The Sedona Conference Working Group 11 Midyear Meeting 2022

Wednesday, November 2, 2022 - 8:45am to Thursday, November 3, 2022 - 1:00pm

The Ritz-Carlton
Cleveland, Ohio

The 2022 Midyear Meeting of Working Group 11 on Data Security and Privacy Liability (WG11) will be held at The Ritz-Carlton in Cleveland, Ohio, on Wednesday-Thursday, November 2-3, 2022. A welcome reception will be held in the evening of Tuesday, November 1, from 6:00-8:00 pm.

Session Information

The meeting’s primary focus will be on new drafts and brainstorming group outlines in need of WG11 member review and comment, including the following:

  • Incident Response Guide, Second Edition
  • Notice and consent – biometric facial recognition data
  • Ransomware payments

In addition, the meeting will feature the following sessions:

  • Privacy and cybersecurity legislative update
  • Emerging issues in privacy and cybersecurity class action litigation
  • Legal considerations for the lifecycle of employee personal data
  • Balancing privacy and data security against efficacy in NextGen healthcare 
  • WG11 town hall

Hotel Information 

While we obtained a very favorable room rate at The Ritz-Carlton of $290 per night (plus tax) for a block of rooms on the nights of November 1-2, the room block expired on October 11. The Ritz-Carlton is now sold-out.  There are many other hotels in downtown Cleveland, however, for you to select.    


The Sedona Conference will seek CLE accreditation for this event in selected jurisdictions, as dictated by attendance.

Confirmed Dialogue Leaders

iDiscovery Solutions

Washington, DC, USA

Arnold & Porter Kaye Scholer LLP

New York, NY, USA

Strategic Discovery Counsel PLLC

Houston, TX, USA

Lockridge Grindal Nauen PLLP

Minneapolis, MN, USA

McCarthy Tetrault LLP

Vancouver, BC, Canada

Redgrave LLP

Minneapolis, MN, USA

Baker & Hostetler LLP

Cleveland, OH

Dorsey & Whitney LLP

Minneapolis, MN, USA

Markovits, Stock & DeMarco, LLC

Cincinnati, OH, USA

Norton Rose Fulbright US LLP

New York, NY, USA


Birmingham, AL, USA


Cleveland, OH, USA


Washington, DC, USA

Lewis Roca

Phoenix, AZ, USA

BakerHostetler LLP

New York, NY, USA


Cincinnati, OH, USA

Paul Hastings

New York, NY, USA

The Sylint Group

Sarasota, FL, USA

DiCello Levitt LLP

Chicago, IL, USA

Littler Mendelson P.C.

Minneapolis, MN, USA


Chicago, IL, USA

Eckert Seamans

Pittsburgh, PA, USA

Orrick Herrington & Sutcliffe LLP
Cleveland State University College of Law

Boston, MA, USA

Pennsylvania Office of Attorney General

Philadelphia, PA, USA


Washington, DC, USA

Cleveland State University College of Law

Cleveland, OH, USA

Arnold & Porter

Hinsdale, IL, USA

Shook, Hardy & Bacon L.L.P.

Miami, FL, USA

Redgrave LLP

Chantilly, VA, USA

Dell Technologies

Johns Creek, GA, USA

Foley & Lardner LLP

Tampa, FL, USA

Indiana Attorney General

Indianapolis, IN, USA

Arnold & Porter

New York, NY, USA

The Sedona Conference

Phoenix, AZ, USA

Arete Incident Response

Washington, DC, USA

Sidley Austin LLP

Washington, DC, USA


Time Session Panelists
  Wednesday, November 2  
8:00 — 9:00 Breakfast & sign-in  
9:00 — 9:15 Welcome & overview Drum, Weinlein
9:15 — 10:30 Incident Response Guide, Second Edition Averitt, BoothCattanach, Meade*, Swanson

A panel of WG11 brainstorming group members will lead a dialogue with all attendees on their outline which evaluates whether WG11 should draft a Second Edition of the Incident Response Guide, and if so, (1) whether a discussion about international incident response should be included; (2) whether emerging types of incidents, such as ransomware, should be addressed; and (3) whether updates should be made to address key legislative changes since January 2020. 

10:30 — 10:45 Morning Break  
10:45 — 12:00 Legal considerations for the lifecycle of employee personal data Ackert, D'Ambra, Jorgensen, KemnitzShonka*
  Now is a good time for every business, no matter its size, to pause and consider the privacy rights and interests of its prospective, current, and past employees. The collection (and disposition) of personal information about each person begins with the first contact, continues through the pre-employment stage, and accumulates rapidly and perhaps exponentially after hiring as the employee registers for and receives benefits, gets (or gives) employee evaluations, receives pay raises and promotions, takes mandatory training, faces health issues, is issued ID or other access cards, and in some cases is remotely tracked or monitored for various business purposes. And then there is retirement. Throughout the process questions abound as to how the records containing this personal information are protected, managed, disclosed, and disposed of. This panel examines those issues and explores whether WG11 should consider a project that addresses this important topic.  
12:00 — 1:00 Lunch  
1:00 — 2:15 Notice and consent – biometric facial recognition data AltmanBaxter-KaufDrumEvers*
  A panel of WG11 drafting team members will lead a dialogue with all attendees on the latest draft of their Commentary which puts forth legal principles that should govern whether, under what circumstances, and what manner of, notice and consent of an individual should be required in connection with the collection, creation, use, and disclosure by the private and public sectors of that individual’s biometric facial recognition data. The draft Commentary also provides legislators and other policymakers with guidance for implementing new and amending existing notice and consent requirements in connection with an individual’s biometric facial recognition data.  
2:15 — 3:30 Ransomware payments GrayGyasi, JenningsRaymondShook*, Wescott
  A panel of drafting team members will lead a dialogue on their progress in exploring issues related to statutory liability associated with ransomware payments, including the development of a framework for measuring that liability.  
3:30 — 3:45 Afternoon Break  
3:45 — 5:00 WG11 town hall Drum*, Jorgensen, Keller, Meal, MurphyPizzirusso, Saikali, Wilan
  WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects.  
5:00 — 7:00 Reception (guests invited)  
  Thursday, November 3  
8:00 — 9:90 Breakfast & sign-in  
9:00 — 10:15

Emerging issues in privacy and cybersecurity class action litigation

CarneyCoatesKeller, KlingerPizzirusso, Saikali*

Data breach class actions are evolving rapidly and involve multiple unique strategic decision points for practitioners and courts. This panel will cover some of the key pivotal processes in the lifecycle of data breach class actions including the coordination and consolidation of data breach class actions; the class certification process; and settlement.

10:15 — 10:30 Morning Break  
10:30 — 11:45 Balancing privacy and data security against efficacy in NextGen healthcare  Bulander, DunifonMeade, VibbertWilan* 
  Advances in medical technology, including the application of AI and Big Data, bring the promise of unprecedented medical breakthroughs and improved individual outcomes. The pandemic pushed rapid advances in tele-health, and we are increasingly connected to devices that provide and store personal health-related information. While the law has long provided protections related to the privacy and security of medical and health information, questions arise as to whether those legacy and emerging laws adequately address these emerging digital risks, or on the flip side, may serve to unduly limit the benefits of emerging health-care technology. This panel will explore how the existing legal foundations apply to new and emerging technology and practices in the health and wellness areas, including whether new guidelines or best practices could help bridge the potential conflicts between privacy and efficacy.  
11:45 — 1:00 Privacy and data security legislative and regulatory update Meal*, HoffmanMurphy, RaySwetnam

The panel will lead a dialogue on important updates in the U.S. federal legislative and regulatory space, including the status of the American Data Privacy and Protection Act (ADPPA) and the FTC’s proposed rulemaking efforts in the privacy and data security arena. It will also focus on important updates in U.S. state legislative and enforcement activity, focusing particularly on the enhanced consumer privacy laws taking effect next year in California, Virginia, Colorado, Connecticut, and Utah.

1:00 — 2:00 Grab-and-go lunch  

Panel Moderator*

Wednesday, November 2, 2022 - 8:45am to Thursday, November 3, 2022 - 1:00pm