Computer Forensics

December 2, 2020

August 21, 2007
The computer forensics industry has requested clarification of the department's position regarding whether the services commonly associated with computer forensics constitute those of an "investigations company" and are therefore services regulated under the Private Security Act (Chapter 1702 of the Occupations Code).  It is hoped that the following will be of assistance.

First, the distinction between “computer forensics” and “data acquisition” is significant.  We understand the term “computer forensics” to refer to the analysis of computer-based data, particularly hidden, temporary, deleted, protected or encrypted files, for the purpose of discovering information related (generally) to the causes of events or the conduct of persons.  We would distinguish such a content-based analysis from the mere scanning, retrieval and reproduction of data associated with electronic discovery or litigation support services.

For example, when the service provider is charged with reviewing the client’s computer-based data for evidence of employee malfeasance, and a report is produced that describes the computer-related activities of an employee, it has conducted an investigation and has therefore provided a regulated service.  On the other hand, if the company simply collects and processes electronic data (whether in the form of hidden, deleted, encrypted files, or otherwise), and provides it to the client in a form that can then be reviewed and analyzed for content by others (such as by an attorney or an investigator), then no regulated service has been provided.

The Private Security Act construes an investigator as one who obtains information related to the  “identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person; the location, disposition, or recovery of lost or stolen property; the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property; or for the purpose of securing evidence for use in court.  Tex. Occ. Code §1702.104.  Consequently, we would conclude that the provider of computer forensic services must be licensed as an investigator, insofar as the service involves the analysis of the data for the purposes described above.

With respect to the statutory reference to “securing evidence for use in court,” we would suggest that the mere accumulation of data, or even the organization and cataloging of data for discovery purposes, is not a regulated service.  Rather, in this context, the department would interpret the reference to “evidence” as referring to the report of the computer forensic examiner, not the data itself.  The acquisition of the data, for evidentiary purposes, precedes the analysis by the computer forensic examiner, insofar as it is raw and unanalyzed.[1] The mere collection and organization of the evidence into a form that can be reviewed and analyzed by others is not the “securing of evidence” contemplated by the statute.

This analysis is consistent with the language of HB 2833 (Tex. Leg. 80th Session), which amends Section 1702.104.  The amendment confirms that the “information” referred to in the statute “includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.” 

[1]It may well be that the hardware on which the data exists is itself the product of an investigation, but that is a separate question.