Data Privacy And Cybersecurity Considerations For Life Science Companies
Source: Life Science Leader
By Melissa Bianchi, Alyssa Golay, & Scott Loughlin
From startups to multinationals, the value of data continues to grow for pharma, biotechs, and device companies. While the value has come into focus, so have the risks. Large-scale data breaches have led to public outcry and heightened scrutiny of privacy and security practices. Simultaneously, legislatures are focusing on data, increasing data risks and liabilities. Managing the interaction of new data requirements in and outside of the United States continues to be an area of focus in the life sciences community and will be for years to come, particularly as comprehensive privacy legislation and regulatory reform at the state level — and perhaps at the federal level — gains momentum.
For example, California recently enacted the California Consumer Privacy Act (CCPA). Unlike other U.S. privacy laws, which generally focus on specific industry sectors, the CCPA broadly applies to businesses that collect personal information about California residents. When it applies, the CCPA restricts the types of data transfers in which companies can engage, imposes additional notice obligations, and grants individuals broad rights to their data. As one of the most comprehensive privacy laws enacted in the United States thus far, the CCPA provides an opportunity for companies to assess compliance with general privacy principles and capitalize on prior compliance efforts.
Failure to comply with data-related laws can result in material liability, and regulators are enhancing civil penalties and, in some cases, making noncompliance criminal. For instance, HIPAA violations have recently resulted in a settlement of $16 million, and the FTC has imposed penalties of more than $20 million for data practices deemed unfair or deceptive. In Europe, the General Data Protection Regulation (GDPR) caps fines at the greater of €20 million or 4 percent of worldwide turnover. While the maximum fine per intentional violation is $7,500 under the CCPA, there is no cap on the number of fines, and individuals may bring a civil action in the event of a data breach. Amendments have been proposed to expand the CCPA’s private right of action to cover violations of any CCPA right.
In addition to opening the door for regulators to initiate broader reviews into regulatory compliance, data breaches can result in significant liabilities beyond fines, such as liability arising out of contract disputes, product recalls, resignation of prominent executives, and plummeting stock prices. Costs of breach response, investigation, remediation, and notice also can be considerable. Follow-on reputational and operational harms can be damaging, and data breaches are now routinely followed by class-action lawsuits and shareholder derivative litigation.
Life sciences companies can take this opportunity to survey the data-risk and compliance landscape and to continue to develop and refine strategies to meet evolving threats and obligations. Outlined below are common challenges for life sciences companies under new legal requirements like the CCPA, methods for assessing the operational impacts of these requirements, and strategies for navigating new laws.
EVALUATE THE SCOPE OF COVERED OPERATIONS AND DATA
With each new law comes an obvious question. Does it apply? While the question is simple, the answer is often not. As demonstrated by the GDPR and CCPA, these laws can apply to companies located in and outside of their physical territories and may create complications for routine uses or transfers of data that are not obviously tied to the states, regions, or governments enacting the new laws.
Given this complexity, a company must decide whether to segment and customize its operations or data practices to meet specific jurisdiction requirements or whether to apply those practices to all company data. For example, a company may elect to segregate data collected from EU residents and operations conducted in Europe to implement EU-specific practices and processes in an effort to limit its compliance with the GDPR’s extensive requirements. Other companies find that more challenging and instead apply a consistent compliance framework to the entire enterprise. A fundamental challenge is to gather the right information to make these types of decisions by taking inventory of the company’s data assets and mapping data transfers to identify what could be subject to the law.
Adding to the complexity, some, but not all, data or operations may be exempt from new legislation. The CCPA provides a good example of this challenge. The CCPA contains several exemptions that may permit life sciences companies to limit their compliance obligations or exempt their activities entirely, including carve-outs for nonprofit entities, covered entities and business associates governed by HIPAA, healthcare providers subject to California’s Confidentiality of Medical Information Act, and clinical trials subject to the Common Rule.
The definition of covered data may include an exception or special requirements for certain types of data, such as deidentified data. Accordingly, it is important to identify and evaluate existing processes for deidentification and map the resulting deidentified data to the various definitions. The CCPA, GDPR, and HIPAA articulate different standards and acceptable techniques for deidentifying data. As a result, it is possible to identify circumstances where data may be considered deidentified according to HIPAA, yet not sufficiently anonymized under the GDPR or CCPA.
TAILOR COMPLIANCE PROGRAMS AND BUILD ON EXISTING PRACTICES
Data-sharing relationships are increasingly under scrutiny. Nearly all life sciences companies engage in data sharing in one form or another, and those arrangements will need to be assessed in light of each law’s requirements. Data sharing and service provider relationships are common in the life sciences, and, unless an exemption applies, disclosures in those relationships may be considered “sales” under the CCPA, which permits consumers to opt out of such disclosures and limits the recipient’s ability to use the data.
New proposed laws grant individuals additional rights with respect to certain types of data. The CCPA, for example, grants individuals new rights regarding personal information such as the right to access, request deletion, be informed of certain transactions, opt out of or opt in to sales, and receive equal service and price even if they exercise their rights. Any new privacy law may also require a company to impose contractual restrictions upon vendors, clients, or subcontractors to effectuate those rights.
Companies subject to HIPAA and the GDPR are familiar with imposing contractual restrictions upon vendors, clients, or subcontractors and responding to individuals’ rights requests. Many have processes in place to receive, verify, and respond to requests that are likely more advanced than those of companies not currently subject to such laws. Companies may be able to leverage this experience complying with complex legal regimes, capitalize on existing procedures, and develop additional policies and mechanisms where necessary to meet new requirements.
DEMONSTRATE A COMMITMENT TO COMPLIANCE
Despite their relative advantage in meeting the requirements of new privacy laws, even the most sophisticated life sciences companies may face difficulty implementing new programs within compressed timelines and constantly evolving regulations. Compliance is a continuous process, and companies can demonstrate their commitment to compliance by identifying the key issues, dealing with them in a practical and credible way, setting and handling priorities at the right time, devoting the appropriate resources, and abiding by the principles underlying the regulation. Embracing core data privacy and security principles highlighted in recent regulatory developments can enable life sciences companies to unlock the value of data while preserving consumer trust and advancing innovations in health and technology.
MELISSA BIANCHI is a partner in Hogan Lovells’ Washington, D.C. office where she leads the firm’s digital health initiative, bringing together a cross-disciplinary approach to digital health products.
ALYSSA GOLAY is an associate in Hogan Lovells’ Washington, D.C. office and focuses her practice on health privacy, consumer protection, and biometric laws.
SCOTT LOUGHLIN is a partner in Hogan Lovells’ Washington, D.C. office where he helps clients unlock the value of data while managing cybersecurity, compliance, and third-party risks.