Train From Home with Top Cybersecurity Experts, Hands On Labs and 4 Months Access to Content - OnDemand

Network Security 2018

Las Vegas, NV | Sun, Sep 23 - Sun, Sep 30, 2018
This event is over,
but there are more training opportunities.

LEG523: Law of Data Security and Investigations

Sun, September 23 - Thu, September 27, 2018

  • GLEG
  • 30 CPEs
  • Laptop Not Needed

Before developing any Incident Response or investigation process this class is a must. Ben does a great job getting into the heads of lawyers.

Eliot Irons, Solutionary

I wish I'd taken this course 3-4 years ago. Much of the policy and goverance weve been doing wouldhave been enhanced.

Tom Siu, CWRU

* New: Sample contract clauses requiring cyber security for the Danish government, consistent with GDPR

* New: Court decision shows how to improve an official investigation using artificial intelligence.

* Taken as a whole, the course constitutes unique and indispensable training for GDPR Data Protection Officers.

* New: Form contract for inviting outside incident responders - including police, contractors, National Guard, or civil defense agency anywhere in the world - to help with a cyber crisis.

* New: EU's new General Data Protection Regulation and its impact around the world.

New law on privacy, e-discovery and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the cyber security team. SANS LEG523 provides this unique professional training, including skills in the analysis and use of contracts, policies and insurance security questionnaires.

This course covers the law of fraud, crime, policy, contracts, liability, IT security and active defense - all with a focus on electronically stored and transmitted records. It also teaches investigators how to prepare credible, defensible reports, whether for cyber crimes, forensics, incident response, human resource issues or other investigations.

GIAC certification through LEG523 demonstrates to employers that you not only attended classes, but studied and absorbed the sophisticated content of this course. Certification distinguishes any professional - whether an IT expert, auditor, lawyer, or forensics expert. The value of certification will only grow in the years to come as law and security issues become even more interconnected.

The course also provides training and continuing education for many compliance programs under information security and privacy mandates such as GLBA, HIPAA, FISMA, and PCI-DSS. In addition, LEG523 is associated with the coveted GLEG certification, which strengthens the credibility of forensics investigators as witnesses in court and can help a forensics consultant win more business.


Each successive day of this five-day course builds upon lessons from the earlier days in order to comprehensively strengthen your ability to help your enterprise (public or private sector) cope with illegal hackers, botnets, malware, phishing, unruly vendors, data leakage, industrial spies, rogue or uncooperative employees, or bad publicity connected with IT security. We will cover breaking stories ranging from Home Depot's legal and public statements about payment card breach to the lawsuit by credit card issuers against Target's QSA and security vendor, Trustwave.

Recent updates to the course address hot topics such as legal tips on confiscating and interrogating mobile devices, the retention of business records connected with cloud computing and social networks like Facebook and Twitter, and analysis and response to the risks and opportunities surrounding open-source intelligence gathering.

Over the years this course has adopted an increasingly global perspective. Non-US professionals attend LEG523 because there is no training like it anywhere else in the world. For example, a lawyer from the national tax authority in an African country took the course because electronic filings, evidence and investigations have become so important to her work. International students help the instructor, U.S. attorney Benjamin Wright, constantly revise the course and include more content that crosses borders.

You Will Learn:

  • How to choose words for better legal results in policies, contracts and incidents.
  • How to implement processes that yield defensible policies on security, e-records and investigations.
  • How to reduce risk in a world of vague laws on cyber crime and technology compliance.
  • How to carry out investigations so that they will be judged as ethical and credible.
  • How to persuade authorities that you and your organization responded responsibly to information security, privacy and forensic challenges.


Course Syllabus

Benjamin Wright
Sun Sep 23rd, 2018
9:00 AM - 5:00 PM


The first day is an introduction to law and IT that serves as the foundation for discussions during the rest of the course. We survey the general legal issues that must be addressed in establishing best information security practices, then canvass the many new laws on data security and evaluate information security as a field of growing legal controversy. We will cover computer crime and intellectual property laws when a network is compromised, as well as emerging topics such as honeypots. We will look at the impact of future technologies on law and investigations in order to help students factor in legal concerns when they draft enterprise IT security policies. For example, students will debate what the words of an enterprise policy would mean in a courtroom. The course also dives deep into the legal question of what constitutes a "breach of data security" for purposes of notifying others about it or for other purposes. The course includes a case study on the drafting of policy to comply with the Payment Card Industry Data Security Standard (PCI). Students learn how to choose words more carefully and accurately when responding to cyber security questionnaires from regulators, cyber insurers and corporate customers.

CPE/CMU Credits: 6

Benjamin Wright
Mon Sep 24th, 2018
9:00 AM - 5:00 PM


IT professionals can advance their careers by upgrading their expertise in the hot fields of e-discovery and cyber investigations. Critical facets of those fields come forward in course day two. We will focus on the use of computer records in disputes and litigation, with a view to teaching students how to manage requests to turn over e-records to adversaries (i.e. e-discovery), how to manage implementation of a "legal hold" over some records to prevent their destruction, and how to coordinate with legal counsel to develop workable strategies to legal challenges.

Transactions that used to be conducted on paper are now done electronically, so commercial law now applies to computer security. The IT function within an enterprise has become the custodian of an enterprise's business records. You will learn how to craft sound policy for the retention and destruction of electronic records like email, text messages, and social networking interactions. We will provide methods for balancing the competing interests in electronic records management, including costs, risks, security, regulations and user cooperation.

Law and technology are changing quickly, and it is impossible for professionals to comprehend all the laws that apply to their work. But they can comprehend overarching trends in law, and they can possess a mindset for finding solutions to legal problems. A key goal of this course day is to equip students with the analytical skills and tools to address technology law issues as they arise, both in the United States and around the world. Special attention is devoted to European data protection laws. See white paper by Mr. Wright on the European Union's new General Data Protection Regulation (GDPR).

The course is chock full of actual court case studies dealing with privacy, computer records, digital evidence, electronic contracts, regulatory investigations, and liability for shortfalls in security. The purpose of the case studies is to draw practical lessons that students can take back to their jobs.

CPE/CMU Credits: 6

Benjamin Wright
Tue Sep 25th, 2018
9:00 AM - 5:00 PM


Day three focuses on the essentials of contract law sensitive to the current legislative requirements for security. Compliance with many of the new data security laws requires contracts. Because IT pulls together the products and services of many vendors, consultants, and outsourcers, enterprises need appropriate contracts to comply with Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, EU Data Directive, data breach notice laws and other regulations.

The course provides practical steps and tools that students can apply to their enterprises and includes a lab on writing contract-related documents relevant to the students' professional responsibilities. (The lab is an optional, informal "office hours" discussion with the instructor at the end of the day when the course is delivered live.) You will learn the language of common IT contract clauses and the issues surrounding those clauses, and become familiar with specific legal cases that show how different disputes have been resolved in litigation.

Recognizing that enterprises today operate increasingly on a global basis, the course teaches cases and contract drafting styles applicable to a multinational setting.

Contracts covered include agreements for software, consulting, nondisclosure, application services, penetration testing, and private investigation services. Special emphasis is applied to cloud computing issues. Students will also learn how to exploit the surprising power of informal contract records and communications.

CPE/CMU Credits: 6

Benjamin Wright
Wed Sep 26th, 2018
9:00 AM - 5:00 PM


Information security professionals and cyber investigators operate in a world of ambiguity, rapid change, and legal uncertainty. To address these challenges, this course day presents methods to analyze a situation and then act in a way that is ethical and defensible and reduces risk. Lessons will be invaluable to the effective and credible execution of any kind of investigation, be it internal, government, consultant, security incident, or any other. The lessons also include methods and justifications for maintaining the confidentiality of an investigation.

The course surveys white-collar fraud and other misbehaviors with an emphasis on the role of technology in the commission and prevention of that fraud. It teaches IT managers practical and case-study-driven lessons about the monitoring of employees and employee privacy.

IT is often expected to "comply" with many mandates, whether stated in regulations, contracts, internal policies or industry standards (such as PCI-DSS). This course teaches many broadly applicable techniques to help technical professionals establish that they and their organizations are in fact in compliance, or to reduce risk if they are not in perfect compliance. The course draws lessons from models such as the Sarbanes-Oxley Act.

As IT security professionals take on more responsibility for controls throughout an enterprise, it is natural that they worry about fraud, which becomes a new part of their domain. This day covers what fraud is, where it occurs, what the law says about it and how it can be avoided and remedied. Indeed, the primary objective of Sarbanes-Oxley is not to keep hackers out; it is to snuff out fraud inside the enterprise.

Scattered through the course are numerous descriptions of actual fraud cases involving technology. The purpose is to acquaint the student with the range of modern business crimes, whether committed by executives, employees, suppliers or whole companies. More importantly, the course draws on the law of fraud and corporate misconduct to teach larger and broader lessons about legal compliance, ethical hacking and proper professional conduct in difficult case scenarios.

Further, the course teaches how to conduct forensics investigations involving social, mobile and other electronic media. Students learn how to improve the assessment and interpretation of digital evidence, such as evidence of a breach or other cyber event.

CPE/CMU Credits: 6

Benjamin Wright
Thu Sep 27th, 2018
9:00 AM - 5:00 PM


Knowing some rules of law is not the same as knowing how to deal strategically with real-world legal problems. This day is organized around extended case studies in security law: break-ins, investigations, piracy, extortion, rootkits, phishing, botnets, espionage and defamation. The studies lay out the chronology of events and critique what the good guys did right and what they did wrong. The goal is to learn to apply principles and skills to address incidents in your day-to-day work.

The course includes an in-depth review of legal responses to the major security breaches at TJX, Target, and Home Depot, and looks at how to develop a Bring Your Own Device (BYOD) policy for an enterprise and its employees.

The skills learned are a form of crisis management, with a focus on how your enterprise will be judged in a courtroom, by a regulatory agency, or in a contract relationship. Emphasis will be on how to present your side of a story to others, such as law enforcement, Internet gatekeepers, or the public at large, so that a security incident does not turn into a legal fiasco.

In addition to case studies, the core material will include tutorials on relevant legislation and judicial decisions in such areas as privacy, negligence, contracts, e-investigations, computer crime and offensive countermeasures.

LEG523 is increasingly global in its coverage, so although this course day centers around U.S. law, non-U.S. law and the roles of government authorities outside the United States will be examined, as well.

New for live delivery as of April 2017: At the end of this course section, the instructor will discuss a few sample questions to help students prepare for the GIAC exam associated with this course (GLEG).

CPE/CMU Credits: 6

Additional Information

  • Investigators
  • Security and IT professionals
  • Lawyers
  • Paralegals
  • Auditors
  • Accountants
  • Technology managers
  • Vendors
  • Compliance officers
  • Law enforcement personnel
  • Privacy officers
  • Penetration testers
  • Cyber incident and emergency responders around the world (including private sector, law enforcement, national guard, civil defense and the like)
Other Courses People Have Taken

LEG523 complements SANS' rigorous digital forensics program. This course and the SANS digital forensics curriculum provide professional investigators an unparalleled suite of training resources.

  • Course books with extensive notes and citations.
  • Sample policy templates on topics such as email record retention, bring your own device (BYOD), and the use of company-owned-personal-enabled devices.
  • Sample contract language, such as text for a non-disclosure agreement.
  • MP3 audio files of the complete course lecture.
  • Work better with other professionals at your organization who make decisions about the law of data security and investigations.
  • Exercise better judgment on how to comply with technology regulations, both in the United States and in other countries.
  • Evaluate the role and meaning of contracts for technology, including services, software and outsourcing.
  • Help your organization better explain its conduct to the public and to legal authorities.
  • Anticipate technology law risks before they get out of control.
  • Implement practical steps to cope with technology law risk.
  • Better explain to executives what your organization should do to comply with information security and privacy law.
  • Better evaluate technologies, such as digital signatures, to comply with the law and serve as evidence.
  • Make better use of electronic contracting techniques to get the best terms and conditions.
  • Exercise critical thinking to understand the practical implications of technology laws and industry standards (such as the Payment Card Industry Data Security Standard).

This course is an intensive legal education experience, supported with extensive written notes and citations. Lawyers from all over the world take this course. It is developed and taught by an experienced lawyer, Benjamin Wright, member of the Texas Bar Association.

American lawyers have applied for and received participatory continuing legal education credit for attending the in-person version of the course. Your ability to get credit depends on the rules of your state or jurisdiction.

Update: In 2017 the course was accredited under the Colorado Bar Association. Some states will grant credit based on reciprocity from another state like Colorado.

If you wish to discuss CLE credit, you are welcome to contact Mr. Wright at (put "SANS" in the subject line).

"LEG523 provides a great foundation and introduction into the legal issues involving cybersecurity." - Tracey Kinslow, TN Air National Guard

"The best guy in the country on these issues is Ben Wright." - Stephen H. Chapman, Principal and CEO, Security Advisers, LLC

"Ben Wright's insight into legal issues and teaching style makes this potentially dry material exciting. His stories and examples add to the printed material." - Karl Kurrle, Golf Savings Bank

"This course was an eye opener to the various legal issues in data security. Practices I will use when back in office." - Albertus Wilson, Saudi Aramco Guard

"Coming from an intense IT operations background, it was extremely valuable to receive an understanding of my security role from a legal point of view." - John Ochman, BD

Read what Mr. Wright and students say about the course.

Learn more about LEG523 from the author:

Check out the author's podcast:

Interested in the GLEG certification? Find out the benefits here:

Author Statement

LEG523 includes five intense days that cover the rapid development of law at the intersection of IT and security. Be prepared for insights and tips you have not heard before. The course teaches many non-obvious ideas and lessons, and it can take time for those ideas and lessons to develop fully. I try to enable professionals to change the way they think about law and the way they think about technology. My goal is to help students learn to resolve practical problems and manage legal risk in situations in the future that cannot fully be predicted, and to give students critical insights into how to recognize and cope with the very difficult problems of cyber law.

- Benjamin Wright