16th Annual Sedona Conference Institute: Data Privacy & Cybersecurity Litigation

Thursday, April 13, 2023 - 8:30am to Friday, April 14, 2023 - 1:00pm
Reston, VA
United States


Hyatt Regency Reston, 1800 Presidents Street, Reston, VA 20190

Program Description:

Over the past few years, privacy and cybersecurity litigation has increased exponentially and evolved dramatically, creating novel strategic decision points for practitioners throughout the litigation lifecycle.  In addition to data breach-based claims, causes of action under BIPA, CPRA, GDPR, VPPA, CIPA and other privacy-focused statutes have dominated the class action space. New theories of harm are frequently emerging, some led by state attorneys general and federal and international regulators.

Practitioners must consider privilege and preservation issues unique to this domain well in advance of litigation. Cross-border discovery issues frequently arise. And practitioners often must contemplate novel applications of well-worn issues like standing, class certification, and settlement to ever-evolving fact patterns.

This Sedona Conference Institute program will kick off with a simulated tabletop exercise involving a cyber incident in which certain key players – IT, HR, inside and outside counsel, management, forensic investigators, regulators, and others – address the incident with an eye towards potential litigation. Over the next two days, a faculty of jurists, regulators, and leading practitioners in this domain will take deep dives into the issues raised in the tabletop and other emerging issues in data privacy and cybersecurity litigation, including:

  • Internal investigations and audits
  • Conducting discovery
  • Privilege and ethical issues
  • Insurance coverage
  • Cross-border data transfers
  • State, federal, and international regulations and enforcement
  • Special considerations for privacy statute-based claims 

The program will take place on April 13 and 14.  There will be a welcome reception on the evening of April 12, from 5:30 - 7:30 pm (Eastern time). 

A more detailed Agenda is below.  

Hotel Reservation Information:

We have obtained a very favorable group room rate at The Hyatt Regency Reston of $289 per night (plus tax) for a limited block of rooms on the nights of April 12 and 13.  The group rate is for single and double occupancy.  The room block expires on March 21.  After the room block expires, rooms are subject to availability.  Reservation information will be provided in your registration confirmation email. 


The Sedona Conference will seek CLE accreditation for this program in selected jurisdictions, as dictated by attendance.  



Birmingham, AL, USA

Bennett Jones LLP

Toronto, ON, Canada


U.S. District Court, Southern District of New York

New York, NY, USA

iDiscovery Solutions

Washington, DC, USA

Lockridge Grindal Nauen PLLP

Minneapolis, MN, USA

Volkswagen Group of America

Herndon, VA, USA

Orrick, Herrington & Sutcliffe

London, United Kingdom

Medidata Solutions, Inc.

New York, NY, USA

BakerHostetler LLP

New York, NY, USA

U.S. Court of Appeals for the Third Circuit

Wilmington, DE, USA

The Sylint Group

Sarasota, FL, USA


New York, NY, USA

SafeGuard Privacy Inc.

Sarasota, FL, USA

Baker & Hostetler LLP

Wilmington, DE USA

Ropes & Gray

Washington, DC, USA

Eckert Seamans

Pittsburgh, PA, USA

Orrick Herrington & Sutcliffe LLP
Cleveland State University College of Law

Boston, MA, USA


Spring, TX, USA

Pennsylvania Office of Attorney General

Philadelphia, PA, USA


Washington, DC, USA

Future of Privacy Forum

Washington, DC USA

Lockton Companies

Dallas, TX, USA

Shook, Hardy & Bacon L.L.P.

Miami, FL, USA

Office of the Attorney General of Virginia

Richmond, VA, USA

Redgrave LLP

Chantilly, VA, USA

Crowell & Moring LLC

San Francisco, CA, USA

Indiana Attorney General

Indianapolis, IN, USA

Arnold & Porter

New York, NY, USA


Washington, DC

Seyfarth Shaw LLP

Chicago, IL USA

2023 TSCI Agenda

Time Session Panelists
  Wednesday, April 12, 2023  
5:30 — 7:30 Evening Welcome Reception  
  Thursday, April 13, 2023  
7:30 — 8:30 Buffet Breakfast & Sign-in  
8:30 — 8:45 Welcome & Announcements Drum, Promislow, Withers
8:45 — 10:15 Session 1: Privacy and Security Tabletop Exercise Carr, Fedeles, Meade, Jorgensen, Promislow*
  In this session, practitioners will present simulated privacy and data security scenarios that could create notification obligations, regulatory risk, or civil litigation exposure. The remaining panel sessions will offer guidance on addressing and mitigating key risks associated with the scenarios presented in this session.  
10:15 — 10:30 Morning Break  
10:30 — 11:45 Session 2: Assessing Security Risk and Liability Exposure: What is the Current State of "Reasonable Security" Ackert, Meal*, Murphy, Vibbert
  Rapid technological advances have fostered innovations by threat actors and those seeking to prevent security incidents. Certain security measures considered "state of the art" a few years ago may now be obsolete or at least insufficient in isolation. This panel will examine the current legal and technology landscape to help in-house counsel, external counsel and organizations prioritize cybersecurity resource allocation.  
11:45 — 1:00 Session 3: Cybersecurity and Privacy Audits and Internal Investigations Brady, Lutkus, Matus*, McNicholas
  The landscape of reasonable security measures and privacy requirements is constantly shifting. It's important to stay on top of existing requirements and to address issues that point to privacy or security gaps in ways that both correct deficiencies and preserve relevant evidence where investigations and litigation are reasonably anticipated. This panel will cover the "dos and don'ts" of audits and internal investigations.  
1:00 — 2:15 Lunch  
2:15 — 3:30 Session 4: Privilege Issues and Ethics in Privacy Litigation and Incident Response Aaron, Baxter-Kauf, Fedeles, Gyasi, Vibbert*
  The privilege landscape in privacy and cybersecurity adversarial proceedings has evolved significantly over the past decade, and privilege considerations often come into play in cybersecurity and privacy matters well before litigation is "reasonably anticipated." This panel will cover privilege considerations and discuss how counsel and their clients can ethically set privilege parameters in these matters.  
3:30 — 3:45 Afternoon Break  
3:45 — 5:00 Session 5: Privacy and Cybersecurity Insurance McAndrew, Romine, Saikali*, Wall
  With the rise of cyber incidents and exponential growth in privacy lawsuits, coverage under cyber liability insurance policies is at an inflection point. This panel will address key legal issues relating to the scope of first and third-party coverage for privacy and data security incidents, coverage issues relating to emerging theories of liability, and how companies can adapt to an evolving insurance marketplace.  
5:30 — 7:00 Reception (guests invited)  
  Friday, April 14, 2023  
7:30 — 8:30 Buffet Breakfast & Sign-in  
8:30 — 9:45 Session 6: Cross-Border Data Transfer Considerations Carr, Moncure, Shonka*, State, Wall

Incident response and data privacy and security litigation often cross international borders. Ensuring that personal data is transferred in compliance with applicable laws is essential to avoid "sideshow" supplementary disputes or enhanced penalties. In this session, practitioners who frequently conduct cross-border transfers in the context of investigations and litigation will offer guidance on minimizing data transfer risks.

9:45 — 11:00 Session 7: Regulatory and Judicial Roundtable Aaron, Jordan, Murphy, Promislow*, Swetnam

In this session, we'll hear from the judges and regulators who are overseeing enforcement and litigation in the privacy and security space and get insights into what they expect from the practitioners and organizations involved in privacy and security-focused investigations and disputes.

11:00 — 11:15 Morning Break  
11:15 — 12:30 Session 8: Emerging Issues in Privacy and Security Litigation Drum*, Jorgensen, Pizzirusso, Rice, Yovanic

  In this final session, seasoned practitioners will cover trends cropping up in data breach suits and in the ever-growing acronym-soup of statutory-based privacy litigation (BIPA, CCPA, CIPA, VPPA, etc.). This panel will also revisit the tabletop hypotheticals presented in the first session and address some of the lessons learned throughout the program.  
12:30 — 12:45 Wrap-up Drum, Promislow, Withers
13:00 — 14:00 Adjournment and Grab-&-Go Lunch (provided)  

Panel Moderator*
