

Brett Tarr - Founder and President, Discovery Advisors, LLC
Career Accomplishments
I am a highly accomplished leader with 20 years of experience solving complex data-centric problems for organizations of all sizes. I am a recognized leader across multiple specialized industries, including Privacy, AI, Information Governance, Legal Operations, and E-Discovery. I bring a holistic, innovative approach across technology, legal, and entertainment industries, demonstrating a unique combination of legal, business, and technical skills that make me an ideal fit for an organization that wants to invest in governing its data in a compliant manner.
Most recently, I have developed an artificial intelligence (AI) governance framework for Collibra, a data governance software company that is actively developing AI-enabled tools within its platform. This AI governance framework includes the development of AI use case intake forms that ask for basic elements of a potential AI product (including inputs, outputs, training sets, inference data, sensitive categories such as confidential/proprietary/PII/client data, levels of human oversight, along with security/access/protocols/additional safeguards). The AI framework itself is focused on ethical AI use principles such as fairness and non-discrimination, transparency and explainability, accountability, beneficence and non-maleficence, as well as compliance with emerging regulatory standards in the EU and several US states.
I have designed and implemented processes to support comprehensive privacy programs that comply with the complex mix of state, federal, and international privacy regulations (including regulatory frameworks such as GDPR, PIPL, CCPA, HIPAA, among others). These privacy programs include numerous assessments, including legitimate interest assessments (LIA), privacy impact assessments (PIA), and data protection impact assessments (DPIA), along with drafting clear privacy policies and customer-facing privacy notices that document how each organization collects, uses, processes, shares, stores, and deletes data for its customers and its employees. Additional elements of the privacy programs I've developed include records of processing activities (ROPA) that are required under Article 30 of the EU General Data Protection Regulation (GDPR) that identify the categories of data that a company collects and uses for various business processes, along with noting sub-processors and others with whom such data may be shared.
I created and launched an incident response (IR) program at Collibra that involved creating both an IR policy and an advanced comprehensive IR playbook that creates a complex categorization matrix, captures detailed workflows for 15 business teams, including specific deliverables, roles, and timelines for each team, and provides clear indicators for handoffs between teams to ensure that all incidents are thoroughly identified, categorized, staffed, and remediated. Outside counsel and external consultants reviewing this IR playbook have uniformly commented that it is the most comprehensive and best-organized IR program they have ever seen.
I designed and built an enterprise e-discovery program for Caesars Entertainment, including implementing multiple technology tools for preservation/collection/review/analysis and a detailed playbook to manage the discovery process from inception to completion. This program was able to document over $925 million in cost savings from 2013-2019 based on the ability to more precisely target, collect, and process data, along with the use of advanced technology tools to expedite the process and reduce reliance on traditional human attorney review. I captured savings of $250 million in leading the response to Caesars' $23B bankruptcy and associated lienholder litigation.
I have created information governance programs that support risk management, compliance, and improved cost efficiencies at multiple companies over the past 15 years. From independent consulting engagements with automotive retailers to the $6B entertainment giant Caesars Entertainment and, most recently, the $300 million SaaS company Collibra, I have been able to develop a combination of process and technology to support the entire information lifecycle that includes creation, communication, storage, sharing, protection, privacy compliance, and targeted disposition of data. Some of the key elements of information governance programs include the creation of company-specific retention policies and schedules, the design and execution of storage structures that meet the needs of each unique business team across the enterprise, and technologies that support the automation of retention and disposition to reduce the manual work required by frontline employees in the company. Additionally, I worked individually with 65 different teams at Collibra to design team-level storage structures that supported the unique needs of each team, then applied retention rules at a granular folder level that enables business teams to have ongoing access to critical business files without over-retaining information that is stale, out-of-date, or would create undue risk for the enterprise. These retention schedules were then codified through the implementation and migration of enterprise unstructured data into the AODocs software platform that automated retention at the folder level without requiring users to add manual labels to any files they create.
Additionally, I have built a legal operations function from the ground up for 3 different organizations, supporting the corporate law department's efforts to modernize and implement technologies that drive cost reduction, ROI, and advanced metrics/analytics to support the legal team as a business partner rather than a cost center for their respective organizations. Some elements of information governance that I have launched include comprehensive vendor management programs that support proper security, privacy, and risk vetting, architecting workflows for procurement, and implementing a procure-to-pay platform at Collibra that was implemented in only 12 weeks. This technology reflected clear workflows for 10 business teams in sequential/parallel procurement processes. It streamlined the contract review process and vendor questionnaires that allow organizations to capture critical vendor/application insights without bogging down the procurement process with extensive throughput time from traditional 200+ question vendor surveys. Additional technology implementations as part of legal operations programs I've built include the design, implementation, and operation of software programs at Caesars Entertainment and EY that address e-billing, contracts lifecycle management, matter management, data mapping, e-discovery, anti-money-laundering, and document management and retention.
As a result of these accomplishments, I have been a frequent speaker at legal and privacy industry conferences for nearly 20 years, having presented over 50 times and published more than 40 articles/whitepapers on a variety of topics ranging from how to build vendor management programs, to building privacy programs in a post-GDPR world, effective ways to build metrics and analytics programs to track law department operations, selecting the right technology for your organization/team, and more recently how to license and use AI in a way that is both responsible and also facilitates trust between the enterprise and its customers/clients. I have become a recognized expert in privacy, information governance, artificial intelligence, legal operations, and e-discovery. My peers regularly reach out to me, seeking guidance and benchmarking data.
EDUCATION
Duke University School of Law
Juris Doctor | 1994 - 1997
Georgia State University
MBA - Business Administration, Marketing, Finance | 2001 - 2003
University of California - Los Angeles
BA - History, Psychology | 1992 - 1994
EXPERIENCE
OneTrust
August 2025 - Present
Global Head of Privacy & AI Governance
Executive Summary:
I am a senior leader driving global privacy and AI governance strategy at a $550M SaaS company, supporting compliance with GDPR, CPRA, and international data protection laws while also enabling privacy-by-design across enterprise products.
Technology and AI-Automation:
I designed AI-driven automation to scale DSAR and vendor risk processes, reducing compliance cycle times while supporting product development and sales team enablement.
AI Governance & Automation:
I developed a formal AI governance framework to support the company's responsible use of artificial intelligence-enabled tools. I also designed and deployed AI-driven workflow automation to streamline Data Subject Access Requests (DSARs) and privacy impact assessments, reducing processing time by 45% and scaling compliance operations.
Privacy-by-Design Enablement:
I provide strategic counsel on privacy, governance, and risk management for 5 enterprise SaaS products (privacy management, GRC, third-party risk, AI governance, consent management), ensuring compliance with GDPR, CPRA, LGPD, PIPL, and CCPA. I help the product teams build fit-for-purpose designs that accelerate customer adoption and increase sales revenue.
Global Data Policy Harmonization:
I consolidated and redesigned enterprise data retention and minimization policies into a unified framework aligned with GDPR, CPRA, PIPEDA, and global data protection regulations. I also updated enterprise Data Classification, DLP, Acceptable Use, and Departing Employee policies to enhance compliance maturity and audit readiness.
Third-Party Risk & Vendor Management:
I have re-engineered the vendor risk management program by integrating agentic AI automation and privacy assessments into onboarding workflows. This has resulted in increasing vendor assessment throughput by 82% in the first month while meeting GDPR, ISO 27001, and SOC2 requirements.
Training & Organizational Enablement:
I advise Product, Marketing, and Sales teams on privacy-by-design and AI risk. I also developed and delivered a 10-hour Privacy Foundations curriculum for global go-to-market teams, strengthening organizational privacy culture and compliance awareness.
March 2021 – April 2025
Associate General Counsel — December 2022 - Present
I am a member of the Collibra Legal Team, responsible for building processes, policies, and workflows around how the organization manages its data and meets its privacy compliance obligations. My role was originally drafted narrowly to focus specifically on privacy program development. Still, once I joined the organization, the role expanded based on my skillset and experience in information governance, cybersecurity, and legal operations. I was promoted from my original role as Senior Privacy Counsel to Associate General Counsel in recognition of the enhanced scope of responsibilities I took on building an information governance program, an incident response program, a vendor management program, and leading technology deployments for business teams, including procurement.
While my primary role is building organizational policy and processes to ensure regulatory compliance and preparation for IPO, my day-to-day activities go well beyond this mandate. I lead a team of 7 people across Privacy, Information Governance and Governance, Risk & Compliance that supports internal audits, external audits (SOC2, ISO), EU and US state privacy compliance. My team interfaces with every team across the enterprise to ensure audit readiness, maintain compliance with various regulatory frameworks, and facilitate the incident response process.
In my role, I am essentially responsible for defining, organizing, and documenting how the company creates, uses, shares, stores, protects, and remediates all enterprise data. This includes data retention programs, designing shared drive structures and group-based access rules, creating policies around technology-acceptable use, data standards, data classification, data loss prevention, departing employee business continuity, and traditional privacy assessments and privacy policies.
In mid-2024, I was asked to develop a framework to manage Artificial Intelligence (AI) enabled products procured by and built by the organization to ensure compliance with emerging AI use laws/regulations and legal and ethical guidelines. Collibra is among the first organizations to create a formal AI governance framework.
Also, in 2024, I worked with the members of our Governance, Risk and Compliance (GRC) team to attain the brand new ISO 42001 certification for Artificial Intelligence systems. Collibra is one of the first 100 organizations in the world to achieve this certification.
Another AI-related achievement was developing an enterprise-level functional assessment tool to support compliance with the EU AI Act. This process involved breaking down every element of the EU AI Act, categorizing AI use cases by risk category (prohibited, high risk, general use, minimal risk), and creating logic that supports a user inputting various data elements of an AI product (these elements include items such as data inputs, data outputs, training sets, inference data, categories of data that are included such as PII, IP, or PHI, levels of human oversight, whether the outputs are being productized, etc.). The end result is a functional assessment that can be delivered as part of the Collibra Data Intelligence platform in conjunction with our new AI Governance offering to allow organizations to determine what steps they must take to develop or use specific types of AI products.
In 2022, my team was tasked with developing a formal enterprise incident response program based on the piecemeal security workflows that had been loosely documented. I sat down with my team and focused on building a framework under which the incident response program would operate, ultimately settling on a 4-phase approach that includes 1) Detection and Categorization, 2) Containment, 3) Remediation/Resolution, and 4) Review and Root Cause Analysis. Each of the 10 teams with roles in the incident response process had the specific steps they needed to undertake for each of the 4 phases of the incident response process, including a list of the key roles on each team and the specific tasks they would be asked to execute. Flow charts were developed to not only visualize what each team was responsible for but also to document the interaction between ALL of the teams across the entire process, including which teams are responsible for communicating to customers, to the general public, to regulators, and which internal teams and roles are required to sign off and approve these communications. Ultimately, the Collibra Incident Response Policy and Playbook were published after 8 months of painstaking work, with our outside privacy counsel and external privacy consultants reviewing the playbook and expressing how thorough and impressive they found the document. We run tabletop exercises yearly in January to evaluate ongoing maintenance of the incident response program and annual red team assessments and penetration testing as required under SOC and ISO certifications. In 4 years of running these 3 testing programs, Collibra has never had a significant finding by any entities responsible for conducting tabletop, red teaming, or pen testing.
One of my earliest projects at Collibra involved designing and implementing a formal retention policy and developing records retention schedules. The retention policy and schedule were designed to require little understanding of the technical components of retention management. Each business team was given a default retention period (e.g. Finance default retention is 7 years). Then, certain categories of business data that required variable retention were listed as exceptions to that default retention (e.g., Finance team meetings receive 1 year of retention, budgets receive 2 years of retention, and performance appraisals receive 3 years of retention). I then met with the leadership of Collibra's 65 business teams to understand whether they had any current structured approach to how and where they stored their business data. Discovering that most teams had not given this significant thought, I set out to single-handedly design detailed folder and storage structures for each business team, and then, after meeting with each team to review these structures, we agreed upon retention periods for each of the top-level folders. After 4 months of meetings and follow-up meetings, the result was a system of 115 team share drives, with group and role-based access rules for every drive and each top-level folder that was explicitly agreed upon by the leaders of each Collibra business team to ensure proper buy-in. Once the drive and folder structures were configured and the retention periods were agreed upon, I worked with a technology vendor to implement automated retention controls on top of the Google Workspace share drives where Collibra business teams stored their data. This involved coordinating the migration of 115 drives while ensuring no downtime for access to business files despite having business teams that spanned 8 time zones from Brussels, Belgium to Los Angeles, CA. 
This scheduling was a unique challenge because there was only a 6-hour window between the end of the day on the West Coast of the US and the teams in Belgium and Poland coming online in the morning local time. The result was a seamless file storage system where access was automated by role, and retention was managed in an automatic manner that did not involve end users having to check in and check out files, nor did they have to assign retention labels to any individual document. Retention was automated based on the location where the files were stored, given the detailed retention rules implemented for each folder within each team share drive.
In addition to these large-scale projects, I authorized company policies around Privacy, Retention, Incident Response, Data Classification, Data Loss Prevention, Departing Employee Management, Technology Acceptable Use, Data Standards, and Global Ethics.
Another role I took on was the development of a formal vendor management program, as the previous procurement regime was relatively informal and did not have documented standards for how new vendors and renewing vendors were vetted. As is my usual approach, I sat down with the key stakeholders in the procurement process, including 9 functional teams: Finance, Accounting, Procurement, IT, Security, Legal, Privacy, Risk, and Information Governance to map out the existing process, the needs of each team, and pain points in the current process. The result was a basic workflow that identified the primary workflows for each team along with a compressed design that supported more steps being taken in parallel rather than each step being sequential and dependent on other teams completing their work before the next team could begin theirs. With this blueprint in hand, I worked with the procurement team to evaluate 5 vendors for Procure-to-Pay (P2P) SaaS solutions, including drafting more than half of the questions for the RFP that was issued. Once we decided upon our chosen vendor, I was put in charge of implementing the P2P solution. I brought in 1 stakeholder from each of the 9 teams involved in the overarching procurement process, and we met with the vendor team to share our workflow blueprint. I worked with the vendor team to create questionnaires for both the internal buyer and the questionnaire that would ultimately feed directly into our application inventory and our retention and privacy compliance databases. I designed a set of questions that captured financial, privacy, technical, risk, security, and compliance data in only 55 questions. As a result of having documented our current process and the proposed new process so well, we could fully implement the procurement solution in 12 weeks. I was responsible for leading the initiative and also designed the entire user acceptance testing process, ultimately going live on the 81st day of the project. 
Over time, we have surveyed various business teams that use the procurement process to gauge how the new process and platform are working, and the results consistently show 95% satisfaction with the new procurement process. This program has been transformative for the organization as not only has it reduced average procurement ticket throughput from 5 months down to 45 days, but it has also allowed for enhanced reporting and analytics that have reduced duplicative spending and cut overall procurement costs by 35% from December 2023 go live to the current day.
Senior Counsel, Privacy & Information Governance — March 2021 - December 2022
I joined Collibra as a legal team member, where I was responsible for building and managing the privacy compliance program. My original role was focused on developing and day-to-day management of the privacy program, but it quickly grew to include information governance based on a pressing need. My background in information governance and legal operations led the General Counsel to lean on me to build out additional components of the legal team as the company was looking towards going public at the time and needed significant maturation of their process and policy documentation.
In my first year, I built the privacy program for a $300 million SaaS company, including leading a team of 3 people to manage traditional privacy functions, including legitimate interest assessments, privacy impact assessments, data protection impact assessments, as well as creating and managing the Article 30 Records of Processing for the company. I was responsible for drafting internal privacy policies and public-facing privacy notices for our customers. My team built a system of privacy liaisons wherein every business team has at least one representative who meets with the privacy team each quarter to review key privacy developments, identify new data processing activities, and report on new technologies/applications onboarded. Additionally, my team developed the New Product Initiative (NPI) program that allows the continued growth and development of new products consistent with the principles of privacy-by-design and compliant with GDPR, US state privacy laws, and other international privacy regulations.
In this role, I regularly advised product, engineering, and technical teams to support the product development lifecycle and partner with the marketing team to ensure that customer outreach programs operated within the parameters of US, EU, and other international privacy regulations. The product and engineering teams would frequently bring me into meetings to present new products or enhanced features of the Collibra Data Intelligence platform to ensure that these use cases aligned with existing legitimate interest and consent mechanisms established with our customers. One example was our decision to use customer data to improve the product. There is a gray area in privacy regulation about whether product improvement is an expected use when a user consents to share their data in using a product, so we spent more than 2 months discussing the pros and cons, the potential risk to the organization versus the benefit of having live user metrics before coming to a compromise decision that allows all parties to feel comfortable with our position. In working with the marketing teams, discussions often center around acquiring potential buyers from conference and event attendee lists, whether someone having their badge scanned at a conference was enough to support targeted outreach for product demos, and similar matters. This role was critical to the organization's ability to grow but had to be done to ensure the potential risk of using customer data beyond the scope of the initial collection purpose was below an agreed-upon threshold.
I was also responsible for building programs and workflows to address data classification, data subject access requests (DSAR), and a departing employee business continuity program. Each of these programs reflected the need to organize and use business and customer data in ways that supported the business while complying with US state, EU, and international privacy regulations. Data classification is a requirement under the GDPR, so I had to find a way to allow the organization to classify every information asset without creating an enormous burden on our front-line workers to add copious amounts of metadata every time they create a document. I devised a system that applied automated labels to data based on where information was stored in the Google Workspace environment, with the drive level providing the "owner" of the data at a team level and the folder structure providing additional classification about whether data was OK to release publicly, for internal use only, was confidential, or was classified, with data standards applied to each of these facets of data classification. DSAR is a mechanism that allows individuals (both customers and employees) to request access to or correction of records the organization holds and uses. I built a DSAR response workflow that incorporated 9 different business teams, ranging from Marketing to IT to HR, with clear instructions on searching, formatting, storing, and delivering these results within the regulatory compliance timeframe of either 30 or 45 days. The departing employee business continuity program involved building a cross-functional team that included IT, security, risk, privacy, and people team members to coordinate specific actions that need to take place when someone departs the organization to ensure that critical business information, meetings, contacts, and other data are retained and made available to those team members remaining with the organization.
There are several privacy-related issues associated with employee departures that limit the ability of IT teams to either review a user's Google Drive, access the departed employee's mailbox, or search through Slack messaging history, so this process required building an enablement program for managers to train employees how and where to store information such that these files would be accessible after a person's departure without the risk of granting blanket access to personal drives and emails that could contain sensitive personal information.
In recognition of my success in building these programs and standing up the privacy program, I was promoted to Associate General Counsel and given additional responsibilities over the GRC team and the ability to hire additional personnel for a formal information governance team.
August 2019 - December 2020
Senior Manager — August 2019 - December 2020
I was hired as Senior Manager at EY in the Forensics division at the Los Angeles office. While the title itself is fairly generic, I focused on working with 3 directors based on the East Coast to build out EY's capabilities in legal operations and information governance to address a perceived market disadvantage versus other Big 4 Consulting competitors. EY has dabbled in legal operations and information governance, taking on smaller assessments and individual technology implementations. Still, when I was hired, they were not in the business of standing up entire functional programs. My role was to build compliance and information governance solutions for technology firms to reduce risk and to help key clients organize their legal department operations in a manner that would present those legal teams as value-added business partners rather than as a simple cost center. While the forensics division of EY has thousands of employees, there was a small team of 5 of us who made up the information governance and legal operations teams, all hired in the same timeframe of mid-2019 to help EY reduce the gap with their top competitor Deloitte who had advanced programs around both information governance and legal operations.
At EY, I helped develop Information Governance and Legal Operations solutions for multiple corporate law departments and implemented best-practice processes and solutions to ensure optimum performance and regulatory compliance. Each client represented a unique set of variables, as some were public companies in heavily regulated industries, others were fast-moving technology companies in less regulated industries, and others were long-time family-owned businesses that had grown over decades in completely unregulated industries.
Examples of some of the types of engagements I was involved in and had to staff and lead teams of junior associates include building data maps and a privacy compliance program for a leading technology company, building records retention policies and schedules for several federal contractor firms, and developing CCPA compliance programs for a $50 billion healthcare organization, a $40 billion retailer, and a $9 billion entertainment company.
One example of this type of program building is my efforts to drive the process improvement strategy for a $6 billion automotive retailer in developing an information lifecycle management program, defining the director-level role that would assume function leadership, and then developing the policies, standards, governance structure, privacy-by-design workflows, and retention schedules to support the program on a day-to-day basis. I spent 9 months meeting with members of the risk, IT, security, and legal teams to understand how the company operated, how their retail outlets interacted with the corporate offices, the categories of information collected from customers created by the business teams, and how all of this information was being stored. Once collected, the business unit defined, categorized, and structured this information to ensure access to the right information was readily available to each team that needed it. Older Lotus Notes communications systems were migrated to the newer Microsoft Office platform, and enablement materials were created to support transitioning employees to the new Outlook email platform and Teams chat platform. A retention policy and schedules were created that provided easy-to-understand categories and relatively simple retention hierarchies that could be expanded over time as the organization matured and grew into its new communications and productivity platforms. I drafted a job description for a director who would be hired to lead the information lifecycle management program, including a blueprint for the flow of information through the organization, along with short-term, mid-term, and long-term action items to solidify and maintain support for the program amongst company executives and across business teams. I recently checked in on this client 6 years after the project’s completion and can report that the director hired in 2020 is still in place.
The program has been seen as a rousing success for the organization and the chief risk officer, who was the project sponsor.
August 2012 - May 2019
http://www.caesarsentertainment.com
Chief Counsel – Privacy, E-Discovery & Information Governance — May 2015 - May 2019
In the spring of 2015, I was promoted to Chief Counsel in the law department at Caesars Entertainment. I took on additional responsibilities for building the enterprise privacy strategy in the management of customer, enterprise, and employee data and also building a legal operations program. I led a team of 3 privacy attorneys but led a team of 1 for legal operations.
I was tasked with developing programs and workflows to ensure the company would comply with the forthcoming EU General Data Protection Regulation (GDPR) privacy laws and, later, the California Consumer Privacy Act (CCPA). With respect to legal operations, I was responsible for identifying key technology platforms that could be adopted to enable more efficient workflows in the day-to-day operations of the law department, as well as building a vendor management program around the outside law firms and technology vendors the law department was engaging with. Lastly, I was tasked with developing reporting and metrics that could be reported to the entire organization's CFO and the Board of Directors.
On the privacy front, I reviewed then-current laws and regulations to draft an internal privacy policy and external-facing privacy notice to let employees and customers know how the company would collect, process, store, protect, and manage customer and employee information, with specific attention on the credit applications that customers complete to obtain casino lines-of-credit. I undertook a comprehensive analysis of every business process that collected or used employee or customer data, documenting these business processes in Caesars Entertainment's records of processing (ROPA). I also spent 3 months completing legitimate interest assessments (LIA), privacy impact assessments, and, where appropriate, data protection impact assessments (DPIA) for all of the personal data processing workflows in the company. I worked with more than 25 business teams to establish a privacy-by-design process along with reconfiguring the enterprise mobility and BYOD programs, creating an enterprise data classification taxonomy, maintaining and ensuring compliance with all regulatory requirements including GDPR, CCPA, HIPAA, PII, COPPA, AML, and PCI data standards, and creating a privacy-by-design program that ensured every business team that interacted with employee or customer data understood the risks, parameters, and controls that must be in place to collect and process such data. Additional efforts involved liaising with the marketing team to ensure that customer outreach contained the proper opt-in language for consent-based data processing and reviewing the language and disclosures that went into marketing outreach.
My team worked with hotel operations at the then 55 Caesars Entertainment properties to ensure that EU customers who arrived at our US-based properties were given the proper notice and disclosures when they checked into hotel rooms and also worked with casino operations and surveillance teams to ensure that video monitoring contained appropriate notice and disclosure for areas that were under surveillance. Finally, I led the implementation of OneTrust’s privacy software suite to organize the company's privacy assessments and create/manage the workflows for data subject access requests (DSAR), identifying all of the business teams and systems that would be in scope for such requests and developing sequential workflows to ensure that the proper information could be collected, reviewed, encrypted, and delivered to the requesting parties within the defined regulatory response period.
My role with legal operations involved a heavy focus on strategic design, as there would be multiple prongs of the legal operations function, including organizational structure and work teams, budgeting and financial planning, identification of all current technologies/vendors/outside counsel, as well as an assessment of which of these systems/companies/firms were performing well and which had gaps that needed to be addressed. There was no practical system for measuring and reporting on the efficacy and spending of the law department, so the first step was to identify and implement an e-billing platform that would consolidate all law department spending in one place and centralize financial reporting. The e-billing implementation took 20 weeks and involved bringing together a team of 15 people across all 8 of the law department's primary business functions. Within the next 4 years, additional technology implementations followed for matter management, contracts lifecycle management, document and retention management, and anti-money-laundering platforms. Each of these technology implementations followed a similar playbook of bringing in a cross-functional team made up of all 8 law department teams, assessing what was working well and where the pain points were, mapping out the workflows for each process (e.g., mapping the litigation lifecycle for matter management), and then working with the vendor teams to build out customized workflows that met the organizational needs of our specific law department, followed by a period of user acceptance testing and QC before ultimately going live.
We selected Sky Analytics as our metrics and analytics platform to measure and track performance. We ensured that all of the technology platforms we implemented could be integrated directly with Sky Analytics to ensure a steady, unbroken stream of data would be fed into the analytics platform. We discussed the appropriate set of metrics that we wanted to report to the finance team and the Board. We began generating regular monthly reports to track spending, quality, throughput time, and performance against the budget.
I led a team of 5 that completed a review of our existing roster of outside counsel, identifying over 100 firms that had represented Caesars Entertainment in the past 5 years. Over 5 months, we consolidated this to 25 law firms, broken out by subject matter expertise, geography, and experience in the jurisdictions where Caesars had properties. We negotiated a series of rate cards and developed blended rates that would de-incentivize law firms from staffing our projects with too many high-priced partners who would delegate the work to mostly junior attorneys with far less experience.
Counsel, Litigation & E-Discovery
August 2012 - May 2015
I joined Caesars Entertainment in the summer of 2012 as Legal Counsel, working on the litigation team and tasked with building an enterprise e-discovery program in response to a recent adverse court sanction that fined the company $500,000 for failure to properly preserve key enterprise data linked to an active litigation matter. I had one technical employee on my team, and together, we were asked to set up a program that would allow the organization to meet its obligations in the litigation discovery process without exposing it to further sanctions.
As such, I led the development of a formal e-discovery program, with full responsibility for procuring, implementing, and managing multiple technology platforms to support the preservation, collection, processing, review, and production of data for enterprise litigation. I started by procuring a legal hold platform to ensure that data would be properly preserved to avoid the immediate risk of spoliation sanctions from occurring again. The legal hold implementation only took 60 days and involved integration with the enterprise HRIS system to ensure access to all active employees/contractors as potential custodians who would receive legal hold notices.
With that foundation locked in, I built a detailed playbook to document how the team would conduct searches to identify relevant electronically stored information (ESI) for each investigation or legal matter, including negotiating master services agreements with two national e-discovery vendors that would provide innovative and efficient workflows to reduce the amount of data that needed to be collected and cull down initial data sets to ensure that data promoted to review was not excessively over-inclusive.
When I joined the organization in 2012, the average volume of data collected was 50GB, which was processed at an average rate of $350 per GB and then reviewed by outside counsel attorneys at $200-500 per hour. Through negotiating service agreements with legal technology service providers and reconfiguring how we conducted initial collection searches, we were able to reduce our average data collection down to 25GB of data, which was processed at $200 per GB of data and reviewed by the vendor's contract attorneys at $30-50 per hour. As a result of these changes, I demonstrated quantifiable cost savings in excess of $250 million in the first 2 years of the program. By the end of my 7-year tenure, the e-discovery savings alone were calculated to be over $925 million.
During this period, I led the discovery portion of the $23 billion Caesars Entertainment bankruptcy filing along with 6 concurrent lienholder litigation matters stemming from that same bankruptcy. I worked with counsel from 7 different law firms who represented the various Caesars entities, coordinating the smooth flow of information between firms and reusing collected data to avoid duplication of effort and excessive cost.
As part of developing the e-discovery function, I advised the company to build out a formal information governance program, as doing so would allow for the faster, more efficient identification and collection of information for litigation, regulatory, and compliance matters. This led to creating and implementing the Caesars Entertainment information governance function that I owned and managed. In growing this program, I met with every team in the Caesars corporate structure (over 65 teams) to understand how each team created, used, shared/communicated, stored, and retained their business information. This led to the creation of the enterprise retention policy and retention schedule, a set of standards that remains intact more than 10 years from the initial creation date. In conjunction with the retention schedules, I also designed and implemented an enterprise data classification program that incorporated elements such as data type, business owner, retention period, and any sensitive categories of data (e.g., PII, PHI, PCI data).
In recognition of my leadership and success in building the e-discovery and information programs, I was promoted to Chief Counsel in May 2015 and given additional privacy and legal operations responsibilities.
October 2009 - Present
http://www.discoveryourdata.com
President — October 2009 - Present
In October 2009, I founded Discovery Advisors, LLC, an independent consulting firm. This single-member LLC has been my vehicle for delivering a wide range of consulting services and has remained active for the past 16 years. Consulting engagements under the Discovery Advisors umbrella have taken the form of short-term projects to create content for legal technology service providers, development of programs for clients that they could then market to their customers, all the way up to multi-year engagements to build out entire functions/programs within the client organization.
When I have a full-time outside employer, I do not seek active consulting engagements, though I have continued to publish articles, ghostwrite articles, and speak at various conferences and industry events on a range of privacy, information governance, artificial intelligence, legal operations, and e-discovery topics.
Examples of the types of engagements that I have undertaken under the Discovery Advisors banner include developing literature for e-discovery companies as they looked to rebrand. When Global Legal Discovery wanted to rebrand their organization and expand their e-discovery services catalog, I was contracted to completely re-design their services catalog, draft all of the content for their catalog and fact sheets and also undertake a full re-design and re-launch of their public-facing website. I spent 4 months working with the Global team to understand how they wanted to position themselves in the marketplace, suggested certain additional service offerings that would position them to generate new customers and additional revenue, and ultimately delivered a combination of print and digital assets that Global then publicly launched, achieving new incremental revenue of $500,000 in 2011.
An E-Discovery SaaS company hired me to launch their new online-hosted e-discovery review platform in 2010. This included drafting a 5,000-word whitepaper on the new iConnect NEXT platform launch and preparing and publishing three press releases to support the new software launch.
In 2012, I worked with legal staffing company Cambridge Partners to help them build an in-house discovery center that would allow them to staff large-scale discovery review projects in their offices in Atlanta. Prior to this, Cambridge had exclusively placed attorneys in on-site roles, so this project required a combination of office design and layout, computer equipment purchase and software configuration, and designing an operational playbook to guide Cambridge through each step of a review project, from initial training of the attorneys on the specific subject matter, to introducing the coding panel and data tags, to developing a process to batch, distribute, and QC the work being done by the attorneys. Within 4 months, Cambridge Partners was able to successfully host their first in-house discovery review project, staffing 25 attorneys on a review project that lasted 3.5 weeks and generated $140,000 in revenue (25 attorneys, billing at $40/hour, working 40-hour workweeks) for that project alone. In total, Cambridge Partners generated $1.4 million in new incremental revenue in Q4 2011 and an additional $4.4 million in revenue in 2012 based on the new service offerings I developed for them.
When a large e-discovery consulting firm wanted to bid on a government project related to the National Archives, I was contracted to draft and put together the bid/request for proposal to the Federal Government. Over 3 weeks, I met with nearly 50 people across the consulting firm to understand their methodology, technology bundle, and workflows to create a comprehensive and cohesive $9 million bid for the project. The consulting firm was so happy with my work putting together the proposal that they asked me to stay on and manage the project once the National Archives accepted their bid. I could not commit to a 3-year project and declined to take on the additional role.
I served as a traveling consultant for multiple e-discovery service providers in 2010, helping them garner new accounts totaling over $2 million for a combination of offerings, including information governance, e-discovery program, and privacy program development.
Additionally, I worked with numerous corporate legal departments in selecting and implementing litigation support providers and e-discovery technologies, establishing litigation support systems and practices, and developing vendor selection processes around the provision of e-discovery services.
In 2019, when I resumed taking active clients for Discovery Advisors after leaving Caesars Entertainment, I assisted an automotive retailer in developing an information lifecycle management (ILM) program over a period of 10 months, building a new enterprise function that is still intact today and staffed by a full-time ILM Director.
August 2006 - October 2009
General Counsel — September 2007 - October 2009
In September 2007, I was asked to take on the additional responsibility of being the General Counsel for eMag Solutions, in addition to my existing role as Director of Marketing. The company did not have a formal law department, so I was the only attorney, working directly with the President, CEO, and outside directors to address all legal, compliance, and risk matters impacting the company.
One of my primary responsibilities as General Counsel was drafting and reviewing legal agreements, including master services agreements and statements of work for customer engagements, outside counsel engagement letters, and software licensing agreements.
I was also tasked with developing a consulting services arm for the organization and their e-discovery service offerings around the restoration of backup tapes and processing electronically stored information (ESI). From early 2008 until the 3rd quarter of 2009, I was able to develop the company's consulting services platform, resulting in a 250% increase in new clients within the first 18 months of deployment. I traveled to customer sites and provided consulting services around information management and e-discovery preparation for multiple clients across industries, including oil and gas, banks and financial institutions, pharmaceutical companies, healthcare insurance companies, and medical device manufacturers implementing solutions to reduce legal risk and improve organizational response to litigation, regulatory, and compliance matters. Each consulting engagement looked different from those before and those that followed, as the unique position of a customer, the level of regulation they faced, the size and complexity of the organization, and their risk tolerance were all contributing factors in the specific programs developed for each.
I worked directly with a large healthcare insurance provider to develop their data retention and legal hold policies and build their e-discovery playbook, generating $500,000 in revenue for my employer.
I helped an oil and gas company in Texas implement defensible deletion of its enterprise data, destroying over 250,000 boxes of legacy data and generating nearly $200,000 in revenue for my employer.
In 2008, I successfully led the company's efforts to become the first e-discovery company to achieve ISO 27001 certification for information security protocols in our data center.
I was also responsible for developing and implementing a program targeting the retention of organizational information and business continuity management resulting from departing employees in mid-sized and large corporations. This Departing Employee Data Program included successful implementations in 10 organizations in 2009, generating nearly $350,000 in new revenue.
Director of Marketing
August 2006 - October 2009
In the Summer of 2006, I joined eMag Solutions as their Director of Marketing, leading a team of 5 to grow the traditional backup tape restoration services company into a full-service e-discovery provider. During my 3+ years at eMag Solutions, the company grew from a $10 million per year niche provider of backup tape services into a full-service e-discovery company generating $40 million in 2009.
In leading the marketing team, I implemented a complete public relations, advertising, and trade show program, resulting in a 46% increase in revenue from 2007 to 2008, where 58 new Fortune 1,000 clients were added. This overhaul included a complete re-design of the marketing materials, shifting from folders filled with 10 individual datasheets to an integrated 18-page catalog of services for which I authored both the substantive content and the graphic design elements. This was done by developing an expanded set of service offerings. Whereas the company had traditionally only handled backup tape restoration, the new catalog promoted a full set of downstream services around the identification, preservation, collection, processing, review, and production of data from both backup tapes and email and file storage systems for eMag customers.
I was responsible for working with the product team to design and deliver the innovative eMag PreVu early case assessment tool to support the company's existing service offerings, generating $4 million in new incremental revenue in the first year of operation. This process involved daily meetings with the product team to review both functionality and graphical user interface (GUI) design elements that would make the user experience both intuitive and efficient. In 2008, eMag PreVu was listed among the top 10 early case assessment tools by the influential Socha-Gelbmann E-Discovery Rankings Report.
On the traditional marketing front, I developed an expanded advertising program, where each year, we developed an advertising theme and purchased space in key industry publications such as Law & Technology News, ACC Docket, ILTA Peer-to-Peer, Corporate Counselor, and Legal Times. Some of the themes for these advertising campaigns included "Don't Gamble With Your Data," using a Vegas-style theme of casino games, and "Who Do You Trust With Your Data," emphasizing the new ISO 27001 certification.
In addition to the expanded advertising campaign and new print marketing materials, I was responsible for overhauling the company website. I broke the website into services targeted to Corporations, Law Firms, and Government. Under each heading was a set of services tailored to each client segment, including detailed descriptions of how these service offerings could reduce client risk, along with flow charts showing examples of typical engagement workflows. The newly launched website in May 2007 generated 10x the views of the prior version of the website tracked over the prior 10 months.
Another aspect of the marketing program was an expanded focus on trade shows and conferences. With an increase from 3 to 10 events per year, I needed to develop an effective trade show display that would draw attention from event participants, deliver the relevant information in digestible bytes, and be easy to manage for sales teams that would be staffing the events. The fabric pop-up design we selected could be fully set up in under 2 minutes and included interchangeable panels that allowed us to customize the messaging based on the audience at each event (corporate law departments, law firms, technology companies, government/public sector). We introduced a spinning wheel (similar to the Wheel of Fortune style wheel with multiple panels and spokes), with the number a person landed on representing the number of keys they could select from a basket to try and unlock the padlock on a glass box containing a prize (e.g. GPS device, Blackberry, iPhone, Netbook laptop). The combination of cutting-edge design elements and participation-centric attractions increased the average booth attendance from the prior event, which was 80-100, up to 400+ unique visitors per event.
August 2003 - June 2006
http://www.kingandspalding.com
Associate Attorney — August 2003 - June 2006
I joined the business litigation team at the Atlanta office of King & Spalding (an AmLaw 50 law firm) in the summer of 2003 after completing my MBA program at Georgia State University. I was responsible for managing the discovery process for multiple firm clients, primarily focused on textile and breach of contract litigation.
Within the first 6 months of joining the firm, I was asked to assist with the development of a new firm service offering: the development of an in-house e-discovery center that would centralize the entire discovery process within the law firm in a dedicated facility adjacent to the firm's downtown Atlanta office. As such, I worked with the mass tort and environmental law teams in developing a playbook that saw the firm hire 150 full-time contract attorneys, 55 project managers, and 40 law clerks to support large volume discovery work for the firm.
As the discovery center was set up, I oversaw 60+ discovery projects from inception to final production for various client matters, including tobacco litigation, insurance fraud, corporate share backdating suits, telecommunications disputes, and pharmaceutical product litigation.
INSIGHT
Where do you most want to travel, but have never been?
I have had the opportunity to do extensive traveling over the past decade, including 5 different continents. I am an experienced photographer, and I use my travels as an opportunity to build photo journals that chronicle my adventures. The main image on this personal website is a photo I took in Denali National Park in September 2024 that was selected for publication in a regional photography magazine for amateur photographers. My next trip is to Spain and Portugal in late spring 2024, but the big destination that I'm hoping to plan is a trip to Australia. In addition to being my 6th continent, it also represents a unique biome that includes such spectacles as the Great Barrier Reef, the Outback, and the Great Pacific Road. Ideally, I would like to be able to spend 3 weeks in Australia touring major cities like Sydney and Melbourne, but also heading to the less-traveled areas in Western Australia around Perth and Adelaide.
What's your story?
I have lived in many different places and had the opportunity to meet many interesting people and have unique experiences. I grew up in New England, moving around CT and MA for my early years. Through my years of playing soccer, I've been able to travel to destinations in both South America and Europe, experiencing different cultures and languages at an early age. I moved out to Los Angeles, CA, for my undergraduate education at UCLA before spending 15 years in the Southeast, including law school in Durham, NC, and business school in Atlanta, GA. My professional life has taken me from Atlanta to Las Vegas and finally back to Los Angeles once again. My experience in different regions, meeting so many different types of people, has given me a really unique perspective and the ability to engage with people across many different backgrounds, cultures, and customs and learn from them in ways that inform both my personal and professional life.
If you had 6 months to live starting now, what would you do with the rest of your life?
If I had 6 months left to live, I would want to travel the world, visit the friends that I have made across the globe and have them show me around their homes and their lives. I would make sure to visit all of my family and share my travel photo albums and stories of my journeys with them to leave lasting memories that would endure long after I'm gone.
What is the story of my background image?
I have always been passionate about photography, since I was 8 years old and had Ansel Adams photography covering the walls of my childhood bedroom. I have been lucky enough to travel all over the world, and in my travels I typically take thousands of pictures to record my travels. The photo I've chosen for my background is a photo I took in Denali National Park in central Alaska in September 2024. It is rare to get a clear view of Denali, the highest mountain peak in North America; in fact, the chances on any given day of clearly seeing the peak average around 20%. Not only did my group get a fantastic view of the mountain, but we also happened to be there during the 1 week of fall foliage each year when the trees/foliage change colors. The vibrant reds are the final stages of the Fireweed plant before it sheds its leaves for winter. The juxtaposition of Denali and the majestic mountain range, the bright blue skies, and the deep red of the fireweed made for a perfect picture, and it was ultimately featured on National Audubon's website and recognized in the Audubon Photography Awards.
Contact Brett:
Brett Tarr
Assoc. General Counsel, Legal Technology Leader in Privacy, AI, Information Governance
(404) 808-5180