LEG523: Law of Data Security and Investigations

Before developing any Incident Response or investigation process this class is a must. Ben does a great job getting into the heads of lawyers.

Eliot Irons, Solutionary

I wish I'd taken this course 3-4 years ago. Much of the policy and governance we've been doing would have been enhanced.

Tom Siu, CWRU

  • New: The arrest and criminal indictment of two Coalfire penetration testers in Iowa
  • New: How to balance the right to data privacy versus the right to data security under GDPR and the new California Consumer Privacy Act
  • New: Invoking attorney-client privilege to maintain confidentiality of security assessments such as penetration tests
  • New: Court decision shows how to improve an official investigation using artificial intelligence.
  • Unique and indispensable training for General Data Protection Regulation Officers.
  • New: Form contract to invite outside incident responders - including police, contractors, National Guard, or civil defense agencies from anywhere in the world - to help with a cyber crisis.

New law on privacy, e-discovery, and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the cybersecurity team. SANS LEG523 provides this unique professional training, including skills in the analysis and use of contracts, policies, and insurance security questionnaires.

This course covers the law of crime, policy, contracts, liability, compliance, cybersecurity, and active defense - all with a focus on electronically stored and transmitted records. It also teaches investigators how to prepare credible, defensible reports, whether for cyber crimes, forensics, incident response, human resource issues, or other investigations.

The Global Information Assurance Certification (GLEG) associated with LEG523 demonstrates to employers that you have absorbed the sophisticated content of this course and are ready to put it to use. This coveted GIAC certification distinguishes any professional - whether a cybersecurity specialist, auditor, lawyer, or forensics expert - from the rest of the pack. It also strengthens the credibility of forensics investigators as witnesses in court and can help a forensics consultant win more business. And the value of the certification will only grow in the years to come as law and security issues become even more interconnected.

The course also provides training and continuing education for many compliance programs under information security and privacy mandates such as GLBA, HIPAA, FISMA, GDPR, and PCI-DSS.

Each successive day of this five-day course builds upon lessons from the earlier days in order to comprehensively strengthen your ability to help your public or private sector enterprise cope with illegal hackers, botnets, malware, phishing, unruly vendors, data leakage, industrial spies, rogue or uncooperative employees, or bad publicity connected with cybersecurity. We cover topical stories, such as Home Depot's legal and public statements about its payment card breach and the lawsuit by credit card issuers against Target's QSA and security vendor, Trustwave.

Recent updates to the course address hot topics such as legal tips on confiscating and interrogating mobile devices, the retention of business records connected with cloud computing and social networks like Facebook and Twitter, and analysis and response to the risks and opportunities surrounding open-source intelligence gathering.

Over the years this course has adopted an increasingly global perspective. Professionals from outside the United States attend LEG523 because there is no training like it anywhere else in the world. For example, a lawyer from the national tax authority in an African country took the course because electronic filings, evidence, and investigations have become so important to her work. International students help the instructor, U.S. attorney Benjamin Wright, constantly revise the course and include more content that crosses borders.

You Will Learn How To:

  • Choose words for better legal results in policies, contracts, and incidents
  • Implement processes that yield defensible policies on security, e-records, and investigations
  • Reduce risk in a world of vague laws on cyber crime and technology compliance
  • Carry out investigations so that they will be judged as ethical and credible
  • Persuade authorities that you and your organization responded responsibly to cybersecurity, privacy, and forensic challenges.

Course Syllabus

Overview

Section 1 is an introduction to cyber and data protection law. It serves as the foundation for discussions during the rest of the course. We will survey the general legal issues that must be addressed in establishing best information security practices, then canvass the many new laws on data security and evaluate cybersecurity as a field of growing legal controversy. The course section will cover computer crime and intellectual property laws when a network is compromised, as well as emerging topics such as honeypots. We will look at the impact of future technologies on law and investigations in order to help students factor in legal concerns when they draft enterprise data security policies. For example, students will debate what the words of an enterprise policy would mean in a courtroom. This course section also dives deep into the legal question of what constitutes a "breach of data security" for such purposes as notifying others about it. The course day includes a case study on the drafting of policy to comply with the Payment Card Industry Data Security Standard (PCI). Students will learn how to choose words more carefully and accurately when responding to cybersecurity questionnaires from regulators, cyber insurers, and corporate customers.

CPE/CMU Credits: 6

Overview

Cybersecurity and digital forensic professionals constantly deal with records and evidence, so they need a practical understanding of e-discovery and policies on the retention and destruction of data. Section 2 of the course places great emphasis on the law of evidence and records management. It teaches the necessity to apply a "legal hold" or "litigation hold" on records when controversy emerges. It helps technical and legal professionals learn to speak the same language as they assess how to find records and possibly disclose them in litigation or investigations.

Recognizing that investigators, like incident responders, collect and manage evidence that may later be needed in court or arbitration, this section teaches how the law evaluates digital evidence. It also introduces electronic contracting methods, in preparation for the extended discussion of technology contracts in the next course section. Students learn that effective contracting today requires thoughtful decisions on the policy for the retention of records like electronic mail and text messages.

Law and technology are changing quickly, and it is impossible for professionals to comprehend all the laws that apply to their work. But they can comprehend overarching trends in law, and they can possess a mindset for finding solutions to legal problems. A key goal of this section is to equip students with the analytical skills and tools to address technology law issues as they arise, both in the United States and around the world. Section 2 devotes much attention to European data protection laws. The analysis puts the General Data Protection Regulation (GDPR) into a historical context so that students can better understand how the new regulation is being interpreted. (See Benjamin Wright's white paper on the GDPR.)

The course is chock full of actual court case studies dealing with privacy, computer records, digital evidence, electronic contracts, regulatory investigations, and liability for shortfalls in security. The purpose of the case studies is to draw practical lessons that students can take back to their jobs and apply immediately.

CPE/CMU Credits: 6

Overview

Section 3 focuses on the essentials of contract law sensitive to the current requirements for security. Compliance with many of the new data security laws requires contracts. Because IT pulls together the products and services of many vendors, consultants, and outsourcers, enterprises need appropriate contracts to comply with Gramm-Leach-Bliley, HIPAA, GDPR, PCI-DSS, data breach notice laws, and other regulations.

This course day provides practical steps and tools that students can apply to their enterprises and includes a lab on writing contract-related documents relevant to the students' professional responsibilities. (The lab is an optional, informal "office hours" discussion with the instructor at the end of the day when the course is delivered live.) You will learn the language of common technology contract clauses and the issues surrounding those clauses, and become familiar with specific legal cases that show how different disputes have been resolved in litigation.

Recognizing that enterprises today operate increasingly on a global basis, the course teaches cases and contract drafting styles applicable to a multinational setting.

Contracts covered include agreements for software, consulting, nondisclosure, outsourced services, cyber insurance, penetration testing, and private investigation services (such as cyber incident response). Special attention is given to cloud computing issues. Students also learn how to exploit the surprising power of informal contract records and communications, including cybersecurity questionnaires and requests for InfoSec assurances.

CPE/CMU Credits: 6

Overview

Information security professionals and cyber investigators operate in a world of ambiguity, rapid change, and legal uncertainty. To address these challenges, this course section presents methods to analyze a situation and then act in a way that is ethical, defensible, and reduces risk. Lessons will be invaluable to the effective and credible execution of any kind of investigation, be it internal, government, consultant related, a security incident, or any other. The lessons also include methods and justifications for maintaining the confidentiality of an investigation.

Section 4 surveys white-collar fraud and other misbehaviors with an emphasis on the role of technology in the commission, discovery, and prevention of that fraud. It teaches cyber managers and auditors practical and case-study-driven lessons about the monitoring of employees and employee privacy.

IT is often expected to "comply" with many mandates, whether stated in regulations, contracts, internal policies, or industry standards (such as PCI-DSS). This course section teaches many broadly applicable techniques to help professionals establish that they and their organizations are in fact in compliance, or to reduce risk if they are not in perfect compliance. The course draws lessons from models such as the Sarbanes-Oxley Act and European Union guidelines for imposing fines under the GDPR.

As cybersecurity professionals take on more responsibility for controls throughout an enterprise, it is natural that they worry about fraud, which becomes a new part of their domain. Section 4 covers what fraud is, where it occurs, what the law says about it, and how it can be avoided and remedied.

Scattered through the course are numerous descriptions of actual fraud (or "insider threat") cases involving technology. The purpose is to acquaint the student with the range of modern business crimes, whether committed by executives, employees, suppliers, or whole companies. More importantly, Section 4 draws on the law of fraud and corporate misconduct to teach larger and broader lessons about legal compliance, ethical hacking, and proper professional conduct in difficult case scenarios.

Further, this course section will show students how to conduct forensic investigations involving social, mobile, and other electronic media. Students will learn how to improve the preservation and interpretation of digital evidence, such as evidence of a breach or other cyber event.

CPE/CMU Credits: 6

Overview

Knowing some rules of law is not the same as knowing how to deal strategically with real-world legal problems. Section 5 is organized around extended case studies in security law: break-ins, investigations, piracy, extortion, rootkits, phishing, botnets, espionage, and defamation. The studies lay out the chronology of events and critique what the good guys did right and what they did wrong. The goal is to learn to apply principles and skills to address incidents in your day-to-day work.

The course includes an in-depth review of legal responses to the major security breaches at TJX, Target, and Home Depot, and looks at how to develop a bring-your-own-device (BYOD) policy for an enterprise and its employees.

The skills learned are a form of crisis management, with a focus on how your enterprise will be judged in a courtroom, by a regulatory agency, or in a contract relationship. Emphasis will be on how to present your side of a story to others, such as law enforcement, Internet gatekeepers, or the public at large, so that a security incident does not turn into a legal and political fiasco.

In addition to case studies, the core material will include tutorials on relevant legislation and judicial decisions in such areas as privacy, negligence, contracts, e-investigations, computer crime, and active countermeasures.

LEG523 is increasingly global in its coverage, so although this course day centers on U.S. law, legal issues and the roles of government authorities outside the United States will also be examined.

At the end of Section 5 the instructor will discuss a few sample questions to help students prepare for the GIAC exam associated with this course (GLEG).

CPE/CMU Credits: 6

Additional Information

  • Investigators
  • Security and IT professionals
  • Lawyers
  • Staff at government regulatory agencies
  • Auditors
  • Insider threat analysts
  • Technology managers
  • Vendors
  • Compliance officers
  • Law enforcement personnel
  • Privacy officers
  • Penetration testers
  • Cyber incident and emergency responders around the world (including private sector, law enforcement, national guard, and civil defense, among others)

GIAC Certification

Interested in the Global Information Assurance (GLEG) certification associated with LEG523? Learn more about the benefits here.

Related Courses

LEG523 complements SANS's rigorous Digital Forensics program. The course and the SANS digital forensics curriculum provide professional investigators an unparalleled suite of training resources.

  • Course books with extensive notes and citations.
  • Sample policy templates on topics such as e-record retention, BYOD devices, and the use of company-owned, personal-enabled devices.
  • Sample contract language, such as text for a non-disclosure agreement.
  • MP3 audio files of the complete course lecture.

  • Work better with other professionals at your organization who make decisions about the law of data security and investigations
  • Exercise better judgment on how to comply with privacy and technology regulations, both in the United States and in other countries
  • Evaluate the role and meaning of contracts for technology, including services, software, and outsourcing
  • Help your organization better explain its conduct to the public and to legal authorities
  • Anticipate cyber law risks before they get out of control
  • Implement practical steps to cope with technology law risk
  • Better explain to executives what your organization should do to comply with information security and privacy law
  • Better evaluate technologies, such as digital archives and signatures, to comply with the law and serve as evidence
  • Make better use of electronic contracting techniques to get the best terms and conditions
  • Exercise critical thinking to understand the practical implications of technology laws and industry standards (such as the Payment Card Industry Data Security Standard).

This course is an intensive legal education experience, supported with extensive written notes and citations. Lawyers from all over the world take the course. It is developed and taught by an experienced lawyer, Benjamin Wright, who is a member of the Texas Bar Association.

American lawyers have applied for and received participatory continuing legal education credit for attending the in-person version of the course. Obtaining such credit depends on the rules of your state or jurisdiction.

Update: In 2017, LEG523 was accredited under the Colorado Bar Association. Some states will grant credit based on reciprocity from another state like Colorado.

Update: In December 2018, LEG523 was accredited by the Missouri Bar Association.

If you wish to discuss continuing legal education credit, you are welcome to contact Mr. Wright at ben_wright@compuserve.com (put "SANS" in the subject line).

"LEG523 provides a great foundation and introduction to the legal issues involving cybersecurity." - Tracey Kinslow, TN Air National Guard

"The best guy in the country on these issues is Ben Wright." - Stephen H. Chapman, Principal and CEO, Security Advisers, LLC

"Ben Wright's insight into legal issues and teaching style makes this potentially dry material exciting. His stories and examples add to the printed material." - Karl Kurrle, Golf Savings Bank

"This course was an eye opener to the various legal issues in data security. Practices I will use when back in office." - Albertus Wilson, Saudi Aramco Guard

"Coming from an intense IT operations background, it was extremely valuable to receive an understanding of my security role from a legal point of view." - John Ochman, BD

Author Statement

"LEG523 includes five intense sections that cover the rapid development of law at the intersection of IT and security. Be prepared for insights and tips you have not heard before. The course teaches many non-obvious ideas and lessons that can take time to fully develop. I try to enable professionals to change the way they think about law and technology. My goal is to help students learn to resolve practical problems and manage legal risk in situations in the future that cannot fully be predicted, and to give students critical insights into how to recognize and cope with the very difficult problems of cyber law."

- Benjamin Wright
