The Sedona Conference Working Group 11 Midyear Meeting 2021

Date

Thu, 10/28/2021 - 08:30 - Fri, 10/29/2021 - 13:00

Location:

The St. Regis

Houston, TX

The 2021 Midyear Meeting of Working Group 11 on Data Security and Privacy Liability (WG11) will be held at the St. Regis in Houston, Texas, on Thursday-Friday, October 28-29, 2021. A welcome reception will be held in the evening of Wednesday, October 27, from 6:00-8:00 pm.

Session Information:

The meeting's primary focus will be on new drafts and brainstorming group outlines in need of WG11 member review and comment, including the following topics:

Biometric privacy primer
Notice and consent - biometric facial recognition data
Privilege Commentary, Second Edition
Impact of pandemic response on global privacy
Advisability of adopting a strict liability regime for data breaches involving personal information

In addition, the meeting will feature the following sessions:

Privacy and data security legislative and regulatory update
Privacy and data security litigation update
Ransomware: the ever-evolving landscape and emerging legal regime
WG11 town hall

Please find the timed agenda with detailed session descriptions, along with confirmed dialogue leaders and biographies, below.

Hotel Reservation Information:

We have obtained an extremely favorable group room rate at the St. Regis Hotel of $235 per night (plus tax) for a limited block of rooms on the nights of October 27-28. For those who wish to arrive early, leave late, or otherwise extend their stay, the group rate is available for three nights preceding and three nights following the dates of the room block, but subject to standard guestroom availability. Accordingly, if you wish to book for additional nights, you should do so as soon as possible. This block of rooms will be held until October 6, 2021, after which the rooms will be made available to the general public. Reservation information will be provided in your meeting registration confirmation email.

CLE:

The Sedona Conference will seek CLE accreditation for this event in selected jurisdictions, as dictated by attendance.

Health and Safety Protocols:

The Sedona Conference will follow all federal, state, and local health and safety protocols in effect at the time and place of the meeting. Here is a link to the enhanced cleaning and safety protocols currently in place at The St. Regis Houston: https://whattoexpect.marriott.com/houxr. The seating at the meeting will be spread out and take full advantage of the size of the meeting room. In addition to various sanitation measures, The Sedona Conference will provide color-coded lanyards for your name tag that will signify your comfort level with social interaction at the meeting. GREEN: I am open to shaking hands and conversation in less than 6 feet proximity while still respecting personal space; YELLOW: I welcome conversation but prefer extra personal space, so please keep your distance and don't touch. RED: Please converse and keep at least 6 feet of distance from me and don't touch.

Washington, DC, USA

New York, NY, USA

Denver, CO, USA

Minneapolis, MN, USA

Seattle, WA, USA

New York, NY, USA

Chicago, IL, USA

Birmingham, AL, USA

Sarasota, FL, USA

Chicago, IL, USA

Houston, TX, USA

New York, NY, USA

Fayetteville, AR, USA

San Jose, CA, USA

Boston, MA, USA

Denver, CO, USA

Philadelphia, PA, USA

Boston, MA, USA

New York, NY, USA

Cleveland, OH, USA

Dallas, TX, USA

Miami, FL, USA

Mt. Pleasant, SC, USA

Oak Park, IL, USA

Chicago, IL, USA

New York, NY, USA

Oakland, CA, USA

Phoenix, AZ, USA

Washington, DC, USA

Phoenix, AZ, USA

Philadelphia, PA, USA

Agenda

Time	Session	Panelists
	Thursday, October 28
7:30 — 8:30	Breakfast & sign-in
8:30 — 8:45	Welcome & overview	Meal, Weinlein
8:45 — 10:00	Biometric privacy primer	Ackert, Doran, Kalat, Ray*, Weaver
	A panel of WG11 drafting team members will lead a dialogue with all attendees on the draft of their Primer which provides guidance to practitioners, judges and policymakers regarding how biometric information and biometric data are legally defined, how biometric systems work, and the privacy, data security and related issues they raise.
10:00 — 10:15	Morning Break
10:15 — 11:15	Privacy and data security legislative and regulatory update	Kobus, Rabinowitz, Shepley, Tully*
	The panel will lead a dialogue on some of the most important actual and proposed legislative and regulatory enactments during the past year in the privacy and data security space. We will cover not only the most significant enactments of the past year, but also currently proposed enactments that raise important privacy and data security issues, with the goal of bringing WG11 members up-to-the-minute on where the codified law in the space currently is – and more importantly, where it could be heading in the future.
11:15 — 12:15	Impact of pandemic response on global privacy	Bailey*, Moncure, Wilan
	In response to the COVID-19 pandemic, governments and private companies around the globe have collected significant amounts of personal information, including health and tracing information, in the name of public health. The response has led to significant controversy, with some asserting that privacy protections and personal freedoms have been unduly and too quickly sacrificed in support of public health initiatives, and others arguing that privacy laws in some case unduly hampered commonsense solutions. A panel of WG11 brainstorming group members will lead a dialogue with all attendees on their outline which evaluates whether a drafting team could prepare a Commentary that would provide value to practitioners and policymakers in addressing this conflict. Critically, the outline also addresses whether a potential Commentary that explores broader themes of the conflict between privacy and public interest in the event of an emergency, drawing on lessons from the pandemic, would be more useful.
12:15 — 1:30	Lunch
1:30 — 2:30	Advisability of adopting a strict liability regime for data breaches involving personal information	Bailey, D'Ambra*, O'Neill, Segui
	The “reasonable data security” regime has resulted in uncertainty within the business and legal community as to what the regime requires and made legal disputes in the wake of data breaches vastly more expensive to resolve – all without diminishing the volume of data breaches to any perceptible extent or providing equal protections for similarly situated consumers. One solution might be adopting a strict liability standard in the event of data breaches involving personal information. Strict liability regimes may be justified in contexts where a business’ products or services inevitably result in events that potentially cause consumer injury, regardless of the care taken to prevent such events, and it makes policy sense to have the business rather than its customers bear the cost of any such injury. Such a regime can also have the benefit of simplicity and predictability. A panel of brainstorming group members will lead a dialogue on their outline which evaluates whether WG11 should prepare a Commentary on the advisability of adopting a strict liability regime for data breaches.
2:30 — 3:45	Second edition of The Sedona Conference Commentary on Application of Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context	Baxter-Kauf*, Lunsford, Romine
	Since the release of the first edition of the Privilege Commentary, there have been significant new caselaw developments addressing attorney-client privilege and attorney work product in the context of litigation related to cyber incidents. There has also emerged additional focus on certain specific areas of legal response to cyber incidents that were only touched on or were outside the scope of the original Privilege Commentary, including: (a) entity specific guidance on the extension of privilege in the cybersecurity context including with regard to insurer/insureds, service providers/vendors, joint defense groups/joint common interest groups, agency/affiliate relationships, and communications between different/unrelated companies on areas of mutual interest/risk; and (b) exploration of the difference between business and legal advice, including, but not limited to, in the context of PR work in response to a cyber-incident. A panel of WG11 drafting team members will lead a dialogue with all attendees on their draft of the second edition of the Privilege Commentary which addresses both the emerging caselaw and the additional focus areas.
3:45 — 4:00	Afternoon Break
4:00 — 5:00	WG11 town hall	Drum, Jorgensen, Moncure, Meal*, Saikali, Wilan
	WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects.
5:00 — 7:00	Reception (guests invited)

Time	Session	Panelists
	Friday, October 29
8:30 — 9:30	Breakfast & sign-in
9:30 — 10:45	Notice and consent – biometric facial recognition data	Altman, Baxter-Kauf, Drum*, McMasters
	A panel of WG11 drafting team members will lead a dialogue with all attendees on the draft of their Commentary which puts forth legal principles that should govern whether, under what circumstances, and what manner of, notice and consent of an individual should be required in connection with the collection, creation, use, and disclosure by the private and public sectors of that individual's biometric facial recognition data. The draft Commentary also provides legislators and other policymakers with guidance for implementing new and amending existing notice and consent requirements in connection with an individual's biometric facial recognition data.
10:45 — 11:00	Morning Break
11:00 — 12:00	Privacy and data security litigation update	Powell, Vibbert, Withers, Yannella*
	The panel will lead a dialogue on some of the most important privacy and data security actions since this session was last held in September 2020. We will cover not only the most significant court decisions of the past year, but also court filings that raise novel claims and defenses (even if the cases themselves are pending or have settled), with the goal of bringing WG11 members up-to-the-minute on where the case law currently is – and more importantly, where it could be heading in the future.
12:00 — 1:00	Ransomware: the ever-evolving landscape and emerging legal regime	Jorgensen, Ko, Murphy, Saikali, Wilan*
	A series of high-profile ransomware attacks in 2021 has put renewed focus on a long-standing cyber threat vector. These attacks have created headline news stories, resulted in guidance from the White House and U.S. Department of Justice, and even spurred talk of legislative bans on ransomware payments by some in the U.S. Congress. In the meantime, threat actors continue to pivot and evolve in their approaches. During this session, a group of experts who have advised on the legal and technical response to ransomware attacks will lead a dialogue on the evolving landscape in light of these developments including: (1) the emerging legal regime; (2) pay or no-pay decisions and execution; (3) developing and testing ransomware response protocols; (4) business continuity planning; (5) contractual and vendor risk; and (6) insurance issues. Also, the dialogue leaders will look ahead and explore next generation "ransomware 2.0" threats, including exfiltration & extortion and data integrity attacks.
1:00 — 2:00	Grab-and-go lunch

*Panel Moderator

Date::

Thursday, October 28, 2021 - 08:30 to Friday, October 29, 2021 - 13:00

The Sedona Conference Working Group 11 Midyear Meeting 2021

About

Contact

Join our mailing list