Litigation support professionals who have or may have cases involving electronic data from North Carolina should be aware that committees of the North Carolina Private Protective Services Board (“PPSB”) are meeting in Sunset Beach NC on April 17 and 18 to consider whether computer forensics requires a private investigators license under the current legislation and to rewrite that legislation.

Depending on the outcomes, conducting computer forensics or even conceivably electronic discovery in North Carolina could require a PI license from the state. Under the current regulations that would involve having three years experience working for another private investigator (12 NCAC 07D .0401), filing an application and paying various fees. This type of regulation could substantially increase the cost and complexity of a discovery process that is already viewed by most people as being far too costly and complex. State private investigator regulation lacks consistency state-to-state and this is made worse by the lack of reciprocity state-to-state.

To demonstrate the confusion that the current state-to-state scheme causes, let’s examine just some of the results of a survey conducted by Michael Kessler, a forensic accountant and computer forensics expert. He mailed a survey to various state agencies and posted their responses here. The survey included the following two questions:

4) Does your State require that a Computer Forensic Technician who is engaged in providing computer forensic services to the general public have to be licensed as a Private Investigator?
5) Does your State require that a firm offering computer forensic services be licensed as a Private Investigator in order to provide the service to the general public?

Some of the responses were as follows:

Michigan:

“ Michigan does require that a ‘computer forensics technician’ be licensed as a private detective.

In Michigan, a qualifying person holds the license and represents the business (his/her own business, or that of another). The business does not hold a license. Therefore, a business offering computer forensic services would need to be a licensed private agency, although as stated, would not itself be licensed.”

Letter of Vito J. Danzo, Security Regulation, Board of Accounting, Michigan Department of Labor & Economic Growth, to Mr. Kessler, dated May 22, 2006.

 

 Nevada:

“Yes we would require an individual or a firm offering computer forensic services to be licensed in this state. This is a relatively new area and is being brought to our attention frequently.”

Letter of Mechele Ray, Executive Director, Nevada Department of Justice, Private Investigators Licensing Board to Mr. Kessler dated July 19, 2006.

 

California

“Computer Forensic Technicians who only access and evaluate the computers (hard drive and etc.) are not required to be licensed as Private Investigators in California unless they are going out and performing investigations (interviewing people) in relation to the computers. See the definition of a Private Investigator and the exemptions.”

Email from Noreene DeKoning, California Bureau of Security and Investigative Services Policy Unit, dated May 30, 2007.

 

Texas

“There is not an exemption for computer forensics in Chapter 1702 like there is for accounting, so 1702.104 takes precedence. If a computer forensics company contracts to provide service for a company, it may provide services limited to information from said company, and that company only, without a security license. For example, if a company mainframe’s security was breached, a forensic investigator could legally determine where in that system the security lapse happened (without a license from the Private Security Bureau). However, if the forensic analyst were to follow the digital trail outside of the company it was contracted to in order to find the nature, location, or identity of the intruder, they must be licensed as a Private Investigator.

Again, if the nature of the investigation requires the firm to pursue information or property not in the possession of the client, a Private Investigator company license would be required.”

Letter from Jeremy Dansby, Customer Service Rep III, Private Security Bureau, Texas Department of Public Safety to Mr. Kessler, dated May 16, 2007

 

Missouri – does not require licensing for private investigation. However, according to this website, Kansas City, St. Louis, Joplin, St. Joseph and Springfield require licensing.

 

How would a multi-state company plan a rational system of performing computer forensics in various states? In five states we’ve seen five different approaches:

• Requires state-licensed PI individual, but not company
• Requires state-licensed PI individual and company
• No state license needed unless the forensics person interviews (i.e. talks) to someone.
• No state license needed unless data from outside the client is investigated.
• No state license, but city licenses may be required.

Clearly there needs to be uniform state laws on this topic. This topic may be appropriate for the National Conference of Commissioners on Uniform State Laws to consider. The International Association of Security and Investigative Regulators is comprised of members from 37 agencies in 26 states and eight Canadian provinces and it could provide the most cost-effective forum to address computer forensics and e-discovery on a national scope as opposed to having each state implement a potentially slightly different approach (recognizing that each state will still have to enact any model or proposed legislation). Until there is national-scope forum for providing consistent regulation across the United States, bar associations, paralegal associations, ALSM groups, and ALSP chapters should make sure that the interests of legal and litigation support professionals and their clients are fully considered by legislators and regulators. Points that should be presented to the regulatory bodies and/or state legislatures should include:

 

• No PI license should be required for a company or an individual to examine its own paper or electronic data, whether or not
• the person examining that data interviews or talks to people or
• the person examining that data has an employer-employee relationship with or is contractually retained by the company or individual whose records or data are being examined.
• The attorney exemption to PI regulation should extend to those people who assist the lawyer in examining his/her client’s data or data provided by an opposing party in litigation, whether or not those people have an employer-employee relationship with the attorney or are contractually retained by the lawyer or the lawyer’s clients.

 

North Carolina. The forensics committee of the North Carolina PPSB meets on April 17 th, 2008 at 4:00 PM and the rewrite committee meets on April 18 th, 2008 at 4:00 PM. Both meetings are open to the public and are being held at Sea Trail Golf Resort and Convention Center, 211 Clubhouse Road, Sunset Beach, North Carolina. If you can’t attend in person, you could direct any comments or suggestions to Terry Wright, Director of the NC PPSB at twright@ncdoj.gov.

 

References:

 North Carolina General Statutes Chapter 74C, Private Protective Services

Website of the North Carolina Private Protective Services Board

Administrative Rules and Regulations of the North Carolina Private Protective Services Board

Website containing responses of state PI boards to the question of whether a PI license was required for forensic computing. The survey is described here for March 26, 2008.