The Sedona Conference Working Group 11 Midyear Meeting 2020

Date: 
Wednesday, September 30, 2020 - 12:00pm to Thursday, October 1, 2020 - 4:15pm

Location: Online (Zoom)

The 2020 Midyear Meeting of Working Group 11 on Data Security and Privacy Liability (WG11) will be held online on Wednesday-Thursday, September 30-October 1, 2020, from Noon-4:15 pm EDT each day.

The meeting’s primary focus will be on new outlines and drafts in need of WG11 member review and comment, including the following topics:

  • Biometric privacy laws
  • Model data breach notification law

In addition, the meeting will feature the following sessions:

  • Privacy and data security litigation update, which will address some of the most significant court decisions and filings and regulatory actions from the past twelve months
  • Key privacy and data security considerations in cyber insurance
  •  A dialogue with global data protection authorities

The Sedona Conference will seek CLE accreditation in accordance with rules and regulations set forth by individual jurisdictions for virtual meetings. Various state MCLE authorities require that we verify your live, active participation throughout the program.

 

Dialogue Leaders

Kate Baxter-Kauf
Lockridge Grindal Nauen PLLP

Minneapolis, MN, USA
David Cohen
Orrick Herrington & Sutcliffe LLP

New York, NY, USA
Elissa Kim Doroff
NFP

New York, NY, USA
Starr Turner Drum
Polsinelli

Birmingham, AL, USA
Arianna Evers
WilmerHale

Washington, DC, USA
Alexander Filip
Data Protection Authority of Bavaria for the Private Sector

Ansbach, Germany
Kamal Ghali
Chaiken Ghali LLP

Atlanta, GA, USA
Serge D. Jorgensen
The Sylint Group

Sarasota, FL, USA
Amy E. Keller
DiCello Levitt LLP

Chicago, IL, USA
Ryan G. Kriger
Federal Trade Commission, Division of Privacy and Information Protection

Montpelier, VT, USA
Commissioner Michael McEvoy
Information and Privacy Commissioner for British Columbia

Victoria, BC, Canada
Matthew Meade
Eckert Seamans

Pittsburgh, PA, USA
Douglas Meal
Orrick Herrington & Sutcliffe LLP
Cleveland State University College of Law

Boston, MA, USA
David Moncure

Denver, CO, USA
Frank Nolan
Eversheds Sutherland (US) LLP

New York, NY, USA
Michael Phillips
Arceo.ai

New York, NY, USA
James J. Pizzirusso
Hausfeld

Washington, DC, USA
Ruth Elizabeth Promislow
Bennett Jones LLP

Toronto, ON, Canada
CJ Pruzinsky
Arceo.ai

Brooklyn, NY, USA
Prof. Brian Ray
Cleveland State University College of Law

Cleveland, OH, USA
NEIL A RIEMANN
Parry Law PLLC

Raleigh, NC, USA
Dalia Ritvo
Colorado Office of the Attorney General

Denver, CO, USA
Alfred Saikali
Shook, Hardy & Bacon L.L.P.

Miami, FL, USA
Dr. Ralf Sauer
European Commission

Brussels, Belgium
Dr. Christian Schröder
Orrick Herrington & Sutcliffe LLP

Düsseldorf, Germany
Elysia Solomon
Albertsons Companies, Inc.

Chicago, IL, USA
Sarah St. Clair
Fifth Third Bank

Cincinnati, OH, USA
Jim David Sullivan
BIO-key International, Inc.

Milton, GA, USA
Martin T. Tully
Redgrave LLP

Chicago, IL, USA
Jami Mills Vibbert
Arnold & Porter

New York, NY, USA
Lesley Weaver
Bleichmar Fonti & Auld LLP

Oakland, CA, USA
Craig W. Weinlein
The Sedona Conference

Phoenix, AZ, USA
Alexander M. White
Privacy Commissioner for Bermuda

Hamilton, Bermuda
Kenneth J. Withers
The Sedona Conference

Phoenix, AZ, USA

AGENDA

DAY 1 - Wednesday, September 30 (all times EDT)
Time Session Panelists
12:00 — 12:15 Welcome & overview Meal, Weinlein
12:15 — 1:30 [Session 1] Biometric privacy laws Baxter-Kauf, Evers, Nolan, Ray*, Ritvo, Sullivan
  In the past decade, the use of biometric data has increased exponentially. Biometric data presents a unique intersection of security protection and privacy risk. For example, while biometric identifiers provide enhanced and efficient authentication protections, their almost complete inalterability also increases the potential for harm if misused or compromised. Further, while the use of biometric identifiers may enhance the ability of government to police criminal activity, such use also gives rise to privacy considerations. A panel of WG11 brainstorming group members will lead a dialogue with all attendees on their outline, which addresses whether, in order to guide the development of biometric privacy laws, it is desirable or necessary to have a set of uniform principles in the context of both the private and public collection and use of biometric data, and whether it is even possible to consider one without the other. The outline also addresses which principles or aspects of a biometric privacy law should be considered by a future drafting team with a view to developing a recommended approach on those particular points.  
1:30 — 1:45 Break  
1:45 — 2:45

[Session 2] Privacy and data security litigation update

 Solomon, Weaver, Cohen, Withers*
  The panel will lead a dialogue on some of the most important privacy and data security actions since this session was last held in September 2019. We will cover not only the most significant court decisions of the past year, but also court filings that raise novel claims and defenses (even if the cases themselves are pending or have settled) and significant regulatory actions, with the goal of bringing WG11 members up-to-the-minute on where the case law currently is – and more importantly, where it could be heading in the future.  
2:45 — 3:00 Break  
3:00 — 4:15

[Session 3] Key privacy and data security considerations in cyber insurance

 Doroff, Phillips, Pruzinsky, Saikali*, St. Clair
 

As companies develop and adopt new and emerging technology, they face challenges regarding the way the technology collects, uses, shares, and stores personal information. These challenges have given rise to new questions of coverage under cyber liability insurance policies. This panel of cyber insurance executives, providers, and counsel will facilitate a dialogue that will address:

  • Legal issues relating to the scope of first and third-party coverage for privacy and data security incidents, including the insurability of regulatory fines and penalties
  • Coverage issues relating to new and emerging technology
  • The potential impact of developments relating to ransomware that will impact insurability of ransomware events in the future
  • Necessary changes to the underwriting process to sufficiently identify and insure applicants’ risks
  • Traps for the unwary - how every company should be thinking about acquiring and using their cyber liability insurance policies

A primary goal of the panel is to identify issues that may be appropriate for a formal commentary by WG11.

  
DAY 2 - Thursday, October 1 (all times EDT)
Time Session Panelists
12:00 — 1:30 [Session 4] A dialogue with global data protection authorities Filip, Sauer, Schröder*, White, McEvoy
  Global data protection authorities will lead a dialogue on their respective enforcement priorities and advisory roles under global data protection regimes and their views on the most important legal issues and questions awaiting resolution under the data protection regulatory regimes they administer and under international data protection law generally. Topics will include the impact of Schrems II and the global COVID-19 pandemic on data security and protection. The panel will also discuss other emerging data protection trends and regulations, cooperation and collaboration among and between different DPAs, and the potential convergence of global data protection laws.  
1:30 — 1:45 Break  
1:45 — 2:30 [Session 5] WG11 town hall Drum, Jorgensen, Meal*, Moncure, Pizzirusso, Promislow, Riemann, Saikali, Vibbert
  WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects.  
2:30 — 2:45 Break  
2:45 — 4:15 [Session 6] Model data breach notification law Ghali, Keller, Kriger, Meade*, Promislow, Tully
 

A panel of WG11 drafting team members will lead a dialogue with all attendees on the latest draft of their Commentary to guide the development of data breach notification laws. Drawing upon best practices in data privacy and incident response, the Commentary describes how data breach notification laws should address different aspects of data breach notification, including what constitutes a notifiable breach, what methods of notification should be permissible, and whether there should be timelines for notification.  The session will begin with the panel providing an overview of the latest draft and key aspects of the draft in need of member feedback.  Members will then be placed into breakout groups to allow for more fulsome dialogue on those key aspects of the draft.  The plenary session will then be reconvened, with each breakout group providing a brief report to the plenary group, to be followed by any additional dialogue amongst the plenary group on the content of the report-outs or other aspects of the outline.

  

* Panel Moderator