States require a license to conduct data forensics

In 2007, the state of Texas updated a law called the "Private Security Act" to insert a new clause that specifies that anyone who conducts computer data forensics that could potentially be used in a legal proceeding in the state must be a licensed PI.

The basic tenet of the new stipulation in the law is the protection of the chain of custody during any type of forensic investigation. If digital forensic data is to be used for a legal proceeding, it needs to be done by a professional who is trained and licensed in the practice of securing evidence and chain of custody. Traditionally, these people are law enforcement officials, lawyers and paralegals, and licensed private investigators.

An opinion written by the State of Texas Private Security Bureau is that “Computer repair or support services should be aware that if they offer to perform investigative services, such as assisting a customer with solving a computer-related crime, they must be licensed as investigators. The review of computer data for the purpose of investigating potential criminal or civil matters is a regulated activity under Chapter 1702 of the Texas Occupations Code, as is offering to perform such services.”

This law has broad ramifications for many people in IT professions, including hardware and software technicians and auditors. These people routinely analyze log data and other information on computers that may eventually be used in reports that could, someday, be called into question in court.

For example, suppose the owner of a small business suspects one of his employees is creating bogus accounts and sending payments to those accounts. The business owner might ask a computer technician to study the computer logs to see what this employee is up to. The technician finds a clear digital trail of misconduct that points to the suspect employee and provides the “evidence” to the businessman in the form of a report. The business owner uses the information to dismiss the employee, who then sues his former employer for wrongful termination.

Unless the computer technician is a licensed PI, none of the information he dug up is admissible in court. Worse, both he and the business owner who used his services face misdemeanor charges for violating the Texas Private Security Act.

Several computer technicians from Houston and Austin have filed a lawsuit against the state, alleging that the law may inadvertently harm their businesses. An attorney handling the lawsuit says the law is so vaguely worded that it could be enforced broadly by the Private Security Board, the Texas agency that oversees licensing for the private security industry. The board interprets the law to cover any data retrieval for a “potential” civil or criminal matter. For all practical purposes in our litigious society, that is virtually everything.

Computer technicians aren’t the only ones concerned about the impact of this law. Auditing firms and law firms may also be ensnared by the law that requires licensing for anyone doing data retrieval and analysis for outside companies. (Companies can use their own employees to conduct internal investigations, but they cannot hire an unlicensed outsider to perform the same work.)

Linda Musthaler is a principal analyst with Essential Solutions Corporation.