The Sedona Conference Working Group 11 Annual Meeting 2019

Date: 
Thursday, February 28, 2019 - 8:00am to Friday, March 1, 2019 - 1:00pm

Location:
The St. Regis
Houston, TX

The 2019 Annual Meeting of Working Group 11 will be held at the St. Regis in Houston, TX, on Thursday, February 28 – Friday, March 1, 2019. A welcome reception will be held at the hotel from 6:00-8:00 p.m. on Wednesday, February 27.

The meeting’s main focus will be on new drafts and brainstorming group outlines in need of WG11 member review and comment, including the following topics:

  • Model data breach notification law
  • Data security and privacy challenges in artificial intelligence (AI) systems
  • Reasonable security test
  • U.S. judicial enforcement of orders entered under the EU General Data Protection Regulation (GDPR)
  • Data security and privacy issues in civil litigation

In addition, the meeting will feature the following sessions:

  • Advising clients with limited resources on cost-effective data security and privacy strategies
  • Plaintiff’s bar roundtable
  • California Consumer Privacy Act (CCPA) penalties
  • Additional remedies for alleged Federal Trade Commission (FTC) Act Section 5 violations in the data security and privacy context

Please find the agenda and dialogue leaders below.

In addition to the agenda found below, please find a detailed agenda, with descriptions of each session, here.

Dialogue Leaders

iDiscovery Solutions

Washington, DC, USA

Robbins Geller Rudman & Dowd LLP

San Diego, CA, USA

Dorsey & Whitney LLP

Minneapolis, MN, USA

Orrick Herrington & Sutcliffe LLP

New York, NY, USA

Crowell & Moring LLP

New York, NY, USA

Maynard Cooper & Gale

Birmingham, AL, USA

WilmerHale

Washington, DC, USA

Winston & Strawn LLP

Houston, TX, USA

McGuire Law, P.C.
Supreme Court of Texas
Mastercard

Purchase, NY, USA

The Sylint Group

Sarasota, FL, USA

DiCello Levitt Gutzler LLC

Chicago, IL, USA

Vermont Office of the Attorney General

Montpelier, VT, USA

Driven, Inc.

Minnetonka, MN, USA

Gill Ragon Owen, P.A.
UnitedLex
Shook, Hardy & Bacon L.L.P.
Eckert Seamans

Pittsburgh, PA, USA

DaVita

Denver, CO, USA

Wyrick Robbins Yates & Ponton LLP

Raleigh, NC, USA

Hausfeld

Washington, DC, USA

Seyfarth Shaw
Bennett Jones LLP

Toronto, ON, Canada

Penry|Riemann PLLC

Raleigh, NC, USA

The Crypsis Group
Shook, Hardy & Bacon L.L.P.

Miami, FL, USA

Shook, Hardy & Bacon L.L.P.

Kansas City, MO, USA

Redgrave LLP

Chantilly, VA, USA

Karta Legal LLC
Tousley Brain Stephens, PLLC
Carlton Fields

Tampa, FL, USA

Federal Trade Commission
Actuate Law LLC

Chicago, IL, USA

Perez Art Museum Miami
Arnold & Porter Kaye Scholer LLP

New York, NY, USA

Morgan & Morgan
Venable LLP

San Francisco, CA, USA

Reasonable security test

Date: 
Thursday, February 28, 2019 - 8:40am to 9:55am
Panel Description: 

A panel of WG11 drafting team members will lead a dialogue on their draft Commentary that evaluates what “legal test” a court or other adjudicative body should apply, or what other approach it should follow, in a situation where a party has or is alleged to have a legal obligation to provide “reasonable security” for personal information and the issue is whether the party in question has met that legal obligation. While preparing this draft Commentary, the drafting team examined decisions of courts and regulatory bodies and the work of scholars and other writers in the field.

Model data breach notification law

Date: 
Thursday, February 28, 2019 - 9:55am to 10:45am
Panel Description: 

A panel of WG11 brainstorming group members will lead a dialogue with all WG11 members in attendance on their outline on the topic. The brainstorming group was tasked with: (1) analyzing existing model data breach notification laws, proposed federal legislation, and how countries besides the U.S. have regulated breach response; and, (2) based on the analysis of data breach notification laws and the deep experience of practitioners, proposing a path forward for developing a model data breach notification law. The model law would aim to mandate the most practical and useful framework for data breach response.

Data security and privacy issues in civil litigation

Date: 
Thursday, February 28, 2019 - 11:00am to 12:15pm
Panel Description: 

A panel of WG11 drafting team members will lead a dialogue on their revised draft Commentary addressing data security and privacy issues in civil litigation. After WG11 membership feedback, the drafting team has fairly significantly revised the approach and scope of the draft Commentary. The Commentary outlines a number of principles for parties seeking to protect personal data and other sensitive information during litigation.

U.S. judicial enforcement of orders entered under the EU General Data Protection Regulation (GDPR)

Date: 
Thursday, February 28, 2019 - 1:30pm to 2:30pm
Panel Description: 

A panel of WG11 drafting team members and a leading jurist will lead a dialogue on a draft Commentary which: (1) identifies and explains the legal principles a U.S. court would likely apply if asked to enforce an order entered under the GDPR by an EU court (or alternatively a Data Protection/Supervisory Authority (DPA) or the European Data Protection Board (EDPB)) against a U.S.-based company; and, (2) evaluates whether under those principles, a U.S. court would likely enforce various categories of orders that might be entered under the GDPR (e.g., injunctive orders, administrative actions, damage awards, penalty assessments).

Plaintiff’s bar roundtable

Date: 
Thursday, February 28, 2019 - 2:30pm to 3:45pm
Panel Description: 

A roundtable of leading plaintiff’s attorneys will dialogue with WG11 members in attendance on current issues and developments regarding data security and privacy in the plaintiff’s bar. Among other topics, the dialogue leaders will discuss how the plaintiff’s bar is handling emerging trends and issues in the industry, such as artificial intelligence (AI), GDPR, and privacy by design. They also will address what legal advice regarding data security and privacy looks like from the plaintiff’s standpoint.

WG11 town hall

Date: 
Thursday, February 28, 2019 - 4:00pm to 5:00pm
Panel Description: 

WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects.

Advising clients with limited resources on cost-effective data security and privacy strategies

Date: 
Friday, March 1, 2019 - 8:45am to 10:00am
Panel Description: 

Most commentary about developing or enhancing an entity’s data security and privacy program assumes the entity has the monetary and human resource capabilities to develop and execute a detailed program. Many entities, however, such as non-profits or start-ups, do not have such capabilities. Nevertheless, the lack of funds or human resources does not absolve such entities of implementing and maintaining appropriate data security and privacy best practices. The panel will lead a dialogue with all WG11 members in attendance on how entities with limited resources can develop and maintain a defensible data security and privacy program.

California Consumer Privacy Act (CCPA) penalties

Date: 
Friday, March 1, 2019 - 10:20am to 11:10am
Panel Description: 

The CCPA raises many questions for companies and privacy professionals. One unknown issue is how to interpret “per violation” for purposes of calculating CCPA penalties. The CCPA allows the California Attorney General to get penalties of “not more than two thousand five hundred dollars ($2,500) for each violation or seven thousand five hundred dollars ($7,500) for each intentional violation.” Is that per affected consumer? Per company action? Or per what? The panel will lead a dialogue on these questions and will consider the interpretive significance of the CCPA’s provision stating the damages recoverable in a private action: “not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”

Additional remedies for alleged Federal Trade Commission (FTC) Act Section 5 violations in the data security and privacy context

Date: 
Friday, March 1, 2019 - 11:10am to 12:00pm
Panel Description: 

The panel will explore whether, and if so, to what extent, the FTC can and should exercise what new Chairman Simons has called “untapped authority” under Section 5 of the FTC Act to impose additional remedies for alleged Section 5 violations in the privacy and data security context, beyond the remedies imposed in the FTC’s “standard” consent decree. In this regard, Chairman Simons and Commissioner Slaughter recently announced that the FTC is examining whether it can “further maximize its enforcement reach, in all areas, through strategic use of additional remedies” such as “monetary relief or notice to consumers.” No court has ever ruled on whether and when remedies of this sort are ever appropriate in a privacy or data security case. Chairman Simons’ statements suggest the FTC may pursue such relief more frequently and aggressively going forward. The panel will explore whether the FTC can, and should, do so.

Data security and privacy challenges in artificial intelligence (AI) systems

Date: 
Friday, March 1, 2019 - 12:00pm to 1:00pm
Panel Description: 

A panel of WG11 brainstorming group members will lead a dialogue on their outline providing proposed guidance on AI algorithm transparency. “Transparency” is defined here as all the information needed to provide a complete and understandable explanation of how a decision was or will be reached by an AI system. The outline focuses on both the disclosure requirements under present law and methods of disclosure that account for unique AI technology nuances, including both the AI algorithm and the input data sets used in the decision-making processes. The dialogue on the outline will be guided by a use case “fact pattern” to show how the guidance could be leveraged in a real-world scenario.