you to delete all the information off a device in case you lose it or it is stolen. Finally, it is important to log out of your computer when it is not in use, even if it is for just a few minutes.
- Paper Documents with PII – Sensitive documents should always be kept in a locked briefcase that is secured at all times. As in the case of data files, select only those files for the trip that are likely to be needed. Do not leave sensitive documents in baggage that must be checked for flight.
If, during a trip particular documents become no longer necessary, see that they are shredded at the first opportunity. Most hotel business centers have crosscut shredders available for your use. Do the shredding yourself. All documents should be cross-cut shredded when no longer needed.
- Hotel Safes – Be sure to take advantage of hotel safes if you are leaving your laptop, PDA or storage devices in a hotel room, even for a short period of time. Many persons have access to your hotel room when you are not there. Leaving any of your valuable items in the room, in this case PII, is providing an opportunity to a thief. You must recognize that the information you carry is a target for an identity thief.
- Business Center Computers – There is always a higher risk in using a public computer. In addition to leaving information (history) on the computer about your cyber travels, there may be malware or viruses that have been installed on the computer. These might be a virus, key-logger, Trojan, or worm that you then allow to transfer to your company network when you log in to your company network. Key-loggers are programs that record and store each and every keystroke you make while using an infected computer. That keystroke data is quietly stored for later access by the thief. When it is retrieved, the thief will have an exact record of all the websites you visit, files you access, including your company network, and your user name and password that were used to access any accounts you visited. This information is a goldmine for an identity thief.
A better choice would be to use your own laptop and connect to a hotel network while using a virtual private network (VPN).
- Personal and Business checks – Leave personal checkbooks and checks at home. If necessary, keep business checks in a secure location (hotel safe) when not needed. Checking account takeover is one of the hardest types of financial fraud to remedy. ITRC recommends that you use cash, traveler’s checks or credit cards for purchases.
- Leave bills at home – Taking personal bills and financial account information with you during your travels puts you at greater risk for identity theft. Unfortunately, many people have access to your room while you are away at meetings and victims have reported that financial account information and checking information has been stolen in this way.
- Pickpockets – Business travelers should be aware that in addition to wallets, pickpockets are also looking for laptops and PDAs that are temporarily out of your control. This can easily happen at airports, in hotel lobbies and in restaurants. Remember, out of sight means out of control. Thieves may travel in pairs and watch where you put your belongings long before you know you are even a target.
- Shoulder surfers – Many business travelers are tied to cell phones or PDA devices 24 hours a day. In public areas, identity thieves use “shoulder surfing” to gain access to your personal information. That term used to only apply to those who looked “over your shoulder” to see information. With the common use of cell phones, we forget that we are in a public venue and may talk about things that a thief can overhear and use. (This pertains to public payphones as well.) In other words, if you wouldn’t want to see it on a billboard, don’t talk about it on a phone in public. This includes PII as well as company proprietary information.
- Mail – If you travel frequently, you might want to consider having a P.O. Box rather than allowing mail to accumulate in your mailbox. If you do not have a locked mailbox, and don’t want to get a P.O. Box at the post office, at least put your mail on “postal hold” while you are gone.
Rules for the Company
There should be a person in your company or organization that audits information and tracks who has access to PII files or records. This person should be the first person notified in the event information is misplaced or lost. This way, a response team can be alerted to follow a pre-established protocol regarding information containment as well as implement the steps which need to be taken at that time by the company or agency.
For additional information about ways to reduce identity theft risk while traveling, please refer to:
ITRC Fact Sheet FS 122 – Identity Theft Travel Tips
This fact sheet should not be used in lieu of legal advice. Any requests to reproduce this material, other than by individual victims for their own use, should be directed to firstname.lastname@example.org.