States require a license to conduct data forensics
Laws in place to protect the chain of custody during any type of forensic investigation
IT Best Practices Alert
By
Linda Musthaler
and
Brian Musthaler, Network World
July 14, 2008 12:10 AM ET
Sign up for this newsletter now!
Linda Musthaler's CIO-level look at the latest networking technologies and their benefits and pitfalls.
- Share/Email
- Tweet This
- Print
In 2007, the state of Texas updated a law called the "Private Security Act" to insert a new clause that specifies that anyone
who conducts computer data forensics that could potentially be used in a legal proceeding in the state must be a licensed
PI.
The basic tenet of the new stipulation in the law is the protection of the chain of custody during any type of forensic investigation.
If digital forensic data is to be used for a legal proceeding, it needs to be done by a professional who is trained and licensed
in the practice of securing evidence and chain of custody. Traditionally, these people are law enforcement officials, lawyers
and paralegals, and licensed private investigators.
An opinion written by the State of Texas Private Security Bureau is that “Computer repair or support services should be aware that if they offer to perform investigative services, such as
assisting a customer with solving a computer-related crime, they must be licensed as investigators. The review of computer
data for the purpose of investigating potential criminal or civil matters is a regulated activity under Chapter 1702 of the
Texas Occupations Code, as is offering to perform such services.”
This law has broad ramifications for many people in IT professions, including hardware and software technicians and auditors.
These people routinely analyze log data and other information on computers that may eventually be used in reports that could,
someday, be called into question in court.
For example, suppose the owner of a small business suspects one of his employees is creating bogus accounts and sending payments
to those accounts. The business owner might ask a computer technician to study the computer logs to see what this employee
is up to. The technician finds a clear digital trail of misconduct that points to the suspect employee and provides the “evidence”
to the businessman in the form of a report. The business owner uses the information to dismiss the employee, who then sues
his former employer for wrongful termination.
Unless the computer technician is a licensed PI, none of the information he dug up is admissible in court. Worse, both he
and the business owner who used his services face misdemeanor charges for violating the Texas Private Security Act.
Several computer technicians from Houston and Austin have filed a lawsuit against the state, alleging that the law may inadvertently
harm their businesses. An attorney handling the lawsuit says the law is so vaguely worded that it could be enforced broadly
by the Private Security Board, the Texas agency that oversees licensing for the private security industry. The board interprets
the law to cover any data retrieval for a “potential” civil or criminal matter. For all practical purposes in our litigious
society, that is virtually everything.
Computer technicians aren’t the only ones concerned about the impact of this law. Auditing firms and law firms may also be
ensnared by the law that requires licensing for anyone doing data retrieval and analysis for outside companies. (Companies
can use their own employees to conduct internal investigations, but they cannot hire an unlicensed outsider to perform the
same work.)
Linda Musthaler is a principal analyst with Essential Solutions Corporation.
Comments (3)
RidiculousBy Anonymous on July 14, 2008, 1:02 pmTypical Texas jutice. Way past reasonable.
Reply | Read entire comment
Tex-A**-HolesBy Anonymous on July 15, 2008, 10:33 amTexans are a stupid bunch. I'll bet none of the people who authored/voted for this law use PI's to fix their worthless windows boxes when they get viruses.
Reply | Read entire comment
SometimesBy Anonymous on July 15, 2008, 9:27 pm"the law is an ass."
Reply | Read entire comment
View all comments