#125 – Douglas Brush (Part 3): What is a Special Master?
Cyber Security Interviews | April 03, 2023 | 25:36 | 20.5 MB


This is the 3rd part of the podcast's return after a brief hiatus. 

Daniel Ayala continues his interview of me. In this third part, we will discuss what I am doing as a Special Master and Court Appointed Neutral, the reasons I think there will be a continued convergence of legal, cybersecurity, and data privacy, why I decided to start another consulting firm, data valuation, and so much more!

[00:00:09] I'm Douglas Brush and you're listening to Cyber Security Interviews. Cyber Security Interviews is the weekly podcast dedicated to digging into the minds of the influencers, thought leaders, and individuals who shape the cybersecurity industry. I discover what motivates them, explore their journey in cybersecurity, and discuss where

[00:00:29] they think the industry is going. The show lets listeners learn from the expert's stories and hear their opinions on what works and doesn't in cybersecurity. Welcome to Cyber Security Interviews.

[00:00:49] It's back after a long hiatus and a lot going on in my life, I am bringing back the podcast. In order to do so, I brought my good friend and colleague and data privacy and cybersecurity person of interest Dan Ayala to interview me.

[00:01:04] So over the next few episodes, we'll discuss where I've been in the past 18 months, what I'm doing now, and where I think this industry is going and why I plan to leave it within the next seven years.

[00:01:16] Your title on an email and LinkedIn and other places is Special Master and Court Appointed Neutral. Set the record straight. Set the record straight. Work in progress. On special masters. There's been a lot. The title has been in the news a lot lately.

[00:01:35] Not everyone understands what the function really is or what it does. Tell us more. Tell me more. I know everyone's interested in what it is and what you're doing with it and how the heck does it apply to InfoSec or your upbringing?

[00:01:50] Yeah, I mean, it's an accumulation of just about everything. I find myself now, like I said in my career where I've questioned a lot of things, always had this impulsion, wondering should I be here? I'm just the wrong fit.

[00:02:05] But the fact that I've always been an outsider and never, you know, doubled down on one area of the other. And I stayed kind of neutral across all these disciplines and continued thinking about it. What am I doing?

[00:02:19] Not what am I calling it is really coming to this head. And so in the early 2000s as I started doing the forensics and litigation work, there was some early glimpses of how this was going to go.

[00:02:33] Coming back to the early 2000s, if you really understand when people say this e-discovery boom and ESI and all these terms that get thrown around about civil and even criminal litigation about data, there wasn't a way to bring computer or digital information into litigation easily.

[00:02:53] That being said is because a lot of the frameworks for the legal standards in which evidence can be presented and there's different forms of evidence, but we'll just use discovery evidence that you request from a party and they have to hand over a document would say.

[00:03:08] Traditionally, it was paper documents. And this goes back to, you know, 500 years ago, back to English law of what's the Magna Carta? What's an original document? And this got incorporated into American jurisprudence.

[00:03:19] So, you know, there's this sanctity of what evidence is there should be now that it's infallible and it's traceable and it has this chain of custody and you can really know who's touched it and that when you present it in court, it's the

[00:03:33] truest representation of how it was used in that business term, how it was stored and it's been unmodified in ways that alter its meaning or integrity. And they didn't have a way to do that.

[00:03:48] And if you look at it, I think you'll remember and or appreciate this is that, you know, when there's these big litigations against these post 2011 companies, people, what we can pause for a second. By the way, get ready for a lot of litigation between companies and this

[00:04:03] economic downturn in 2013. This trends pretty heavily when there's a technology downturn. Everybody starts suing each other. So another reason why I knew this was coming and got in front of this is I've seen this happen before because in 2001, when this happened, everybody

[00:04:17] starts suing each other and they had to really kind of from the judiciaries and you know, the district judges, particularly in Southern District of New York where they say, well, hold on a second. Let's all pause. What is a document?

[00:04:28] They have almost this very kind of, you know, thoughtfulness around it that didn't exist and what's going to represent electronic document versus a paper document? What's the same? What's the difference? How are we going to support the sanctity of that evidence?

[00:04:43] And they set up several rules because also there was a goes back to what we're seeing today is there was an information governance problem. People did not have consistent information records management between paper and data.

[00:04:56] And they said, well, you can't have both or if you do have a policy, where's your policy? We don't have that. So let me get this straight. You're going to delete everything off the server the minute there's a litigation, but you're going to produce paper. Sure, why not?

[00:05:07] Well, that's the bulletin. Isn't it? There's no rules. And so they had to come up with these rules and basically say, thou shall not do that in the anticipation of litigation. You must preserve all records, paper, electronic or otherwise. Figure it out. And that became the discovery boom.

[00:05:21] And I'm really kind of a shorthand way of it, of people having to build into their governance programs, litigation readiness and this ability to preserve, collect and produce this information. However, if you look at it, you had to bring these experts in.

[00:05:42] That then had to testify to too. So you have this supporting evidentiary things. And there was expert witnesses under rule 26 that actually get adopted into the federal court system like I did early on, not knowing it. I said, OK, this is cool.

[00:05:54] Didn't realize how big of a deal it was at the time or 2000. But basically said, well, here's what happened. Here's what I saw. Here's what I tested. It's transparent. Their expert can go test it and their experts would not to be fired.

[00:06:06] Both sides would have experts come in and say, this is Dan's email. Cool. How much did that cost? I billed $100,000. What did it would be the other expert? That's awesome. Yay. And of course, it was like, that took a lot extra time and money.

[00:06:20] And both sides are like, yeah, it's just the same data. Why are we doing this? And I think there was probably some self preservation from the forensics and the skeptics. Well, no, no, no. Let's have two people do this for validation. No, bullshit.

[00:06:34] And a lot of it was just basically, it's data. It's data. It's there. It's there. We set a set of frameworks around both the technical and civil litigation procedures that says what the document is. It's either going to be there or not.

[00:06:45] It's going to have the metadata fields that you can challenge it, but the reality is they're not. So it's this process that exists in extracting data and producing it in civil litigation. And they said, well, why don't we just have one person do it?

[00:06:57] Well, who's going to hire them? Why is it both parties? And his role of a neutral came up that I started doing in around 2009, 2012, 13. And it was great because both parties are like, oh, cool. We're just getting the same evidence

[00:07:12] because you're just going to hand us over whatever you produce. And you did it. And it's controlled. And great. There's all the documentation. We both split the bill. It's great. Courts like, great. They assigned me to do this. I'm like, yeah, that makes sense.

[00:07:25] Unknown to me really was there's this provision in the federal rules is for a procedure on a rule 53 for what's called a special master. And it sets forth the guidelines of which special masters can be used. And it's been changed, modified, adopted,

[00:07:38] and through different literal acts of Congress over the years and how they got adopted. So this is happening on a parallel track. And a lot of these folks were doing things in very different capacities, but similar in the sense

[00:07:50] that they may not be doing like the electronic ESI type of data work, but other types of work, famous one being Ken Feinberg. And if you can watch the documentary worth, he was the special master pointed out to the attorney general to basically divide up

[00:08:07] the funds for the 9-11 compensation victims fund. And he had to sit there and build up basically damage calculations for what somebody's life's worth and how to award them and what's the process. And all these intricate parts have taken something

[00:08:19] from point A to point B under a very watched and contentious legal process. And that's often when special masters are used. So I'm doing this neutral work. I'm doing the extra witness work in 2015. I get a call. Hey, we need a special master.

[00:08:35] It's kind of like a neutral on this big litigation involving a large company in the Bay Area that does a lot of stuff. And I need to come on and do this work. And we're gonna hire you as a special master. Cool, sounds cool. I like that title.

[00:08:54] The title I can live with. It was capital S capital S. So it's a proper now. So at fours I'll report. Or at least a defined term in a contract. Yeah, and I would be addressed. There's nothing better than being addressed as a special master.

[00:09:11] And when I would ask my staff and my family, the dogs and everybody else to continue that trend, they politely declined, which was sad. Because I think that should be, it's like a doctor. I should be called professor wherever I go. Apparently that's not the way it works.

[00:09:26] But anyway, so they said, this is what it is. And I really dug into it. So Alice is interesting. So there's a set of provisions around this that says, hey, this is what you're gonna have to do. This process on behalf of not just partners with the court.

[00:09:40] And really what was happening was I was assisting the court in a very complicated dispute over the dispute. And the dispute I was managing was over the data. How the data was going to be collected, processed and produced in a way that's never been done

[00:09:56] before through the completely unique set of data and I had to use just about everything in my toolkit. And it draw upon my legal background, cyber security, network security, governance, chain of custody for the, I mean, there was every element of this that I had to run.

[00:10:13] And I was like, oh, you kind of uniquely qualified for this because again, I never cared what I was called in doing all these functions, but I did them all. And I never siloed myself. So that was like a perfect nominee for this.

[00:10:25] And I got involved with that. And then I was like, well, that was cool. Billed a ton and it was kind of a prestigious thing. And my other friends within centers said, wow, I can't believe you got that. And they were kind of jealous.

[00:10:37] I was just like, okay, cool. It was kind of a sidebar thing. And this litigation continues. I was like, it's just another day at the office and then got pulled in there a few more. And I realized it was this thing that was needed in the judiciary.

[00:10:51] And because there's now this understanding of how electronic data has to come in in one point and one set of rules. And then there's all other rules and litigation that are tangential to this, but there's specific grounds around, say electronically stored information.

[00:11:05] Then you have the special master rule that says that we can bring a special master to come in and the role of a special master is to have these informal meetings, meet and confers and set forth a process

[00:11:19] on behalf of the court to move a sticky issue through. So it's often something that the judge will hand off off and a magistrate judge who hands a lot of discoveries, he says special master, whoever deal with this shit. I have so much else on my plate.

[00:11:34] Both parties are talking past each other. I just need you to take them apart. And particularly when it comes around to technology, these are where these things are becoming increasingly important because they're saying, look, so much of the world is data, it's digital. It's stored on complicated devices.

[00:11:50] And it's not like it was in the early days where it was just getting an email box, I'd go pop, you know, side off of a computer, image a hard drive, log on to an Exchange server at three o'clock in the morning and do my data collection

[00:12:03] and dump mailboxes then. These are much more complicated data sets. These are logs, you're a federal data. These are things that are running in ways that we've never seen before. And the data can be exponentially bigger in storage and volume if we have to do preservation things.

[00:12:19] So all these things that have really existed in my life have come into this odd way of doing the special master work. And I really sub-setted it into the ESI special master work. So electronic control, that's really my subset. There's other functions of special masters under rule 53

[00:12:38] and you know, there's different type of special masters doing different things from dam, like I said, Ken Feinberg doing damage calculations and all these folks that do it only handful of people do the ESI stuff. And through this process, we've also realized particularly just gotten in the news

[00:12:55] is there's one there's a need for it, the judiciary needs it. There's a few people that can do it really well such as myself who can really assist the American judicial system and these judges get through things. But the caveat is the word special master

[00:13:11] has some negative connotations in history, particularly the word master, we've seen it in IT and we do live in a world where, and you know this, I've been a big proponent of diversity, equity and inclusion and I had to really kind of accept that

[00:13:23] that the word special master as much as I want everybody calling me that is not special anymore. And so through the process, the Merrill Hirsch great guy who's a special master as well but ran the honestly, I think it was like the special, I forgot what I see,

[00:13:42] I already forgot the name of our group before it was a special master sometimes but we changed the name to court appointed neutrals. It's a much more acceptable term but it also reflects more of what we do. If you look at some of the earlier

[00:13:53] religious special masters it was like, oh they would do trial work and they'd do this as like, I do pre-trial discovery work. Like I'm like half the stuff I do, all the stuff I do is a number of trial,

[00:14:03] it doesn't fit in the mold of what most judges think of what a special master is, even litigators and there's a lot of education. So we decided the best thing to do is really kind of change the name that better reflects what the pool

[00:14:14] of people that do these functions are and be more inclusive in it. We've seen it reflected in even some of the judiciary's that said, look we just don't want to use that word master. It's got, you know, in our culture

[00:14:26] where words been used and what this district court is ain't gonna fly. And so we've now, when you hear the word special master and court appointed neutrals, they're very much interchangeable but we're in a process right now through these groups of amending

[00:14:40] or updating changing the ABA model rules around the word to be court appointed neutral. And the hope is at some legislative session, and I'm unfortunately less hopeful in the current judiciary subcommittees right now, they don't tend to be so favorable towards diversity, equity inclusion

[00:15:02] based on some of the things I said in the last two weeks. It's gonna be hard to change that word on the federal's and federal procedure but at some point rule 53, we're amended to do that. So long story is that it's a very unique function

[00:15:15] that exists to help and assist judges deal with very bespoke issues where I sit is around doing these things that fall around data privacy, cybersecurity. Sometimes those come into effect in these things and like some of the cases I have, it's been a data privacy, data security

[00:15:36] and electronic discovery. It's been all these things at once. Sometimes it could be just the ESI capture but really set these processes through that demystifies the things and really gets things done faster, more efficiently and more cost effective for everybody. And that's really the function for me

[00:15:53] is as I look forward is this is a cool place to be and it's the accumulation of so many things I've done. I really do enjoy the litigation work. I enjoy helping people miss. It's kind of cool to be working with these federal judges and seeing

[00:16:05] some of these folks are pretty esteemed and they're famous in my eyes at least the litigation and help them get back to doing what they do better, give them some more time with their family during the weekends.

[00:16:17] Even when I say with CISOs, what do you do with Splunk? I was like, I give time with CISOs, I give CISOs back time with their family during the weekends. I'm hoping it was doing the same thing with the judges. There's this stuff can get very needlessly complicated.

[00:16:28] My goal is to distill this stuff down in a way that's understandable, solves the problem at hand. Is it gonna be perfect? No, there's no such thing. Don't let, you know, perfect be the enemy of good and just get these things done and that's really my functioning role

[00:16:42] and where I kind of hang my hat these days. Nice. So you've got a consultancy as well. I'd be remiss if I didn't ask about that as well and where people can find you. Yeah, so don't go to the website

[00:16:57] because I have to get that up at some point. Actually, it find me on LinkedIn but yeah with the self consulting as a consultancy I've been doing the special master work on but we're really also focused on the other aspects because there's so much that gets in this interchange

[00:17:10] and I have to stay abreast aware and fresh with this and I really do enjoy doing the CISO work. So some of the things we're doing now is, look, there's a wide berth of consulting services and cyber that I've done in the past 20 years

[00:17:26] but what do I do in the month? And that's, it's seeing progress. Seeing companies and organizations get their program off the ground and moving and going in the right direction. So most organizations have 50, 60 different types of solutions in their environment.

[00:17:44] None of them are working well, none of them are orchestrated. Organizations have made incredibly good investments in technology. Like I said, most of these infrastructure companies early now, cybersecurity, they still look at the OSI model. The OSI model hasn't taken a dramatic shift. Now you're still dealing with,

[00:18:02] a lot of layer two, three, four issues and okay, you probably invested in good Palo Altos, Cisco, Check Point, whatever it is. Like you probably have good technologies probably configured poorly because you know what the underlying rules are all the same that might call it differently, which is

[00:18:16] another reason why I hate cybersecurity at times is because we have to have every firewall vendor having a different name for the same goddamn thing but I digress. It's just, that's where I want to say I want to see these companies get achievable results in the short term.

[00:18:30] I don't like this idea that we can't build a governance program, it's just too thorny so we're never gonna do them with bullshit. We just take the step by step, let's do this and like I said, I look at it almost as like I'm a personal trainer.

[00:18:44] Yeah, I'm gonna help you get to your goals. I'm gonna tell you also not to pick up that AI or ML machine because you're not ready for it. You're gonna hurt yourself and then you're gonna be out of the game for three, six months.

[00:18:56] Let's start with the basics. I want to see you do some body weight squats. There's some banded rows, like we're gonna start you off small and get you on. Couch to 5K before you go to the marathon. Yeah, yeah and it's, like I said,

[00:19:09] it's these people get really attached to them. Why hate cyber security? They're getting sold these solutions that they're not ready for. They don't have that level of program maturity and they're sold at the idea that well, you're not perfect so therefore you need this.

[00:19:22] Okay, but there is no perfect so stop tricking people on that and then they feel like they shouldn't buy it and when they do buy it, they were led down the long path because they were gonna be perfect and they're never gonna be perfect. It's annoying.

[00:19:31] So to me it's like, okay, let's assess where you are going. And so for me it's this kind of office of the CISO jumpstart kit where we come in and in one year's time our goal is to get the hell out which is again, pearl clutchy

[00:19:47] to a lot of the consultancies that are out there because I think there's so much of this and our goal is to really land and expand and stay and you can do it with other services but my goal is to basically get them to a point of self-sufficiency.

[00:20:02] Kayla Watson who's a friend of mine and the wife of Chris Wasserman who you know at assessment first and I was talking to her the other day and she's at this company anecdotes that does a pretty cool platform for compliance management.

[00:20:17] And she's like, here's me giving my pitch she goes, so you're hinge. I was like, what? She's like, here's a dating app hinge. You wanna help people get so successful they delete the app. I'm like, yeah, I wanna get to after 12 months they delete the Doug app.

[00:20:31] That they feel that they've met their goals not to sit there and get them on a subscription basis for every month where I can go get VC funds and rounds and pat myself on the back for the amount of money I can milk out

[00:20:44] of somebody unnecessarily year after year. So it's really the goals to get in, get out build out their program and find them the right type of CISO maybe coach their CISO that they're bringing in to doing more of this business talk. I think one of the challenges

[00:20:57] that I'm seeing in you mentioned is that there's gonna be that point of year for another like, well, they're gonna want you like you talk business as well as the tech and you bring in somebody that's too tech they're gonna still want you. So to me, that's okay

[00:21:08] well let's coach more people in the industry let's make the idea scalable not to a person and if we can get more people that are you know, good tactical CISOs and security leaders to be more business oriented I think we can solve a lot of these problems.

[00:21:23] I mean that's an industry is a community problem so I wanna stick with that. So yeah, that's what we're gonna be doing in cybersecurity and then on the data privacy realm is really I get this idea of, you know what's the value of a record? There's data breaches

[00:21:39] and I've done created a grade of data breaches from first call going in there and collected data all the way to breach notification lists and help them put together. I was at several companies where I did the breach notification lists we had to build those

[00:21:53] what people don't realize and I think whether it be folks that receive these notifications or possibly plaintiffs counsel or other regulators that are very reactionary to oh my God, 500,000 people were impacted by this is the data's not organized in a way that you think it is

[00:22:10] it's not a spreadsheet. The breach notification list is a goddamn mail merge we had to build that it's really, really, really, really hard and expensive. Attackers don't do that. They're gonna look at this and go shit data set not gonna use it move on.

[00:22:22] Attackers are more business savvy in that sense. They're gonna know that once they get the data they're gonna use what's valid but what's not granted they do likely have some back dark web databases that rival some of the credit bureau monitoring and data brokerage stuff which

[00:22:36] but you know, in the end of the day it's like okay is every record worth the same? I grew three times in the last year gotten divorced I've gone through all these things in my life my digital footprint and personality are very different than who I am today.

[00:22:50] So if I get notified because you think about the the dwell time by the time of the investigation done a notification nine months after the incident really occurred that data's super stale and yeah there's definitely reasons and times for people to be notified

[00:23:08] and for there to be a regulatory oversight investigation but I question it all the time so working with some of the folks understand on the kind of on the dispute data privacy consultancy side is what's in the environment? What's at risk?

[00:23:21] And when there are these things, should you settle? Should you fight it? Should you just say okay look only 20% of these people really have data that's valuable to anybody. The rest of it exists on the dark web they've been breached numerous times before.

[00:23:36] Now we're not gonna pay this person $500 for their lives being so negatively impacted. So there's different ways of looking at that. And I think that becomes a proactive service too and this is this accumulation of everything I wanna do is look at the data

[00:23:49] I wanna be able to do these data models inside organizations to say here's your riskier data this will help corporate governance this will help insurance underwriting for cybersecurity policies that are traditionally looking at the infrastructure and other things that don't really represent where the risk is

[00:24:05] but if we can actually look at the data and tell you where the risk is on one hand we don't really where the value is how long has this data been there? What is it? Is it stale? And I can't tell me the number of times

[00:24:16] I've done data breach investigations where it's a stale marketing database so you sell it to a notifier and why do you have this? Well, we collected it all and we thought we were gonna use it one time and we never did and I was like well great

[00:24:28] now this data has zero to no value but just cost you a million dollars on legal fees and breach notification of why do you see that that's not worth it and they're like yeah we get it now well what if we can do that proactively

[00:24:38] just go in and say purge this data or it's duplicate and really do true data mapping that needs to be done that's never existed so contextual data introspection inside enterprise environments to really say here's your risk areas and here's what you should do and here's your value. Excellent.

[00:24:56] Thank you for joining me for another episode of Cyber Security Interviews. Next week join Dan and I as we talk a little bit more about my frustrations with the industry and where I see we need to go. Thank you so much for joining us today

[00:25:09] on Cyber Security Interviews. I hope that you enjoyed this interview as much as I did. Please go to cybersecurityinterviews.com where you can find every episode including show notes and links for each guest. There you can also find social media links

[00:25:24] and just sign up for new episode notifications. Thanks, we'll talk soon.