Engaging Experts

Engaging with Security, Privacy, and Compliance Expert, Rebecca Herold

Round Table Group


From accidental courtroom testimony to becoming "The Privacy Professor," Rebecca Herold's journey into expert witnessing began when the FBI sought her evidence in a criminal case involving her home's previous owners. This unexpected experience revealed her natural talent for explaining complex matters under pressure—a skill that would define her future career.

With over 35 years in information security and compliance, Herold has established herself as a sought-after expert witness specializing in digital privacy, online tracking, and regulatory compliance. Her approach stands out for its unwavering commitment to honesty.

Maintaining expertise in such a rapidly evolving field requires constant education. Herold starts each day reviewing news about security breaches, lawsuits, and regulatory changes. Her background as an adjunct professor and author of 22+ books provides the foundation for explaining technical concepts in accessible ways to judges and juries with varying levels of technical understanding.

For those entering the expert witness field, Herold emphasizes understanding the specific scope and goals of each engagement. Rather than presenting everything you know—a tendency among academics—effective expert witnesses focus precisely on what's relevant to the specific legal questions at hand.

Join us to discover how digital privacy expertise translates into effective courtroom testimony, and why maintaining professional integrity remains essential in this complex and evolving field. Subscribe to Engaging Experts for more insights from top specialists across diverse professional domains.

Meet Rebecca Herold, The Privacy Professor

Speaker 1

This episode is brought to you by Round Table Group, the experts on experts. We've been connecting attorneys with experts for over 30 years. Find out more at roundtablegroup.com.

Speaker 2

Welcome to Engaging Experts. I'm your host, Noah Balmer, and today I'm excited to welcome Rebecca Herold to the show. Ms. Herold, aka the Privacy Professor, is the award-winning CEO and founder of Privacy and Security Brainiacs, an information security and compliance firm. She's an entrepreneur and a published author with expertise in areas ranging from global privacy and security governance to AI. Ms. Herold holds an MA in computer science and education from the University of Northern Iowa. Ms. Herold, thank you so much for joining me here today on Engaging Experts.

Speaker 1

Well, I'm happy to be here today, Noah.

Speaker 2

Thank you. Of course, let's jump into it. With over 20 years in privacy and security, how did you first become involved in expert witnessing?

Becoming an Expert Witness Accidentally

Speaker 1

Yes, well, actually I have over 35 years of experience and the way I got into it was really accidentally. Kind of like a lot of my career has been, I tend to follow what I find interesting. But the house that I live in, the back story is it was a foreclosure and the bank owned it. Long story short, I had been looking at this house for a long time and 15 years ago, after I purchased the house, the FBI and the Department of Justice got in touch with me because the folks that had owned this house before I purchased it, before it went to the bank, they were, um, basically part of an organized ring, uh, so organized crime ring, wow, for mortgage fraud. The Department of Justice and FBI asked me, you know, what I knew, if I knew anything about that. Of course I didn't. However, being someone who documents things a lot and documented this property for two years before I purchased it, I had a lot of evidence, photo evidence of this house. So they had me come in and they deposed me for a few hours and then I went to court and testified for a criminal trial in front of a jury and the defendants, the accused criminals, each had their own lawyers. So I was on the stand for around three hours getting asked questions and after it was done I was thinking that wasn't bad. In fact, I enjoyed it in the way that I was able to answer the questions and also reveal problems with what the defendants were saying with regard to just, you know, something that's not even in my profession.

Speaker 1

So after that, a year later, I actually was contacted from a hospital system about whether or not I would be, and two of them are in HIPAA, the Health Insurance Portability and Accountability Act, which are the rules that health care providers and insurers and clearinghouses have to abide by.

Speaker 1

Well, the hospital had my book and used it to create their program security and privacy program and they were being sued by a former patient, so they wanted me to help them to provide testimony in court if needed, but primarily, as an expert, to write a declaration report about how good their program was. So you know, over the years after that, I enjoyed doing that. Over the years I had an occasional request, but when COVID hit, I started getting a lot more requests for help with security issues, privacy issues and especially when the online tracking became a really big concern. So I've done a lot of online tracking cases and I decided at that point in time that you know I enjoy doing these cases. So I'm going to go ahead and just do a little bit less consulting and do more expert witness, because it was a type of consulting that I enjoyed.

Case Selection and Ethical Considerations

Speaker 2

Because you have been doing this for a while. When you have those initial phone calls, what are the sorts of questions that you like to ask the engaging attorney to make sure that it's the right fit for you? And also, as a follow-up, are there any red flags that you look out for?

Speaker 1

Oh, those are great questions, Noah. Well, even though I've been doing this a lot, I'm still learning as I go. I learn with every case and I've learned to ask questions very specifically because I want to know, you know, a little bit more about the case, because I won't take a case if they want me to testify to something that is not true. And I've actually run across a couple of situations where I was asked, you know, well, can you talk about this particular issue in a way that doesn't make it sound like we're doing bad things? I will not take those cases. I will only testify honestly because it's my reputation on the line. And, plus, when I'm talking about security and privacy, especially for situations that can impact people's safety and people's health, such as in health care, I absolutely want to be very clear and honest and accurate.

Speaker 2

I know that you can't reveal specifics necessarily, but it sounds like there's a story in there.

Speaker 1

Sure, and, like you said, I can't mention who it is and I'll give you just enough information.

Speaker 1

However, there's a lot of these cases coming along, so what I will say is not going to be unique, for probably what are hundreds of cases of lawsuits that are being filed for patient data that's being used inappropriately or being shared inappropriately, particularly by the ways in which online tracking technology is being used. So, uh, that is something where, when I heard that they knowingly had this tracking technology but, um, they were trying to say that that was the contracted entity that did it, not them, I had to decline that because, ultimately, if you own a website and you allow trackers to be incorporated when you contract someone, you are contracting them to do work on your behalf, so you are still ultimately responsible for whatever is going on on that website. So that, at a very high level, is the situation. I was not going to try to make it offload their responsibility and accountability because of their third party that they wanted to throw under the bus and, you know, blame everything on.

Speaker 2

Right, right. Naturally. Do you find that you have to turn down a significant number of cases?

Online Tracking Cases and Scammers

Speaker 1

You know, not a lot, I mean, I have turned down a few. What I have found, though, is when I have law firms speaking to me, sometimes they are surprised that I will have been doing work for defendants for those type of online tracking cases, and it's not only for healthcare and HIPAA compliance, but it's also for, like, the Video Privacy Protection Act and a whole bunch of other types of privacy and security things. But what's really interesting, Noah, is the fact that, yes, I do work for defendants too, because there are some really interesting scammers out there right now, Noah, where they will actually sue someone to say that they are tracking an organization or tracking people's data from an organization's website when that organization really wasn't using trackers at all. They're just trying to extort money from them, thinking that that is something that, oh well, you know, everybody is suing them right now, so we'll sue them and we'll take a copy of all the data, all the actual, like, code off of their website, and then we'll use that and say that's evidence of tracking, when the folks that I represent, I can look at that code and very quickly identify, no, they aren't even using tracking here.

Speaker 1

You know, and I think the scammers believe that all they have to do is just overwhelm somebody with hundreds of pages of code and that they aren't going to be able to determine whether or not tracking is going on. But it's pretty easy to find fairly quickly whether or not that code is actually tracking whoever comes there. So, yeah, so I think, you know, those are some of those situations where people might be surprised that I don't just do plaintiffs or I don't just do defendants, and I know there are experts out that not only I'm supporting the truth and how something is represented within any type of situation. It doesn't even have to be with online tracking. A lot of it has to do with how you run your security program or what you're actually doing, physical security as well. But I want to just make sure that, you know, that people are being protected, that the truth is there and also that people aren't trying to get scammed, because there's a lot of that going along.

Speaker 2

Yeah, yeah, there absolutely is. How has technology changed your work as an expert witness over the years?

Speaker 1

It's been very interesting because, when I'm looking at every case and every situation, something that I found oftentimes that the experts for the opposing party may not have the experience in is the fact that you always have to consider that nothing ever goes away with regard to technology and how it can be used. So I've been around long enough that I know that you can abuse technologies that have been in use for over 35 years, because I've seen it, and oftentimes it's not even technologies, it's practices and it's physical, like not protecting physically your operations center or things like that. So I think that has helped me. But what is changing is how quickly there are new types of security and privacy threats and vulnerabilities. So you really have to stay up on all of those threats and vulnerabilities and stay up with how those are actually being exploited, in addition to understanding how the full context of each situation has been implemented, because in some contexts there might not be a security or privacy problem using the same type of factors as in a different context.

Speaker 2

In such a dynamic field, how do you stay abreast of everything that's going on and best practices and everything else? In other words, how do you not only become an expert, but how do you remain an expert in a field like yours?

Speaker 1

Oh, that's a great question. So one thing that has helped me is the fact that I love for my areas of focus, which again is security, privacy and compliance, and I love reading the news. I do that every day. I start out the morning looking at the news, not only about breaches but also about lawsuits. I look at new laws and regulations and also, throughout my career before I really got into being an expert witness why I was an adjunct professor for the Norwich University Master of Science and information security.

Staying Current in Tech Security

Speaker 1

So that was something where, as being a professor and I was an adjunct professor in addition to doing my consulting work at that time too, for nine and a half years so when you are teaching others, especially at the master's level, all of my students were always practitioners in these areas. So I loved being a professor and helping to teach them, but learning from them too, because they brought to the course that they were taking their own experiences. So you know, I would just always accumulate that knowledge and then also writing my 22 plus now books. That helps a lot because it takes a lot of research and refining to write books about these topics and that really gets ingrained within your brain. So it really helps support you when you're looking at a specific case that you're doing for a client.

Speaker 1

A lot of times I will think of issues that I bring up to you know the lawyers I'm working for and I'll say, well, do you want me to cover this or that? And a lot of times I'll say, well, wait a second, is that an issue? And I'll like, yes, I'm like this is a huge issue here, and so I love the fact that I can bring up additional aspects of a case that they hadn't thought of but yet they point out. Oh, this can be very beneficial for us, and that's happened with three or four different cases I've done for online identity verification and age verification, because the way the systems were set up were just horribly insecure.

Speaker 2

As somebody who is so well-published, does it ever concern you or your attorney or your trial team that something that you've written or said in the past might be used to impeach your current thinking?

Speaker 1

I love that question and I actually have a situation for a deposition that was related to that. But one thing I've always tried to do throughout my career is to write in a way that is going to not only be accurate at that point in time but always references the fact that you have to consider context. I've been emphasizing context my entire career, so for almost 40 years now. But also I always point out that there might be changes going forward, but in this case, why, it was very interesting. So when I write, and just to clarify, I write to many different types of readers. So I write to other professionals and I get into deep details about how technology works and the risk and so on. I also write to those in my cases. So I make it as clear as possible but understandable for those who are not technical or have the background, but for the specific situation. So that's a different way of writing.

Speaker 1

But then throughout my entire career, and I started between getting my bachelor's and master's degree, for two years I was a seventh through twelfth grade math and computing teacher. So I always try to write in a way that's very understandable and I have a free newsletter I've been publishing each month to help the general public understand things. So that's a different type of writing. So in one of my depositions one of the questions had to do with, well, you said in your newsletter back in this date, and then they listed it off and I said yes, I did say that, and then I explained how, when you communicate to the general public, you cannot explain things, and that's something that I have been doing in my newsletter.

Speaker 1

When I talk about these things, I always preface or frame the information in a way that I say in general, here's how it works, but then, you know, the details are not included. So I have always tried to include that. But the opposing counsel did try to use that. But I was able to also point to the associated more technical information that was there and I explained to them that, you know, I was not writing a PhD paper that was supposed to cover every point. I was writing something that the general public could read in five minutes and understand. This is important, so you need to do something.

Speaker 2

Does your time as a professor? Did that inform the way that you go about connecting with the fact finder, be it a jury, be it a judge or during a deposition? Do you use any of the same techniques to educate, to explain?

Preparation for Testimony and Depositions

Speaker 1

I love that question because, yes, so the more you teach, the more you learn how to communicate better with those in specific situations, as applicable. So in one of my testimonies it was an evidentiary testimony for a very technical topic again talking about online tracking, and I bring that up because I've done a lot of those cases and also there's a lot of those cases there now. So, anyway, the folks involved with that, the judge wanted to know more about a case, and again, this is one of many different cases I've done. So it's not any specific one that anyone would know about. But so the judge was actually asking me very specific questions about how the technology works. So I realized if he wants to know how it works technically because he's not got that background then I was explaining it to him, using examples of how it would be similar to other you know daily situations and just explaining how you know, even though you can't see data or you're not actively giving a website data, there's a lot that can be collected while you're at that site without your knowledge, even knowing that that data is going there, and I'm not explaining it very well here.

Speaker 1

But what I loved about that was the fact that I got to communicate directly to the judge and I could tell using my teaching background I can tell the way he's asking me questions and how he's looking at me whether or not he understands. So that helped me to adjust my description or my examples. And that's so much different than when you have the opposing counsel looking at their list of questions. You know that they're going to ask you and a lot of times those questions are very have been refined to the point where they're trying to have a very specific type of question, that kind of like a gotcha type of question, and so I answer those differently because I always want to reframe that question in a way that I'm confirming my understanding and rephrasing it so that it kind of points out that the question is really not applicable to the full context. It's just trying to pick out of everything.

Speaker 1

It reminds me a lot of, I think, what, that movie My Cousin Vinny, you know. Of course, of course, I've written about that film. It's exactly like that, when, you know, she's on the stand and there's a very specific question, but it's like you can't answer it in a way that they want. You know, they think they're going to get you with it, but then you have to explain all the reasons why no. No, that's not the way it is. So that's a different type of communication, though, and it's a different purpose for the person listening to you describe or answer the question.

Speaker 2

Yeah, of course, let's talk preparation a little bit. How do you get yourself ready for a potentially contentious engagement? You're going to go into a deposition. You're going to go into cross-examination. How do you get yourself in the right headspace and prepared for what is to come? Do you have a pre-trial routine? Some of my guests do things like yoga or drink a lot of coffee, or no, no, no, you should fast. A lot of people have a lot of different opinions on getting ready. So what's your routine?

Speaker 1

Yeah, well, as far as the non-content, I always try to keep my fitness routine in place, so that's something. Throughout my entire life I've been also very active. I'm kind of a high energy person, but as I get older I still need to do that exercising. So a lot of what I do to get ready then involves that, because I will be exercising, doing my walking, I do it, I try to get in, you know, at least eight to nine miles a day. Now that's not all at one time, but it's throughout the day.

Speaker 1

But when I'm doing that, walking, I always try to play some video or a podcast like you know one of your podcasts so I can listen to them while I'm walking. And I love that, because there's something about exercising and listening or watching a discussion about that topic that I'm getting prepared for, to just hear other viewpoints, so I can hear, maybe, what might be brought up during a deposition or during a trial that I hadn't thought of before. So I guess that's one thing, and then I just like to practice based upon what I've seen, the opposing counsel and their expert maybe has been published before. I want to know what is it that they have published or what have they said in anything that's been publicized or made public. So I can see. You know maybe some of the tactics that they're taking with regard to a similar topic.

Speaker 2

That's interesting. Is that a billable occurrence when you're researching the opposing expert? Is that something that experts can bill for?

Speaker 1

And if they say, you know, we don't, that's not something that we would consider as part within the scope, why then? Okay, that won't be in the scope, but still, just for my own peace of them, but I always get that resolved before I actually do it, just so I'm very transparent with my clients about that. Now, usually they say, yeah, if you think that's going to help, go ahead and do it. But if they do say no, we don't feel that's part of it, then I'm like, okay, I understand that, and so I don't.

Speaker 2

Are there any other terms in your engagement letter regarding billing, for instance, do you like to take a non-refundable retainer? Do you have different project rates for being on the stand versus doing research or writing an expert report, or is it all a simple billing hourly rate?

Speaker 1

I've evolved over the years. So I absolutely do require a retainer and whether it's I'm being engaged directly by the law firm or if it's going through an expert organization, I require that because it's hard for me to then plan ahead, you know, if I don't have that retainer and I don't know also how quickly sometimes they're going to pay. So it's like, yes, if you want me to work for you, pay me a retainer and then I will know and make sure I have the time available when you need it, even if it is down the road a little ways. So I do require a retainer. And with regard to the hourly, I've kind of changed on that.

Speaker 1

When I first started and I didn't have, I hadn't done any cases yet or very few, why I wanted to start in a way that you know I thought, well, I'll charge the lowest rate for doing the research and writing the reports and then I'll do a little bit higher for the deposition and then a little bit higher for testimony.

Building Effective Expert-Attorney Relationships

Speaker 1

So I did that until I had a few more engagements under my belt and after that actually some of the firms that I was working with said, well, you know, some of our clients really like it to be more, you know, less divided. They just like sometimes to have it one rate. So now I'm at the point where I have basically two rates. So I have a rate for everything up to doing testimony in court, which is a higher rate, and then I have everything else at one rate, and then I do charge a rate just for travel time, and that, of course, is a lower time, but given that it does take, you know, typically a day to get anywhere and get back, why I do charge, at least to account for the fact that I'm not doing work while I'm traveling usually. So that is a much lower rate, but it still accounts for some of my time.

Speaker 2

Let's back up to the beginning of an engagement and speak a little bit generally about engagements. How do you get off on the right foot in a new engagement, and what are the sorts of things that both the expert and the attorney can do to ensure a good, productive and efficient engagement for both parties?

Speaker 1

Yes, so this is also continuing to evolve, but I've learned that it's so important to find out, you know, about the case and what has already occurred with the case up to that point, because oftentimes they've already had a case going for a year or two years. They may have already had another expert or even more than one other experts before, and also they might sometimes, when I hear about what the topic is before I speak with them, why I realize, oh, I need to find out more specifically about what they want me to cover. So do they want me to focus on the regulatory requirements and the evidence that's related to regulations and other types of laws? Or do they want me to focus on the technologies and how that works, because I also have deep experience there? Or do they want me to talk about building programs, because I've done that throughout the years too, because that's something sometimes the client wants me to do, just a very specific thing.

Speaker 1

So, like for one situation, they wanted me to focus on identifying all the vulnerable points throughout the internet when a certain system is being used and point out yes, here's where vulnerability is, and it would be very easy. And they wanted me to opine about yes, that's pretty easy to be able to get data at this point and that point and this point. So you know, even if they say that they're encrypting data in storage, there's still 10 dozen ways. That's just off the top of my head. There's unlimited ways that you can still get that data, and so you have to do much more than just one or two things. So and that is something that an organization must do if they're responsible for that system.

Speaker 2

Let's talk about venue for a moment. Have you worked, I know that you've done both criminal and civil litigation, for instance, but have you worked in other states, at different levels, perhaps something in a county level, state appeals, federal level or even in another country? What are the venues that you've worked at and how do they differ in terms of being an expert witness?

Speaker 1

So that's a very great question because I have some federal cases that are, or maybe a person who's a customer who's suing that, or vice versa, that company. So what's interesting about that is, and one other one is when you have, like, at a state level and state laws are also involved, and I've done some of those as well. So generally what I do for at least my topics, that I cover, the actual facts and the research, doesn't really change, but certainly how I approach it and how I look at how to communicate it often does change, because it seems like when you're dealing more at a local level, the smaller and more localized it is, the more succinct but yet still clear you have to explain certain situations, as opposed to on a federal level, where you can typically, at least in my experience, get into more details and, you know, get into much wider depth, deeper depth, depth of, um, especially technicality and examples, 'cause I use examples a lot, uh, within what I do.

Speaker 2

Have you noticed any differences in formality or the type of demeanor that you have, or practice, uh, while you're on the stand in these different venues?

Speaker 1

Well, I haven't been on the stand a lot, but when I have why I'm trying to think it's really just been at the federal level.

Speaker 1

So I've done deposition at the local level. It was like talking with people, right. I mean, it was very informal, it wasn't very stressful really that at all, and so and the questions, the other side did not have an expert, so that that was different too, because that's something I found that sometimes the, the opposing counsel, will use an expert that may not actually be an expert in the topic but yet you know, that's kind of they're representing themselves as one. So it's that's a little bit different type of situation, but I think it's out there a lot more widely than what a lot of people realize, because there's not a lot of people that I've seen doing the types of cases that I'm doing who actually has hands-on experience. And you know, I've been a systems engineer, so I know what I'm talking about with a lot of these technical things a lot more than someone who just read about it in a book anyway, and probably your book at that.

Speaker 2

Before we wrap up, do you have any last advice for expert witnesses and in particular, newer expert witnesses or even attorneys who are working with them?

Advice for New Expert Witnesses

Speaker 1

Yes. So what I've loved with some of my experts or with my clients that I've worked with, I love being able to really communicate with them and find out, you know, well, what is it you want from me. And when I say what you want from me, I'm not talking about what do you want me to say, or do I want to know what is it in this case that you hired me to address with my expertise? You know, what is a point that you want to make, because I've seen sometimes in a couple of my cases where they wouldn't really tell me what their goal was for having me as an expert. So I would say, if you're starting out, find out what the goal is for hiring you as an expert and the scope of topics that they really want you to cover, because early on I would assume that they would want really more than what they were looking for, and so I would try to boil the ocean with information and it's like, oh no, you're not writing a book here, and I think that's maybe, that's a risk that some people might get into if they have been professors like me or if they have written books.

Speaker 1

Because if you ask me a question about how something works. My brain is going to think oh, I'm a professor and I write books, so I'm going to tell you everything I know about this. But when you're an expert testifying in a case, you need to find out, well, what is the information that you need and what can you leave out, because it's not going to be relevant to how this case is going to be determined.

Speaker 2

Sage advice. Ms. Herold, thank you so much for joining me here today.

Speaker 1

Well, I really enjoyed it, Noah. Thank you so much for inviting me.

Speaker 2

Of course, and thank you, as always, to our listeners for joining us for another edition of Engaging Experts. Cheers.

Speaker 1

Thank you for listening to our podcast Engaging Experts. Our show notes are available on our website, roundtablegroup.com.