[ale] IT Security (Evidence Collection) and HB 1259

James P. Kinney III jkinney at localnetsolutions.com
Mon May 8 16:10:31 EDT 2006 

Gag! Another example of the sheer brilliance of people who make rules
about topics they don't understand.

Thanks for the update. I really have NO DESIRE to affiliate myself with
the PI crowd.

> This is a follow-up on the GA bill HB 1259 post I made last week.
>
> First it was veto'd on Friday, but per a meeting I just attended, it
> will be back next year
>
> Below is a brief summary (from memory) of a 2-hr meeting of the HTCIA
> with Calvin Hill (a state representative and a sponsor of HB1259) and
> John Villanes (the head of the GA PI Licensing Board) that likely
> applies to many computer personnel, especially those in IT security.
>
> First some opinions (JV = John Villanes  CH = Calvin Hill)
> 1) (JV) As it stands any third party that collects evidence for use in
> a criminal/civil suit is subject to the existing PI licensing law.
> The penalty is a misdemeaner and a relatively   small fine.  ie. a few
> hundred dollars I believe.  They are starting to get complaints about
> Computer Forensic professionals not having there PI license.
>
> 2) (CH) There is intense pressure on the legislature to regulate
> individuals with access to sensitive data.
>
> 3) (JV/CH) There is pressure to stop abuse of the GA PI law that
> allows PI companies to face minimal sanctions if they employ felons
> and allow them to carry guns.  This is apparently the driver that
> caused HB 1259 to upgrade the offense of vialoting the PI license to
> be a felony.
>
> 4) (JV/CH) HB 1259 will be back next near in some way shape or form.
>
> 5) (JV) The PI Board has a written regulation (IIRC) that individuals
> covered by other GA licensing boards will not be covered by the PI
> board.  (I'm not sure what this means if you are arrested.  i.e You
> are still breaking the law, it is just a regulation that says that
> MDs/CPAs/Engineers/etc. are not required to have their PI license.)
>
> 6) (JV) My interpretation of what he said is that a IT consultant
> responding to a client issue that intentionally gathers evidence for
> potential use at a criminal/civil trial needs to be a PI today, and
> needs to be regulated in some manner in the future.  His question was
> "Why not the PI board?"
>
> 7) (JV/CH) Employees of the violated company do not need to have a
> license.  ie. If you are part of an inhouse IT security group you
> don't need a PI license, it is only if you are an outside consultant
> or work for a 3rd party (IT) security firm that you need a PI license.
>
> 8) (CH) The IT Security industry is likely to be regulated as a whole
> by the next legislative session (Winter 07)
>
> === Future
> The HTCIA is going to form a working group to try to come up with ways
> for Computer Forensic Experts to regulated by the State of GA.  It may
> be that:
>
>      they simply have to get their PI licenses.
>
>     a PI CF specialty is recommended.
>
>     a IT Security Licensing Board is extablished and it will have
> responsibility for CF experts as well as the many other specialties of
> IT Security.
>
> If any of you are part of professional groups that will be affected by
> the above you may want your group to look into this.
>
> Greg
> --
> Greg Freemyer
> The Norcross Group
> Forensics for the 21st Century
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale
>

More information about the Ale mailing list