In cases in the Business Court, the lawyers are often assisted by computer forensics experts in dealing with electronic discovery issues. That’s becoming almost essential in complicated business cases.
Anyone can do this type of work right now. I get regular phone calls and emails from people pitching this type of work. But there is regulation in the works in North Carolina to clamp down on who can provide computer forensic services.
The North Carolina Board which regulates private investigators is looking at proposing legislation that would require that someone be a licensed private investigator before being able to do computer forensics work. Regulation in this area isn’t a revolutionary idea. You have to be licensed in some states to analyze electronically stored information, although there are great variances from state to state. Kessler International recently did a national survey on state licensing requirements. An American Bar Association Committee recently issued a report recommending against such licensing, as discussed below.
The driving force for the North Carolina legislation is the Private Protective Services Board, which regulates private investigators and others in the "private protective services professions." The Board is working on amendments to N.C. Gen. Stat. Chapter 74C to require a private investigator’s license for anyone doing computer forensics consulting.
Here’s a draft of the legislation, which was recently approved by the Board’s Computer Forensics Committee. It creates a new license category for a "Digital Forensics Examiner," which it defines as "any person who, on a contractual basis, engages in the profession of or accepts employment to conduct examinations of digitally stored data in order to recover, image, analyze, or examine such data to determine responsibility and/or reconstruct usage of such data." A person seeking such a license will need to have 3,000 hours of experience in digital forensics or a closely related field in order to be licensed, and to have completed basic training offered by the company supplying the analysis software used by the licensee.
The Board provided me with excerpts from other committee meetings at which the amendments were discussed, and also the draft minutes from the June 9, 2008 meeting of the committee.
Attorneys are exempt from the current statute, as are their agents, “provided the agent is performing duties only in connection with his or her principal’s practice of law.” G.S. §74C-3(b)(4). That exemption presumably would continue if the statute is amended, so this legislation may not prove to be a major issue for litigation matters if a lawyer retains the consultant, but if a client hires a consultant to perform analysis before litigation, that might be an issue.
The proposed amendment also exempts accountants and others it defines, including "persons employed to conduct network security operations up to the point of responsibility for network security violations," and "members of network security compromise response teams."
The American Bar Association’s Section of Science and Technology Law is also looking at this issue, and has come to a completely different conclusion regarding the need for licensing. The Report from the Section concludes that there shouldn’t be licensing, and recommends that the ABA should take a position discouraging the states from enacting regulatory legislation. Their rationale is that this is a technical area outside the expertise of those regulating private investigators, that there are professional certification programs available for forensic specialists, and that judges can in the final analysis determine whether a person is qualified to testify about the forensic work that he or she did. (Thanks to the TechDirt blog for this information).