SANS Institute's Legal 523 Course
A prospective student asked: "I'm very interested in attending your SANS course. I'm working on a consulting gig that heavily references international HR / employee data (personal info, training info, health info, etc.) and am interested to know if you will cover such things and (different-country-different-laws) sort of issues in the SANS course?"
The purpose of the course is not to fill students' heads with five days of facts, reciting every law in the world that touches on data privacy, security or investigations. If you survey the world looking for all those laws, you'll find that there are so many of them (and they are constantly changing) that it would be impossible to recite and compare all of those laws in a course of any duration.
|Continuing Professional |
In those five days, with this mix of intelligent people, I try to set a realistic goal: Instead of teaching and comparing every relevant law in the world, I try to teach broad, timeless principles. I aim to teach students how to think about this quickly changing field of law -- how to critically analyze the laws that apply to any given situation and how to develop practical strategies for compliance.
I emphasize techniques for staying out of trouble in this ultra-networked 21st Century, where the conflicting laws of many countries can apply all at once.
But you should not expect to walk out of the class with a recitation and country-by-country comparison of present employment data laws. Even if it were possible to give you such a thing, it would be out-of-date in a week.
Coping with Risk
My goal is to help students cope rationally with the facts that:
(1) The laws applicable to them will change;
(2) It is impossible for the students or their employers to know all of the laws that apply to them; and
(3) The law of data privacy, security and investigations abounds with unanswered questions.
These facts imply that this area of law is filled with risk. I strive to teach students how to manage legal risk, recognizing that the risk will never come close to zero.
Five days leaves a lot of time for focusing on particular issues. If the prepared material does not cover specific topics, students and I talk a lot about those topics during breaks, before class and after class. Obviously, in those five days I do not become your employer's lawyer, and I don't give specific legal opinions. But I'm pretty good at teaching students how to get more information and how to cope with it at a practical level.
Students also learn a lot from each other. When during class a student says, "I'm dealing X," it is common that some other students say they have dealt with X too. Then the students talk and exchange cards and war stories during the breaks.
Unique Professional Education
My SANS Legal 523 course is unique in the world. I know of nothing that competes with it as rigorous, practical education on the law of data privacy, security and investigations. Professionals from all over the world, including lawyers, come to take that course.
Footnote: In fact, dear reader, if you are aware of any other course in the world that compares to SANS Legal 523, I'd like to hear about it, just for the sake of knowing.