Three reasons investigators should take the Law of Data Security and Investigations (SANS Legal 523 course)

I have the honor of teaching a 5-day course at the SANS Institute: "Law of Data Security and Investigations" (SANS Legal 523).

The course is an intensive bootcamp on how to manage risk in cyber law, including GDPR, privacy, contracts, data breaches, forensic investigations and other kinds of cyber attacks. It emphasizes the careful selection of words -- in reports, policies, contracts, answers to infosec questionnaires and the like -- to achieve a better outcome from a legal controversy.

An important audience for the course is the cyber investigator, including an incident responder, a penetration tester and a digital forensic expert.

Here are three reasons investigators should take the course.

1. To understand the unpredictable ways your evidence might be used in law.

Cyber investigators are busy these days. There is so much evidence to collect and evaluate from computers, the cloud, mobile devices and so on. Many investigators lack training to help them understand all they different ways their evidence might be used, such as in civil or criminal court, in arbitration, in contract disputes, in business negotiation and in internal decision-making. When investigators learn to see how many different (and unpredictable) ways their evidence might be used, they will follow different procedures and prepare better reports.

2. To learn how to promote yourself as a professional skeptic.

The course teaches that it is very common for cyber evidence to be misinterpreted. Cyber investigators can reduce misinterpretation by learning to be professional skeptics about evidence. They learn how to avoid jumping to conclusions about evidence and thereby help others, such as their management, to make better legal decisions about the evidence. The course teaches specific techniques for exercising and promoting professional skepticism.

3. To obtain GLEG certification that burnishes your credentials.

Like other leading SANS courses, Legal 523 comes with a GIAC exam. If a student passes the exam the are awarded the GLEG certification.

A GLEG certification can help to confirm to an employer that an investigator has completed rigorous training in the law applicable to cyber investigations. In addition, GLEG certification can inform an authority such as a judge or regulator that the investigator possesses cyberlaw qualifications.

The course is delivered in live classrooms and online.

Learning Investigation Law


Photo credit: @chrisfurtick