Law of Data Security and Investigations

New law on privacy, e-discovery and data security is creating an urgent need for professionals who can bridge the gap between the legal department and the cybersecurity team. This course provides this unique professional training, including skills in the analysis and use of contracts, policies, and records management procedures.

Course Key Learnings:

• Choose words for better legal results in policies, contracts, and incidents
• Implement processes that yield defensible policies on security, e-records, and investigations
• Reduce risk in a world of vague laws on cyber crime and technology compliance
• Carry out investigations so that they will be judged as ethical and credible
• Persuade authorities that you and your organization responded responsibly to cybersecurity, privacy, and forensic challenges.
• Negotiate business transactions in the ever-changing cyber world

Skills Gained:

• Work better with other professionals at your organization who make decisions about the law of data security and investigations
• Exercise better judgment on how to comply with privacy and technology regulations, both in the United States and in other countries
• Evaluate the role and meaning of contracts for technology, including services, software, and outsourcing
• Help your organization better explain its conduct to the public and to legal authorities
• Anticipate cyber law risks before they get out of control
• Implement practical steps to cope with technology law risk
• Better explain to executives what your organization should do to comply with information security and privacy law
• Better evaluate technologies, such as digital archives and signatures, to comply with the law and serve as evidence
• Make better use of electronic contracting techniques to get the best terms and conditions
• Exercise critical thinking to understand the practical implications of technology laws and industry standards (such as the Payment Card Industry Data Security Standard).

Course Content:

Module1: Fundamentals of Data Security Law and Policy

Overview

Section 1 is an introduction to cyber and data protection law. It serves as the foundation for discussions during the rest of the course. We will survey the general legal issues that must be addressed in establishing best information security practices, then canvass the many new laws on data security and evaluate cybersecurity as a field of growing legal controversy. The course section will cover computer crime and intellectual property laws when a network is compromised, as well as emerging topics such as honeypots. We will look at the impact of future technologies on law and investigations in order to help students factor in legal concerns when they draft enterprise data security policies. For example, students will debate what the words of an enterprise policy would mean in a courtroom. This course section also dives deep into the legal question of what constitutes a “breach of data security” for such purposes as notifying others about it. The course day includes a case study on the drafting of policy to comply with the Payment Card Industry Data Security Standard (PCI). Students will learn how to choose words more carefully and accurately when responding to cybersecurity questionnaires from regulators, cyber insurers, and corporate customers.

Module2:  E-Records, E-Discovery, and Business Law

Overview

Cybersecurity and digital forensic professionals constantly deal with records and evidence, so they need a practical understanding of e-discovery and policies on the retention and destruction of data. Section 2 of the course places great emphasis on the law of evidence and records management. It teaches the necessity to apply a “legal hold” or “litigation hold” on records when controversy emerges. It helps technical and legal professionals learn to speak the same language as they assess how to find records and possibly disclose them in litigation or investigations.

New privacy laws around the world, such as the California Consumer Privacy Act, demand that data be deleted under the so-called right-to-be-forgotten doctrine. But data deletion conflicts with other legal demands, such as the need to retain data to prove (maybe years later) that a consumer was treated fairly in a commercial transaction. Section 2 illuminates this increasingly common conflict. It teaches students how to manage the conflict within their enterprises.

Module3: Contracting for Data Security and Other Technology

Overview

Section 3 focuses on the essentials of contract law sensitive to the current requirements for security. Compliance with many of the new data security laws requires contracts. Because IT pulls together the products and services of many vendors, consultants, and outsourcers, enterprises need appropriate contracts to comply with Gramm-Leach-Bliley, HIPAA, GDPR, PCI-DSS, data breach notice laws, and other regulations.

This course section provides practical steps and tools that students can apply to their enterprises and includes a lab on writing contract-related documents relevant to the students” professional responsibilities. (The lab is an optional, informal “office hours” discussion with the instructor at the end of the day when the course is delivered live.) You will learn the language of common technology contract clauses and the issues surrounding those clauses, and become familiar with specific legal cases that show how different disputes have been resolved in litigation.

Module4:  The Law of Data Compliance: How to Conduct Investigations

Overview

Information security professionals and cyber investigators operate in a world of ambiguity, rapid change, and legal uncertainty. To address these challenges, this course section presents methods to analyze a situation and then act in a way that is ethical, defensible, and reduces risk. Lessons will be invaluable to the effective and credible execution of any kind of investigation, be it internal, government, consultant related, a security incident, or any other. The lessons also include methods and justifications for maintaining the confidentiality of an investigation, especially invocation of the doctrines of attorney-client privilege and attorney work product.

Section 4 surveys insider fraud and other misbehaviors with an emphasis on the role of technology in the commission, discovery, and prevention of that fraud. It teaches cyber managers and auditors practical and case-study-driven lessons about the monitoring of employees and employee privacy.

Module5:: Applying Law to Emerging Dangers: Cyber Defense

Overview

Knowing some rules of law is not the same as knowing how to deal strategically with real-world legal problems. Section 5 is organized around extended case studies in security law: break-ins, investigations, piracy, extortion, rootkits, phishing, botnets, espionage, and defamation. The studies lay out the chronology of events and critique what the good people did right and what they did wrong. The goal is to learn to apply principles and skills to address incidents in your day-to-day work.

The section includes an in-depth review of legal responses to the major security breaches at TJX, Target, and Home Depot, Freddie Mac, and others. It looks at how to develop a bring-your-own-device (BYOD) policy for an enterprise and its employees.

Who Should Attend