The Sedona Conference Working Group 11 Annual Meeting 2022

Date: 
Tuesday, April 26, 2022 - 8:45am to Wednesday, April 27, 2022 - 1:00pm

Location: 

The Camby

Phoenix, AZ

The 2022 Annual Meeting of Working Group 11 on Data Security and Privacy Liability (WG11) will be held at The Camby in Phoenix, Arizona, on Tuesday-Wednesday, April 26-27, 2022. A welcome reception will be held in the evening of Monday, April 25, from 6:00-8:00 pm.

Session Information:

The meeting’s primary focus will be on new drafts and brainstorming group outlines in need of WG11 member review and comment, including the following topics:

  • When are ransomware payments illegal under current U.S. law?
  • Model data breach notification law
  • Biometric privacy primer
  • Notice and consent – biometric facial recognition data
  • Privilege Commentary, Second Edition

In addition, the meeting will feature the following sessions:

  • Coordination of multiple litigation and regulatory fronts arising out of major cybersecurity events
  • Incident response: The unresolved questions
  • Privacy and data security legislative and regulatory update
  • WG11 town hall

Please find the timed agenda with detailed session descriptions below. Please look for an email announcement when we add dialogue leaders and biographies.

Hotel Reservation Information:

We have obtained a very favorable room rate at The Camby of $259 per night (plus tax) for a limited block of rooms on the nights of April 25-26. For those who wish to arrive early, leave late, or otherwise extend their stay, the group rate is available for three nights preceding and three nights following the dates of the room block, subject to room availability. Accordingly, if you wish to book for additional nights, you should do so as soon as possible. This room block expires on March 25. Reservation information will be provided in your meeting registration confirmation email.

CLE:

The Sedona Conference will seek CLE accreditation for this event in selected jurisdictions, as dictated by attendance.

Health and Safety Protocols: 

The Sedona Conference encourages all meeting attendees to be vaccinated.  We will follow all federal, state, and local health and safety protocols in effect at the time and place of the meeting.  The seating at the WG11 meeting will be spread out and take full advantage of the size of the meeting room.  We will provide color-coded lanyards for your name tag that will signify your comfort level with social interaction at the meeting.  Green: I am open to shaking hands and conversing in less than 6 feef of proximity while still respecting personal space; Yellow: I welcome conversation but prefer extra personal space, so please keep you distance and don't touch; Red: Please keep at least 6 feet of distance from me when conversing and don't touch.  

Dialogue Leaders

Alexander Altman
Arnold & Porter Kaye Scholer LLP

New York, NY, USA
Kate Baxter-Kauf
Lockridge Grindal Nauen PLLP

Minneapolis, MN, USA
Kaleigh Boyd
Tousley Brain Stephens

Seattle, WA, USA
Robert E. Cattanach
Dorsey & Whitney LLP

Minneapolis, MN, USA
Carol Alexis Chen
Winston and Strawn LLP

Los Angeles, CA, USA
Andrea L. D'Ambra
Norton Rose Fulbright US LLP

New York, NY, USA
Stevie DeGroff
Colorado Department of Law

Denver, CO, USA
Starr Turner Drum
Polsinelli

Birmingham, AL, USA
Arianna Evers
WilmerHale

Washington, DC, USA
Sheryl Falk
Crowe LLP

Houston, TX, USA
John C. Gray
Lewis Roca

Phoenix, AZ, USA
Serge D. Jorgensen
The Sylint Group

Sarasota, FL, USA
David Kalat
Berkeley Research Group

Chicago, IL, USA
Amy E. Keller
DiCello Levitt LLP

Chicago, IL, USA
Jerami D. Kemnitz
Littler Mendelson P.C.

Minneapolis, MN, USA
Colman McCarthy
Shook, Hardy & Bacon, LLP

Kansas City, MO, USA
Douglas McNamara
Cohen Milstein

Washington, DC, USA
Matthew Meade
Eckert Seamans

Pittsburgh, PA, USA
Douglas Meal
Orrick Herrington & Sutcliffe LLP
Cleveland State University College of Law

Boston, MA, USA
Kelly Ruane Melchiondo
Bilzin Sumberg Baena Price & Axelrod LLP

Miami, FL, USA
David Moncure

Denver, CO, USA
James J. Pizzirusso
Hausfeld

Washington, DC, USA
Ruth Elizabeth Promislow
Bennett Jones LLP

Toronto, ON, Canada
Prof. Brian Ray
Cleveland State University College of Law

Cleveland, OH, USA
Alfred Saikali
Shook, Hardy & Bacon L.L.P.

Miami, FL, USA
David C. Shonka
Redgrave LLP

Chantilly, VA, USA
Douglas S. Swetnam
Indiana Attorney General

Indianapolis, IN, USA
Martin T. Tully
Redgrave LLP

Chicago, IL, USA
Jami Mills Vibbert
Arnold & Porter

New York, NY, USA
Larry Wescott
Arete Incident Response

Washington, DC, USA
Jonathan M. Wilan
Sidley Austin LLP

Washington, DC, USA

Agenda

Time Session Panelist
  Tuesday, April 26  
7:30 — 8:30 Breakfast & sign-in  
8:30 — 8:45 Welcome & overview Meal, Weinlein
8:45 — 10:00 When are ransomware payments illegal under current U.S. law? Chen, Gray*, Saikali, Wescott
  There is currently no legal authority that guides determination of whether a threat actor to whom one is considering making a ransomware payment either is itself, or is acting for the benefit of, an organization/entity listed on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), such that making a ransomware payment to that threat actor would be prohibited. A panel of WG11 brainstorming group members will lead a dialogue with all attendees on their outline which evaluates whether WG11 should develop an independent standard and/or factors that would provide guidance on this issue.  
10:00 — 10:15 Morning Break  
10:15 — 11:30 Coordination of multiple litigation and regulatory fronts arising out of major privacy and cybersecurity events Falk, Pizzirusso, PowellShonkaSwetnam*
  A company that suffers a major privacy or cybersecurity event may find itself the target of class actions, state Attorneys General investigations, Federal Trade Commission or other federal agency actions, and foreign regulatory inquiries. While these disparate company adversaries often focus on similar or identical issues, coordination across the adversary group is rare. While some companies facing this situation prefer to engage with a coordinated adversary group to achieve efficiencies and perhaps even global resolution, others endeavor to discourage or prevent any such coordination from occurring. In this session, we will discuss the benefits of and impediments to coordination among the company’s adversaries in this situation, as well as the company’s strategic arguments for encouraging or discouraging such coordination.  
11:30 — 12:30 Notice and consent – biometric facial recognition data Altman, Baxter-Kauf, Evers*, Falk
  A panel of WG11 drafting team members will lead a dialogue with all attendees on the latest draft of their Commentary which puts forth legal principles that should govern whether, under what circumstances, and what manner of, notice and consent of an individual should be required in connection with the collection, creation, use, and disclosure by the private and public sectors of that individual’s biometric facial recognition data. The draft Commentary also provides legislators and other policymakers with guidance for implementing new and amending existing notice and consent requirements in connection with an individual’s biometric facial recognition data.  
12:30 — 1:30 Lunch  
1:30 — 2:30 Model data breach notification law Keller, Meade*, Promislow, Tully
  A panel of WG11 drafting team members will lead a dialogue with all attendees on the latest draft of their Commentary to guide the development of data breach notification laws. Drawing upon best practices in data privacy and incident response, the Commentary describes how data breach notification laws should address different aspects of data breach notification, including what constitutes a notifiable breach, what methods of notification should be permissible, and whether there should be timelines for notification.  
2:00 — 3:45 Privacy and data security legislative and regulatory update Cattanach, D'Ambra, DeGroffDrum*, Kemnitz
  The panel will lead a dialogue on some of the most important actual and proposed legislative and regulatory enactments during the past year in the privacy and data security space. We will cover not only the most significant enactments of the past year, but also currently proposed enactments that raise important privacy and data security issues, with the goal of bringing WG11 members up-to-the-minute on where the codified law in the space currently is – and more importantly, where it could be heading in the future.  
3:45 — 4:00 Afternoon Break  
4:00 — 5:00 WG11 town hall Drum, Jorgensen, Keller, Meal*, Moncure, Pizzirusso, Promislow, Saikali, Wilan
  WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects.  
5:00 — 7:00 Reception (guests invited)  
     
  Wednesday, April 27  
8:30 — 9:30 Breakfast & sign-in  
9:30 — 10:45 Incident response: The unresolved questions JorgensenMeadeMoncure, Saikali*, Vibbert
 

A panel of leading outside counsel, corporate counsel and technologists with extensive experience in incident response will facilitate a dialogue on the most challenging questions companies face when responding to a suspected data breach. These are questions that often are not addressed or resolved by data breach notification laws, including the difficult decisions companies must make relating to scope of investigations, the use of third-party data review firms, timing of notification, effective use of substitute notice, and challenges specific to vendor data breaches. The dialogue will be a highly interactive one based on a series of short scenarios.

  
  Morning Break  
11:00 — 12:00 Second edition of The Sedona Conference Commentary on Application of Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context Baxter-Kauf*, McNamara, Melchiondo, Wilan 
  A panel of WG11 drafting team members will lead a dialogue with all attendees on their draft of the second edition of the Privilege Commentary. The draft addresses new caselaw developments regarding attorney-client privilege and attorney work product in the context of litigation related to cyber incidents. The draft also includes additional focus on certain specific areas of legal response to cyber incidents that were only touched on or were outside the scope of the first edition of the Privilege Commentary.  
12:00 — 1:00 Biometric privacy primer Kalat, McCarthy, PromislowRay*
 

A panel of WG11 drafting team members will lead a dialogue with all attendees on the latest draft of their Primer which provides guidance to practitioners, judges and policymakers regarding how biometric information and biometric data are legally defined, how biometric systems work, and the privacy, data security and related issues they raise.

  
1:00 — 2:00 Grab-and-go lunch  

 

Date: 
Tuesday, April 26, 2022 - 8:45am to Wednesday, April 27, 2022 - 1:00pm