Agenda

Time Session Panelist
  Tuesday, April 26  
7:30 — 8:30 Breakfast & sign-in  
8:30 — 8:45 Welcome & overview Meal, Weinlein
8:45 — 10:00 When are ransomware payments illegal under current U.S. law? Chen, Gray*, Saikali, Wescott
  There is currently no legal authority that guides determination of whether a threat actor to whom one is considering making a ransomware payment either is itself, or is acting for the benefit of, an organization/entity listed on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), such that making a ransomware payment to that threat actor would be prohibited. A panel of WG11 brainstorming group members will lead a dialogue with all attendees on their outline which evaluates whether WG11 should develop an independent standard and/or factors that would provide guidance on this issue.  
10:00 — 10:15 Morning Break  
10:15 — 11:30 Coordination of multiple litigation and regulatory fronts arising out of major privacy and cybersecurity events Falk, Pizzirusso, PowellShonkaSwetnam*
  A company that suffers a major privacy or cybersecurity event may find itself the target of class actions, state Attorneys General investigations, Federal Trade Commission or other federal agency actions, and foreign regulatory inquiries. While these disparate company adversaries often focus on similar or identical issues, coordination across the adversary group is rare. While some companies facing this situation prefer to engage with a coordinated adversary group to achieve efficiencies and perhaps even global resolution, others endeavor to discourage or prevent any such coordination from occurring. In this session, we will discuss the benefits of and impediments to coordination among the company’s adversaries in this situation, as well as the company’s strategic arguments for encouraging or discouraging such coordination.  
11:30 — 12:30 Notice and consent – biometric facial recognition data Altman, Baxter-Kauf, Evers*, Falk
  A panel of WG11 drafting team members will lead a dialogue with all attendees on the latest draft of their Commentary which puts forth legal principles that should govern whether, under what circumstances, and what manner of, notice and consent of an individual should be required in connection with the collection, creation, use, and disclosure by the private and public sectors of that individual’s biometric facial recognition data. The draft Commentary also provides legislators and other policymakers with guidance for implementing new and amending existing notice and consent requirements in connection with an individual’s biometric facial recognition data.  
12:30 — 1:30 Lunch  
1:30 — 2:30 Model data breach notification law Keller, Meade*, Promislow, Tully
  A panel of WG11 drafting team members will lead a dialogue with all attendees on the latest draft of their Commentary to guide the development of data breach notification laws. Drawing upon best practices in data privacy and incident response, the Commentary describes how data breach notification laws should address different aspects of data breach notification, including what constitutes a notifiable breach, what methods of notification should be permissible, and whether there should be timelines for notification.  
2:00 — 3:45 Privacy and data security legislative and regulatory update Cattanach, D'Ambra, DeGroffDrum*, Kemnitz
  The panel will lead a dialogue on some of the most important actual and proposed legislative and regulatory enactments during the past year in the privacy and data security space. We will cover not only the most significant enactments of the past year, but also currently proposed enactments that raise important privacy and data security issues, with the goal of bringing WG11 members up-to-the-minute on where the codified law in the space currently is – and more importantly, where it could be heading in the future.  
3:45 — 4:00 Afternoon Break  
4:00 — 5:00 WG11 town hall Drum, Jorgensen, Keller, Meal*, Moncure, Pizzirusso, Promislow, Saikali, Wilan
  WG11 Steering Committee members will lead a dialogue amongst the WG11 members in attendance on progress made on the work product of the Working Group, and by the Working Group as a whole. WG11 member input will be sought regarding the future direction of WG11, including ideas for existing and new commentaries and projects.  
5:00 — 7:00 Reception (guests invited)  
     
  Wednesday, April 27  
8:30 — 9:30 Breakfast & sign-in  
9:30 — 10:45 Incident response: The unresolved questions JorgensenMeadeMoncure, Saikali*, Vibbert
 

A panel of leading outside counsel, corporate counsel and technologists with extensive experience in incident response will facilitate a dialogue on the most challenging questions companies face when responding to a suspected data breach. These are questions that often are not addressed or resolved by data breach notification laws, including the difficult decisions companies must make relating to scope of investigations, the use of third-party data review firms, timing of notification, effective use of substitute notice, and challenges specific to vendor data breaches. The dialogue will be a highly interactive one based on a series of short scenarios.

 
  Morning Break  
11:00 — 12:00 Second edition of The Sedona Conference Commentary on Application of Attorney-Client Privilege and Work-Product Protection to Documents and Communications Generated in the Cybersecurity Context Baxter-Kauf*, McNamara, Melchiondo, Wilan 
  A panel of WG11 drafting team members will lead a dialogue with all attendees on their draft of the second edition of the Privilege Commentary. The draft addresses new caselaw developments regarding attorney-client privilege and attorney work product in the context of litigation related to cyber incidents. The draft also includes additional focus on certain specific areas of legal response to cyber incidents that were only touched on or were outside the scope of the first edition of the Privilege Commentary.  
12:00 — 1:00 Biometric privacy primer Kalat, McCarthy, PromislowRay*
 

A panel of WG11 drafting team members will lead a dialogue with all attendees on the latest draft of their Primer which provides guidance to practitioners, judges and policymakers regarding how biometric information and biometric data are legally defined, how biometric systems work, and the privacy, data security and related issues they raise.

 
1:00 — 2:00 Grab-and-go lunch  

 

Date: 
Tuesday, April 26, 2022 - 8:45am to Wednesday, April 27, 2022 - 1:00pm