Data Security And Privacy Liability – Takeaways From The Sedona Conference Working Group 11 Annual Meeting In Redmond, WA

Duane Morris Takeaways: Data privacy and data breach class action litigation continue to explode. At the Sedona Conference Working Group 11 on Data Security and Privacy Liability, at Microsoft's campus in Redmond, Washington, on May 7, 2025, Justin Donoho of the Duane Morris Class Action Defense Group served as a dialogue leader for two panel discussions, "Individual Liability for Data Security Failures" and "Privacy and Data Security Litigation Update." The working group meeting, which spanned two days and had over 50 participants, produced excellent dialogues on these topics and others including AI statutory guidance, shifting U.S. federal regulatory priorities in the privacy and data security landscape, privacy and data security state regulator roundtable, emerging issues and trends in the cyber threat landscape, and law firm data security.

The Conference's robust agenda featured over 30 dialogue leaders from a wide array of backgrounds, including government officials, data security industry experts, a district court judge, in-house attorneys, cyber and data privacy law professors, plaintiffs' attorneys, and defense attorneys. In a masterful way, the agenda provided valuable insights for participants toward this working group's mission, which is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.

Justin had the privilege of speaking about current trends in cases seeking individual liability for data security failures and in data privacy class actions. A few of the highlights from his presentations included discussing the SEC's case brought against SolarWinds' CISO Michael Brown, which has CISOs worldwide on the edges of their seats (discussed in Justin's article here), and two recent cases resulting in helpful precedent for defendants facing cases alleging privacy violations for their uses of website advertising technologies (adtech), including a case that disposed of an adtech class action due to consent by browsewrap (see here), and a case that dismissed an adtech class action due to ambiguities found in a wiretap statute (see here).

Finally, one of the greatest joys of participating in Sedona Conference meetings is the opportunity to draw on the wisdom of fellow presenters and other participants from around the globe. Highlights included:

1. A lively dialogue among some of my panelists and other participants regarding trends in decisions regarding Article III standing and the costs and benefits defendants should consider when deciding whether to seek dismissal due to plaintiffs' lack of Article III standing.
2. State regulators giving candid advice regarding what and what not to do following data breaches in terms of notifying their offices, participating in investigations, and attempting to negotiate settlements.
3. Experts of all stripes dissecting the Colorado Privacy Act, Colorado AI Act, and those statutes' application to AI hiring tools in an effort to offer guidance to future legislators drafting similar statutes.
4. Seasoned defense attorneys discussing how federal agencies responsible for rules regarding privacy and data security have responded to the new presidential administration's "Regulatory Freeze Pending Review" memorandum, the personnel changes, actions, and reviews taken during the first months of the new administration, and the implications for regulated organizations.
5. Cyber and cyber insurance experts leading a dialogue about emerging risks, regulatory challenges, liability concerns, and underwriting processes relating to cybersecurity.
6. Law firm consultants addressing current issues with AI that law firms should consider when crafting their cybersecurity assessments, policies, and procedures.

Thank you to the Sedona Conference Working Group 11 and its incredible team, the fellow dialogue leaders, the engaging participants, and all others who helped make this meeting in Redmond, Washington, an informative and unforgettable experience.

For more information on the Duane Morris Class Action Group, including its Data Privacy Class Action Review e-book, and Data Breach Class Action Review e-book, please click the links here and here.

Disclaimer: This Alert has been prepared and published for informational purposes only and is not offered, nor should be construed, as legal advice. For more information, please see the firm's full disclaimer.