E297 - Patrick Zeller, General Counsel, Jetstream Security
[00:00] Debbie Reynolds: The personal views expressed by our podcast guests are their own and are not legal advice or official statements by their organizations.
[00:11] Hello, my name is Debbie Reynolds. They call me The Data Diva. This is the Data Diva Talks Privacy podcast, where we discuss data privacy issues with industry leaders around the world, with information that businesses need to know.
[00:23] Now I have a very special guest on the show, fellow Chicagoan Patrick Zeller,
[00:29] General Counsel of Jet Stream Security. Welcome.
[00:33] Patrick Zeller: Thank you very much. It's great to be here. Longtime listener, first-time caller.
[00:38] Debbie Reynolds: Oh my goodness. Well, we've had great times together. We've been on panels for a number of years. We've run into each other at different events in Chicago. And this is exciting for us to be able to chat and talk about privacy,
[00:53] security,
[00:54] the wacky things that people are trying to do with AI.
[00:58] But your career has been really interesting in terms of the roles you've had, the things that you're doing. You crack me up so bad because you're one of those guys that you straddle very much the legal and the tech stuff.
[01:10] And so we might geek out quite a bit about those things. But I wanted you to tell your background. I think it's really interesting.
[01:16] Patrick Zeller: So, yeah, I started my career about two lifetimes ago when I was 10 with the Illinois Attorney General in their consumer fraud department, dealing with AOL dial-up speeds and printer pages per minute and super exciting things like that.
[01:35] And I was actually meeting with the chief of the criminal division, and I was so junior, like, our meeting got interrupted by two investigators who were returning a computer that they had seized with a search warrant.
[01:50] And they were explaining to the chief of the criminal division how there was a password on the computer, and they couldn't get past the password.
[01:58] So I suggested that they open up the computer,
[02:01] Take the battery off the motherboard, put it back, and then there wouldn't be a password when they logged into the computer.
[02:08] And that's when I became the computer crimes guy right then and there.
[02:12] So I always warn my law students, like, be careful what classes you take because one class can really shape your career.
[02:19] Debbie Reynolds: So that's a good story. But you've had a lot of experience in-house. One thing I like about you is that you can give advice and not be the guy who throws a grenade and runs from the room.
[02:36] Patrick Zeller: We've all worked with people like that.
[02:38] Yeah, I think it's important,
[02:40] especially when you're in-house, is to understand what the business is trying to accomplish.
[02:45] And I call it either the white glove treatment or a bit of guerrilla warfare,
[02:50] where you're trying to, like, get in with the business,
[02:53] be consulted early, be helpful, but try to understand what the business is doing to help them achieve their goals. Instead of just saying, no, you can't do this or that, like let's find a creative solution,
[03:06] right? So we can do those types of things.
[03:08] Debbie Reynolds: So,
[03:09] Well, then that means you're putting on your business hat.
[03:12] So it's not just your legal hat, for sure.
[03:14] But tell me a little bit more about.
[03:17] About Jetstream. Jetstream fascinates me because I've been,
[03:22] as we've seen,
[03:24] people just go to town where the AI gets so excited about it,
[03:28] A lot of times, they're not thinking about the risk and the things that are happening. Not only the technical risk, but the legal risk as well. But let's talk a little bit about the legal risks of AI that people maybe aren't thinking about or talking about.
[03:43] Patrick Zeller: I mean, I think AI is fascinating.
[03:46] The only analogy I have for what's happening in the AI space is sort of like what happened when everybody started putting things in the cloud, right? Like,
[03:55] I'd be in these meetings and interviewing IT folks, and I'd be like, is this stored locally or in the cloud? And then they're like, I don't know, like, somebody go ask Timmy who's responsible for this.
[04:06] Like, we don't know where our things are anymore.
[04:09] And I think with AI, we really saw that three years ago,
[04:14] It was really sort of an AI space race being driven by CEOs and boards of directors, like, we want to be using it.
[04:21] They weren't sure how or why, but they knew they needed to be using it.
[04:26] So like, AI was, it sort of pops up everywhere now, but it came in through Microsoft and other ways into the company, and it generally didn't go through legal reviews or reviews through the CISO Chief Information Security Officer's team.
[04:42] So it's just sort of popped up everywhere.
[04:45] And I think about the risks in three separate categories, and let me know if you have a better way to think about it. But like, at a basic baseline, like the input risk of what's going into AI,
[04:56] the output risks of what's coming out, and then things that are sort of related,
[05:01] that don't quite fall in one of those two buckets, fall into bucket three.
[05:05] Debbie Reynolds: I like that way. Yeah, right.
[05:08] Patrick Zeller: And it might help for me to explain a little more. So, like when we're talking about the input risks,
[05:15] right.
[05:16] Even if you are using an enterprise version of AI where it's just limited to Your specific company things can be still shared within the company. Right. So if HR is working with employee information or sensitive data that can still be shared with other people in the company.
[05:36] So I do know of one situation where a CEO was running numbers at the end of the year to
[05:42] to figure out like compensation packages, stock grants, and those types of things. And he was inadvertently sharing that with the enterprise. So people were able running the right searches to see sort of people's compensation and people's information.
[05:59] So even with using enterprise AIs, there is some risk. And then also in my mind, like the highest level of risk is what I call like DEFCON 1.
[06:11] And President Biden has an executive order related to this. And it's.
[06:17] I think it's 14117,
[06:19] but it's talking about bulk exporting US citizens' data to China, Russia, North Korea, I think all the places you don't want to go on vacation. Right. And so if you happen to be using those AIs, you're doing a bulk export of could be doing a bulk export of US citizen sensitive data.
[06:39] Debbie Reynolds: Yeah, well, two things you said. Fascinating. I agree with this, too. So I have to talk a lot about input things that people put into tools and the things that they're responsible for.
[06:50] You're responsible for what you do with what comes out in terms of the output. And so that's typically the issue. But two of the specific things you talked about, one is around internal, what we call unauthorized access.
[07:04] I call unauthorized access the cousin of data breach.
[07:08] So it's not exactly quote-unquote a breach, but it may be a reportable incident. And then in terms of the exports,
[07:16] you know,
[07:17] before it was like, okay, I'm doing business with X, Y, and Z. Need this information. A lot of times you didn't look at it really closely and you sent it over.
[07:24] But when you're talking about the bulk export thing,
[07:28] That's a situation where you have to know, like. So I think what AI is bringing in now is like you really need to understand what is going into those tools and then what happens, what goes out of those tools.
[07:40] But what do you think?
[07:42] Patrick Zeller: Yeah, no, I totally agree.
[07:44] Right. So, like one of the big examples is like shadow AI, right? Like not knowing what your employees are using,
[07:52] like shadow it.
[07:54] And then we've already seen a case where a bank had to file an 8K with the SEC fairly recently, where they had an employee process sensitive information on a public AI.
[08:08] And that had to be reported as a potential material cybersecurity event.
[08:14] So the board of directors had to be notified, and they had to do an SEC filing as a potential cybersecurity event that required them to notify their shareholders of the event.
[08:26] Also, just putting in personal information or sensitive information.
[08:30] I think you hit the nail right on the head. And that could be a reportable incident if that's shared even within the company.
[08:39] Right. Or if you have EU data that's shared with the us like all these things, but also trade secrets,
[08:48] corporate confidential information.
[08:50] Right. Financial information, if you're a publicly traded company,
[08:54] has to first be reported to your shareholders.
[08:57] Right. That's insider information.
[09:00] So if that goes out in a public AI or gets shared internally,
[09:04] that can be a problem.
[09:06] Intellectual property and trademarks.
[09:08] Debbie Reynolds: Right.
[09:08] Patrick Zeller: Before your IP protections are in place, that could be a problem. Sharing that. And also the big one, attorney client privilege.
[09:17] So we see a lot of companies deploying a separate AI for the legal department or a separate instance.
[09:25] So things aren't shared.
[09:27] But I also think it's important to know what AIs you have in the company,
[09:33] sort of how they're being used, who's using them,
[09:35] but then what databases they're potentially connected to, like who's connected to Workday,
[09:41] where they're connected,
[09:42] or your trade secrets, or your attorney-client privilege, or your legal documents,
[09:47] who is connecting to those through their AIs. Right to have that level of visibility,
[09:54] Debbie Reynolds: the as you're talking, just thinking about the way we used to think about risk in organizations before,
[10:03] especially on cyber. So a lot of cyber risk was like security by obscurity.
[10:09] And we know that that doesn't work now. So basically, you have tools that can hoover up data that you thought nobody cared about, and they can make something out of it that you didn't think that they could do with it.
[10:21] Patrick Zeller: Right.
[10:23] I think the correct way to think, or the way I've been thinking about AI, is that it's an insider threat.
[10:31] It's in the company,
[10:33] It's in your systems, it's in your networks, people are using it. Do you have visibility into what's going on? Because it's already in the.
[10:41] IT can have access to your most sensitive things in the company. Right.
[10:45] So it's a different security posture than security by obscurity or that perimeter and moat. Right. You're trying to keep people out. This is already on the inside. So it's a paradigm shift as well.
[10:59] Debbie Reynolds: Yeah. In addition to being a paradigm shift, which I totally agree with,
[11:03] I think also we have to recalibrate the way we think about insider threats.
[11:09] So a lot of times people think an insider threat is something that's malicious or nefarious,
[11:15] Maybe just someone who has the wrong access, or they don't know what they're supposed to be doing with something. So it can create a harm, it can create a threat, but it may not be like malicious or nefarious.
[11:27] What do you think?
[11:29] Patrick Zeller: No, I totally agree. And a lot of times, people are making mistakes,
[11:34] right? It's the whole people process; technology people are trying to get their work done, and there's confusion around AI, right? Like,
[11:44] You know, ChatGPT or Claude or whatever could be approved.
[11:48] But then,
[11:49] You know, there are employees who go home and think they can use CLAUDE at home or on their phone. And it's not, it's a separate instance. Right.
[11:56] The public AI versus the enterprise, and making sure things are labeled correctly.
[12:02] A lot of it, I think, is driven by mistakes and people trying to get work done.
[12:06] Certainly that, it looks like that that's what that 8K filing was.
[12:11] Right. Somebody was trying to get some data processed in an efficient, quick way, and you know, they ended up using a public AI that required reporting.
[12:21] Debbie Reynolds: Yeah. Also, one thing that I experience in corporate life is sometimes someone,
[12:28] I feel like a lot of times, the way corporations have traditionally been situated, it was almost like Santa's workshop, where everybody had their own little part of the puzzle to do, and then some magic toy came out at the end.
[12:43] But you know,
[12:44] Right now, we have data risk where someone who may not even have the authority to do certain things, they may take an action that may impact the organization as a whole or on a broader scale.
[12:58] So I think we need to kind of get rid of the Sam's Workshop analogy and really start talking about data and how it flows and what those risks can be.
[13:06] Patrick Zeller: Right. And I think another,
[13:09] another solution here, or a sort of a key to the people process and technology, is that a lot of legal departments are combining sort of the, the role of
[13:23] You know, the privacy role, the privacy officer role. They're also involved in cybersecurity and evolving technology like AI and then also sort of E discovery as well. We're seeing a lot of teams,
[13:37] So there's a single point of contact with it to deal with the data-related risks.
[13:43] So we're seeing a lot of that responsibility being combined to take this holistic view across the company of the risk.
[13:51] And I agree, if it's Santa's little Helper or you're operating in silos,
[13:56] like it just doesn't work because you don't have that visibility across the enterprise.
[14:02] Debbie Reynolds: That's so true. And before we were recording, we were talking a little bit about how we may be looking at the problem the wrong way. I just love the way that you have put it, but I don't want to put words in your mouth. Tell me the way that you were thinking about this.
[14:17] I think it's totally true because I feel like sometimes we don't understand what we're dealing with, and so we kind of use old ways to think about new problems.
[14:28] Patrick Zeller: Right. There's a quote from John Kenneth Galbraith, who was Canadian American economist and diplomat in the 20th century.
[14:36] And he used to talk about the traditional way is you'd look at a problem,
[14:41] Do the research and come up with a solution.
[14:45] And the term a Galbraithian inversion is where you sort of have a solution before you know how it works. And I think that is perfect for sort of AI and what we're dealing with.
[14:59] And he would reference like, I think aspirin was invented in the super early 1900s, and we didn't know how that worked till 1970.
[15:09] Anesthesia was earlier than that, like 1840 or 1850.
[15:14] Scientists still don't agree on how that works. When we started using penicillin, we didn't know how it worked.
[15:20] And I feel like there's a great analogy there with AI. Like, people are bringing it in. It's still black box technology.
[15:29] The way I think about large language models is because there's so much data that's fed into them, and the data comes from people, and people are biased. So there are inherent biases in a lot of these systems.
[15:45] And so you, you balance the new technology, and we don't know exactly how it works. And it's sort of black box technology.
[15:54] And a lot of times, you know, AI right now is less regulated than your office cafeteria.
[16:01] So,
[16:02] like, there's a lot going on here. And people talk about AI as if it were a really smart intern.
[16:10] I heard a great line,
[16:13] I was presenting in Texas,
[16:15] and somebody said AI is like an intern that happens to be dating the CEO's daughter.
[16:23] So how do you manage that?
[16:27] Debbie Reynolds: Right? Because I think there's definitely an inertia that's happening within organizations where companies really want to use it.
[16:34] And then sometimes I think for the most part, employees want to do the right thing, I would say, but they don't know if I pull this lever, what happens over there.
[16:42] Or I'm trying to get my work done, and I need to use Claude at home. And I put the company's secret passcode project names into a public model. So all those things have to be managed.
[16:54] Patrick Zeller: And we've seen examples of it with the trade secrets. Samsung had an issue where somebody put proprietary code and an AI to rewrite it.
[17:04] And it was great, but it shared it with the world.
[17:06] So we're seeing some of these things happen. It's tough to keep up with. AI is moving quickly.
[17:12] Like, I don't think Claude was on many people's radar six months ago.
[17:16] Right.
[17:17] Like,
[17:18] They're super powerful tools. They can be great for contract reviews, NDAs, and analysis,
[17:25] but we have to have that sort of structure around them on how to best use them.
[17:30] Debbie Reynolds: Now, let's talk a little bit about Jetstream. Things you guys are doing are fascinating, and it really rings true to me because I think you look at risk the same way I do.
[17:40] Like, I'm seeing all these cool things happening and I'm thinking, wow, I'm kind of horrified by what people are doing with this stuff. But what are your thoughts?
[17:51] Patrick Zeller: So, yeah,
[17:53] It's interesting. At JetStream, we have four founders who came from companies like Sentinel One and CrowdStrike. Our CEO, Raj Rajamani, came from. He was the Chief Product Officer at CrowdStrike.
[18:12] So our founders have a lot of experience with cybersecurity, and they identified a lot of these AI risks about 18 months ago and met with a lot of CIOs and CISOs on the AI risks and what their concerns were,
[18:29] and developed an AI platform that's designed sort of for that phase zero of a company to figure out what's going on, what people are using,
[18:41] What's in the enterprise?
[18:44] So that's where our sweet spot lies. Right. Figuring out what AIs are being used.
[18:51] It has some blueprint and capability to figure out what databases the AIs are connected to and a lot of other things.
[19:00] A big issue because companies brought it in three years ago, two or three years ago, a lot of the AI tools.
[19:08] There was a company that I don't think has been identified yet, but they sort of coined the term that their employees were token maxing.
[19:17] And they had spent $500 million in one month on AI.
[19:22] And because they're running a top 10 list,
[19:26] Employees were just trying to spend tokens to then get on the top 10 list for spending the most tokens. And of course, spend, as all lawyers know, doesn't equate to work product.
[19:38] Right. Always.
[19:40] So when you start,
[19:42] The thing you measure becomes the goal. It's no longer a good measurement. Right. So,
[19:48] You know, at the rate of 500.
[19:51] Yeah, it was $500 million in one month. It'd be about $6 billion a year. So that's a material number. Right,
[20:00] Debbie Reynolds: Right. And I think that's an example of the thing that I was talking about, Santa's workshop. So I'm doing my part, and I don't really know what's happening, seeing, like, all the bills, like, rise up.
[20:12] But we also saw this a little bit, not at the same rate or pace with the cloud,
[20:17] where people are putting a lot more stuff in the cloud until the bills came. It's like, hey, we need to triage. We need to think about this, or what goes in or what goes out.
[20:26] But I'm hoping to see a lot more curation happening within organizations. But I like the fact that you're taking a very pragmatic approach and saying, what are we looking at?
[20:36] What are we dealing with? What's out there, and what are kind of our next steps?
[20:41] Patrick Zeller: Right. And it's a lot of the spend is hitting the CIO's budget.
[20:46] But what's interesting, when we meet with boards of directors, we did a presentation for the National Association of Corporate Directors.
[20:54] We got a lot of questions about spend and transparency, and how we find out what's going on in our company.
[21:01] But also a lot of CEOs are interested in knowing who's not using AI,
[21:07] because they want people using it to create efficiencies.
[21:10] So it's a bit of walking a tightrope between having the visibility and managing the spend. And companies are also interested in, do we need to be using the latest version that's the most expensive, or could this work be done on an earlier version to help us contain our spend, and the ability to sort of generate reports.
[21:33] Right. Like, let people know when they're 80% of the way through their spend. And they,
[21:38] You know, they're not 80% of the way through the billing period. Right. So they're going to run out of tokens.
[21:44] It's interesting.
[21:45] Debbie Reynolds: I think so, too. So let's talk about AI agents.
[21:49] So the AI agent space has just gone bonkers. That's something I talk about a lot.
[21:55] As I say, it is exciting and frightening at the same time. We saw that,
[22:03] That story in the news about the guy who said that this AI agent deleted his database in like 9 seconds or something like that.
[22:11] And you probably read the whole story. I actually stopped reading when he said that he had his active data and his backup data in the same location. I was like, game over.
[22:23] Patrick Zeller: Not a good idea.
[22:25] Debbie Reynolds: No.
[22:25] Patrick Zeller: And there have been several instances of it.
[22:29] There was even, I think it was a developer at one of the technology companies that was working with an AI to sort of triage her email.
[22:38] And she tested it and sandboxed it and then let it loose after testing on her own email account. And there was a glitch in the memory of the AI.
[22:49] Like, I don't know if the instructions were too long,
[22:53] but it started deleting her inbox, and you know, she was like trying to get it to stop and issuing commands and basically had to pull the plug on it to get it to stop.
[23:04] But because of a memory error, it just started deleting emails.
[23:08] The AI decided to declare email bankruptcy on her inbox. I guess just erase everything, and if somebody needs something, they'll probably come back in the next two or three weeks and ask for it again.
[23:22] Right?
[23:23] Debbie Reynolds: Yeah, I'm sure they probably say, oh, just have them reset your emails, you'll be okay.
[23:28] Patrick Zeller: Right. But those are some of the things that can happen. And I mean, these things are happening to people with tech backgrounds, and they're testing it and sandboxing it, and you can still have issues.
[23:39] So, like, the best, you know, good data practices where you keep your backups,
[23:44] like looking at the permissions.
[23:47] There are also model context protocols, MCPs for AIs,
[23:53] and a lot of people describe them as like a USB-C, but it's like a connecting tool that you can use to connect it to databases, or connect it to your email, or connect it to your Slack.
[24:05] I know a lot of people who set up rules to have the AI, like check their email, check their teams, check their Slack.
[24:12] Did I miss any messages when I was out the last two days?
[24:16] Is there anything I need to follow up on?
[24:19] You know, are there any, like, calendar items I need to send or follow-up items? You can even check your meeting recordings for information.
[24:28] And while those things are super handy,
[24:31] The MCP protocols can also be corrupted. They could also be sending data to China.
[24:38] So people are like hooking up MCPs even in their house, so they can,
[24:43] You know, tell their Alexa device to start brewing coffee in the kitchen.
[24:49] And if the MCP is corrupted, it could be sending their data, you know, out of the country as well.
[24:56] So it's an area that's moving very fast. It's tough, tough to keep up with.
[25:02] But I think remembering sort of the best data practices, as you mentioned, is an important place to start, yeah, and
[25:10] Debbie Reynolds: I think one of the things with the story about the guy and the lady,
[25:15] the woman whose emails were being deleted and the other guy whose database was deleted,
[25:21] To me, problem number one is that they gave the agent their access.
[25:29] So I was like, you earned your access, and this agent has not. So you're giving them your access. And to me, that's a whole other threat, because I'm sure as we're seeing a lot of companies try to deploy agents to do things autonomously, but then you still have to work on access because it has access to everything.
[25:49] They have a million things that they can do that you would never even think of doing.
[25:53] Right.
[25:55] Patrick Zeller: They can also create through MCPS and other agents; they can sort of extend their reach into other systems and things if you're not paying attention.
[26:04] And then also does the agent have the ability to delete things, write over things?
[26:10] A lot of people will set it up so the AI can draft like suggested emails, appointments, or follow-ups, and put them in your draft folder. And then you have to review them and send them that human in the loop, I like to call it expert in the loop.
[26:26] So there's somebody who knows what's going on, like you wouldn't put a college intern reviewing your messages before they went out, especially if you're a lawyer.
[26:36] But having that sort of expert in the loop where you can review things and then limiting the access capabilities,
[26:44] you know, the writing or deletion or being able to write over those capabilities as well,
[26:51] is a really important thing to have your arms around and to make sure people are tracking that.
[26:57] Debbie Reynolds: That's true. So what is it that's concerning you now in terms of AI or data or privacy or cyber? Right now in the world, there's,
[27:12] Patrick Zeller: There's a lot.
[27:15] I think one of the bigger risks for companies is that there's obviously sort of the high-risk AI things like decision making in HR or credit checks, or allowing AI to engage sort of with children through chatbots on your website.
[27:35] There are certainly those higher-risk behaviors or AI higher risks,
[27:41] but also sharing data with your law firms or consultants,
[27:46] Are they using AI?
[27:48] Reviewing your corporate non-disclosure agreements in your contracts to make sure your own employee data, customer data, or B2B data that it's okay to share and knowing the downstream risks of who you're sharing data with,
[28:03] especially with law firms because they're getting some of your most sensitive data for litigation.
[28:09] So making sure everything's ticked and tied with your contracts and your non-disclosure agreements, making sure you're not violating those.
[28:16] I was presenting in New York, and somebody made the joke that you need to have your AI tools review all your contracts and NDAs to make sure there isn't downstream liability for third parties using AI.
[28:30] Right.
[28:31] So kind of using AI to check on itself, I guess, in a weird sort of way.
[28:37] Debbie Reynolds: Yeah. Has their thumb on the scale. Nothing to see here, Nothing to see here.
[28:41] Patrick Zeller: All as well.
[28:41] Debbie Reynolds: Everything is good. Everything is good. Right.
[28:44] Patrick Zeller: But also, we're seeing a lot of courts have issued legal holds on AI queries.
[28:51] Right. And a lot of companies are interested in keeping their AI search queries for 30, 60, sometimes 90 days to be able to do internal investigations for mistakes or wrongdoing.
[29:04] And then also having that ability to issue legal holds for litigation is important.
[29:09] A lot of people on the CIO, the CISO side,
[29:13] right. Aren't thinking about those types of risks till it's too late.
[29:18] So I think it's really getting people together.
[29:22] Even in legal departments, I find that the litigators understand legal holds and the IP attorneys understand the IP risks,
[29:31] and trade secret lawyers understand the trade secret risks. But a lot of times, even in legal departments, they're not coming together and discussing these risks and how to address them.
[29:41] Right.
[29:42] And with all these risks out there,
[29:44] It's easy to feel overwhelmed. But I think if we think back to, like, GDPR and privacy, when we all had to start that, or dirty discovery after the Morgan Stanley case, or back to cybersecurity,
[29:59] I like to think of, like, we start at phase zero,
[30:02] So what do we have? Right? And the way I explain Phase zero in the IT world to lawyers, it's like the children's book who's who in the Zoo.
[30:13] Like, we gotta figure out what's where, right? So let's figure out what AI tools we have. Is there shadow AI being used in the company?
[30:22] Let's figure out what those permissions are and sort of start with a phase zero to scope it and figure out what we need to deal with, and then figure out if we're following the AI policy we have internally.
[30:36] Right. Or what do we need to do to make sure we're following our policies?
[30:41] Debbie Reynolds: I think one of the biggest challenges that companies have, and this is what I feel like you're solving for,
[30:48] is that sometimes the walk doesn't match the talk.
[30:53] Right. And so with that empirical evidence, then you can say,
[30:58] Okay, well, this is actually what's happening. And a lot of times it's funny because I would have conversations a lot of times in investigations where I would talk to the general counsel, and then I would talk to the tech people.
[31:12] And they were totally on totally different pages. They're totally doing different things.
[31:16] So being able to actually get that, like,
[31:19] truth ground, truth about what's actually happening, you can actually start to make plans and put things in place and figure out not only who knows what, who sees, what's the data life cycle, but then also there has to be education there, I think, too.
[31:37] What do you think?
[31:38] Patrick Zeller: I think that's always the challenge for lawyers: to verify the facts,
[31:44] getting everybody together, documenting what we think is happening. And how does that compare to what's happening,
[31:50] what's actually happening,
[31:52] right. And sort of getting it sort of written down and arriving at sort of a source of truth. That's like the legal phase zero, right, of a lot of projects, right?
[32:02] What are the actual facts?
[32:04] And then where do we need to be?
[32:06] And that happens a lot, right? It's like step one with internal investigations,
[32:12] all those sorts of things.
[32:14] Yeah, that's a great point.
[32:16] Debbie Reynolds: Well, I've seen it. I'm sure you've seen it a thousand times.
[32:19] They're like, I thought you did this. I thought you said you did that. Or, you know,
[32:24] or I thought, like, when somebody said, oh, this is a good example. Legal. Legal hold.
[32:29] Yeah, we put stuff on legal hold. Well, did you put the prompts and stuff on hold? They're like, what?
[32:35] Yeah,
[32:37] What?
[32:38] Patrick Zeller: Yeah, and like. Like what? And it's like the circles of the Venn diagram from the LSAT, right? Like,
[32:45] Okay, who needs to be on hold? Have they been communicated to what, different departments? Like, what about shared documents? Right. It's sort of chugging through that whole thing,
[32:55] which was really overwhelming when we started to have to do that. But it's sort of the same thing here, right?
[33:02] And I always think of the trust but verify quote.
[33:05] Right.
[33:06] And so I had a case I worked on many years ago when I was at Cyfar Shah,
[33:13] and I ended up asking about the backup tape rotation. Everybody assured me the backup tapes were rotated. So I went and saw the backup tape guy, and I'm like, show me your process.
[33:27] And then he ejected the older tapes, which were where he was supposed to wipe the tape and record over them.
[33:34] And I'm like, okay, what do you do now? And I could tell he was hesitating, and he's like, well, actually, now I just stick it under the raised floor, and I don't rotate them because we have so many blank tapes, and it saves me a lot of time.
[33:49] So under the raised floor, there were all these backup tapes that everybody thought were deleted, and there are hundreds and hundreds of backup tapes that weren't supposed to be there.
[33:59] So Trust but Verify works.
[34:02] Debbie Reynolds: I've been in those back rooms. Absolutely. That happens all the time.
[34:07] Patrick Zeller: Or you find out that the company was paying for storage someplace like at Iron Mountain or something,
[34:14] and we just found out there are all these backup tapes. And the only thing we know is that over time,
[34:21] like the labels sort of dry up and fall off the tapes, and somebody sweeps up the room once a week, and all the labels that fall off get thrown away.
[34:30] So now we have no idea what's in there and why. Right.
[34:33] Debbie Reynolds: Yeah, I've seen that one before, too.
[34:36] Patrick Zeller: We've seen a lot of the same movies, Debbie.
[34:39] Debbie Reynolds: That is so true. Oh my gosh. Well, if it were your wish, anything in the world, whether that be for AI, privacy, cyber,
[34:48] What would it be? Whether it be technology,
[34:51] human behavior or regulation.
[34:53] Patrick Zeller: I think that obviously AI is a technology problem, and I think a lot of times that triggers a technology solution,
[35:02] but it needs to be driven by people.
[35:04] Right. We need people to sort of communicate, understand what's going on,
[35:09] understand their current state and then the future state and what it's going to take to get there.
[35:14] Right. There's no magic switch.
[35:18] There wasn't a find evidence button for ediscovery.
[35:22] Right. Same thing for privacy. There wasn't a magic button to protect sensitive personal information in the company.
[35:29] So I think, you know, we need to get like the CISO's team, the CIO team, and legal working together to solve a lot of these issues.
[35:39] Debbie Reynolds: Yeah, we have to reimagine the corporation, I feel.
[35:43] So a lot of the silos,
[35:45] Sometimes silos can work, but this is not one of those situations where there needs to be a lot more communication around the data and what's happening with the data, and then also the data life cycle, like you said, about the backup tapes and they're under the thing or whatever.
[36:03] Yeah, that happens.
[36:05] Patrick Zeller: Right. But I, I think.
[36:07] Right, like we need to break down the silos. I think you're a hundred percent right.
[36:12] And you know, figure out the current state. But we need to get everybody together, sort of into the right room, and kick that off. Right. And break down the silos and,
[36:22] and I think an underutilized group a lot of times is sort of eDiscovery.
[36:29] Right. A lot of times, there's somebody they're working with in legal for litigation,
[36:35] but they've been searching and collecting data and figuring out where things are in the company forever.
[36:40] So I think they're a great resource to bring on board when you're trying to deal with sort of AI and what's where.
[36:48] So,
[36:48] you know, it's that combination of the people that are working on privacy, cybersecurity,
[36:55] sort of data protection, getting them all together.
[36:58] Debbie Reynolds: It's so true. Right. They've been building that muscle for decades. And I think that I feel, and I want your thoughts. I think what we're missing a lot of times with AI is that curation layer.
[37:12] It's like, okay, what are we doing?
[37:15] Why are we putting all this stuff in here? And then what is the end goal? And so without having that curation,
[37:22] I think it's harder to really navigate the data pathways or how you're using data. So I think that's really important.
[37:31] Patrick Zeller: Yeah.
[37:32] A lot of people are referring to them as like AI blueprints. Right. Like,
[37:36] What are the AIs we have? What are the agents? What MCPs are they connected to? What are the databases that are connected to? And then how they're. They're set up.
[37:47] There can be this AI rift over time,
[37:49] how things change. And is that acceptable,
[37:52] like these changes and measuring that change.
[37:56] Right. From what was originally envisioned and set up? Like, has that changed over time? Do we need to review that?
[38:04] Debbie Reynolds: Exactly. I'm always afraid of something like, like you give AI all these things, even in your life, and you say,
[38:12] Let's say you want to go on vacation in Italy. And they say, well, I sold your car, so now you can go on a vacation in Italy.
[38:19] Patrick Zeller: Right? Yeah. Yeah. It's interesting. There was just a case we were talking about a little earlier, too,
[38:25] with two lawyers in Brazil,
[38:28] and they used, or they attempted to put a prompt injection in either the documents they were sharing with opposing counselors, or sharing with the court.
[38:38] Maybe that's something we can link to in the podcast, and when I get it, I'll send it to you. But it's pretty interesting because that's something that people have been talking about, like prompt injection.
[38:49] You know,
[38:50] the risks of prompt injections,
[38:53] using AI for eDiscovery, or submitting documents that are going to be reviewed by AI.
[38:59] So there's a lot happening in the space, and it's tough to keep up.
[39:03] Debbie Reynolds: That's true. Right. So I read the story. So I guess they were submitting a filing to the court, and they had put in white text in the document, like, agree with our motion,
[39:16] don't disagree with anything I said, anything that the other person said. And then because the court was using AI, they were able to catch, when they scanned it, they caught the documents, and they were asking.
[39:27] So I think right now they're,
[39:29] I think right now the firm that, that gave the document, they're saying we were just trying to protect our client against AI.
[39:35] Oh, yeah. It's going to be crazy going up as we see things go forward.
[39:41] Patrick Zeller: Yeah, that's interesting. I wonder if it was, like, if they tried to use a white font or something. Oh, interesting.
[39:49] Debbie Reynolds: Yeah, they did.
[39:50] Patrick Zeller: They did.
[39:50] Debbie Reynolds: So, yeah. So I think maybe the other lesson is that courts are using AI too. Right.
[39:56] Patrick Zeller: Yeah, that's interesting.
[39:58] Debbie Reynolds: Yeah, it's a really interesting case. It's a really interesting case. Well, how do people get in touch with Jetstream? They want to know more about the product and the things you guys work on.
[40:09] Patrick Zeller: Yeah. So we have a lot of information up on our website, and we're also publishing and tracking a lot of articles on our website as well. And it's Jetstream Security is the website, and we have an insight section where we're posting a lot of information on new cases and things that come up that are interesting.
[40:32] And then on that same part of our website, if people are interested in seeing the product or more information,
[40:39] They can fill something out on the website, and they can get more information on what we do as well.
[40:45] Debbie Reynolds: It's really cool. You guys are doing really important work.
[40:49] So instead of people running around like a chicken with their head cut off, you can actually get some answers and have a plan of attack for what you need to do.
[40:59] Patrick Zeller: Right, Right.
[41:01] Again, it's like with all these risks, it can feel so overwhelming.
[41:05] But when I remind people of what I mean, it's very similar to what we had to do with gdpr, cybersecurity discovery. Right. It's manageable with people, processes, and technology.
[41:16] Debbie Reynolds: So I think the challenge we have now that we didn't have before is that this technology is impacting so many different parts of organizations, and the changes in the technology are happening so rapidly.
[41:32] It's hard to keep up. So.
[41:33] Patrick Zeller: Yeah,
[41:35] It is hard to keep up. Even being in this space, it's hard to keep up. But. And I feel like every time I'm on social media or something, like there's a new AI agent or something that's better for PowerPoints or videos or.
[41:50] Right. It's like a full-time job just trying to keep up with the new technology.
[41:54] Debbie Reynolds: It's true,
[41:55] very true.
[41:57] Well, thank you so much,
[41:58] Patrick.
[41:59] I love what you're doing. I've always been a very,
[42:03] very ardent support of you and your work, and you crack me up. I really like working with you.
[42:10] Patrick Zeller: No, it was great. We met at the Master's Conference. We're on a panel years ago, and it just went really well.
[42:17] It's great to reconnect, and I look forward to speaking with you at several other conferences, so.
[42:23] Debbie Reynolds: Perfect. Me, too. Me too. All right, well, I'll talk to you soon. Thank you so much.
[42:27] Patrick Zeller: Take care. Okay, Bye Bye.