The Sedona Conference Working Group 11 Midyear Meeting 2023

Date: 
Thursday, November 2, 2023 - 8:45am to Friday, November 3, 2023 - 1:00pm

Location:
Hotel Haya
Tampa, FL

Register today for the 2023 Midyear Meeting of Working Group 11 on Data Security and Privacy Liability (WG11), to be held at the Hotel Haya in Tampa, Florida, on Thursday-Friday, November 2-3, 2023. A welcome reception will be held on the evening of Wednesday, November 1, from 6:00-8:00 pm.

The meeting's primary focus will be on new drafts and brainstorming group outlines in need of WG11 member review and comment, including the following topics:

  • Commentary on HIPAA updates
  • Privacy and cybersecurity legal implications of AI
  • Online tracking

The meeting will also feature the following sessions:

  • A KYC model for data breaches?
  • Town hall
  • Whether WG11 should draft a second edition of the Data Privacy Primer
  • Privacy and data security legislative and regulatory update
  • The state of standing post-TransUnion

Hotel Reservation Information:

We obtained a very favorable group room rate at The Hotel Haya of $199 per night (plus taxes) for a limited block of rooms on the evenings of November 1-2. The room block expired on October 1, however, a few rooms are still available as of this writing. Reservation information will be provided in your meeting registration confirmation email.  If The Hotel Haya is sold out by the time you register for the WG11 meeting, you will need to book a hotel room at a nearby hotel.  

CLE:

The Sedona Conference will seek CLE accreditation for this meeting in selected jurisdictions (except Virginia) as dictated by attendance.

Dialogue Leaders

Julian Ackert
iDiscovery Solutions
iDS

Washington, DC, USA
Kate Baxter-Kauf
Lockridge Grindal Nauen PLLP

Minneapolis, MN, USA
Maureen M. Brady
McShane & Brady, LLC

Kansas City, MO, USA
Nabeel Cheema
US Securities & Exchange Commission

Washington, DC, USA
Chris Cronin
HALOCK Security Labs

Schaumburg, IL, USA
Brett Doran
Greenberg Traurig LLP

Chicago, IL, USA
Starr Turner Drum
Polsinelli

Birmingham, AL, USA
Ian Engdahl
Hausfeld LLP

Washington, DC, USA
Elizabeth Green
Dell Technologies

London, United Kingdom
Eric B. Gyasi
BakerHostetler LLP

New York, NY, USA
Jenn Odell Hatcher
Shook, Hardy & Bacon

Kansas City, MO
Serge D. Jorgensen
The Sylint Group

Sarasota, FL, USA
Jerami D. Kemnitz
Littler Mendelson P.C.

Minneapolis, MN, USA
Wayne Matus
SafeGuard Privacy Inc.

Sarasota, FL, USA
Colman McCarthy
Shook, Hardy & Bacon, LLP

Kansas City, MO, USA
Tim Murphy
Pennsylvania Office of Attorney General

Philadelphia, PA, USA
James J. Pizzirusso
Hausfeld

Washington, DC, USA
Jon Polenberg
Becker & Poliakoff, P.A.

Fort Lauderdale, FL, USA
Matthew Prewitt
ArentFox Schiff LLP

Chicago, IL, USA
Corban S. Rhodes
DiCello Levitt LLP

New York, NY, USA
Tatiana Rice
Future of Privacy Forum

Washington, DC USA
Jake Simpson
The Sylint Group

Sarasota, FL, USA
Jim A. Trilling
Federal Trade Commission

Washington, DC, USA
Hon. Christopher Tuite
US District Court - Middle District of Florida

Tampa, FL, USA
Jami Mills Vibbert
Arnold & Porter

New York, NY, USA

WG11 MidYear Meeting 2023 Agenda

Time  Session  Panelists
  Wednesday, November 1, 2023  
6:00 — 8:00 p.m. Welcome reception  
  Thursday, November 2, 2023  
8:00 — 8:45 a.m. Breakfast & sign-in  
8:45 — 9:00 a.m. Welcome and Overview Drum, Weinlein
9:00 — 10:15 a.m. Commentary on HIPAA updates  
  The panel will lead a dialogue on its draft commentary on whether HIPAA adequately covers consumer health data and non-traditional health data uses, given HIPAA’s focus on healthcare providers that bill insurance, the proliferation of health data generated outside of the traditional medical and insurance fields, and the innovative new uses of health data in which companies are engaging. The draft commentary addresses whether HIPAA, and specifically the HIPAA Security and Breach Notification Rule, need to be updated given changes in technology and the threat landscape. Brady, Cronin, Rhodes, Vibbert*
10:15 — 11:15 a.m. A KYC model for data breaches?  
  Threat actors are highly incentivized to successfully acquire information necessary for identify theft, insurance fraud, and bank fraud. This panel will consider whether more proactive legal measures should be taken to reduce the ability for these criminals to use the data that they’ve stolen. For example, credit card companies have dedicated substantial efforts and funds to reduce the value of stolen credit cards and have declared that merchants not adequately confirming the validity of a card pre-acceptance will be responsible for the charge. Should other entities that allow fraudsters to convert stolen information into cash by filing claims, opening accounts, and otherwise monetizing their crime bear some of the cost and burden for fraud committed by threat actors? Ackert, Cronin, Engdahl, Gyasi, Jorgensen*
11:15 — 11:30 a.m. Morning Break  
11:30 — 12:45 p.m. Privacy and cybersecurity legal implications of AI  
  Artificial Intelligence (AI) has the potential to solve some of the world’s most complex problems and to bring about a sea-change of innovation, but also raises myriad challenges for the future of work, privacy, and data governance. AI, in all of its forms, requires data, and often the more data the better. This raises questions about from where such data is collected, how it is used and processed, its security, the ways in which AI can be harnessed for cyberattacks or to bypass security measures or exploit system security and privacy vulnerabilities, and the possible need for consent and the form and mechanism for obtaining it. While many jurisdictions are beginning to consider and enact laws to address these questions, this body of law remains in a nascent state and much remains to be discussed and decided. A panel of brainstorming group members will lead a dialogue on its outline which analyzes what legal issues related to the topics of privacy, consent, and cybersecurity impacting the development and use of AI might be worthy of a drafting team effort to prepare a Commentary on said issue(s). Ackert, Green*, Simpson, Polenberg
12:45 — 2:00 p.m. Lunch  
2:00  — 3:15 p.m. Town hall  
  WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects. Baxter-Kauf, Cronin, Drum*, Kemnitz, McCarthy, Murphy, Vibbert
3:15 — 3:30 p.m. Afternoon Break  
3:30 — 4:45 p.m. Data Privacy Primer, Second Edition  
  A panel of WG11 members will lead a dialogue on whether WG11 should draft a Second Edition of The Sedona Conference Data Privacy Primer, and if so, what types of updates would be potentially beneficial, including: 1) whether updates should be made to address key federal and state legislative changes and case law updates since January 2018; and 2) whether international privacy laws and principles should be added to the Primer. McCarthy*, Prewitt, Rice, Trilling
5:00 — 7:00 p.m. Reception (guests invited)  
  Friday, November 3, 2023  
8:00 — 9:00 a.m. Breakfast & sign-in  
9:00 — 10:15 a.m. Privacy and data security legislative and regulatory update
  The panel will lead a dialogue on some of the most important actual and proposed legislative and regulatory enactments during the past year in the privacy and data security space. The panel will also cover recent enforcement actions at the state and federal level, relevant regulatory litigation outcomes, and preview how upcoming legislative enactments impact the growing patchwork of compliance requirements in this space. Cheema, Murphy*, Trilling
10:15 — 10:30 a.m. Morning Break  
10:30 — 11:45 a.m. Online tracking  
  Online tracking and retargeting technologies increasingly present unique challenges to organizations’ legal and marketing teams as technologies evolve, compliance obligations change, and laws that have been in place for years like the Video Privacy Protection Act and two-party wiretapping statutes are being reinterpreted and tested by consumers in online marketing contexts. A panel of brainstorming group members will lead a dialogue on their outline which evaluates the evolving online tracking legal landscape and assesses whether one or more topics in this arena could be appropriate for an eventual Commentary. Baxter-Kauf, Hatcher, Matus*, Pizzirusso
11:45 — 1:00 p.m. The state of standing post-TransUnion  
  The Spokeo v. Robins, 578 U.S. 330 (2016) decision created a circuit split over what constitutes “concrete harm” for purposes of Article III standing. In June 2021, in TransUnion v. Ramirez, 141 S. Ct. 2190 (2021), the Supreme Court addressed a component of that split and rejected the proposition that a plaintiff automatically satisfies the “concrete harm” requirement when a statute purports to authorize a person to sue to enforce a statutory right, finding that “only those plaintiffs who have been concretely harmed by a defendant’s statutory violation may sue that private defendant over that violation in federal court.” However, courts are still reaching different conclusions on what constitutes “concrete harm,” and a new circuit split is emerging with respect to intangible harms often alleged in privacy and cybersecurity and privacy litigation. This panel will address the current landscape of standing decisions in privacy and cybersecurity litigation post-TransUnion and will lead a dialogue on the implications of this evolving circuit split going forward. Baxter-Kauf, Doran, Drum*, Hon. Tuite
1:00 — 2:00 p.m. Grab-and-go lunch (provided)  

*Panel Moderator

Date: 
Thursday, November 2, 2023 - 8:00am to Friday, November 3, 2023 - 2:00pm