16th Annual Sedona Conference Institute: Data Privacy & Cybersecurity Litigation

Thursday, April 13, 2023 - 8:30am to Friday, April 14, 2023 - 1:00pm
Reston, VA
United States

Location:  Hyatt Regency Hotel, Reston, Virginia

Over the past few years, privacy and cybersecurity litigation has increased exponentially and evolved dramatically, creating novel strategic decision points for practitioners throughout the litigation lifecycle.  In addition to data breach-based claims, causes of action under BIPA, CPRA, GDPR, VPPA, CIPA and other privacy-focused statutes have dominated the class action space. New theories of harm are frequently emerging, some led by state attorneys general and federal and international regulators.

Practitioners must consider privilege and preservation issues unique to this domain well in advance of litigation. Cross-border discovery issues frequently arise. And practitioners often must contemplate novel applications of well-worn issues like standing, class certification, and settlement to ever-evolving fact patterns.

This Sedona Conference Institute program will kick off with a simulated tabletop exercise involving a cyber incident in which certain key players – IT, HR, inside and outside counsel, management, forensic investigators, regulators, and others – address the incident with an eye towards potential litigation. Over the next two days, a faculty of jurists, regulators, and leading practitioners in this domain will take deep dives into the issues raised in the tabletop and other emerging issues in data privacy and cybersecurity litigation, including:

  • Internal investigations and audits
  • Conducting discovery
  • Privilege and ethical issues
  • Insurance coverage
  • Cross-border data transfers
  • State, federal, and international regulations and enforcement
  • Special considerations for privacy statute-based claims 


Maynard Cooper & Gale

Birmingham, AL, USA

Bennett Jones LLP

Toronto, ON, Canada


U.S. District Court, Southern District of New York

New York, NY, USA

iDiscovery Solutions

Washington, DC, USA

Volkswagen Group of America

Herndon, VA, USA

U.S. Court of Appeals for the Third Circuit

Wilmington, DE, USA

The Sylint Group

Sarasota, FL, USA


Purchase, NY, USA

Orrick Herrington & Sutcliffe LLP

Boston, MA, USA


Denver, CO, USA

Redgrave LLP

Chantilly, VA, USA

Indiana Attorney General

Indianapolis, IN, USA


Washington, DC

The Sedona Conference

Phoenix, AZ, USA

2023 TSCI Agenda

Time Session Panelists
  Wednesday, April 12, 2023  
5:30 — 7:30 Evening Welcome Reception  
  Thursday, April 13, 2023  
7:30 — 8:30 Buffet Breakfast & Sign-in  
8:30 — 8:45 Welcome & Announcements Drum, Weinlein
8:45 — 10:15 Session 1: Privacy and Security Tabletop Exercise  
  In this session, practitioners will present simulated privacy and data security scenarios that could create notification obligations, regulatory risk, or civil litigation exposure. The remaining panel sessions will offer guidance on addressing and mitigating key risks associated with the scenarios presented in this session.  
10:15 — 10:30 Morning Break  
10:30 — 11:45 Session 2: Assessing Security Risk and Liability Exposure: What is the Current State of "Reasonable Security"  
  Rapid technological advances have fostered innovations by threat actors and those seeking to prevent security incidents. Certain security measures considered "state of the art" a few years ago, may now be obsolete or at least insufficient in isolation. This panel will examine the current legal and technology landscape to help in-house counsel, external counsel and organizations prioritize cybersecurity resource allocation.  
11:45 — 1:00 Session 3: Cybersecurity and Privacy Audits and Internal Investigations  
  The landscape of reasonable security measures and privacy requirements is constantly shifting. It's important to stay on top of existing requirements and to address issues that point to privacy or security gaps in ways that both correct deficiencies and preserve relavant evidence where investications and litigation are reasonably anticipated. This panel will cover the "dos and don'ts" of audits and internal investigations.  
1:00 — 2:15 Lunch  
2:15 — 3:30 Session 4: Privilege Issues and Ethics in Privacy Litigation and Incident Response  
  The privilege landscape in privacy and cybersecurity adversarial proceedings has evolved significantly over the past decade, and privilege considerations often come into play in cybersecurity and privacy matters well before litigation is "reasonably anticipated." This panel will cover privilege considerations and discuss how counsel and their clients can ethically set privilege parameters in these matters.  
3:30 — 3:45 Afternoon Break  
3:45 — 5:00 Session 5: Privacy and Cybersecurity Insurance  
  With the rise of cyber incidents and exponential growth in privacy lawsuits, coverage under cyber liability insurance policies is at an inflection point. This panel will address key legal issues relating to the scope of first and third-party coverage for privacy and data security incidents, coverage issues relating to emerging theories of liability, and how companies can adapt to an evolving insurance marketplace.  
5:30 — 7:00 Reception (guests invited)  
  Friday, April 14, 2023  
7:30 — 8:30 Buffet Breakfast & Sign-in  
8:30 — 9:45 Session 6: Cross-Border Data Transfer Considerations  

Incident response and data privacy and security litigation often cross international borders. Ensuring that personal data is transferred in compliance with applicable laws is essential to avoid "sideshow" supplementary disputes or enhanced penalties. In this session, practitioners who frequently conduct cross-border transfers in the context of investigations and litigation will offer guidance on minimizing data transfer risks.

9:45 — 11:00 Session 7: Regulatory and Judicial Roundtable  

In this session, we'll hear from the judges and regulators who are overseeing enforcement and litigation in the privacy and security space and get insights into what they expect from the practitioners and organizations involved in privacy and security-focused investigations and disputes.

11:00 — 11:15 Morning Break  
11:15 — 12:30 Session 8: Emerging Issues in Privacy and Security Litigation


  In this final session, seasoned practitioners will cover trends cropping up in data breach suits and in the ever-growing acronym-soup of statutory-based privacy litigation (BIPA, CCPA, CIPA, VPPA, etc.). This panel will also revisit the tabletop hypotheticals presented in the first session and address some of the lessons learned throughout the program.  
12:30 — 12:45 Wrap-up  
13:00 — 14:00 Adjournment and Grab-&-Go Lunch (provided)  

Panel Moderator*

Thursday, April 13, 2023 - 8:30am to Friday, April 14, 2023 - 1:00pm