
Executive Travel Data Protection: Devices and Digital Security
Written by James Whitfield, Senior Security Consultant
In April 2015, the Wall Street Journal reported that senior officials at major US defence contractors had been targeted at a Beijing hotel. The method was not technically sophisticated: it involved physical access to unattended devices in hotel rooms. The data loss was set up before the visit began, because the executives had carried production devices loaded with years of accumulated credentials and project files.
This is the data protection problem that most executive security programmes address too late, if at all. The physical close protection team is briefed on threat actors and protective routing. The IT security team handles network defence. Nobody owns the intersection: the device in the executive’s bag, crossing a border, connecting to an unknown network, sitting in a hotel room that may have been accessed by housekeeping or an intelligence officer with a copied key.
The Border Search Problem
US Customs and Border Protection published revised guidance on electronic device searches in January 2018 (CBP Directive No. 3340-049A, 2017). It permits border agents to search electronic devices at any US port of entry without a warrant, and basic searches require no suspicion at all. Advanced searches – which include connecting the device to external equipment to copy or analyse its contents – require “reasonable suspicion of activity in violation of the laws enforced by CBP” or a national security concern.
The United Kingdom’s equivalent power sits in Schedule 7 of the Terrorism Act 2000. Schedule 7 permits an examining officer to stop, question, and detain any person at a port or airport and to seize and examine anything in their possession. No suspicion is required. The person is compelled to co-operate. The civil liberties organisation Liberty documented 11,000 Schedule 7 examinations in 2019/20, of which roughly 1 in 20 involved examination of electronic devices.
The practical implication for executives: any device carried to the United States, United Kingdom, or any other jurisdiction with equivalent border search powers may be forensically imaged without notice or consent. A production device carries years of email, credentials, corporate documents, and personal data. That data can be retained, copied, and shared with intelligence agencies under the relevant jurisdiction’s national security legislation.
Clean Device Protocol
The response to border search risk is not to attempt to lock devices or invoke legal rights at the border. It is to ensure there is nothing on the device worth seizing.
A clean device protocol operates as follows:
Pre-departure provisioning: The executive is issued a travel-only device – laptop, phone, and tablet as required. The device is configured with only the applications and files genuinely needed for the specific trip. No cached credentials, no email history beyond the current trip’s correspondence, no cloud sync to production accounts, no VPN credentials to the production network.
Communications provision: A temporary SIM and number for voice calls in-country if needed. In high-surveillance environments, the NCSC advises against using local SIMs in primary devices for any sensitive communications. A dedicated travel phone with a temporary number limits correlation between the executive’s travel and their usual digital identity.
VPN and encryption: All connections made through an approved VPN. Device storage encrypted at rest. The NCSC’s “Protect yourself online” travel guidance (current as of 2024) specifies full-device encryption as a minimum requirement for any device taken to a high-threat jurisdiction.
Border crossing: The device contains nothing sensitive. If it is seized, examined, and imaged, the exposure is limited to the trip’s working files.
Return and forensic examination: On return, the device is submitted to the IT security team before any corporate network access. It is forensically examined for indicators of compromise – software installed during a border search, modifications to system files, or evidence of remote access. Only after clearance is it either cleaned and reissued or decommissioned.
The FBI Cyber Division’s “Clean Machine” protocol, published in joint advisories with CISA since 2018, outlines the same principle for executives travelling to China, Russia, and other high-risk jurisdictions. CISA’s Secure Our World guidance (2024) cites clean device provisioning as one of four core executive travel security measures.
Hotel Network and Physical Security
The Darkhotel campaign – documented by Kaspersky Lab in November 2014 and covered subsequently in analysis by the SANS Institute – ran for at least four years targeting executives at luxury hotels across Asia. The attack vector was the hotel’s internal Wi-Fi network. When executives connected, they were prompted to download what appeared to be a legitimate software update. The update installed a keylogger and backdoor.
The Kaspersky analysis named hotel networks in Japan, Taiwan, China, Russia, and South Korea. The targets were executives from automotive, electronics, pharmaceutical, and defence sectors. The campaign was sophisticated enough to identify specific executives staying at specific hotels in advance – implying a data feed from hotel reservation systems.
The NCSC’s hotel network guidance is unambiguous: treat hotel Wi-Fi as a hostile network. Use a corporate VPN for all connections. Do not perform any authentication – email, corporate systems, banking – without VPN protection. For the highest-risk destinations, consider mobile data as the only acceptable connectivity option.
Physical security of devices in hotel rooms is a separate layer. Hotel safes are not secure – most accept a master override code and some can be bypassed mechanically. Devices left in hotel rooms should be treated as having been accessed. The close protection team’s room security protocols should include device custody: either the device is with the executive or it is secured in a way that tamper-evidence can be verified on return.
GDPR and Legal Obligations
UK GDPR Article 5 requires that personal data be processed with appropriate security. An executive who travels with a device containing employee records, client data, or commercially sensitive information is, in the legal sense, processing that data. The organisation remains the data controller regardless of where the executive is.
The Information Commissioner’s Office published guidance in 2022 on personal data processed by staff during travel. The key obligations relevant to executive travel:
Adequacy decisions: Transfers of personal data to countries without a UK adequacy decision must use an approved transfer mechanism – typically standard contractual clauses. An executive whose device containing personal data is seized at a border, copied by a government agency, and retained has created an unplanned international transfer. Whether that transfer is lawful under UK GDPR is a matter for legal advice, but the ICO has been clear that organisations cannot rely on force majeure to excuse a transfer that could have been prevented by not carrying the data.
Data minimisation: Article 5(1)(c) requires that personal data be “adequate, relevant and limited to what is necessary”. Executives whose devices carry years of accumulated personal data in violation of data minimisation principles carry a legal as well as a security risk.
Breach notification: A border seizure that results in unauthorised access to personal data is a personal data breach under UK GDPR Article 33. The organisation has 72 hours to notify the ICO if the breach is likely to result in risk to individuals.
The Close Protection Team’s Role
Data protection during travel is not solely an IT function. The close protection team is present during the physical moments of highest risk: transit, hotel stay, and any uncontrolled environment where the executive is away from their usual security infrastructure.
The team’s data protection responsibilities include:
Device custody: Maintaining awareness of where the executive’s devices are at all times, particularly during transit and at venue locations where the device may be put down.
Shoulder surfing awareness: Public transport, airport lounges, and hotel lobbies are prime shoulder-surfing environments. The team’s positioning during these transits should account for the executive’s screen and PIN entry visibility.
Briefing on local surveillance practices: In high-threat environments, the team should brief the executive on local intelligence service methods and the behaviours to avoid – not connecting to unknown networks, not using devices in sensitive meeting rooms, leaving devices outside government buildings when required to do so.
Border crossing support: Where the itinerary includes a potentially difficult border crossing, the team should have pre-briefed the executive on the device seizure protocol: do not provide PINs or passwords without legal advice, note the officer’s details, treat the device as compromised.
For travel to the highest-risk cities – including bodyguard hire in Moscow, security in Beijing, and executive protection in Riyadh – data protection protocols are as important to the protective plan as physical route surveys.
See also TSCM and technical surveillance countermeasures and physical and cyber security convergence.
For the border crossing dimension of executive travel data protection – CBP Directive No. 3340-049A (2017), Schedule 7 Terrorism Act 2000 examination powers, clean device protocol implementation, ISPS Code at international ports, and the specific risks at land border crossings in high-risk regions – see our port and border crossing security guide.
Key takeaways
Clean devices are the single most effective countermeasure
Issuing a travel device with minimal data footprint removes the majority of border search and theft risk at source. The cost of a clean device protocol is small compared to the value of the intellectual property or personal data that a seized or compromised device may expose.
Hotel Wi-Fi is an unsecured network
NCSC published explicit guidance warning against use of hotel Wi-Fi for business communications without a VPN. In high-threat jurisdictions, state actors have demonstrated the ability to intercept traffic on hotel networks used by targeted executives – the Darkhotel campaign (Kaspersky 2014) documented this over a sustained period.
Physical security is part of digital security
The majority of executive data breaches during travel involve a physical element – a device left unattended in a hotel room, a shoulder-surfed PIN, a bag stolen in transit. Digital hardening measures do not protect against physical access. The close protection team's role includes device custody protocols.
Jurisdiction matters
Data protection obligations do not stop at the departure gate. UK GDPR and the Data Protection Act 2018 continue to apply to a UK-based organisation's data regardless of where the executive is when the data is accessed or potentially exposed. Legal advice on cross-border data handling should precede any high-risk travel.
Return protocols are as important as departure protocols
A clean device that has been to a high-surveillance environment carries unknown risk on return. Forensic examination before corporate network reconnection is the correct protocol. CISA's Secure Our World guidance (2024) explicitly covers device hygiene post-travel for executives in sensitive roles.
