Agenda

Time Session Panelists
  Thursday, October 28  
7:30 — 8:30 Breakfast & sign-in  
8:30 — 8:45 Welcome & overview  
8:45 — 10:00 Biometric privacy primer  
  A panel of WG11 drafting team members will lead a dialogue with all attendees on the draft of their Primer which provides guidance to practitioners, judges and policymakers regarding how biometric information and biometric data are legally defined, how biometric systems work, and the privacy, data security and related issues they raise.
10:00 — 10:15 Morning Break  
10:15 — 11:15 Privacy and data security legislative and regulatory update  
  The panel will lead a dialogue on some of the most important actual and proposed legislative and regulatory enactments during the past year in the privacy and data security space. We will cover not only the most significant enactments of the past year, but also currently proposed enactments that raise important privacy and data security issues, with the goal of bringing WG11 members up-to-the-minute on where the codified law in the space currently is – and more importantly, where it could be heading in the future.  
11:15 — 12:15 Impact of pandemic response on global privacy  
  In response to the COVID-19 pandemic, governments and private companies around the globe have collected significant amounts of personal information, including health and tracing information, in the name of public health. The response has led to significant controversy, with some asserting that privacy protections and personal freedoms have been unduly and too quickly sacrificed in support of public health initiatives, and others arguing that privacy laws in some cases unduly hampered commonsense solutions. A panel of WG11 brainstorming group members will lead a dialogue with all attendees on their outline which evaluates whether a drafting team could prepare a Commentary that would provide value to practitioners and policymakers in addressing this conflict. Critically, the outline also addresses whether a potential Commentary that explores broader themes of the conflict between privacy and public interest in the event of an emergency, drawing on lessons from the pandemic, would be more useful.  
12:15 — 1:30 Lunch  
1:30 — 2:30 Advisability of adopting a strict liability regime for data breaches involving personal information  
  The “reasonable data security” regime has resulted in uncertainty within the business and legal community as to what the regime requires and made legal disputes in the wake of data breaches vastly more expensive to resolve – all without diminishing the volume of data breaches to any perceptible extent or providing equal protections for similarly situated consumers. One solution might be adopting a strict liability standard in the event of data breaches involving personal information. Strict liability regimes may be justified in contexts where a business’ products or services inevitably result in events that potentially cause consumer injury, regardless of the care taken to prevent such events, and it makes policy sense to have the business rather than its customers bear the cost of any such injury. Such a regime can also have the benefit of simplicity and predictability. A panel of brainstorming group members will lead a dialogue on their outline which evaluates whether WG11 should prepare a Commentary on the advisability of adopting a strict liability regime for data breaches.  
2:30 — 3:45 Second edition of The Sedona Conference Commentary on Application of Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context  
  Since the release of the first edition of the Privilege Commentary, there have been significant new caselaw developments addressing attorney-client privilege and attorney work product in the context of litigation related to cyber incidents. There has also emerged additional focus on certain specific areas of legal response to cyber incidents that were only touched on or were outside the scope of the original Privilege Commentary, including: (a) entity-specific guidance on the extension of privilege in the cybersecurity context including with regard to insurer/insureds, service providers/vendors, joint defense groups/joint common interest groups, agency/affiliate relationships, and communications between different/unrelated companies on areas of mutual interest/risk; and (b) exploration of the difference between business and legal advice, including, but not limited to, in the context of PR work in response to a cyber-incident. A panel of WG11 drafting team members will lead a dialogue with all attendees on their draft of the second edition of the Privilege Commentary which addresses both the emerging caselaw and the additional focus areas.  
3:45 — 4:00 Afternoon Break  
4:00 — 5:00 WG11 town hall  
  WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects.
5:00 — 7:00 Reception (guests invited)  
Time Session Panelists
  Friday, October 29  
8:30 — 9:30 Breakfast & sign-in  
9:30 — 10:45 Notice and consent – biometric facial recognition data  
  A panel of WG11 drafting team members will lead a dialogue with all attendees on the draft of their Commentary which puts forth legal principles that should govern whether, under what circumstances, and what manner of, notice and consent of an individual should be required in connection with the collection, creation, use, and disclosure by the private and public sectors of that individual's biometric facial recognition data. The draft Commentary also provides legislators and other policymakers with guidance for implementing new and amending existing notice and consent requirements in connection with an individual's biometric facial recognition data.  
10:45 — 11:00 Morning Break  
11:00 — 12:00 Privacy and data security litigation update  
  The panel will lead a dialogue on some of the most important privacy and data security actions since this session was last held in September 2020. We will cover not only the most significant court decisions of the past year, but also court filings that raise novel claims and defenses (even if the cases themselves are pending or have settled), with the goal of bringing WG11 members up-to-the-minute on where the case law currently is – and more importantly, where it could be heading in the future.  
12:00 — 1:00 Ransomware: the ever-evolving landscape and emerging legal regime  
  A series of high-profile ransomware attacks in 2021 has put renewed focus on a long-standing cyber threat vector. These attacks have created headline news stories, resulted in guidance from the White House and U.S. Department of Justice, and even spurred talk of legislative bans on ransomware payments by some in the U.S. Congress. In the meantime, threat actors continue to pivot and evolve in their approaches. During this session, a group of experts who have advised on the legal and technical response to ransomware attacks will lead a dialogue on the evolving landscape in light of these developments including: (1) the emerging legal regime; (2) pay or no-pay decisions and execution; (3) developing and testing ransomware response protocols; (4) business continuity planning; (5) contractual and vendor risk; and (6) insurance issues. Also, the dialogue leaders will look ahead and explore next generation "ransomware 2.0" threats, including exfiltration & extortion and data integrity attacks.  
1:00 — 2:00 Grab-and-go lunch  

*Panel Moderator

Date: Thursday, October 28, 2021 - 8:30am to Friday, October 29, 2021 - 1:00pm