Security Ripcord

** It was recommended that I add a disclaimer stating I am not a lawyer.  So, be advised, I am not a lawyer **

*** Update 2: shrdlu points out (see comments below) that I missed the very last line of the PSB opinion on security consulting.  Thank you, shrdlu.  So, until they change that opinion all is well. ***

The SANS Computer Forensics Blog post Digital Forensics Professionals: Texas PI Legislation Interpreted got me thinking about the Texas PI laws again so I decided to take another look at the TEXAS OCCUPATIONS CODE CHAPTER 1702.  What I have found concerns me very much and if you or your company does forensic or security consulting work in the State of Texas then you had better read it as well and pass it onto your lawyers BEFORE you do anymore work in this state.

Basically, the State of Texas is now regulating all of the information security consultant industry within its boundaries.  This *DOES NOT* include the security departments of individual businesses.

Let’s start with a bit of clarification.  The State of Texas designates anybody doing investigative or security consultant work as a “company.”  If you do not understand this then reviewing the statue is going to confuse you at first.  With this in mind, here is the definition of “investigations” as put forth in Chapter 1702.

Sec. 1702.104.  INVESTIGATIONS COMPANY.

(a)  A person acts as an investigations company for the purposes of this chapter if the person:

(1)  engages in the business of obtaining or furnishing, or accepts employment to obtain or furnish, information related to:

(A)  crime or wrongs done or threatened against a state or the United States;

(B)  the identity, habits, business, occupation, knowledge, efficiency, loyalty, movement, location, affiliations, associations, transactions, acts, reputation, or character of a person;

(C)  the location, disposition, or recovery of lost or stolen property; or

(D)  the cause or responsibility for a fire, libel, loss, accident, damage, or injury to a person or to property;

(2)  engages in the business of securing, or accepts employment to secure, evidence for use before a court, board, officer, or investigating committee;

(3)  engages in the business of securing, or accepts employment to secure, the electronic tracking of the location of an individual or motor vehicle other than for criminal justice purposes by or on behalf of a governmental entity; or

(4)  engages in the business of protecting, or accepts employment to protect, an individual from bodily harm through the use of a personal protection officer.

(b)  For purposes of Subsection (a)(1), obtaining or furnishing information includes information obtained or furnished through the review and analysis of, and the investigation into the content of, computer-based data not available to the public.

After contacting the Private Security Bureau, which is a division of the Texas Department of Public Safety, I was told that the State of Texas regulates “investigations” so that the persons conducting them are qualified.  To ensure that investigators are qualified they are required to comply with Sec. 1702.113.  GENERAL QUALIFICATIONS FOR LICENSE, CERTIFICATE OF REGISTRATION, OR SECURITY OFFICER COMMISSION (which are basic employment requirements) and:

Sec. 1702.114.  ADDITIONAL QUALIFICATIONS FOR INVESTIGATIONS COMPANY
LICENSE.

(a)  An applicant for a license to engage in the business of an
investigations company or the applicant’s manager must have, before the
date of the application, three consecutive years’ experience in the
investigative field as an employee, manager, or owner of an investigations
company or satisfy other requirements set by the commission.

Now I do understand the need to provide a governing hand to protect the public from “investigators.”  If the state feels it is necessary then so be it.  This is basically stating that you have to have three years experience before you can operate individually or be the primary investigator of a company (yours or somebody elses).  More explaintion about this can be found in the PSB Opinion Summaries in the section titled Computer Forensics.

The part of Chapter 1702 that is really going to concern people is the guidance it provides for people the state considers as “security services contractors” or “private security consulting company.”  Here is the guide lines for what constitutes as a “private security consulting company.”

Sec. 1702.1045.  PRIVATE SECURITY CONSULTING COMPANY.

A person acts as a private security consulting company for purposes of this chapter if the person:

(1)  consults, advises, trains, or specifies or recommends products, services, methods, or procedures in the security or loss prevention industry;

(2)  provides a service described by Subdivision (1) on an independent basis and without being affiliated with a particular service or product;  and

(3)  meets the experience requirements established by the board.

Guidance on how this applies can also be found in the PSB Opinion Summaries in the section titled Computer Network Vulnerability Testing Firms.  Here is the part that stands out to me:

However, while the Bureau regulates consultants in the “security industry
or loss prevention industry,” these latter phrase is not explicitly defined
in the statute. It is therefore necessary to look to the rest of the
statute in order to understand to which services the private security
consultant’s licensure requirement applies.

It is reasonable to consider those industries otherwise regulated by the
Private Security Act as reflecting the scope of the phrase “security
industry or loss prevention industry.” In other words, the definitions are
implied by those services that are regulated by the statute, viz., security
guards, locksmiths, alarm system installers and monitors, and private
investigators, and not software designers, installers or suppliers.

Thus, the industries that are directly regulated are the same industries
about which one cannot consult without a license. Because the Private
Security Bureau does not regulate software designers, installers, or
suppliers, it also does not regulate those who provide consulting services
related to computer network security.

What this tells me is basically, if you are a security consultant in the State of Texas you must be registered.  This requires that you apply for a license and pass the Qualified Manager’s Exam.  This is the same exam that is required to become a licensed Private Investigator only where as Private Investigators only pay $350 to take the exam, security consultants have to pay $400 to take the exam, as outlined in Chapter 1702.  This exam simply shows that the person passing the exam has an understanding of the regulations we are covering and nothing specific to investigations or consulting.  The additional requirements to become a licensed security services contractor include:

Sec. 1702.115.  ADDITIONAL QUALIFICATIONS FOR SECURITY SERVICES CONTRACTOR LICENSE.

(a)  An applicant for a license to engage in the business of a security services contractor or the applicant’s manager must have, before the date of the application, two consecutive years’ experience in each security services field for which the person applies as an employee, manager, or owner of a security services contractor or satisfy other requirements set by the commission.

(b)  The applicant’s experience must have been obtained legally and must be:

(1)  reviewed by the commission or the director; and

(2)  determined to be adequate to qualify the applicant to engage in the business of a security services contractor.

As a security profession in the State of Texas I am concerned that I cannot consult, advise, train, or specify or recommend products, services, methods, or procedures in the security or loss prevention industry without being a licensed security services contractor.  This basically tells me that I cannot talk to anybody (family, friends, public gatherings like the PTA or a church, in addition to business relationships) about these issues until I am licensed.  Consultant businesses doing business within Texas should have the very same concerns.

Security professionals coming to Texas should also be concerned.  If you come to Texas to work or even to teach a class (SANS training) or give a presentation (TRISC) that consults, advises, trains, or specifies or recommends products, services, methods, or procedures in the security or loss prevention industry and you are not licensed you could be held accountable.  Specifically:

Sec. 1702.386.  UNAUTHORIZED EMPLOYMENT; OFFENSE.

(a)  A person commits an offense if the person contracts with or employs a person who is required to hold a license, registration, certificate, or commission under this chapter knowing that the person does not hold the required license, registration, certificate, or commission or who otherwise, at the time of contract or employment, is in violation of this chapter.

(b)  An offense under Subsection (a) is a Class A misdemeanor.

Although a Class A misdemeanor does not seem like much, individuals who have been found in violation of this statue may not be able to obtain a license in the future as outlined in Sec. 1702.113.  GENERAL QUALIFICATIONS FOR LICENSE, CERTIFICATE OF REGISTRATION, OR SECURITY OFFICER COMMISSION.

If you have additional information, updates, or clarification on this please leave a comment or shoot me an email so that I can update this post.

I’m starting to wonder if this blog is a violation of this statue.

Go forth and do good things,

Don C. Weber

---

Help support my training and travel to security conferences. Get your SANS Training and GIAC Certifications through the Security Ripcord.

---

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.