Summary. Some states define “private investigator” for PI licensing purposes in ways that can include digital forensics. State PI legislation invariably exempts lawyers, but the scope of that exemption may be limited to people who have an employer-employee relationship with the attorney, meaning that third-party digital forensics examiners (“DFEs”) may have to be licensed as PI’s. The limited scope of the attorney exemption could also bring what many consider as litigation support activities within the scope of state PI regulation. There can be criminal penalties for unlicensed PI’s and, in at least one state, for people who hire unlicensed PI’s.

DFEs operate in a fundamentally different manner than private investigators and PI regulation should not extend to digital forensics. To the extent there is regulation it should be consistent across the Unites States – the national and international scope of many companies and transactions means that many cases and investigations will necessarily be multi-jurisdictional and consistent rules are needed to avoid unnecessary burden and expense.

Statutory Definition of Private Investigator

North Carolina is one of the states currently considering whether the definition of Private investigator should include DFE’s. Its current statute (N.C. G.S. 74C-3(a)(8)) uses a definition that is similar to one used by many states. It defines a private detective or private investigator in part as follows:

Any person who engages in the profession of or accepts employment to furnish, agrees to make, or makes inquiries or investigations concerning any of the following on a contractual basis:

***

b.         The identity, habits, conduct, business, occupation, honesty, integrity, credibility, knowledge, trustworthiness, efficiency, loyalty, activity, movement, whereabouts, affiliations, associations, transactions, acts, reputation, or character of any person.

***

d.         The cause or responsibility for fires, libels, losses, accidents, damages, or injuries to persons or to properties.

e.         Securing evidence to be used before any court, board, officer, or investigative committee.

***

Note that the actions of a DFE or a litigation support vendor in helping gather responsive records (“secure evidence”), or to search evidentiary databases containing those records (“inquiries.. the cause or responsibility for … damages or injuries…”) arguably fall within the definition of a private investigator.

Attorney Exemption

Virtually all states that have PI laws also provide an exemption for attorneys who are acting in their capacities as attorneys. Recognizing that attorneys rely on the assistance of others to help manage and prepare their cases, the attorney exemption is extended to those who assist lawyers. North Carolina is somewhat typical. It exempts “An attorney at law licensed to practice in North Carolina while engaged in the practice of law and the attorney's agent, provided the agent is performing duties only in connection with his or her principal's practice of law.” N.C. R.S. 74C-3(b)(4). This provision appears to avoid requiring that the agent be an employee of the attorney. However, note that the exemption extends only to agents of attorneys licensed in North Carolina – even if the company is headquartered elsewhere or the litigation is filed in a different jurisdiction.

Other states define the scope of the exemption differently. For example, the New York statute states, “nor shall anything in this article contained be construed to affect in any way attorneys or counselors at law in the regular practice of their profession, but such exemption shall not enure to the benefit of any employee or representative of such attorney or counselor at law who is not employed solely, exclusively and regularly by such attorney or counselor at law.” Section 83 of Article 7, N.Y. General Business Law. How a lawyer chooses to staff a project could impact whether the staff would have to be licensed PIs. Full-time regular employees would be exempt, but outsourced positions or temporary positions may have to be PI’s.

Private Investigation

Setting aside specific statutory language for a moment, inherent in the term “private investigation” is the notion of confidentiality or discreteness. When a client hires a private investigator (“PI”) to investigate a third-party or a specific incident, the PI may employ various means, none of which will involve giving the third-party the right to be present, telling the third party that the investigation is underway or telling the subject of the investigation the names of those being contacted. In an undercover or clandestine investigation the PI may talk with or record the subject or make observations regarding the subject at the subject’s home, place of business or worship, or while engaged in civic or associational activities, all without notifying the subject that his or her discussions or actions are being noted for possible use later on. If the subject does learn of the investigation, it may be weeks or months later, and it may simply not be possible to recreate with any confidence what all was said or done at the time other than by resorting to the notes or materials gathered by the PI.

Differences Compared to Private Investigation

Digital forensics and litigation support can both involve the gathering, analysis and presentation of data that is secured with the full knowledge and consent of the owner of the data or of data that was obtained pursuant to judicial process where the owner of the data was aware of the inquiry and had the opportunity to raise any objections or concerns in a court of law prior to producing or making the data available. PI professionals operate in a fundamentally different way than digital forensic examiners or litigation support professionals; hence the regulation of PI’s should not encompass digital forensics or litigation support.

Need for Consistent National Approach

Michael Kessler, a forensic accountant and computer forensics expert, mailed a survey to various state agencies that regulate private investigators that included the following two questions:

• Does your state require that a computer forensic technician who is engaged in providing computer forensic services to the general public have to be licensed as a private investigator?
• Does your state require that a firm offering computer forensic services be licensed as a private investigator in order to provide the service to the general public?

Mr. Kessler posted their responses online and the responses highlighted the inconsistencies from state to state in whether PI regulatory bodies considered digital forensics to be within the scope of their responses. Responses included:

Michigan : "Michigan does require that a ‘computer forensics technician’ be licensed as a private detective. In Michigan, a qualifying person holds the license and represents the business (his/her own business or that of another). The business does not hold a license. Therefore, a business offering computer forensic services would need to be a licensed private agency, although as stated, would not itself be licensed.”
— Vito J. Danzo, Michigan Department of Labor & Economic Growth, 22 May 2006

Nevada : “Yes we would require an individual or a firm offering computer forensic services to be licensed in this state. This is a relatively new area and is being brought to our attention frequently.”
— Mechele Ray, Nevada Department of Justice, Private Investigators Licensing Board, 19 July 2006

California : “Computer Forensic Technicians who only access and evaluate the computers (hard drive and etc.) are not required to be licensed as private investigators in California unless they are going out and performing investigations (interviewing people) in relation to the computers. See the definition of a private investigator and the exemptions.”
— Noreene DeKoning, California Bureau of Security and Investigative Services Policy Unit, 30 May 2007

Texas : “There is not an exemption for computer forensics in Chapter 1702 like there is for accounting, so 1702.104 takes precedence. If a computer forensics company contracts to provide service for a company, it may provide services limited to information from said company, and that company only, without a security license. For example, if a company mainframe’s security was breached, a forensic investigator could legally determine where in that system the security lapse happened (without a license from the Private Security Bureau). However, if the forensic analyst were to follow the digital trail outside of the company it was contracted to in order to find the nature, location, or identity of the intruder, they must be licensed as a private investigator. Again, if the nature of the investigation requires the firm to pursue information or property not in the possession of the client, a private investigator company license would be required.”
— Jeremy Dansby, Private Security Bureau, Texas Department of Public Safety, 16 May 2007

Missouri : Does not require licensing for private investigation. However, according to the National Council of Investigation & Security Services ,  Kansas City, St. Louis, Joplin, St. Joseph and Springfield require licensing.

How would a multistate company plan a rational system of performing computer forensics in various states? In five states we’ve seen five different approaches:

• One requires a state-licensed PI individual, but not a company
• Another requires a state-licensed PI individual or company
• One says no state license needed unless the forensics person interviews someone
• Another says no state license needed unless data from outside the client is investigated
• One has no state license, but city licenses may be required

Note that the requirements for becoming licensed as PI’s can be a considerable burden, often requiring three years of experience working for another private investigator, filing an application, paying various fees and possibly maintaining an office in state. Violating the statute can be criminally prosecuted, and in Texas this could include the person hiring the unlicensed PI. This type of regulation could substantially increase the cost and complexity of a discovery process that is already viewed by most people as being far too costly and complex. The lack of state-to-state PI regulation and state reciprocity exacerbates the situation.

Recommendation

Clearly, uniform state or national laws are essential. This issue may be appropriate for the National Conference of Commissioners on Uniform State Laws to consider. The International Association of Security and Investigative Regulators , composed of members from 37 agencies in 26 states and eight Canadian provinces, could provide a cost-effective forum to address computer forensics and e-Discovery on a multinational scope. Until the profession has a national forum to promote consistent regulation, bar associations, paralegal associations, ALSM groups and ALSP chapters should lobby their regulators — and legislators, if appropriate — to adopt the exemptions listed below:

Private Protective Services” shall not include any of the following:

• A person or organization that examines or processes information that is in its lawful possession, custody or control.
• A person or organization that is retained or employed by another person or organization to examine or process the information that is in the lawful possession, custody or control of the retaining or employing person or organization.
• Individuals or corporations that access publicly available information, including data that reside on public networks, including but not limited to the Internet.
• Attorneys who are licensed in the jurisdiction in which they practice while performing actions related to their practice of law and those agents retained or employed by the attorney provided that the agent is performing duties only in connection with his or her principal’s practice of law.