LEG523: Law of Data Security and Investigations

GIAC Law of Data Security & Investigations (GLEG)
GIAC Law of Data Security & Investigations (GLEG)
  • Online
30 CPEs

New law on privacy, e-discovery and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the cybersecurity team. SANS LEG523 provides this unique professional training, including skills in the analysis and use of contracts, policies, and records management procedures.

What You Will Learn

  • New: Supply chain terms and conditions
  • New: The rising influence of EU's General Data Protection Regulation (GDPR) in interpretation of cybersecurity law in the US and around the world
  • New: Understanding cyber insurance for a ransomware event
  • New: Facing a cyber crisis? File a lawsuit in the courts of another country.
  • New: Responding when law of foreign country appears to require you to retain sensitive data connected with a "cyber attack"
  • New: Adopt peer review of cybersecurity program to better evidence legal compliance
  • New: Video demonstration of how technical expert witness can handle adversarial cross-examination in a live online court hearing
  • New: Creative insertion of terms, comments, and conditions in blockchain to influence commercial relationships such as contracts for technology services
  • New: How to make better legal records of digital assets (such as non-fungible tokens) and trading platforms
  • New: How to deal with unwelcome visitors who mistakenly think they have legal right to scan or probe your infrastructure

New law on privacy, e-discovery, and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the cybersecurity team. SANS LEG523 provides this unique professional training, including skills in the analysis and use of contracts, policies, and insurance security questionnaires.

This course covers the law of crime, policy, contracts, liability, compliance, cybersecurity, and active defense - all with a focus on electronically stored and transmitted records. It also teaches investigators how to prepare credible, defensible reports, whether for cyber crimes, forensics, incident response, human resource issues, or other investigations.

"It's an excellent course outlining the emerging legal and security issues to be considered." - Nuran Bekiroska, UPS

The Global Information Assurance Certification (GLEG) associated with LEG523 demonstrates to employers that you have absorbed the sophisticated content of this course and are ready to put it to use. This coveted GIAC certification distinguishes any professional - whether a cybersecurity specialist, auditor, lawyer, or forensics expert - from the rest of the pack. It also strengthens the credibility of forensics investigators as witnesses in court and can help a forensics consultant win more business. And the value of the certification will only grow in the years to come as law and security issues become even more interconnected.

The course also provides training and continuing education for many compliance programs under information security and privacy mandates such as GLBA, HIPAA, FISMA, GDPR, and PCI-DSS.

Each successive day of this five-day course builds upon lessons from the earlier days in order to comprehensively strengthen your ability to help your public or private sector enterprise cope with illegal hackers, botnets, malware, phishing, unruly vendors, data leakage, industrial spies, rogue or uncooperative employees, or bad publicity connected with cybersecurity. We cover topical stories, such as Home Depot's legal and public statements about payment card breach and lawsuits against QSA security vendor Trustwave filed by cyber insurance companies and credit card issuers (third parties with which Trustwave had no relationship!).

Recent updates to the course address hot topics such as legal tips on confiscating and interrogating mobile devices, the retention of business records connected with cloud computing and social networks like Facebook and Twitter, and analysis, response to the risks and opportunities surrounding open-source intelligence gathering and the arrest and criminal indictment of two Coalfire penetration testers in Iowa.

Over the years this course has adopted an increasingly global perspective. Professionals from outside the United States attend LEG523 because there is no training like it anywhere else in the world. For example, a lawyer from the national tax authority in an African country took the course because electronic filings, evidence, and investigations have become so important to her work. International students help the instructor, U.S. attorney Benjamin Wright, constantly revise the course and include more content that crosses borders.

Recently Mr. Wright taught LEG523 in Singapore to a classroom of students representing numerous countries, diverse organizations and many different professions. The students gave the course high marks because it teaches generic, timeless lessons applicable around the world.

One thing that sets this course apart is its emphasis on ethics. The course teaches practical lessons on ethical performace by cyber defenders and digital investigators.


  • Choose words for better legal results in policies, contracts, and incidents
  • Implement processes that yield defensible policies on security, e-records, and investigations
  • Reduce risk in a world of vague laws on cyber crime and technology compliance
  • Carry out investigations so that they will be judged as ethical and credible
  • Persuade authorities that you and your organization responded responsibly to cybersecurity, privacy, and forensic challenges.
  • Negotiate business transactions in the ever-changing cyber world


  • Work better with other professionals at your organization who make decisions about the law of data security and investigations
  • Exercise better judgment on how to comply with privacy and technology regulations, both in the United States and in other countries
  • Evaluate the role and meaning of contracts for technology, including services, software, and outsourcing
  • Help your organization better explain its conduct to the public and to legal authorities
  • Anticipate cyber law risks before they get out of control
  • Implement practical steps to cope with technology law risk
  • Better explain to executives what your organization should do to comply with information security and privacy law
  • Better evaluate technologies, such as digital archives and signatures, to comply with the law and serve as evidence
  • Make better use of electronic contracting techniques to get the best terms and conditions
  • Exercise critical thinking to understand the practical implications of technology laws and industry standards (such as the Payment Card Industry Data Security Standard).


This course is an intensive legal education experience, supported with extensive written notes and citations. Lawyers from all over the world take the course. It is developed and taught by an experienced lawyer, Benjamin Wright, who is a member of the Texas Bar Association.

American lawyers have applied for and received participatory continuing legal education credit for attending the in-person version of the course. Obtaining such credit depends on the rules of your state or jurisdiction.

Update: In 2017, LEG523 was accredited under the Colorado Bar Association. Some states will grant credit based on reciprocity from another state like Colorado.

Update: In December 2018, LEG523 was accredited by the Missouri Bar Association.

Update:Many lawyers have successfully applied for Continuing Legal Education credit from their licensing authorities for taking LEG523 (Live and OnDemand). In fact, Ben is not aware of a lawyer who has been denied credit. 2022, a California lawyer shared with Ben a letter from the California Bar Association granting 25 hours of credit (maximum permitted in California). This letter can help lawyers in California and elsewhere get credit. Often, one authority will give credit for a course if another authority has given credit. Lawyers outside California have received more than 25 hours of credit for LEG523


  • Printed and Electronic Courseware with extensive notes and citations.
  • Form contract to invite outside incident responders - including police, contractors, National Guard, or civil defense agencies from anywhere in the world - to help with a cyber crisis
  • Sample policy templates on topics such as e-record retention, BYOD devices, and the use of company-owned, personal-enabled devices.
  • Sample contract language, such as text for a non-disclosure agreement.
  • MP3 audio files of the complete course lecture.

Interested in the GIAC Law of Data Security and Investigation (GLEG) certification associated with LEG523? Learn more about the benefits here.

LEG523 complements SANS's rigorous Digital Forensics program. The course and the SANS digital forensics curriculum provide professional investigators an unparalleled suite of training resources.

Syllabus (30 CPEs)

Download PDF
  • Overview

    Section 1 is an introduction to cyber and data protection law. It serves as the foundation for discussions during the rest of the course. We will survey the general legal issues that must be addressed in establishing best information security practices, then canvass the many new laws on data security and evaluate cybersecurity as a field of growing legal controversy. The course section will cover computer crime and intellectual property laws when a network is compromised, as well as emerging topics such as honeypots. We will look at the impact of future technologies on law and investigations in order to help students factor in legal concerns when they draft enterprise data security policies. For example, students will debate what the words of an enterprise policy would mean in a courtroom. This course section also dives deep into the legal question of what constitutes a "breach of data security" for such purposes as notifying others about it. The course day includes a case study on the drafting of policy to comply with the Payment Card Industry Data Security Standard (PCI). Students will learn how to choose words more carefully and accurately when responding to cybersecurity questionnaires from regulators, cyber insurers, and corporate customers.

  • Overview

    Cybersecurity and digital forensic professionals constantly deal with records and evidence, so they need a practical understanding of e-discovery and policies on the retention and destruction of data. Section 2 of the course places great emphasis on the law of evidence and records management. It teaches the necessity to apply a "legal hold" or "litigation hold" on records when controversy emerges. It helps technical and legal professionals learn to speak the same language as they assess how to find records and possibly disclose them in litigation or investigations.

    New privacy laws around the world, such as the California Consumer Privacy Act, demand that data be deleted under the so-called right-to-be-forgotten doctrine. But data deletion conflicts with other legal demands, such as the need to retain data to prove (maybe years later) that a consumer was treated fairly in a commercial transaction. Section 2 illuminates this increasingly common conflict. It teaches students how to manage the conflict within their enterprises.

    Recognizing that investigators, like incident responders, collect and manage evidence that may later be needed in court or arbitration, this section teaches how the law evaluates digital evidence. It also introduces electronic contracting methods, in preparation for the extended discussion of technology contracts in the next course section. Students learn that effective contracting today requires thoughtful decisions on the policy for the retention of records like electronic mail and text messages.

    Law and technology are changing quickly, and it is impossible for professionals to comprehend all the laws that apply to their work. But they can comprehend overarching trends in law, and they can possess a mindset for finding solutions to legal problems. A key goal of this section is to equip students with the analytical skills and tools to address technology law issues as they arise, both in the United States and around the world. Section 2 devotes much attention to European data protection laws. The analysis puts the General Data Protection Regulation (GDPR) into a historical context so that students can better understand how the new regulation is being interpreted. (See Benjamin Wright's white paper on the GDPR.)

    The course is chock full of actual court case studies dealing with privacy, computer records, digital evidence, electronic contracts, regulatory investigations, and liability for shortfalls in security. The purpose of the case studies is to draw practical lessons that students can take back to their jobs and apply immediately.

  • Overview

    Section 3 focuses on the essentials of contract law sensitive to the current requirements for security. Compliance with many of the new data security laws requires contracts. Because IT pulls together the products and services of many vendors, consultants, and outsourcers, enterprises need appropriate contracts to comply with Gramm-Leach-Bliley, HIPAA, GDPR, PCI-DSS, data breach notice laws, and other regulations.

    This course section provides practical steps and tools that students can apply to their enterprises and includes a lab on writing contract-related documents relevant to the students''professional responsibilities. (The lab is an optional, informal "office hours" discussion with the instructor at the end of the day when the course is delivered live.) You will learn the language of common technology contract clauses and the issues surrounding those clauses, and become familiar with specific legal cases that show how different disputes have been resolved in litigation.

    Recognizing that enterprises today operate increasingly on a global basis, the course teaches cases and contract drafting styles applicable to a multinational setting.

    Contracts covered include agreements for software, consulting, nondisclosure, outsourced services, cyber insurance, penetration testing, and private investigation services (such as cyber incident response). Special attention is given to cloud computing issues. Students also learn how to exploit the surprising power of informal contract records and communications, including cybersecurity questionnaires and requests for InfoSec assurances.

  • Overview

    Information security professionals and cyber investigators operate in a world of ambiguity, rapid change, and legal uncertainty. To address these challenges, this course section presents methods to analyze a situation and then act in a way that is ethical, defensible, and reduces risk. Lessons will be invaluable to the effective and credible execution of any kind of investigation, be it internal, government, consultant related, a security incident, or any other. The lessons also include methods and justifications for maintaining the confidentiality of an investigation, especially invocation of the doctrines of attorney-client privilege and attorney work product.

    Section 4 surveys insider fraud and other misbehaviors with an emphasis on the role of technology in the commission, discovery, and prevention of that fraud. It teaches cyber managers and auditors practical and case-study-driven lessons about the monitoring of employees and employee privacy.

    IT is often expected to "comply" with many mandates, whether stated in regulations, contracts, internal policies, or industry standards (such as PCI-DSS). This course section teaches many broadly applicable techniques to help professionals establish that they and their organizations are in fact in compliance, or to reduce risk if they are not in perfect compliance. The course draws lessons from models such as the Sarbanes-Oxley Act and European Union guidelines for imposing fines under the GDPR.

    As cybersecurity professionals take on more responsibility for controls throughout an enterprise, it is natural that they worry about fraud, which becomes a new part of their domain. Section 4 covers what fraud is, where it occurs, what the law says about it, and how it can be avoided and remedied.

    Scattered through the course are numerous descriptions of actual fraud (or "insider threat") cases involving technology. The purpose is to acquaint the student with the range of modern business crimes, whether committed by executives, employees, suppliers, or whole companies. More importantly, Section 4 draws on the law of fraud and corporate misconduct to teach larger and broader lessons about legal compliance, ethical hacking, and proper professional conduct in difficult case scenarios.

    Further, this course section will show students how to conduct forensic investigations involving social, mobile, and other electronic media. Students will learn how to improve the preservation and interpretation of digital evidence, such as evidence of a breach or other cyber event.

  • Overview

    Knowing some rules of law is not the same as knowing how to deal strategically with real-world legal problems. Section 5 is organized around extended case studies in security law: break-ins, investigations, piracy, extortion, rootkits, phishing, botnets, espionage, and defamation. The studies lay out the chronology of events and critique what the good people did right and what they did wrong. The goal is to learn to apply principles and skills to address incidents in your day-to-day work.

    The section includes an in-depth review of legal responses to the major security breaches at TJX, Target, and Home Depot, Freddie Mac, and others. It looks at how to develop a bring-your-own-device (BYOD) policy for an enterprise and its employees.

    The skills learned are a form of crisis management, with a focus on how your enterprise will be judged in a courtroom, by a regulatory agency, or in a contract relationship. Emphasis will be on how to present your side of a story to others, such as law enforcement, Internet gatekeepers, or the public at large, so that a security incident does not turn into a legal and political fiasco.

    In addition to case studies, the core material will include tutorials on relevant legislation and judicial decisions in such areas as privacy, negligence, contracts, e-investigations, computer crime, and active countermeasures.

    LEG523 is increasingly global in its coverage. Although this section refers to a number of US-based stories, legal issues and the roles of government authorities outside the United States will also be examined.

    At the end of Section 5 the instructor will discuss a few sample questions to help students prepare for the GIAC exam associated with this course (GLEG).

GIAC Law of Data Security & Investigations

The GIAC Law of Data Security & Investigations (GLEG) certification validates a practitioner's knowledge of the law regarding electronically stored and transmitted records. GLEG certification holders have demonstrated knowledge of the law of fraud, crime, policy, contracts, privacy, compliance, cybersecurity, and investigations.

  • Business Policies and Compliance
  • Contracts and Third Party Agreements
  • Data Retention and E-Discovery
  • Fraud and Misuse
  • Cybersecurity and Investigations
  • Intellectual Property, Privacy and PII
More Certification Details

Author Statement

"LEG523 includes five intense sections that cover the rapid development of law at the intersection of technology and security. Be prepared for insights and tips you have not heard before. The course teaches many non-obvious ideas and lessons that can take time to fully develop. I try to enable professionals to change the way they think about law and technology. My goal is to help students learn to resolve practical problems and manage legal risk in situations in the future that cannot fully be predicted, and to give students critical insights into how to recognize and cope with the very difficult problems of cyber law."

- Benjamin Wright

"[Ben is] very knowledgeable and has given me lots of food for thought." - Jerry Sherman, Cummins, Inc.


Ben Wright's insight into legal issues and teaching style makes this potentially dry material exciting. His stories and examples add to the printed material.
Karl Kurrie
Golf Savings Bank
This course was an eye opener to the various legal issues in data security. Practices I will use when back in office.
Albertus Wilson
Saudi Aramco Guard
Coming from an intense IT operations background, it was extremely valuable to receive an understanding of my security role from a legal point of view.
John Ochman
Becton, Dickinson and Company

    Register for LEG523