Get a MacBook Air, $400 Amazon Gift Card, or Take $400 Off with OnDemand Training - Learn More

Reading Room

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Sorry! The requested paper could not be found.

Legal Issues

Featuring 58 Papers as of May 22, 2019

  • Overcoming the Compliance Challenges of Biometrics Graduate Student Research
    by David Todd - May 22, 2019 

    Due to increased regulations designed to protect sensitive data such as personally identifiable information (PII) and protected health information (PHI), hospitals and other industries requiring improved data protections are starting to adopt biometrics. However, adoption has been slow within many of the industries that have suffered most of the breaches over the last several years. One reason adoption has been slow is that companies hesitate to implement biometrics across their organization without first understanding the vast complexities of the various state-by-state privacy regulations. By adopting a common biometrics compliance framework, this research will show how organizations can implement biometric solutions that comply with the overall spirit of the different state privacy and biometric regulations, enabling those companies to improve global data protections.

  • Logon Banners by Keelan Stewart - March 20, 2019 

    Logon banners have been a common feature of operating systems and applications for many years. Organizations have adopted logon banners for a myriad of purposes, from threatening unauthorized users with severe repercussions to informing employees that they should not have an expectation of privacy on workstations. The impetus for logon banners typically comes from executive leadership or the legal department, often in response to an incident or lawsuit where such a disclaimer could have aided their stance. Drafting a comprehensive logon banner is daunting, especially when assigned to an arbitrary department with an expectation of quick completion. Understanding the common elements of a logon banner and having a framework to identify requirements, select elements, and write the text allows anybody tasked with implementing a logon banner to do so correctly the first time. This paper considers laws and legal topics from the perspective of the United States and may not be applicable to other jurisdictions.

  • Tackling the Unique Digital Forensic Challenges for Law Enforcement in the Jurisdiction of the Ninth U.S. Circuit Court Graduate Student Research
    by John Garris - November 17, 2017 

    The creation of a restrictive digital evidence search protocol by the U.S. Ninth Circuit Court of Appeals - the most stringent in the United States - triggered intense legal debate and caused significant turmoil regarding digital forensics procedures and practices in law enforcement operations. Understanding the Court's legal reasoning and the U.S. Department of Justice's counter-arguments regarding this protocol is critical in appreciating how the tension between privacy concerns and the challenges to law enforcement stand at the center of this unique Information Age issue. By focusing on the Court's core assumption that the seizure and search of electronically stored information are inherently overly intrusive, digital forensics practitioners have a worthy target to focus their efforts in the advancement of digital forensics processes, procedures, techniques, and tool-sets. This paper provides an overview of various proposals, developments, and possible approaches to help address the privacy concerns central to the Court's decision, while potentially improving the overall effectiveness and efficiency of digital forensic operations in law enforcement.

  • Complying with Data Protection Law in a Changing World Analyst Paper (requires membership in community)
    by Benjamin Wright - June 27, 2017 

    Failure to meet legal and political expectations for data security can expose your enterprise to fines, lawsuits, negative publicity and regulatory investigations. These expectations are rapidly evolving across the world, making it difficult for enterprises to effectively protect their brands. This white paper reveals the major steps a large, multinational enterprise can take to assure the public, authorities and business partners that it is behaving responsibly and is on a commendable path of compliance.

  • Preparing for Compliance with the General Data Protection Regulation (GDPR) A Technology Guide for Security Practitioners Analyst Paper (requires membership in community)
    by Benjamin Wright - March 7, 2017 

    The General Data Protection Regulation (GDPR) is the latest data security legislation in the European Union. When it goes into effect, it can apply widely to various organizations, including those without a physical presence in the European Union. What does this complex regulation mean and what does your organization need to do to comply? This paper explains these as well as how to identify a Data Protection Officer and what this person needs to know to be effective. It also provides a checklist for compliance with concise, practical information your organization can begin using now.

  • Medical Data Sharing: Establishing Trust in Health Information Exchange Graduate Student Research
    by Barbara Filkins - March 1, 2017 

    Health information exchange (HIE) "allows doctors, nurses, pharmacists, other health care providers and patients to appropriately access and securely share a patient's vital medical information electronically--improving the speed, quality, safety and cost of patient care" (, 2014). The greatest gain in the use of HIE is the ability to achieve interoperability across providers that, except for the care of a given patient, are unrelated. But, by its very nature, HIE also raises concern around the protection and integrity of shared, sensitive data. Trust is a major barrier to interoperability.

  • Cyber Insurance Conundrum: Using CIS Critical Security Controls for Underwriting Cyber Risk Graduate Student Research
    by Oleg Bogomolniy - February 1, 2017 

    There has been a number of insurance industry- related research done to define new cyber security frameworks to help insurers underwrite cyber risk. This research includes copula-based actuarial models for pricing cyber insurance based on the number of computers; using peaks-over-threshold method (from extreme value theory) to identifying "cyber risks of daily life"; using Principal-Agent model (from microeconomic theory); creating methodology for common cyber risk categorization; modeling cyber risk based on operational risk, and more. However, there has been little to no input or research into cyber insurance related topics from cyber security experts. The purpose of this exploratory study is to propose the integration of a risk framework for underwriting cyber risk. This paper will analyze how CIS Critical Security Controls, along with its accompanying quantified metrics, benchmarking, and auditing tools can be used as a rating mechanism for determining the cybersecurity posture of insured organizations. Furthermore, such mechanism can be perpetually used for either self-assessments by insured organizations, or by independent qualified security assessors.

  • Minimizing Legal Risk When Using Cybersecurity Scanning Tools by John Dittmer - January 19, 2017 

    When cybersecurity professionals use scanning tools on the networks and devices of organizations, there can be legal risks that need to be managed by individuals and enterprises. Often, scanning tools are used to measure compliance with cybersecurity policies and laws, so they must be used with due care. There are protocols that should be followed to ensure proper use of the scanning tools to prevent interference with normal network or system operations and to ensure the accuracy of the scanning results. Several challenges will be examined in depth, such as, measuring for scanner accuracy, proper methods of obtaining written consent for scanning, and how to set up a scanning session for optimum examination of systems or networks. This paper will provide cybersecurity professionals and managers with a better understanding of how and when to use the scanning tools while minimizing the legal risk to themselves and their enterprises.

  • Legal Considerations When Creating an Incident Response Plan by Bryan Chou - December 22, 2016 

    Creating a cybersecurity incident response plan (CSIRP) is basic requirements of any security program. CSIRPs generally follow the six phases of the incident response process (preparation, identification, containment, eradication, recovery, and lessons learned) or some derivation of those steps (Kral, 2011). Once a security event begins, the cybersecurity incident response team (CSIRT) is focused on identification, containment, eradication, and recovery.. In other words, they are trying to get operations back to normal. The preparation phase is the time to thoughtfully consider and research the legal decisions required during a security event. Legal considerations to include in the CSIRP include the pertinent laws and regulations, what to do if prosecution is a possibility, and maintaining attorney-client privilege.

  • Next Generation of Privacy in Europe and the Impact on Information Security: Complying with the GDPR Graduate Student Research
    by Edward Yuwono - December 5, 2016 

    Human rights have a strong place within Europe, part of this includes the fundamental right to privacy. Over the years, individual privacy has strengthened through various European directives. With the evolution of privacy continuing in Europe through the release of the General Data Protection Regulation (GDPR), how will the latest iteration of European Union (EU) regulation affect organisations and what will information security leaders need to do to meet this change? This paper will explore the evolution of privacy in Europe, the objectives and changes this iteration of EU privacy regulation will provide, what challenges organisations will experience, and how information security could be leveraged to satisfy the regulation.

  • Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey Analyst Paper (requires membership in community)
    by Barbara Filkins - June 20, 2016 

    Results of this survey, conducted in conjunction with Advisen, Ltd., make it clear that the effort to achieve a common understanding of cyber insurance and derive value from it will require focused attention from all sides. This study also sets a direction toward a common, achievable goal: reducing the risk of financial loss from a cyber incident. The gaps identified in this survey come together to form the building blocks needed to achieve this goal.

  • Legal Aspects of Privacy and Security: A Case- Study of Apple versus FBI Arguments Graduate Student Research
    by Muzamil Riffat - June 3, 2016 

    The debate regarding privacy versus security has been going on for some time now.

  • BitTorrent & Digital Contraband Graduate Student Research
    by Kenneth Hartman - April 13, 2016 

    BitTorrent is a popular peer-to-peer file transfer program that allows participants in a swarm to exchange pieces with each other during the downloading process.

  • Finding the Fine Line – Taking an Active Defense Posture in Cyberspace without Breaking the Law or Ruining an Enterprise’s Reputation Graduate Student Research
    by Christopher Jarko - March 10, 2016 

    The issues discussed in this paper will include the legal and ethical questions raised by the use of active defense to protect computer networks.

  • E-Discovery Operations: Tactical considerations for defensible eDiscovery by Thomas Vines - March 8, 2016 

    The tactical processes necessary to comply with an increasingly demanding US Federal court introduce a new level of complexity to the modern business.

  • Email Acceptable Use: Balancing the Needs of the Organization and the Need to Comply with National Labor Relations Board Rulings Graduate Student Research
    by Paul Hershberger - October 26, 2015 

    Organizations strive to enact policies that protect intellectual property, including the reputation of their brand, and support a productive work environment, while at the same time respecting employee privacy and freedom of expression. Despite good intentions, organizations sometimes discover that their existing policies suddenly conflict with the legal system. Unexpected legal rulings can arise as authorities assess how technology changes the workplace. What is acceptable policy within an organization one day may be in violation of law the next. This paper examines National Labor Relations Board (NLRB) rulings regarding the use of email by employees for protected purposes such as union organizing and then presents an analysis of the implications of those rulings. Suggestions as to how policies and practices must evolve to meet the needs of the organization are made, while also complying with the NLRB's interpretation of employment law.

  • What Companies need to consider for e-Discovery by Thomas Vines - August 24, 2015 

    Within the legal environment, Discovery is the process of identifying, locating, preserving, securing, collecting, preparing, reviewing, and producing facts, information, and materials for the purpose of producing/obtaining evidence for utilization in the legal process. Electronic Discovery (e-Discovery) is an extension of these processes into the digital environment and Electronically Stored Information (ESI). Legal departments are ill-prepared to deal with the digital environment of a business. Increasingly they are turning to the company’s Information Technology (IT) department in order to identify, locate, preserve, and collect ESI. This is not break/fix work that is typical in IT operations. This is a new area of Data Governance and Records Information Management. This paper explores the relationships between Executive Management, Legal, Risk Management, IT, and Security in fulfilling the demands and obligations for defensible e-Discovery. This analysis includes a discussion of the Electronic Discovery Reference Model (ERDM) and its integration with Information Governance Reference Model (IGRM).

  • A Concise Guide to Various Australian Laws Related to Privacy and Cybersecurity Domains by Babu Veerappa Srinivas - July 6, 2015 

    There are many laws in Australia related to privacy and cyber security domains. In this paper, the author intends to collate the current laws related to privacy and cyber security domains so that interested readers could get relevant information specific to Australia in one concise document. Additionally, there are no industry specific acts or regulations like HIPAA, SOX or GLBA. Because of this, some organizations do not know their obligations in relation to these laws. This paper presents research on the current applicable cyber security related laws, Acts and regulations published by the Federal and State Governments, established relationship with other applicable Acts, performed a gap assessment and identified relevant industry frameworks that can be adopted as best practices. For ease of future research, the source of these current artefacts and database are cited for throughout the document. Disclaimer: Contents of this document must not be construed as legal advice. Readers are encouraged to seek legal advice prior to consideration.

  • eAUDIT: Designing a generic tool to review entitlements Graduate Student Research
    by Francois Begin - June 22, 2015 

    In a perfect world, identity and access management would be handled in a fully automated way.

  • Evidence Collection From Social Media Sites by Keil Hubert - December 2, 2014 

    Original content written and posted by an individual to a social media site may identify or substantiate an employee's misconduct, whether their own or misconduct by a fellow employee. Capturing evidence from social media sites can significantly support the evidence gathered from other sources (e.g., text messages, e-mails, etc.) in the construction of an event timeline. Proper capture, handling, and presentation of evidence from social media sites will help the investigator explain what happened to upper management, to legal, and to law enforcement agencies.

  • Next Generation Firewalls and Employee Privacy in the Global Enterprise Graduate Student Research
    by Ryan Firth - September 30, 2014 

    An obligation to protect company resources is something nearly every organization tries to instill in their staff.

  • A Model for Licensing IT Security Graduate Student Research
    by Mason Pokladnik - August 6, 2013 

    In 2009, the United States' Senate considered legislation that would require the Department of Commerce to create a national licensing, certification and recertification program for information security professionals (Rockefeller, 2009).

  • Legal Issues within Corporate "Bring Your Own Device" Programs by Robert J. Mavretich - December 26, 2012 

    As corporate finance departments look for ways to decrease costs, their eyes and pencils invariably wander to the Information Technology department.

  • Cloud Computing - Maze in the Haze by Godha Iyengar - October 18, 2011 

    In recent days, “Cloud Computing” has become a great topic of debate in the IT field. Clouds, like solar panels, appear intriguingly simple at first but the details turn out to be more complex than simple pictures and schematics suggest.

  • Solution Architecture for Cyber Deterrence by Thomas Mowbray - April 29, 2010 

    The mission of cyber deterrence is to prevent an enemy from conducting future attacks by changing their minds, by attacking their technology, or by more palpable means. This definition is derived from influential policy papers including Libicki (2009), Beidleman (2009), Alexander (2007), and Kugler (2009). The goal of cyber deterrence is to deny enemies “freedom of action in cyberspace” (Alexander, 2007). In response to a cyber attack, retaliation is possible, but is not limited to the cyber domain. For example, in the late 90’s the Russian government declared that it could respond to a cyber attack with any of its strategic weapons, including nuclear (Libicki, 2009). McAfee estimates that about 120 countries are using the Internet for state-sponsored information operations, primarily espionage (McAfee, 2009).

  • IT Guidance to the Legal Team Graduate Student Research
    by Brad Ruppert - March 8, 2010 

    Technology can be a great tool to simplify a process or increase the output of existing processes. Despite this, Information Technology (IT) teams must be cautious when implementing new technology into their environment because this can also increase their liability of information retrieval if a lawsuit is filed against them. Rarely if ever is an enterprise application, such as e-discovery software, ready to go out of the box. Most enterprise applications of scale require months of planning, negotiations, architecture discussions, engineering consultation, cross-divisional resource allocation, and process redesign to accommodate the software. Information security and IT teams, knowledgeable of this fact should interface with their legal teams prior to ideation of implementing an enterprise e-discovery tool. Just having a tool and not a defined process to effectively manage, correlate, extract, and secure subpoenaed data can leave a company exposed to multiple financial and legal repercussions. An example of this was seen with the case of Morgan Stanley vs. Ronald Perelman where “Morgan Stanley was hit with a $1.75 billion jury verdict, which hinged primarily on the company’s lax e-discovery procedures.” (Cummings, 2007)

  • Electronic Contracting In An Insecure World Graduate Student Research
    by Craig Wright - February 1, 2008 

    The paper covers the legal aspects of electronic contracts and the technologies that aid in the creation and preservation of these instruments and the implications associated with online contractual dealings and the issues that have created these uncertainties. It closes by addressing the issues with digital signatures and repudiation concerning online transactions.

  • CyberLaw 101: A primer on US laws related to honeypot deployments Graduate Student Research
    by Jerome Radcliffe - March 16, 2007 

    A Honeypot is defined as an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system.

  • Information Security and Section 404 of the Sarbanes-Oxley Act by Reed Warner - May 5, 2005 

    In response to the corporate accounting scandals of 2001 the Public Company Accounting and Investor Protection Act of 2002 was passed.

  • The Outsourced Productivity Information Security Risk by Eric Mittler - March 9, 2005 

    Many of your data protection security controls will be by-passed by your vendors if they feel pressured to do so by employees at your company, unless you specifically mitigate this risk.

  • Hearsay and Evidence in the Computer Emergency Response Team (CERT) by Susan Sherman - January 28, 2005 

    The Computer Emergency Response Team (CERT) is responsible for computer related information incident handling within a specific government Agency. Part of that mission is the inherent issue to provide support to law enforcement officials. CERT must provide evidence to those that are going to complete the law enforcement effort of an incident.

  • Ethics in the IT Community by Anthony Bundschuh - January 22, 2005 

    This paper is an overview of the current state of ethics in the IT community. It describes the current state of ethics in IT, identifies the major areas of concern for the IT community, and discusses the relationships an IT professional will face, and the conflicts that may jeopardize those relationships.

  • The Requirements of FDA's 21 CFR Part 11 and Software Programs That Meet the Requirements by Kristine Safi - January 19, 2005 

    With the increased use of electronic records in the Biotechnology Industry, there became a need for requirements to address data security, data integrity and traceability of this data. In response to this need, the Food and Drug Administration (FDA) published a regulation called 21 CFR Part 11, in August of 1997.

  • Federal Computer Crime Laws by Maxim May - August 15, 2004 

    The Internet has been a boon to business, science, education and just about any field you can think of, including crime. Just like every human invention, Internet has two sides to it, on the one hand it allows businesses to be more productive and scientists to share research data almost instantaneously, on the other hand it grants criminals an additional tool to commit crimes and get away with it.

  • An Overview of Sarbanes-Oxley for the Information Security Professional by Gregg Stults - July 25, 2004 

    The Sarbanes-Oxley Act of 2002 has dramatically affected overall awareness and management of internal controls in public corporations. Responsibility for accurate financial reporting has landed squarely on the shoulders of senior management, including the potential for personal criminal liability for CEOs and CFOs.

  • Offshore Outsourcing and Information Confidentiality by Mark Lum - July 25, 2004 

    While recent news headlines of the past few months have focused on the controversial topic of offshore outsourcing of jobs from the United States to countries such as India, China, and Mexico, other headlines, relating to some of the effects of this phenomenon, have exposed problematic consequences and outcomes.

  • Cyber Risk Insurance by Denis Drouin - June 9, 2004 

    Technology has continued to astound the world's electronic culture by reacting with the use of mechanisms to defend and protect against the unknown. Cyber insurance has been one of those phenomenons that has experienced many challenges and at the same time mutated into a more complex tool to protect companies.

  • The Role of IT Security in Sarbanes-Oxley Compliance by Mary Fleming - April 8, 2004 

    This document will summarize the requirements of Sarbanes-Oxley as they apply to IT and define the controls IT must be concerned with in the certification process. This document pertains only to the role of IT and IT security in Sarbanes-Oxley controls compliance; other company departments - accounting, finance, human resources, etc., may be subject to controls not covered herein.

  • U.S. Government IT Security Laws by Trevor Burke - January 11, 2004 

    This document will serve as a guide to those new to federal IT law and address the above four issues, outline the guidelines and steps to ensure successful C&A as designed by NIST, and subsequently address lessons learned from trying to comply with FISMA.

  • Issues in Protecting Our Critical Infrastructure by William Nance - June 2, 2003 

    The Internet has brought many important changes to the way we do business, both in the public and private sectors. We can use it to instantly communicate with others across the country, conduct business meetings, or control equipment in remote locations.

  • E-mail Communication with Patients in the Wake of the HIPAA Final Security Rule by Dennis Schmidt - May 30, 2003 

    This paper will explore the issues that the HIPAA regulations raise with doctor/patient e-mail communications and will discuss some possible solutions.

  • What is the Federal Government Doing to Improve the State of Information Security? by Jason Hiney - April 4, 2003 

    The objective of this paper is to take a broad look at recent Government actions improve the state of information security in the United States and prevent such problems.

  • Running an IT Investigation in the Corporate Environment by Carl Endorf - February 17, 2003 

    This paper describes the issues that are involved in conducting an IT investigation of an incident in a corporate environment.

  • Preparing for HIPAA: Privacy and Security Issues to be Considered by Sherry Fischer - February 9, 2003 

    The Health Insurance Portability and Accountability Act (HIPAA) is imposing privacy and security regulations on health plans, health care clearinghouses, and health care providers.

  • Financial Institutions Required To Do Their Part To Fight Crime by Terry Ritter - February 9, 2003 

    This paper will briefly explain how the U.S. Patriot Act legislation came into existence, but its main focus will be to outline the requirements of the recently proposed Section 326 "Customer Identification Program.

  • An Uneven Playing Field: The Advantages of the Cyber Criminal vs. Law Enforcement-and Some Practical by Torri Piper - September 10, 2002 

    This paper offers some observations of the disparities between the criminals manipulating digital data and law enforcement chasing after them; and tenders some suggestions in an effort to even the playing field.

  • The Legal System and Ethics in Information Security by Amit Philip - July 15, 2002 

    A discussion of the issues faced by the legal system in keeping up with the fast paced development of technology and the ways in which the current laws can help, as well as the role that ethics have to play in the world of computer security.

  • Laws of Canada as they Pertain to Computer Crime by Donna Simmons - May 2, 2002 

    This paper examines the existing laws in the Criminal Code of Canada as they pertain to computer crime.

  • Dangerous Technology: Management Beware by Brent McKinley - March 27, 2002 

    The purpose of this paper is to inform management and upper level administration of the legal liabilities and loss of productivity due to the inappropriate use of the Internet, email, interconnected computer systems and pirated software.

  • The 2001 Patriot Act and Its Implications for the IT Security Professional by Oscar Peterson - February 16, 2002 

    This paper will focus on IT related issues encompassed by the USAPA in general as well as possible actions that could be expected of the IT Security Professional.

  • HIPAA Compliance: Cost-Effective Solutions for the Technical Security Regulations by Tautra Romig - November 21, 2001 

    While HIPAA is comprised of many different regulations, the objective of this document is to suggest cost-effective solutions to the proposed Technical Security Mechanisms regulation.

  • The Ethics and Legality of Port Scanning by Shaun Jamieson - October 8, 2001 

    This paper will define and outline the process of port scanning, discuss ethical and legal issues surrounding port scanning, and assert the importance of strictly defining scanning in an organization's policy.

  • The Art of Enforcement by Jeff Neithercutt - September 28, 2001 

    The careful planning, integration, training, and support of a multi-disciplined group of Incident Responders will continue to be, for most corporations, the last line of defense against computer crimes; and, the better their relationship with the Local, State, and Federal Agencies they work with, the better the success of both their proactive and reactive activities.

  • Malaysian Law and Computer Crime by Wong Yew - August 8, 2001 

    This paper attempts to describe the Malaysian Computer Crimes Act 1997 (CCA 1997) and provide important guidelines for a successful computer crime investigation.

  • System Security and Your Responsibilities: Minimizing Your Liability by Gary Holtz - July 23, 2001 

    A discussion of security policy and procedures, with attention to minimizing liability in the event of computer or network security incidents.

  • A Context-Based Access Control Model for HIPAA Privacy and Security Compliance by Harry Smith - July 18, 2001 

    This paper proposes a new approach to meeting much of the burden imposed by the HIPAA privacy and security requirements

  • Big Brother at the Office: Friend or Foe? by Clint Satterwhite - July 13, 2001 

    This paper outlines most of the issues regarding monitoring of employee workplace computer use and attempts to present an objective presentation of the information from both the employee and employer's perspectives.

  • South Africa - Computer Misuse Act, Proposed by Michael Masters - June 14, 2001 

    This paper looks at this proposed act as well as its application in today's computer environment.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.