Increase
Decrease
Several months ago, I wrote a column about collecting data in the European Union. While most of it focused on the complicated rules that govern data collection over there, I was equally interested in the fact that if you broke one of their rules you could wind up in jail. I still have a picture in my mind of the hapless CIO who spent 6 months in a Finnish jail because he didn’t provide sufficient protection for individual privacy in his security policies.
I contrasted the severity of the EU provisions with discovery in the United States, which up until now was pretty much unregulated. Corporations could collect data from their networks without special requirements. Attorneys and legal assistants could collect data from any willing subject. Heck, just about anybody you could pull in off the street could lay hands on a computer and collect data from it, forensically or otherwise.
That may be about to change. Two states have recently enacted statutes that make it a crime for unlicensed individuals to engage in computer forensics. Texas passed a law that would give regulators the power to impose up to a year in jail and a $14,000 fine on people doing “computer investigations.” Michigan went a bit further. On May 28 th of this year, Governor Jennifer Granholm signed into law a bill that makes unlicensed computer forensics work in Michigan a felony punishable by up to a four-year prison term, damages of up to $25,000 and a criminal fine of up to $5,000.
Can you believe that? They say everything is big in Texas but when it comes to imposing penalties on computer forensics, Michigan now takes the cake. Crack open that computer case in Detroit or Duluth or even Ann Arbor and you better bring your toothbrush. You might be doing a stretch at the Standish Maximum Correctional Facility or maybe in Saginaw.
Let’s take a look at these two state laws and see what we can learn. Not surprisingly, both seem to be the product of heavy lobbying from the state PI bar. If this proves good for local business, you can expect other PI groups to start lobbying their legislatures as well. (You will find links to all of this information at the end of this column.)
Computer Forensics: Texas Style
Last year, the Texas Private Security Bureau, a division of the Texas Department of Public Safety, convinced the Texas Legislature to pass amendments to the Private Security Act which regulates, among other things, licenses for Private Investigators. The amendments, which took effect in September of 2007 were significant in that they made forensics investigations the domain of licensed Texas PIs rather than technical people.
Here are the relevant provisions:
Sec. 1702.104. INVESTIGATIONS COMPANY.
(a) A person acts as an investigations company for the purposes of this chapter if the person:
(1) engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:
(A) crime or wrongs done or threatened against a state or the United States;
(B) the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;
(C) the location, disposition, or recovery of lost or stolen property; or
(D) the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property;(2) engages in the business of securing, or accepts employment to secure, evidence for use before a court, board, officer, or investigating committee;
(3) engages in the business of securing, or accepts employment to secure, the electronic tracking of the location of an individual or motor vehicle other than for criminal justice purposes by or on behalf of a governmental entity; or
(4) engages in the business of protecting, or accepts employment to protect, an individual from bodily harm through the use of a personal protection officer.(b) For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.
What does this mean? Mindful of another Texas regulatory body that governs the unauthorized practice of law, the last thing I would do is give you a legal opinion about Texas law. But just from a layman’s perspective, I would say it looks pretty broad.
In most electronic discovery, the goal is to extract information from computers or other electronic devices that can be severed, processed, reviewed and otherwise analyzed for purposes of a legal proceeding. So, for starters, that activity would seem to fit nicely under category (a)(2), which covers anyone who:
engages in the business of securing, or accepts employment to secure, evidence for use before a court, board, officer, or investigating committee.
From there, head on down to subsection (b) which now makes it clear that:
obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.
Put the two together and you have real questions about who can obtain discovery from computers in Texas. Not me, is my answer.
Penalties for Violation
The penalties can be pretty stiff if you run afoul of this Act. This is a licensing issue and the Texas regulators can impose penalties of up to one year in jail and $14,000 in fines.
If you are doing the collection, take a look at TEX. OCC. CODE §§1702.101, 1702.388, which makes it a criminal offense to provide or offer to provide a regulated service without a license.
If you are hiring someone else to do this work, you can also get into trouble. Employing a non-licensed expert can also be a criminal offense under TEX. OCC. CODE§1702.386 with the same potential penalties.
One answer to this problem may be to seek licensing in Texas as a PI. Unfortunately, that isn’t a trivial undertaking. Here are some of the key requirements:
- Three years of investigative experience or a bachelors degree in criminal justice for investigations company license;
- Successful completion of a two-hundred-question examination;
- Criminal background check
- Submitting fingerprints to have on file with the FBI
- About $500 in registration fees payable yearly.
If you don’t already have your BA in criminal justice, you have a lot of work to do before you will qualify for a license.
How far does this reach?
A lot of people have wondered about the breadth of this Act. Reportedly, members of Best Buy’s famed “Geek Squad” were issued a cease and desist order from the Texas Private Security Bureau for doing home repairs. Under threat of a $10,000 fine, they have apparently limited their services to installations and parts replacement. Others have suggested that you would be in danger even for providing simple services like setting up a home wireless network or tuning up a network.
The Texas Private Security Bureau appears to be a bit softer on electronic discovery activities, at least if you consider several opinions they issued in the summer of 2007. They seem to make helpful distinctions between forensic investigation and regular electronic discovery.
The first was called “Litigation Support & Document Retrieval Industry” and was dated July 26, 2007. In it the drafters answered the question of when and how these changes affected the litigation support business. They stated:
[T]he phrase ‘electronic data discovery’ encompasses many activities, some of which may require licensure. However, if:
1. The company does not obtain or secure data by way of an investigative analysis;
2. Does not analyze or review the content of the data;
3. Processes the data (provided by others) in order to create a database that can be searched by the lawyer/clients; and/or
4. Reproduce or retrieve the documents or images upon request of the clients;
Then it would appear that the company is not engaging in activities for which a private investigations company license is required.
About a month later, on August 21, 2007, the Bureau issued a second opinion on “Computer Forensics.” In it the Bureau stated:
First, the distinction between “computer forensics” and “data acquisition” is significant. We understand the term “computer forensics” to refer to the analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons. We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.
For example, when the service provider is charged with reviewing the client’s computer-based data for evidence of employee malfeasance, and a report is produced that describes the computer-related activities of an employee, it has conducted an investigation and has therefore provided a regulated service. On the other hand, if the company simply collects and processes electronic data (whether in the form of hidden, deleted, encrypted files, or otherwise), and provides it to the client in a form that can then be reviewed and analyzed for content by others (such as by an attorney or an investigator), then no regulated service has been provided.
With respect to the statutory reference to “securing evidence for use in court,” we would suggest that the mere accumulation of data, or even the organization and cataloging of data for discovery purposes, is not a regulated service. Rather, in this context, the Bureau would interpret the reference to “evidence” as referring to the report of the computer forensic examiner, not the data itself.
As I read these opinions, there is some comfort for people doing routine electronic discovery collection but not if there is a forensic or testimonial aspect to the collection. There is a strong suggestion that experts who are called to testify in Texas courts regarding examinations of electronic files better be licensed in Texas. If you don’t have a license, you might be pulled off the stand and escorted to the hoosegow for an extended visit.
Michigan: Not to be outdone by Texas
This May, Michigan jumped on the regulatory bandwagon with computer forensic amendments to their laws regulating private investigators. Known as House Bill 5274, the Act was signed into law on May 28, 2008 and took immediate effect (Codified as Public Act 146, effective May 28, 2008).
Simply stated, the bill put to rest the notion that Michiganders are more easygoing and laissez faire than their Texas counterparts. If you practice unlicensed computer forensics in Michigan, the penalty could be quite severe: up to 4 years in prison, damages of up to $25,000 and/or a $5,000 criminal fine.
Here are the key provisions from Section 2 of the Michigan law:
(b) “Computer forensics” means the collection, investigation, analysis, and scientific examination of data held on, or retrieved from, computers, computer networks, computer storage media, electronic devices, electronic storage media, or electronic networks, or any combination thereof.
(e) “Investigation business” means a business that, for a fee, reward, or other consideration, engages in business or accepts employment to furnish, or subcontracts or agrees to make, or makes an investigation for the purpose of obtaining information with reference to any of the following:
( viii) Computer forensics to be used as evidence before a court, board, officer, or investigating committee.
Section 4 of the Act contains two exemptions that are relevant to this discussion. The first exempts:
(a) A person employed exclusively and regularly by an employer in connection with the affairs of the employer only and there exists a bona fide employer-employee relationship for which the employee is reimbursed on a salary basis.
The second provision provides an exemption for:
(e) An attorney admitted to practice in this state in performing his or her duties as an attorney at law.”
It is not clear how far these exemptions will go. The corporate exemption seems to require a payroll relationship and would not seem to apply to outside contractors, no matter how closely they are tied to the corporation. The attorney exception does not extend by its words to cover the attorney’s staff. Since most attorneys look to their staff for help on electronic discovery, this exception probably won’t go very far.
Other states have extended similar provisions to anyone working for the attorney but that has not been done here.
How far does this reach?
Good question. If I were a forensics expert and offering testimonial services, I would be pretty nervous about this law. The Act seems to focus on:
Computer forensics to be used as evidence before a court, board, officer, or investigating committee.
Most electronic discovery is focused on collection rather than forensics and an argument could be made that your eDiscovery efforts are not about forensics but rather the collection of relevant evidence for review. But do you want to make this argument to some Michigan criminal court? I wouldn’t.
Hopefully there is a bureau or committee in Michigan that can interpret this new law and give some comfort to those having to conduct electronic discovery up in the northlands. Until that happens, I would be very careful about this law. It has teeth and maybe an ambitious prosecutor looking to make a name for herself.
What is Really Going On?
Job protection, plain and simple (my opinion at least). Since the beginning of time, trade guilds have existed to keep out competition and protect their monopolies and this situation doesn’t look much different. Private investigators have been licensed for the past century and historically there may have been good reason for this. After all, you don’t want just anyone snooping in your trash cans or spying in your windows.
But in the 21 st century, investigations are not what they used to be. Anyone with a computer and Internet connection can dig up incredible amounts of information about all of us, without need for binoculars or a fedora and trench coat. What’s a PI supposed to do with all his free time now that he isn’t needed for traditional investigations? Answer: Become a forensics expert. And make sure nobody else can touch those computers.
I know there are privacy implications around all this, but I don’t see much good coming from attempts to regulate this behavior at the state level. Rather, it feels like requiring local counsel in out of state cases. It adds costs to the process without (in many cases) a corresponding benefit.
If every state adopts regulation like these, you may find that you need to retain licensed PIs in multiple states just to do what one good forensics person could do from a central location. And, I don’t think you can get around the issue by using Terminal Services to connect to and collect from remote computers. I bet Texas and Michigan won’t hesitate to extend the long arm of prosecutorial jurisdiction to anyone setting foot in the state, even if it is a virtual foot.
Watch out all you forensics and collection types, at least in Texas and Michigan. There are new dangers out there waiting for you.
Resources
Link to Texas Private Security Bureau web page
Link to statutes regulating Texas Private Investigators
Link to opinions from Texas Private Security Bureau
Link to information regarding Michigan House Bill 5274
Link to Public Act 146 (House Bill 5274 as enacted)
Read Joe Howie’s article on the Michigan Act in the ALSP Newsletter
RSS
