Where it gets sticky is in the case of incidental discovery (disaster recovery etc). There needs to be clarifying language in the Law for such situations. If left unchanged, the likelyhood of a tech deciding to "look the other way" (not report her findings) to avoid fines and jail time is very high.

—July 2nd, 2008 at 9:17 am
—On the other hand, of what possible use is a degree in criminal
—justice to a data miner or computer forensics examiner?

I'd agree with ya if I did'nt already have a degree in both AND live in Texas..LOL

Or maybe Sandy is right and ITT needs extra business.

1. Under the plain language of the statute, I don't think that your activities require a license to the extent they are a general audit and inspection for possible misfeasance by someone unknown. Perhaps, under a broad reading of the statute, to the extent you are instructed to investigate the activities of a particular user, that would qualify under 1702.104(a)(1)(B), and to the extent that you are engaged to figure out how an intrusion or other threat to the system happened, that could come under 1702.104(a)(1) (D) (both quoted in my post above).

2. It's important to note that not all of the bill you linked represents new law — only (as far as I can tell) the underlined portions, which is how legislatures typically denote new legislative language in draft bills. Therefore one should ask whether it is this new language that actually leads to the feared extension to computer repairs, or preexisting language. For instance, 1702.104(a)(2) — the section applying the requirement to anyone who gathers information to present to a court — is preexisting language. (The reason for the heartburn may be the addition of criminal penalties).

3. The decision to spin this as aimed exclusively at computer technicians is a strange one. If one is going to take an equally broad (and I think unsupportable) interpretation of the statutory language, one could apply it, for example, to the corporate HR person who investigates sexual harassment claims by interviewing employees.

4. The most interesting part of the press release Patrick links in his amended post is the suggestion that somebody has told these computer professionals that the state requires them to get a license. Yet the press release is oddly coy about who told them. If they are getting threatening letters from Texas' PI board, that would be a credible reason to think the state is taking the broad interpretation they fear, whether or not that interpretation is reasonable.

We audit not only for technical issues but also for counter-intelligence/espionage and counter-intrusion purposes. Since most cases of compromise are internal to any company – this includes all user actions and usage of the system and can extend to all data on the system. We are required to implement comprehensive/pervasive levels of auditing and to regularly review and analyze the logs to detect actions.

This is not a particular case just because I currently work on defense systems – similar work is conducted on unclassified systems (for a whole lot of companies) for the same reasons. All companies have proprietary data or some sort and most fall under laws and regulations intended to protect the integrity of financial data (Sarbannes-Oxley) or the privacy of individuals (HIPPA). I'm sure that most large companies routinely and continually monitor the activities of their employees and conduct counter-intrusion efforts. Any System Admin (SA) worth his or her salt is looking for compromises of their systems.

In the case of PC techs – they routinely are called upon to remove spyware/malware and so on, and most are required to report criminal evidence, if found in the course of those duties. Large companies have incident procedures and very careful controls to handle actionable data. That, arguably, makes investigation and handling of evidence normal job duties for PC techs and system admins in those companies.

Kevin, if a repair guy comes across some actionable data accidentally, I don't think he's covered by the statute because he's not in the business of seeking such information or testifying about it.

As to the auditing you do — it depends on what sort of auditing it is. Do you audit for employee/user misconduct?

It may not apply to PC techs in the broadest sense – though PC techs often look at logs and data. However, it seems to clearly apply to anybody (like myself) who does computer security and auditing. I work on defense contract computer systems and clearly all of our (classified) data is "not available to the public" – but that would apply to any proprietary information as well. With the proliferation of Sarbannes-Oxley and HIPPA, etc, this applies to a lot of computer workers who do not have PI licensing.

Another issue I am wondering about is – what if you are in TX and either working on, or being worked on remotely from out of the state? FWIW, I work in TX and this is creating a difficult corporate stir. My wife (also in TX) does PC support nationally from our home (she is 100% telecommute).