In this episode…
From accidental courtroom testimony to becoming “The Privacy Professor,” Rebecca Herold’s journey into expert witnessing began when the FBI sought her evidence in a criminal case involving her home’s previous owners. This unexpected experience revealed her natural talent for explaining complex matters under pressure—a skill that would define her future career.
With over 35 years in information security and compliance, Herold has established herself as a sought-after expert witness specializing in digital privacy, online tracking, and regulatory compliance. Her approach stands out for its unwavering commitment to honesty.
Maintaining expertise in such a rapidly evolving field requires constant education. Herold starts each day reviewing news about security breaches, lawsuits, and regulatory changes. Her background as an adjunct professor and author of 22+ books provides the foundation for explaining technical concepts in accessible ways to judges and juries with varying levels of technical understanding.
For those entering the expert witness field, Herold emphasizes understanding the specific scope and goals of each engagement. Rather than presenting everything you know—a tendency among academics—effective expert witnesses focus precisely on what’s relevant to the specific legal questions at hand.
Join us to discover how digital privacy expertise translates into effective courtroom testimony, and why maintaining professional integrity remains essential in this complex and evolving field.
Episode Transcript:
Note: Transcript has been lightly edited for clarity.
Host: Noah Bolmer, Round Table Group
Guest: Rebecca Herold, CEO of Privacy and Security Brainiacs
Noah Bolmer: Welcome to Engaging Experts. I’m your host, Noah Bolmer, and I’m excited to welcome Rebecca Herold to the show. Miss Herold, AKA The Privacy Professor, is the award-winning CEO and Founder of Privacy and Security Brainiacs, an information security and compliance firm. She’s an entrepreneur and a published author with expertise in areas ranging from global privacy and security governance to AI. Miss Herold holds an MA in Computer Science and Education from the University of Northern Iowa. Miss Herold, thank you for joining me today on Engaging Experts.
Rebecca Herold: I’m happy to be here, Noah. Thank you.
Noah Bolmer: With over 20 years in privacy and security, how did you first become involved in expert witnessing?
Rebecca Herold: Actually, I have over 35 years of experience and the way I got into it was accidental, like a lot of my career has been. I tend to follow what I find interesting, but the back story is the house that I live in was a foreclosure and the bank owned it. Long story short, I had been looking at this house for a long time and fifteen years ago, after I purchased the house, the FBI and the Department of Justice got in touch with me, because the folks that had owned this house before I purchased it, and before it went to the bank, were part of an organized crime ring for mortgage fraud. The Department of Justice and FBI asked me what I knew, if I knew anything about that. Of course I didn’t. However, being someone who documents [many] things and had documented this property for two years before I purchased it, I had a lot of photo evidence of this house. They had me come in and deposed me for a few hours. Then, I went to court and testified for a criminal trial in front of a jury and the defendants. The accused criminals each had their own lawyers, so I was on the stand for around three hours getting asked questions. After it was done, I [thought] “That wasn’t bad.” I enjoyed how I answered the questions and revealed problems with what the defendants were saying about something not even in my profession.
A year later I was contacted [by] a hospital system about whether I would be an expert witness for them for HIPAA. I’ve written over 22 books, and I say over because I’m in the process of finishing some now. Two of them are about HIPAA, the Health Insurance Portability and Accountability Act, the rules healthcare providers, insurers, and clearinghouses must abide by. The hospital had my book and used it to create their Program Security and Privacy Program, and they were being sued by a former patient. They wanted me to help them and to provide testimony in court if needed, but primarily as an expert to write a declaration report about how good their program was. I enjoyed doing that. Over the years after that I had an occasional request, but when COVID hit, I started getting more requests for help with security and privacy issues, especially when online tracking became a big concern. I’ve done a lot of online tracking cases, and I decided at that point in time that I enjoyed doing those cases and was going to do less consulting and more expert witnessing because it was a type of consulting that I enjoyed.
Noah Bolmer: Because you have been doing this for a while, when you have those initial phone calls, what are the questions you like to ask the engaging attorney to make sure that it’s the right fit for you? As a follow up, are there any red flags that you look out for?
Rebecca Herold: Those are great questions, Noah. Even though I’ve been doing this a lot, I’m still learning as I go. I learn with every case, and I’ve learned to ask questions specifically because I want to know a bit more about the case. I won’t take a case if they want me to testify to something that is not true. And I’ve actually run across a couple of situations where I was asked, “Can you talk about this particular issue in a way that doesn’t make it sound like we’re doing bad things?” I will not take those cases. I will only testify honestly because my reputation is on the line. Plus, when I’m talking about security and privacy, especially for situations that can impact people’s safety and health, such as in healthcare, I absolutely want to be clear, honest, and accurate.
Noah Bolmer: I know that you can’t reveal specifics necessarily, but it sounds like there’s a story in there.
Rebecca Herold: Like you said, I can’t mention who it is, and I’ll give you just enough information. However, there are a lot of these cases coming along, so what I say is not going to be unique for [the] hundreds of cases out there that are like it. There are many types of lawsuits being filed for patient data that’s being used or shared inappropriately, particularly the ways online tracking technology is used. That is something where, when I heard that they knowingly had this tracking technology but were trying to say that the contracted entity did it, not them, I had to decline that. Ultimately, if you own a website and you allow trackers to be incorporated, when you contract someone, you are contracting them to do work on your behalf, so you are still ultimately responsible for whatever is going on on that website. That, at a high level, is the situation. I was not going to try to offload their responsibility and accountability because of their third party that they wanted to throw under the bus and blame everything on.
Noah Bolmer: Do you find that you have to turn down a significant number of cases?
Rebecca Herold: Not a lot. I mean, I have turned down a few. What I have found though is when I have law firms speaking to me, sometimes they are surprised that I will have been on the defendants’ side—doing work for defendants for those types of online tracking cases. It’s not only for healthcare and HIPAA compliance, but it’s also for the Video Privacy Protection Act and other types of privacy and security things. What’s interesting, though, is the fact that, yes, I do work for defendants too because there are some interesting scammers out there right now, Noah, where they will sue someone to say that they are tracking an organization or people’s data from an organization’s website when that organization wasn’t using trackers at all. They’re trying to extort money from them, thinking that since everybody is suing them right now, we’ll sue them. We’ll take a copy of all the data, all the actual code off of their website, and then we’ll use that and say that’s evidence of tracking. For the folks that I represent, I can look at that code and quickly identify [that] no, they aren’t using tracking here. Scammers believe that all they have to do is overwhelm somebody with hundreds of pages of code and that they aren’t going to be able to determine whether or not tracking is going on. It’s easy to find fairly quickly whether or not that code is tracking whoever comes there. Those are some of those situations where people might be surprised that I don’t just do plaintiffs or I don’t just do defendants. I know there are experts out there that do that, but I always look at the situation and I want to make sure that I am supporting the truth and how something is represented within any type of situation. It doesn’t even have to be with online tracking. [Much] of it has to do with how you run your security program or what you’re actually doing, physical security, as well.
I want to make sure that people are being protected, that the truth is there, and that people aren’t going to get scammed because there’s a lot of that going on.
Noah Bolmer: How has technology changed your work as an expert witness over the years?
Rebecca Herold: It’s been interesting because when I’m looking at every case and every situation, something that I’ve found, which oftentimes the experts with the opposing party may not have the experience in, is the fact that you always have to consider that nothing ever goes away with regard to technology and how it can be used. I’ve been around long enough that I know that you can abuse technologies that have been in use for over 35 years because I’ve seen it. Oftentimes it’s not even technologies, it’s practices, and it’s physical, like not physically protecting your operations center or things like that. That has helped me, but what is changing is how quickly there are new types of security and privacy threats and vulnerabilities. You have to stay up on all of those threats and vulnerabilities, and stay up with how those are being exploited, in addition to understanding how the full context of each situation has been implemented, because in some context there might not be a security or privacy problem using the same type of factors in a different context.
Noah Bolmer: In such a dynamic field, how do you stay abreast of everything that’s going on, best practices and everything else? In other words, how do you not only become an expert, but how do you remain an expert in a field like yours?
Rebecca Herold: That’s a great question. One thing that has helped me is the fact that I love to learn. Ever since I was young I’ve loved to learn about everything. That curiosity and a love of learning is something that is absolutely necessary, at least for my areas of focus, which again are security, privacy, and compliance. I love reading the news, and I do that every day. I start the morning looking at the news, not only about breaches, but also about lawsuits. I look at new laws and regulations, and throughout my career before I got into being an expert witness, I was an adjunct professor for the Norwich University Master of Science in Information Security. I was an adjunct professor, in addition to doing my consulting work at that time too, for 9 1/2 years. When you are teaching others, especially at the master’s level, all of my students were always practitioners in these areas, so I loved being a professor and helping to teach them, but learning from them too. They brought their own experiences to the course. I would always accumulate that knowledge.
Also, writing my 22-plus books now helps a lot because it takes a lot of research and refining to write books about these topics, and that gets ingrained within your brain. It helps support you when you’re looking at a specific case that you’re doing for a client. [Many] times I will think of issues that they bring up to the lawyers I’m working for, and I’ll say, “Do you want me to cover this or that?” [Many] times, they’ll say, “Wait a second, is that an issue?” And I’ll say, “This is a huge issue here.” I love the fact that I can bring up additional aspects of a case that they hadn’t thought of, but yet they point out, “This can be very beneficial for us.” That’s happened with three or four different cases I’ve done for online identity verification and age verification because the way the systems were set up was horribly insecure.
Noah Bolmer: As somebody who is so well published, does it ever concern you, your attorney, or your trial team that something that you’ve written or said in the past might be used to impeach your current thinking?
Rebecca Herold: I love that question and I have a situation from a deposition that’s related to that. One thing I’ve always tried to do throughout my career is to write in a way that is going to not only be accurate at that point in time, but always references the fact that you have to consider context. I’ve been emphasizing context my entire career, for almost 40 years now. I always point out that there might be changes going forward, but in this case, here’s why it was very interesting. When I write, and just to clarify, I write for many different types of readers. I write for other professionals and I get into deep details about how technology works, the risk, and so on. I also write for those in my cases, so I make it as clear and understandable as possible for those who are not technical or don’t have the background, but for the specific situation. That’s a different way of writing. Throughout my entire career, and between getting my bachelor’s and master’s degree, for two years I was a 7th through 12th grade math and computing teacher. I always try to write in a way that’s understandable. I have a free newsletter that I’ve been publishing each month to help the general public understand things, so that’s a different type of writing. In one of my depositions, one of the questions had to do with, “You said in your newsletter back on this date,” and then they listed it off. I said, “Yes. I did say that.” Then I explained how, when you communicate to the general public, you cannot explain everything, and that’s something that I have been doing in my newsletter. When I talk about these things I always preface or frame the information in a way that I say, in general, here’s how it works. Then the details are not included. I have always tried to include that, but the opposing counsel did try to use that, and I was able to also point to the associated more technical information that was there. I explained to them that I was not writing a PhD paper that was supposed to cover every point.
I was writing something that the general public could read in 5 minutes and understand this is important, so you need to do something.
Noah Bolmer: Does your time as a professor inform the way that you go about connecting with the fact finder, be it a jury, a judge, or during a deposition? Do you use any of the same techniques to educate or explain?
Rebecca Herold: I love that question because yes, the more you teach, the more you learn how to communicate better with those in specific situations as applicable. In one of my testimonies, it was an evidentiary testimony for a technical topic. Again, talking about online tracking, and I bring that up because I’ve done a lot of those cases and there [are many] of those cases out there now. Anyway, the folks involved with that, they wanted—the judge wanted to know more about the case. Again, this is one of many different cases that I’ve done, so it’s not any specific [case] that anyone would know about. The judge was asking me specific questions about how the technology works. I realized he wanted to know how it worked technically because he doesn’t have that background, so then I was explaining it to him using examples of how it would be similar to other daily situations. Explaining how, even though you can’t see data or you’re not actively giving a website data, there’s a lot that can be collected while you’re at that site without your knowledge, even knowing that data is going there. I’m not explaining it well here. What I loved about that was the fact that I got to communicate directly to the judge, and I could tell based—using my teaching background, I can tell by the way he’s asking me questions and how he’s looking at me whether or not he understands. That helped me to adjust my description or my examples.
That’s much different than when you have the opposing counsel looking at their list of questions to ask you. [Many] times, those questions have been refined to the point where they’re trying to have a specific type of question, that gotcha type of question. I answer those differently because I always want to rephrase that question in a way that I’m confirming my understanding and rephrasing it so it points out that the question is not applicable to the full context. It’s trying to pick a thing out of everything. It reminds me of that movie My Cousin Vinny, and the—
Noah Bolmer: Of course, of course I’ve written about that film.
Rebecca Herold: It’s exactly like that. When she’s on the stand and there’s a specific question, but you can’t answer it in the way they want. They think they’re going to get you with it, but then you have to explain all the reasons why, “No, no, that’s not the way it is.” That’s a different type of communication, though, and it’s a different purpose for the person listening to you describe or answer the question.
Noah Bolmer: Let’s talk preparation. How do you get yourself ready for a potentially contentious engagement? You’re going to go into a deposition or you’re going to go into cross examination; how do you get yourself in the right headspace and prepared for what is to come? Do you have a pretrial routine? Some of my guests do things like yoga or drink a lot of coffee. [Some say,] “No. You should fast.” A lot of people have a lot of different opinions on getting ready. What’s your routine?
Rebecca Herold: As far as the non-content, I always try to keep my fitness routine in place. That’s something I’ve done throughout my entire life. I’ve been very active. I’m a high energy person, but as I get older, I still need to do that exercising. [Much] of what I do to get ready involves that because I will be exercising, doing my walking. I try to get in at least 8 to 9 miles a day. Now, that’s not all at one time, but it’s throughout the day. When I’m doing that walking, I always try to play some video or a podcast like one of your podcasts so I can listen to them while I’m walking. I love that because there’s something about exercising and listening to or watching a discussion about the topic that I’m getting prepared for. Just to hear other viewpoints. I can hear what might be brought up during a deposition or during a trial that I hadn’t thought of before, so I guess that’s one thing. Then, I like to practice based upon what I’ve seen the opposing counsel and maybe their expert have published before. I want to know what it is that they have published or what they have said in anything that’s been publicized or made public so I can see some of the tactics that they’re taking with regard to a similar topic.
Noah Bolmer: That’s interesting. Is that a billable occurrence when you’re researching the opposing expert? Is that something that experts can bill for?
Rebecca Herold: You need to ask your client, and that’s what I do. I let them know that I would like to do that, and if they say, “That’s not something that we would consider as within the scope.” Then, okay, that won’t be in the scope, but still for my own peace of mind, because I like to feel prepared, I’ll go ahead and learn anyway. I go ahead and listen to them, but I always get that resolved before I do it just so I’m transparent with my clients about that. Usually they say, “If you think that’s going to help, go ahead and do it.” But if they do say, “No, we don’t feel that’s part of it.” Then I’m like, “I understand that.” Then, I don’t.
Noah Bolmer: Are there any other terms in your engagement letter regarding billing? For instance, do you take a non-refundable retainer? Do you have different project rates for being on the stand versus doing research or writing an expert report, or is it all hourly rate billing?
Rebecca Herold: I’ve evolved over the years. I absolutely do require a retainer, whether I’m being engaged directly by the law firm or if it’s going through an expert organization. I require that because it’s hard for me to plan ahead if I don’t have that retainer, and I also don’t know how quickly they’re going to pay. So, if you want me to work for you, pay me your retainer. Then, I will know and make sure I have the time available when you need it, even if it is down the road a little ways. So, I do require a retainer, and with regard to the hourly, I changed on that. When I first started and I didn’t have—hadn’t done any cases yet, or very few, I wanted to start in a certain way. I thought, I’ll charge a lower—the lowest rate for doing the research and writing the reports. Then, I’ll do higher for deposition and then a little higher for testimony. I did that until I had a few more engagements under my belt, and after that some of the firms I was working with said, “Some of our clients like it to be more or less divided. Sometimes they like to have it one rate.” Now, I’m at the point where I have basically two rates. I have the rate for doing testimony in court, which is a higher rate. Then I have everything else at one rate. I do charge a rate just for travel time and that, of course, is a lower rate. Given that it does take typically a day to get anywhere and back, I do charge, at least, to account for the fact that I’m not doing work while I’m traveling. That is a much lower rate, but it still accounts for some of my time.
Noah Bolmer: Let’s back up to the beginning of an engagement and speak generally about engagements. How do you get off on the right foot in a new engagement? What are the things that both the expert and the attorney can do to ensure a good, productive, and efficient engagement for both parties?
Rebecca Herold: This is also continuing to evolve, but I’ve learned that it’s so important to find out about the case and what has already occurred with it up to that point, because oftentimes they’ve already had a case going for a year or two. They may have already had another expert or even more than one expert before. Sometimes when I hear about what the topic is before I speak with them, I realize I need to find out more specifically about what they want me to cover. Do they want me to focus on the regulatory requirements and evidence that’s related to regulations and other types of laws? Do they want me to focus on the technologies and how they work, because I also have deep experience there? Do they want me to talk about building programs, because I’ve done that throughout the years too? Sometimes the client wants me to do a specific thing. For one situation, they wanted me to focus on identifying all the vulnerable points throughout the Internet when a certain system is being used, to point out here’s where the vulnerability is, and it would be easy. They wanted me to opine about yes, [it’s] easy to get data at this point, that point, and this point. Even if they say that they’re encrypting data in storage, there [are] still 10 dozen ways—and that’s just off the top of my head, not from a—there are unlimited ways that you can still get that data. You have to do much more than just one or two things. That is something that an organization must do if they are responsible for that system.
Noah Bolmer: Let’s talk about venue for a moment. Have you worked—I know that you’ve done both criminal and civil litigation, for instance, but have you worked in other states at different levels? Perhaps something at a county level, state appeals, federal level, or even in another country. What are the venues that you’ve worked at and how do they differ in terms of being an expert witness?
Rebecca Herold: That’s a great question because I have some federal cases that are trying to establish a class action and so they want to certify the class. That’s a lot different than if I have a situation that is an organization where they might have maybe an ex-employee or maybe a customer who’s suing that company, or vice versa. What’s interesting about that is—and one other one is when you have one at a state level and state laws are involved. I’ve done some of those as well, so generally what I do for at least [the] topics that I cover, the actual facts, and the research don’t change, but how I approach it and how I look to communicate often does change. It seems when you’re dealing more at a local level, the smaller and more localized it is, the more succinct but clear you have to be in explaining certain situations. As opposed to a federal level where you can typically, and at least in my experience, get into more details and much wider and deeper depths of specialty technicality and examples, because I use examples a lot with what I do.
Noah Bolmer: Have you noticed any differences in formality or the type of demeanor that you practice while you’re on the stand in these different venues?
Rebecca Herold: I haven’t been on the stand a lot, but when I have—I’m trying to think, it’s just been at the federal level. I’ve done a deposition at the local level, and it was like talking with people. I mean it was informal. It wasn’t stressful at all. The other side did not have an expert, so that was different too. That’s something I’ve found: sometimes the opposing counsel will use an expert that may not actually be an expert in the topic, but they’re representing themselves as one. That’s a different type of situation, but I think it’s out there more widely than [many] people realize. There are not a lot of people that I’ve seen doing the types of cases that I’m doing, and who have hands-on experience. I’ve been a systems engineer, so I know what I’m talking about with [many] of these technical things. More than someone who just read about it in a book.
Noah Bolmer: And probably your book at that. Before we wrap up, do you have any last advice for expert witnesses and in particular newer expert witnesses or even attorneys who are working with them?
Rebecca Herold: What I’ve loved with some of [the] clients that I’ve worked with is, I love being able to communicate with them and find out, “What is it you want from me?” When I say what you want from me, I’m not talking about what you want me to say or do. “I want to know what it is in this case that you hired me to address with my expertise. What is the point that you want to make?” Because I’ve seen sometimes in a couple of my cases where they wouldn’t tell me what their goal was for having me as an expert. I would say if you’re starting out, find out what the goal is for hiring you as an expert and the scope of topics that they want you to cover. Early on, I would assume that they would want more than what they were looking for. I would try to boil the ocean with information and [they were] like, “No, you’re not writing a book here.” That’s a risk that some people might get into if they have been professors like me or if they have written books, because if you ask me a question about how something works, my brain is going to think, I’m a professor and I write books. I’m going to tell you everything I know about this. When you’re an expert testifying in a case, you need to find out what the information is that you need and what you can leave out because it’s not going to be relevant to this case.
Noah Bolmer: Sage advice, Miss Herold, thank you for joining me today.
Rebecca Herold: I enjoyed it, Noah. Thank you for inviting me.
Noah Bolmer: Of course. And thank you as always to our listeners for joining us for another edition of Engaging Experts. Cheers.
Rebecca “The Privacy Professor” Herold, is the award-winning CEO and Founder of Privacy and Security Brainiacs, an information security and compliance firm. She’s an entrepreneur and published author with expertise in areas ranging from global privacy and security governance to AI. Ms. Herold holds an MA in computer science and education from the University of Northern Iowa.