The Sedona Conference Working Group 11 Midyear Meeting 2021

Date: 
Thursday, October 28, 2021 - 8:30am to Friday, October 29, 2021 - 1:00pm

Location: 

The St. Regis

Houston, TX

 

The 2021 Midyear Meeting of Working Group 11 on Data Security and Privacy Liability (WG11) will be held at the St. Regis in Houston, Texas, on Thursday-Friday, October 28-29, 2021. A welcome reception will be held in the evening of Wednesday, October 27, from 6:00-8:00 pm.

Session Information:

The meeting's primary focus will be on new drafts and brainstorming group outlines in need of WG11 member review and comment, including the following topics:

  • Biometric privacy primer
  • Notice and consent - biometric facial recognition data
  • Privilege Commentary, Second Edition
  • Impact of pandemic response on global privacy
  • Advisability of adopting a strict liability regime for data breaches involving personal information

In addition, the meeting will feature the following sessions:

  • Privacy and data security legislative and regulatory update
  • Privacy and data security litigation update
  • Ransomware: the ever-evolving landscape and emerging legal regime
  • WG11 town hall

Please find the timed agenda with detailed session descriptions, along with confirmed dialogue leaders and biographies, below. 

Hotel Reservation Information:

We have obtained an extremely favorable group room rate at the St. Regis Hotel of $235 per night (plus tax) for a limited block of rooms on the nights of October 27-28. For those who wish to arrive early, leave late, or otherwise extend their stay, the group rate is available for three nights preceding and three nights following the dates of the room block, but subject to standard guestroom availability. Accordingly, if you wish to book for additional nights, you should do so as soon as possible. This block of rooms will be held until October 6, 2021, after which the rooms will be made available to the general public. Reservation information will be provided in your meeting registration confirmation email.

CLE:

The Sedona Conference will seek CLE accreditation for this event in selected jurisdictions, as dictated by attendance.

Health and Safety Protocols: 

The Sedona Conference will follow all federal, state, and local health and safety protocols in effect at the time and place of the meeting. Here is a link to the enhanced cleaning and safety protocols currently in place at The St. Regis Houston: https://whattoexpect.marriott.com/houxrThe seating at the meeting will be spread out and take full advantage of the size of the meeting room. In addition to various sanitation measures, The Sedona Conference will provide color-coded lanyards for your name tag that will signify your comfort level with social interaction at the meeting. GREEN: I am open to shaking hands and conversation in less than 6 feet proximity while still respecting personal space; YELLOW: I welcome conversation but prefer extra personal space, so please keep your distance and don't touch. REDPlease converse and keep at least 6 feet of distance from me and don't touch.

 

Dialogue Leaders

Julian Ackert
iDiscovery Solutions
iDS

Washington, DC, USA
Alexander Altman
Arnold & Porter Kaye Scholer LLP

New York, NY, USA
Mark T. Bailey
Office of the Colorado Attorney General

Denver, CO, USA
Kate Baxter-Kauf
Lockridge Grindal Nauen PLLP

Minneapolis, MN, USA
Kaleigh Boyd
Tousley Brain Stephens

Seattle, WA, USA
Andrea L. D'Ambra
Norton Rose Fulbright US LLP

New York, NY, USA
Brett Doran
Greenberg Traurig LLP

Chicago, IL, USA
Starr Turner Drum
Polsinelli

Birmingham, AL, USA
Serge D. Jorgensen
The Sylint Group

Sarasota, FL, USA
David Kalat
Berkeley Research Group

Chicago, IL, USA
David J. Ko
Federal Bureau of Investigation

Houston, TX, USA
Ted Kobus
BakerHostetler

New York, NY, USA
Anderson Lunsford
BreachRx

Fayetteville, AR, USA
Tom McMasters
Self-Employed

San Jose, CA, USA
Douglas Meal
Orrick Herrington & Sutcliffe LLP
Cleveland State University College of Law

Boston, MA, USA
David Moncure

Denver, CO, USA
Patrick Murphy
Ankura Consulting Group, LLC

Philadelphia, PA, USA
Tony O'Neill
Commonwealth of Massachusetts

Boston, MA, USA
Cole Rabinowitz
Paul Weiss

New York, NY, USA
Prof. Brian Ray
Cleveland State University College of Law

Cleveland, OH, USA
Sara E. Romine
Lockton Companies

Dallas, TX, USA
Alfred Saikali
Shook, Hardy & Bacon L.L.P.

Miami, FL, USA
Harper Segui
Milberg Coleman Bryson Phillips Grossman LLP

Mt. Pleasant, SC, USA
Joe Shepley
Alvarez and Marsal

Oak Park, IL, USA
Martin T. Tully
Redgrave LLP

Chicago, IL, USA
Jami Mills Vibbert
Arnold & Porter

New York, NY, USA
Lesley Weaver
Bleichmar Fonti & Auld LLP

Oakland, CA, USA
Craig W. Weinlein
The Sedona Conference

Phoenix, AZ, USA
Jonathan M. Wilan
Sidley Austin LLP

Washington, DC, USA
Kenneth J. Withers
The Sedona Conference

Phoenix, AZ, USA
Phil Yannella
Ballard Spahr LLP
Blank Rome

Philadelphia, PA, USA

Agenda

Time Session Panelists
  Thursday, October 28  
7:30 — 8:30 Breakfast & sign-in  
8:30 — 8:45 Welcome & overview Meal, Weinlein
8:45 — 10:00 Biometric privacy primer Ackert, Doran, Kalat, Ray*, Weaver
  A panel of WG11 drafting team members will lead a dialogue with all attendees on the draft of their Primer which provides guidance to practitioners, judges and policymakers regarding how biometric information and biometric data are legally defined, how biometric systems work, and the privacy, data security and related issues they raise. 

 
10:00 — 10:15 Morning Break  
10:15 — 11:15 Privacy and data security legislative and regulatory update Kobus, Rabinowitz, Shepley, Tully*
  The panel will lead a dialogue on some of the most important actual and proposed legislative and regulatory enactments during the past year in the privacy and data security space. We will cover not only the most significant enactments of the past year, but also currently proposed enactments that raise important privacy and data security issues, with the goal of bringing WG11 members up-to-the-minute on where the codified law in the space currently is – and more importantly, where it could be heading in the future.  
11:15 — 12:15 Impact of pandemic response on global privacy Bailey*, Moncure, Wilan
  In response to the COVID-19 pandemic, governments and private companies around the globe have collected significant amounts of personal information, including health and tracing information, in the name of public health. The response has led to significant controversy, with some asserting that privacy protections and personal freedoms have been unduly and too quickly sacrificed in support of public health initiatives, and others arguing that privacy laws in some case unduly hampered commonsense solutions. A panel of WG11 brainstorming group members will lead a dialogue with all attendees on their outline which evaluates whether a drafting team could prepare a Commentary that would provide value to practitioners and policymakers in addressing this conflict. Critically, the outline also addresses whether a potential Commentary that explores broader themes of the conflict between privacy and public interest in the event of an emergency, drawing on lessons from the pandemic, would be more useful.  
12:15 — 1:30 Lunch  
1:30 — 2:30 Advisability of adopting a strict liability regime for data breaches involving personal information Bailey, D'Ambra*, O'Neill, Segui
  The “reasonable data security” regime has resulted in uncertainty within the business and legal community as to what the regime requires and made legal disputes in the wake of data breaches vastly more expensive to resolve – all without diminishing the volume of data breaches to any perceptible extent or providing equal protections for similarly situated consumers. One solution might be adopting a strict liability standard in the event of data breaches involving personal information. Strict liability regimes may be justified in contexts where a business’ products or services inevitably result in events that potentially cause consumer injury, regardless of the care taken to prevent such events, and it makes policy sense to have the business rather than its customers bear the cost of any such injury. Such a regime can also have the benefit of simplicity and predictability. A panel of brainstorming group members will lead a dialogue on their outline which evaluates whether WG11 should prepare a Commentary on the advisability of adopting a strict liability regime for data breaches.  
2:30 — 3:45 Second edition of The Sedona Conference Commentary on Application of Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context Baxter-Kauf*, Lunsford, Romine
  Since the release of the first edition of the Privilege Commentary, there have been significant new caselaw developments addressing attorney-client privilege and attorney work product in the context of litigation related to cyber incidents. There has also emerged additional focus on certain specific areas of legal response to cyber incidents that were only touched on or were outside the scope of the original Privilege Commentary, including: (a) entity specific guidance on the extension of privilege in the cybersecurity context including with regard to insurer/insureds, service providers/vendors, joint defense groups/joint common interest groups, agency/affiliate relationships, and communications between different/unrelated companies on areas of mutual interest/risk; and (b) exploration of the difference between business and legal advice, including, but not limited to, in the context of PR work in response to a cyber-incident. A panel of WG11 drafting team members will lead a dialogue with all attendees on their draft of the second edition of the Privilege Commentary which addresses both the emerging caselaw and the additional focus areas.  
3:45 — 4:00 Afternoon Break  
4:00 — 5:00 WG11 town hall Drum, Jorgensen, Moncure, Meal*, Saikali, Wilan
  WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects.
5:00 — 7:00 Reception (guests invited)  
Time Session Panelists
  Friday, October 29  
8:30 — 9:30 Breakfast & sign-in  
9:30 — 10:45 Notice and consent – biometric facial recognition data Altman, Baxter-Kauf, Drum*, McMasters
 

A panel of WG11 drafting team members will lead a dialogue with all attendees on the draft of their Commentary which puts forth legal principles that should govern whether, under what circumstances, and what manner of, notice and consent of an individual should be required in connection with the collection, creation, use, and disclosure by the private and public sectors of that individual's biometric facial recognition data. The draft Commentary also provides legislators and other policymakers with guidance for implementing new and amending existing notice and consent requirements in connection with an individual's biometric facial recognition data.
10:45 — 11:00 Morning Break  
11:00 — 12:00 Privacy and data security litigation update PowellVibbert, Withers, Yannella*
  The panel will lead a dialogue on some of the most important privacy and data security actions since this session was last held in September 2020. We will cover not only the most significant court decisions of the past year, but also court filings that raise novel claims and defenses (even if the cases themselves are pending or have settled), with the goal of bringing WG11 members up-to-the-minute on where the case law currently is – and more importantly, where it could be heading in the future.  
12:00 — 1:00 Ransomware: the ever-evolving landscape and emerging legal regime Jorgensen, Ko, Murphy, Saikali, Wilan*
 

A series of high-profile ransomware attacks in 2021 has put renewed focus on a long-standing cyber threat vector. These attacks have created headline news stories, resulted in guidance from the White House and U.S. Department of Justice, and even spurred talk of legislative bans on ransomware payments by some in the U.S. Congress. In the meantime, threat actors continue to pivot and evolve in their approaches. During this session, a group of experts who have advised on the legal and technical response to ransomware attacks will lead a dialogue on the evolving landscape in light of these developments including: (1) the emerging legal regime; (2) pay or no-pay decisions and execution; (3) developing and testing ransomware response protocols; (4) business continuity planning; (5) contractual and vendor risk; and (6) insurance issues. Also, the dialogue leaders will look ahead and explore next generation "ransomware 2.0" threats, including exfiltration & extortion and data integrity attacks.

  
1:00 — 2:00 Grab-and-go lunch  

*Panel Moderator

Date: 
Thursday, October 28, 2021 - 8:30am to Friday, October 29, 2021 - 1:00pm