Law Office of
Richard P. Goldberg
Washington, D.C.
Rules of Engagement:
Mitigating Risk in Information Security Work

(How Not to Get Pwnd by Your Clients, Part 2)

Presentation delivered at DojoCon, December 11, 2010

Information security work, from pentesting to auditing, incident response to forensics, can be plagued with legal risks—some you probably never imagined. This is a discussion of the straightforward and, more importantly, not-so-straightforward legal risks inherent in undertaking these jobs.

We discuss how to handle "rules of engagement"; what to do about sensitive data; how seemingly unrelated third parties could become your worst nightmare; what to do about subpoenas and search warrants; and the surprising limits of liability limitations and indemnification. We see that the risks inherent in these areas can arise from failure or success—or from neither. In other words, "I never do anything wrong" is the legal equivalent of "that's a theoretical vulnerability": it's a trap for the ignorant.

There are ways to avoid some of these problems and ways to handle those you cannot avoid. It is always important to recognize which problems are just the cost of doing business. But where you can, lower that cost by avoiding catastrophes. If you ignore these risks, you had better be comfortable betting the company on every job. Attendees should leave with a better understanding of the scope of relevant legal risks, what can be prevented and what cannot—and what to do when prevention isn't enough.

The presentation is available for download here.

If you would like to discuss how these issues could affect your business, or if you would like to discuss any other contracting issues, please do not hesitate to contact me.

Attorney Advertising: This material has been prepared for general informational purposes only and is not intended as legal advice.