

Washington, DC | Fri, Jun 14 - Sat, Jun 22, 2013
This event is over,
but there are more training opportunities.

LEG523: Law of Data Security and Investigations

Mon, June 17 - Fri, June 21, 2013

  • GLEG
  • 30 CPEs
  • Laptop Not Needed

Before developing any Incident Response or investigation process, this class is a must. Ben does a great job getting into the heads of lawyers.

Eliot Irons, Solutionary

Coming from an intense IT operations background, it was extremely valuable to receive an understanding of my security role from a legal point of view.

John Ochman, BD

New as of Summer 2013: Legal tips on confiscating and interrogating mobile devices.

New law on privacy, e-discovery, and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the IT department. The needed professional training is uniquely available in SANS' LEG523 series of courses, including skills in the analysis and use of contracts, policies, and records management procedures.

GIAC certification under LEG523 demonstrates to employers that a professional has not only attended classes, but studied and absorbed the sophisticated content of these courses. Certification distinguishes any professional, whether an IT expert, an auditor, a paralegal, or a lawyer, and the value of certification will grow in the years to come as law and security issues become even more interlocked.

This course covers the law of business, contracts, fraud, crime, IT security, IT liability and IT policy — all with a focus on electronically stored and transmitted records. The course also teaches investigators how to prepare credible, defensible reports, whether for cyber, forensics, incident response, human resources or other investigations.

This course provides training and continuing education for many compliance programs under infosec and privacy mandates such as GLBA, HIPAA, FISMA and PCI-DSS.


  • Day 1: Fundamentals of IT Security Law and Policy
  • Day 2: E-Records, E-Discovery and Business Law
  • Day 3: Contracting for Data Security & Other Technology
  • Day 4: The Law of IT Compliance: How to Conduct Investigations
      • Lessons from day 4 will be invaluable to the effective and credible execution of any kind of investigation — internal, government, consultant, security incidents and the like. These lessons integrate with other tips on investigations introduced in other days of the LEGAL 523 course series.
  • Day 5: Applying Law to Emerging Dangers: Cyber Defense
      • In-depth review of legal response to the major security breach at TJX.
      • Learn how to incorporate effective public communications into your cyber security program.

These five days of integrated education — where each successive day builds upon lessons from the earlier day(s) — will help any enterprise (public or private sector) cope with such problems as hackers, botnets, malware, phishing, unruly vendors, data leakage, industrial spies, rogue or uncooperative employees and bad publicity connected with IT security.

Recent updates to the courses address hot topics such as risk, investigations and business records retention connected with cloud computing and social networks like Facebook and Twitter. Updates also teach students how to analyze and respond to the risks and opportunities surrounding OSINT (open source intelligence gathering).

This course adopts an increasingly global perspective. Non-US professionals attend the Legal-523 course because there is no training like it anywhere else in the world. A lawyer from a European police agency recently attended and expressed high praise for the course when it was over. Another lawyer -- from the national tax authority in an African country -- sought out the course because electronic filings, evidence and investigations have become so important to her work. Students like this European lawyer and this African lawyer help the instructor, US attorney Benjamin Wright, improve the course and include more non-US content as he constantly revises it.

The Legal 523 course is complementary to SANS' rigorous digital forensics program. Together, Legal 523 and SANS' digital forensics program provide professional investigators an unparalleled suite of training resources.

Legal 523 is tied to the coveted GLEG certification. GLEG can help a forensics investigator appear more credible as a witness in court, and help a forensics consultant win more business.


Course Syllabus

Benjamin Wright
Mon Jun 17th, 2013
9:00 AM - 5:00 PM


This course day number 1 is an introduction to Law and IT, serving as the foundation for the discussion in later course days. Students survey the general legal issues that must be addressed in establishing best InfoSec practices. This course day number 1 canvasses the many new laws on data security, and evaluates InfoSec as a field of growing legal liability. It covers computer crime and intellectual property laws when a network is compromised, as well as emerging topics like honeypots, and active defenses, i.e., enterprises hacking back against hackers. This course day considers the impact of future technologies on law and investigations. A key goal is to help professionals factor in legal concerns when they draft enterprise IT security policies.

This course day number 1 includes lessons on critical thinking about how to draft IT security policies, recognizing legal concerns. Students will debate what the words of an enterprise policy would mean in a courtroom.

This course day includes a case study on the drafting of policy to comply with the Payment Card Industry Data Security Standard (PCI).

CPE/CMU Credits: 6

Benjamin Wright
Tue Jun 18th, 2013
9:00 AM - 5:00 PM


IT professionals can advance their careers by upgrading their expertise in the hot fields of e-discovery and cyber investigations. Critical facets of those fields come forward in this course day number 2. This day number 2 emphasizes the use of computer records in disputes and litigation, with a view to teaching students how to manage requests to turn over e-records to adversaries (i.e., e-discovery), how to manage implementation of a "legal hold" over some records to prevent their destruction and how to coordinate with legal counsel to develop workable strategies to legal challenges.

Transactions that used to be conducted on paper are now done electronically, so commercial law now applies to computer security. The IT function within an enterprise has become the custodian of the enterprise's business records. This course day number 2 teaches how to craft sound policy for the retention and destruction of electronic records like email, text messages and social networking interactions. It offers methods for balancing the competing interests in electronic records management, including costs, risks, security, regulations and user cooperation.

Law and technology are changing quickly, and it is impossible for any professionals to comprehend all the laws that apply to their work. But they can comprehend the big trends in law, and they can possess a mindset for finding solutions to legal problems. A key goal of this course day 2 is to equip students with analytical skills and general tools for addressing technology law issues as they arise, both in the U.S. and around the world.

This course day number 2 is chock full of actual court case studies dealing with privacy, computer records, digital evidence, electronic contracts, regulatory investigations and liability for shortfalls in security. The purpose of the case studies is to draw practical lessons that students can take back to their jobs.

CPE/CMU Credits: 6

Benjamin Wright
Wed Jun 19th, 2013
9:00 AM - 5:00 PM


This course day number 3 is focused on the essentials of contract law sensitive to the current legislative requirements for security. Compliance with many of the new data security laws requires contracts. Because IT pulls together the products and services of many vendors, consultants and outsourcers, enterprises need appropriate contracts to comply with Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, EU Data Directive, California Senate Bill 1386 and others.

When appropriate, this course day 3 leaves the student with practical steps and tools to be applied in his or her enterprise. It includes a lab at the end of the day to help students learn about writing contract-related documents relevant to their professional responsibility. Students will learn the language of common IT contract clauses. They will learn the meaning of and issues surrounding those clauses and become familiar with specific legal cases to show how different disputes have been resolved in litigation.

Recognizing that enterprises today operate increasingly on a global basis, this course day teaches cases and contract drafting styles applicable to a multinational setting.

Contracts covered in this course day include agreements for software, consulting, non-disclosure, application services and private investigation services. Special emphasis is applied to cloud computing issues.

This course day number 3 teaches students how to exploit the surprising power of informal contract records and communications.

CPE/CMU Credits: 6

Benjamin Wright
Thu Jun 20th, 2013
9:00 AM - 5:00 PM


InfoSec professionals and cyber investigators operate in a world of ambiguity, rapid change and legal uncertainty. To address these challenges, this course day number 4 presents methods for analyzing a situation and then acting in a way that is ethical and defensible and that reduces risk.

Lessons from this course day number 4 will be invaluable to the effective and credible execution of any kind of investigation -- internal, government, consultant, security incident and the like. These lessons integrate with other tips on investigations introduced in other days of the LEGAL 523 course series.

This course day number 4 surveys white collar fraud, with an emphasis on the role of technology in the commission and prevention of that fraud. It teaches IT managers practical, case-study-driven lessons about the monitoring of employees and employee privacy.

The Sarbanes-Oxley Act, which was adopted as a reaction to the commission of fraud at Enron, forces companies to tighten all controls, top to bottom. For better internal control, companies often rely on IT. This reformation of internal control has bestowed on security and audit professionals both greater budget and greater responsibility.

As IT security professionals garner more responsibility for the controls throughout an enterprise, it is natural that they worry about fraud. Fraud starts to become a new part of their domain. Indeed, the primary objective of Sarbanes-Oxley is not to keep hackers out; it is to snuff out fraud inside the enterprise.

This course day 4 covers what fraud is, where it occurs, what the law says about it, and how it can be avoided and remedied.

Scattered through the course are numerous descriptions of actual fraud cases involving IT. The purpose is to acquaint the student with the range of modern business crimes, whether committed by executives, employees, suppliers or whole companies.

More importantly, this course day number 4 draws from the law of fraud and corporate misconduct to teach larger, general lessons about legal compliance and proper professional conduct in difficult case scenarios.

This course day 4 teaches how to conduct social media (social networking) forensics investigations.

This course day 4 trains IT administrators how to stay out of jail.

CPE/CMU Credits: 6

Benjamin Wright
Fri Jun 21st, 2013
9:00 AM - 5:00 PM


"In-depth review of legal response to the major security breach at TJX."

New as of SANSFire, July 2012: How to Develop a Bring Your Own Device (BYOD) Policy for an Enterprise and its Employees.

Knowing some rules of law is not the same as knowing how to deal strategically with real-world legal problems. This course Day Number 5 is organized around extended case studies in security law -- break-ins, investigations, piracy, extortion, rootkits, phishing, botnets, espionage, defamation. The studies lay out the chronology of events and critique what the good guys did right and what they did wrong. The goal is to learn to apply principles and skills for addressing incidents in your day-to-day work.

The skills to be learned are a form of crisis management, with focus on how your enterprise will be judged in a courtroom, a regulatory agency or a contract relationship. Emphasis will be on how to present your side of a story to others, such as law enforcement, Internet gatekeepers or the public at large, so that a security incident does not turn into a legal fiasco.

In addition to case studies, the core material in this course Day Number 5 will include tutorials on relevant legislation and judicial decisions in such areas as privacy, negligence, contracts, e-investigations and computer crime.

In part, this course Day Number 5 draws from knowledge learned in other course days in the Legal 523 series, although it is not mandatory that a student attend those course days before attending this one. To a degree this course Day Number 5 overlaps some topics covered in the Management 512 series of courses, but this course focuses on law and is developed by a lawyer.

The Legal 523 course series is increasingly global in its coverage. Although this course Day Number 5 will center around American law, non-American law and the roles of non-American government authorities will be examined as well.

CPE/CMU Credits: 6

Additional Information

"The best guy in the country on these issues is Ben Wright."

-Stephen H. Chapman, Principal and CEO, Security Advisers, LLC

"Ben's insight into legal issues and teaching style makes this potentially dry material exciting. His stories and examples add to the printed material."

-Karl Kurrle, Golf Savings Bank

  • Investigators
  • Security and IT professionals
  • Lawyers
  • Paralegals
  • Auditors
  • Accountants
  • Technology Managers
  • Vendors
  • Compliance officers
  • Law enforcement
  • Privacy Officers
  • Penetration Testers

Author Statement

These are five intense days covering the rapid development of law at the intersection of IT and security. Be prepared for insights and tips you've not heard before.

- Benjamin Wright