By Melissa Bianchi, Alyssa Golay, & Scott Loughlin
In addition to opening the door for regulators to initiate broader reviews into regulatory compliance, data breaches can result in significant liabilities beyond fines, such as liability arising out of contract disputes, product recalls, resignation of prominent executives, and plummeting stock prices. Costs of breach response, investigation, remediation, and notice also can be considerable. Follow-on reputational and operational harms can be damaging, and data breaches are now routinely followed by class-action lawsuits and shareholder derivative litigation.
Life sciences companies can take this opportunity to survey the data-risk and compliance landscape and to continue to develop and refine strategies to meet evolving threats and obligations. Outlined below are common challenges for life sciences companies under new legal requirements like the CCPA, methods for assessing the operational impacts of these requirements, and strategies for navigating new laws.
EVALUATE THE SCOPE OF COVERED OPERATIONS AND DATA
With each new law comes an obvious question. Does it apply? While the question is simple, the answer is often not. As demonstrated by the GDPR and CCPA, these laws can apply to companies located in and outside of their physical territories and may create complications for routine uses or transfers of data that are not obviously tied to the states, regions, or governments enacting the new laws.
Given this complexity, a company must decide whether to segment and customize its operations or data practices to meet specific jurisdiction requirements or whether to apply those practices to all company data. For example, a company may elect to segregate data collected from EU residents and operations conducted in Europe to implement EU-specific practices and processes in an effort to limit its compliance with the GDPR’s extensive requirements. Other companies find that more challenging and instead apply a consistent compliance framework to the entire enterprise. A fundamental challenge is to gather the right information to make these types of decisions by taking inventory of the company’s data assets and mapping data transfers to identify what could be subject to the law.
Adding to the complexity, some, but not all, data or operations may be exempt from new legislation. The CCPA provides a good example of this challenge. The CCPA contains several exemptions that may permit life sciences companies to limit their compliance obligations or exempt their activities entirely, including carve-outs for nonprofit entities, covered entities and business associates governed by HIPAA, healthcare providers subject to California’s Confidentiality of Medical Information Act, and clinical trials subject to the Common Rule.
The definition of covered data may include an exception or special requirements for certain types of data, such as deidentified data. Accordingly, it is important to identify and evaluate existing processes for deidentification and map the resulting deidentified data to the various definitions. The CCPA, GDPR, and HIPAA articulate different standards and acceptable techniques for deidentifying data. As a result, it is possible to identify circumstances where data may be considered deidentified according to HIPAA, yet not sufficiently anonymized under the GDPR or CCPA.
TAILOR COMPLIANCE PROGRAMS AND BUILD ON EXISTING PRACTICES
Data-sharing relationships are increasingly under scrutiny. Nearly all life sciences companies engage in data sharing in one form or another, and those arrangements will need to be assessed in light of each law’s requirements. Data sharing and service provider relationships are common in the life sciences, and, unless an exemption applies, disclosures in those relationships may be considered “sales” under the CCPA, which permits consumers to opt out of such disclosures and limits the recipient’s ability to use the data.
New proposed laws grant individuals additional rights with respect to certain types of data. The CCPA, for example, grants individuals new rights regarding personal information such as the right to access, request deletion, be informed of certain transactions, opt out of or opt in to sales, and receive equal service and price even if they exercise their rights. Any new privacy law may also require a company to impose contractual restrictions upon vendors, clients, or subcontractors to effectuate those rights.
Companies subject to HIPAA and the GDPR are familiar with imposing contractual restrictions upon vendors, clients, or subcontractors and responding to individuals’ rights requests. Many have processes in place to receive, verify, and respond to requests that are likely more advanced than those of companies not currently subject to such laws. Companies may be able to leverage this experience complying with complex legal regimes, capitalize on existing procedures, and develop additional policies and mechanisms where necessary to meet new requirements.
DEMONSTRATE A COMMITMENT TO COMPLIANCE
Despite their relative advantage in meeting the requirements of new privacy laws, even the most sophisticated life sciences companies may face difficulty implementing new programs within compressed timelines and constantly evolving regulations. Compliance is a continuous process, and companies can demonstrate their commitment to compliance by identifying the key issues, dealing with them in a practical and credible way, setting and handling priorities at the right time, devoting the appropriate resources, and abiding by the principles underlying the regulation. Embracing core data privacy and security principles highlighted in recent regulatory developments can enable life sciences companies to unlock the value of data while preserving consumer trust and advancing innovations in health and technology.
MELISSA BIANCHI is a partner in Hogan Lovells’ Washington, D.C. office where she leads the firm’s digital health initiative, bringing together a cross-disciplinary approach to digital health products.
ALYSSA GOLAY is an associate in Hogan Lovells’ Washington, D.C. office and focuses her practice on health privacy, consumer protection, and biometric laws.
SCOTT LOUGHLIN is a partner in Hogan Lovells’ Washington, D.C. office where he helps clients unlock the value of data while managing cybersecurity, compliance, and third-party risks.