Time |
Session |
Panelists |
|
Wednesday, November 1, 2023 |
|
6:00 — 8:00 p.m. |
Welcome reception |
|
|
Thursday, November 2, 2023 |
|
8:00 — 8:45 a.m. |
Breakfast & sign-in |
|
8:45 — 9:00 a.m. |
Welcome and Overview |
Drum, Weinlein |
9:00 — 10:15 a.m. |
Commentary on HIPAA updates |
|
|
The panel will lead a dialogue on its draft commentary on whether HIPAA adequately covers consumer health data and non-traditional health data uses, given HIPAA’s focus on healthcare providers that bill insurance, the proliferation of health data generated outside of the traditional medical and insurance fields, and the innovative new uses of health data in which companies are engaging. The draft commentary addresses whether HIPAA, and specifically the HIPAA Security and Breach Notification Rule, need to be updated given changes in technology and the threat landscape. |
Brady, Cronin, Rhodes, Vibbert* |
10:15 — 11:15 a.m. |
A KYC model for data breaches? |
|
|
Threat actors are highly incentivized to successfully acquire information necessary for identify theft, insurance fraud, and bank fraud. This panel will consider whether more proactive legal measures should be taken to reduce the ability for these criminals to use the data that they’ve stolen. For example, credit card companies have dedicated substantial efforts and funds to reduce the value of stolen credit cards and have declared that merchants not adequately confirming the validity of a card pre-acceptance will be responsible for the charge. Should other entities that allow fraudsters to convert stolen information into cash by filing claims, opening accounts, and otherwise monetizing their crime bear some of the cost and burden for fraud committed by threat actors? |
Ackert, Cronin, Engdahl, Gyasi, Jorgensen* |
11:15 — 11:30 a.m. |
Morning Break |
|
11:30 — 12:45 p.m. |
Privacy and cybersecurity legal implications of AI |
|
|
Artificial Intelligence (AI) has the potential to solve some of the world’s most complex problems and to bring about a sea-change of innovation, but also raises myriad challenges for the future of work, privacy, and data governance. AI, in all of its forms, requires data, and often the more data the better. This raises questions about from where such data is collected, how it is used and processed, its security, the ways in which AI can be harnessed for cyberattacks or to bypass security measures or exploit system security and privacy vulnerabilities, and the possible need for consent and the form and mechanism for obtaining it. While many jurisdictions are beginning to consider and enact laws to address these questions, this body of law remains in a nascent state and much remains to be discussed and decided. A panel of brainstorming group members will lead a dialogue on its outline which analyzes what legal issues related to the topics of privacy, consent, and cybersecurity impacting the development and use of AI might be worthy of a drafting team effort to prepare a Commentary on said issue(s). |
Ackert, Green*, Simpson, Polenberg |
12:45 — 2:00 p.m. |
Lunch |
|
2:00 — 3:15 p.m. |
Town hall |
|
|
WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects. |
Baxter-Kauf, Cronin, Drum*, Kemnitz, McCarthy, Murphy, Vibbert |
3:15 — 3:30 p.m. |
Afternoon Break |
|
3:30 — 4:45 p.m. |
Data Privacy Primer, Second Edition |
|
|
A panel of WG11 members will lead a dialogue on whether WG11 should draft a Second Edition of The Sedona Conference Data Privacy Primer, and if so, what types of updates would be potentially beneficial, including: 1) whether updates should be made to address key federal and state legislative changes and case law updates since January 2018; and 2) whether international privacy laws and principles should be added to the Primer. |
McCarthy*, Prewitt, Rice, Trilling |
5:00 — 7:00 p.m. |
Reception (guests invited) |
|
|
Friday, November 3, 2023 |
|
8:00 — 9:00 a.m. |
Breakfast & sign-in |
|
9:00 — 10:15 a.m. |
Privacy and data security legislative and regulatory update |
|
The panel will lead a dialogue on some of the most important actual and proposed legislative and regulatory enactments during the past year in the privacy and data security space. The panel will also cover recent enforcement actions at the state and federal level, relevant regulatory litigation outcomes, and preview how upcoming legislative enactments impact the growing patchwork of compliance requirements in this space. |
Cheema, Murphy*, Trilling |
10:15 — 10:30 a.m. |
Morning Break |
|
10:30 — 11:45 a.m. |
Online tracking |
|
|
Online tracking and retargeting technologies increasingly present unique challenges to organizations’ legal and marketing teams as technologies evolve, compliance obligations change, and laws that have been in place for years like the Video Privacy Protection Act and two-party wiretapping statutes are being reinterpreted and tested by consumers in online marketing contexts. A panel of brainstorming group members will lead a dialogue on their outline which evaluates the evolving online tracking legal landscape and assesses whether one or more topics in this arena could be appropriate for an eventual Commentary. |
Baxter-Kauf, Hatcher, Matus*, Pizzirusso |
11:45 — 1:00 p.m. |
The state of standing post-TransUnion |
|
|
The Spokeo v. Robins, 578 U.S. 330 (2016) decision created a circuit split over what constitutes “concrete harm” for purposes of Article III standing. In June 2021, in TransUnion v. Ramirez, 141 S. Ct. 2190 (2021), the Supreme Court addressed a component of that split and rejected the proposition that a plaintiff automatically satisfies the “concrete harm” requirement when a statute purports to authorize a person to sue to enforce a statutory right, finding that “only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.” However, courts are still reaching different conclusions on what constitutes “concrete harm,” and a new circuit split is emerging with respect to intangible harms often alleged in privacy and cybersecurity and privacy litigation. This panel will address the current landscape of standing decisions in privacy and cybersecurity litigation post-TransUnion and will lead a dialogue on the implications of this evolving circuit split going forward. |
Baxter-Kauf, Doran, Drum*, Hon. Tuite |
1:00 — 2:00 p.m. |
Grab-and-go lunch (provided) |
|