The end of last month the Sedona Conference and its Working Group 11 on Data Security and Privacy Liability (WG11) announced that The Sedona Conference Commentary on Quantifying Violations under U.S. Privacy Laws (“Commentary”) has been published for public comment.  Read on for some key takeaways.

First, for those who are not so familiar, a brief introduction.  What is The Sedona Conference?  It is a nonpartisan, research and educational institute dedicated to the advanced study of law and policy in the areas of antitrust law, complex litigation, intellectual property rights, and data security and privacy law.

Since its inception, The Sedona Conference has had multiple Working Groups.  These Working Groups, or “think-tanks”, are tasked with confronting some of the most challenging legal issues.  For example, the first Working Group (WG1) met on October 17-18, 2002, and was dedicated to the development of guidelines for electronic document retention and production.  The guidelines became the industry standard for managing electronic discovery compliance, and eventually led to the enactment of the federal rules on eDiscovery in 2006.

Fast forward 19 years, the mission of Working Group 11 (WG11) is to identify and comment on trends in data security and privacy law, in an effort to help organizations prepare for and respond to data breaches, and to assist attorneys and judicial officers in resolving questions of legal liability and damages.  In this recently released public comment version of its publication on quantifying violations under U.S. privacy laws, the Sedona Conference is now seeking comments, which will be reviewed and incorporated as deemed appropriate, prior to the release of the final version of the publication.  The comments can be submitted until June 26, 2021.

With the increase in state privacy and data breach laws, there are a lot of uncertainties regarding damages and statutory penalties.  WG11 is hoping to address this pressure point for the industry.  For example, many state laws do not clearly define how a “violation” should be calculated (is it the number of days information may have been exposed, or alternatively, the number of times it may have been exposed?)

Some of WG11’s suggested possible methodologies for calculating violations include: calculation based singularly on defendant’s failure to comply, regardless of number of impacted consumers or parts of the law violated, while other suggestions include calculations based exclusively on number of parts of the statute violated.  Other formulations include calculating violations based on the number of consumers impacted, or the number of pieces of personal information impacted, or even the number of days violation occurred.  By using hypotheticals under California Consumer Privacy Act, Colorado Security Breach Notification Law and the Illinois Biometric Information Privacy Act, WG11 has also addressed the ongoing challenges both the industry and the judiciary is facing in determining “violations.”

Comments on the draft can be submitted to

For more on this, stay tuned.  CPW will be there.