Three+ things I learned at SANS 2010 (Legal Track) today:
1. Appropriately vague or tentative language is not a bad thing in security policies. What is the risk of writing a “must” into a policy, not delivering on the promise, then having to testify about your lack of enforcement in court or answer to it in a public forum?
2. Any effort to provide due care is better than no effort at all (e.g. having a security policy vs. not having one due to lack of enforcement concerns). Negligence when common sense states that there was an easy solution is bad - especially to a judge or jury.
3. Disclaimers, Terms of Service, and things like login banners should be used whenever possible. Words are cheap, and can save your ass. The key concept is to seek consent so that you can handle privacy concerns.
4. Handling a legal issue in the wrong way can turn into a PR nightmare. Decisions to take legal action should be run through a PR filter to make sure it won’t stink when your opponents take their argument to the Internet.
Great class so far; I'm loving the material and the new perspectives it provides.