How to Comply with Data Laws | Standard of Behavior

I am often skeptical of enterprise policies that say the enterprise “must” or “will” do something relative to data, whether it be securing the data, retaining it or managing it in an investigation, such as an e-discovery probe in litigation.  I have explained my skepticism, and I have argued that often the better thing to say is that the enterprise will “strive” to do something about data rather than it “must” or “will” do something.

This argument . . . this lesson  . . . is central to the Legal 523 course (Law of Data Security and Investigations) I teach for the SANS Institute.
Standard of Performance

Student Feedback

Regarding this lesson, I got feedback from a student.  The student is an IT manager at a municipality.  He took my Legal 523 course in 2011.  Then I saw him at the SANS conference in Las Vegas 2012.

The student approached me and said he was so glad he took the course when he did.  In the past year he has been deeply engaged in eDiscovery on account of a rash of lawsuits filed against his municipality.  He has been working with outside litigation counsel to respond to many eDiscovery requests, where he leads the technical effort to compile email and other e-records in compliance with the requests.

He told me the Legal 523 course prepared him for understanding eDiscovery and coordinating with lawyers who are not technical experts.

Strive to Comply

In particular, he recounted an episode in which he was working with counsel to comply with an especially demanding eDiscovery requirement.  Technically speaking, compliance was going to be difficult within the time frame set by a judge.  He and the lawyers were brainstorming about what to say to the judge about compliance.

My former student then suggested that they tell the judge the municipality would “strive” to comply.  He said, “The lawyers loved it!”  They loved the word strive.  He smiled from ear to ear when he told me the story.  He was so pleased that, thanks to the course he took, he knew the best way to state a responsible standard of compliance in the tumultuous world of data law.

He knew how to talk data law better than the lawyers did. ;-)