[ale] IT Security (Evidence Collection) and HB 1259

Greg Freemyer greg.freemyer at gmail.com
Mon May 8 14:55:46 EDT 2006


This is a follow-up on the GA bill HB 1259 post I made last week.

First, it was vetoed on Friday, but per a meeting I just attended, it
will be back next year.

Below is a brief summary (from memory) of a 2-hr meeting of the HTCIA
with Calvin Hill (a state representative and a sponsor of HB1259) and
John Villanes (the head of the GA PI Licensing Board) that likely
applies to many computer personnel, especially those in IT security.

First some opinions (JV = John Villanes  CH = Calvin Hill)
1) (JV) As it stands any third party that collects evidence for use in
a criminal/civil suit is subject to the existing PI licensing law. 
The penalty is a misdemeanor and a relatively small fine, i.e. a few
hundred dollars I believe.  They are starting to get complaints about
Computer Forensic professionals not having their PI license.

2) (CH) There is intense pressure on the legislature to regulate
individuals with access to sensitive data.

3) (JV/CH) There is pressure to stop abuse of the GA PI law that
allows PI companies to face minimal sanctions if they employ felons
and allow them to carry guns.  This is apparently the driver that
caused HB 1259 to upgrade the offense of violating the PI license to
be a felony.

4) (JV/CH) HB 1259 will be back next year in some way, shape or form.

5) (JV) The PI Board has a written regulation (IIRC) that individuals
covered by other GA licensing boards will not be covered by the PI
board.  (I'm not sure what this means if you are arrested, i.e. you
are still breaking the law; it is just a regulation that says that
MDs/CPAs/Engineers/etc. are not required to have their PI license.)

6) (JV) My interpretation of what he said is that an IT consultant
responding to a client issue that intentionally gathers evidence for
potential use at a criminal/civil trial needs to be a PI today, and
needs to be regulated in some manner in the future.  His question was
"Why not the PI board?"

7) (JV/CH) Employees of the violated company do not need to have a
license, i.e. if you are part of an in-house IT security group you
don't need a PI license, it is only if you are an outside consultant
or work for a 3rd party (IT) security firm that you need a PI license.

8) (CH) The IT Security industry is likely to be regulated as a whole
by the next legislative session (Winter 07).

=== Future
The HTCIA is going to form a working group to try to come up with ways
for Computer Forensic Experts to be regulated by the State of GA.  It may
be that:

    they simply have to get their PI licenses.

    a PI CF specialty is recommended.

    an IT Security Licensing Board is established and it will have
    responsibility for CF experts as well as the many other specialties of
    IT Security.

If any of you are part of professional groups that will be affected by
the above you may want your group to look into this.

Greg
--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century


