Regulatory Insights for Life Sciences and Health Care Investments: Data Privacy and Cybersecurity

Hogan Lovells
Contact

Hogan Lovells

Investing in the life sciences industry without an understanding of the key regulatory factors that could determine a product’s success or failure could cost you millions of dollars.

As the industry readies itself for the 2019 edition of the annual pilgrimage to the J.P. Morgan Healthcare Conference in San Francisco, our market-leading Global Regulatory Team has prepared a series of updates covering the following topic areas that we hope will help guide your 2019 investment decisions.

How to value data in health care and life sciences transactions

Data is key in health care and life sciences transactions. Sellers often tout the value of their untapped data and interested acquirers may develop a business plan for that data post-closing. While the data may offer attractive possibilities, well-advised buyers carefully consider the data’s legal value and limitations. Three questions can strike at the core of the data’s value: 

  • What laws may restrict the transfer or anticipated use of the data post-closing? 
  • What contractual terms or representations the seller has made may restrict the use or disclosure of the data? 
  • Is the data associated with material liabilities? 

The answers to these questions may affect deal valuation, the scope of due diligence, the transaction documents, and post-closing planning. 

CCPA, GDPR add new restrictions to data use 

Health data, in particular, is subject to stringent federal and state regulations in the United States and Europe. These laws can apply to entities located inside and outside of their jurisdictions and may create complications for the legal use or transfer of the data after closing. And these laws are frequently changing, including several dramatic shifts in the past year alone.

California, for example, recently enacted the California Consumer Privacy Act of 2018 (CCPA) which restricts the collection, use, and disclosure of personal information (defined to specifically include health and medical information). Although the CCPA exempts some health care and life sciences entities, it does not exempt them all. When it applies, it restricts the types of data transfers in which companies can engage, and it grants individuals broad rights to their data including the ability limit certain uses. As a result, the CCPA’s requirements and impact will be an area of focus in the health care community as it continues to unfold. These issues and specific considerations for health care companies are discussed in more detail in Hogan Lovells’ series on the CCPA.  

Under the recently enacted General Data Protection Regulation (GDPR) in the EU, health data is treated as a special category of personal data, which is considered sensitive and subject to more stringent requirements and restrictions. Processing of this data is prohibited entirely unless certain exceptions apply. For example, processing may not be prohibited where an individual has explicitly consented, or where it is necessary for purposes in the public interest. EU member states are also able to impose further conditions or limitations. In addition to granting individuals rights with respect to their data and constraining data transfers, the GDPR requires certain agreements and contractual provisions to be included in contractual arrangements with a company’s vendors and subcontractors. Additional guidance for investors about the GDPR and complying with its requirements is available on the Hogan Lovells blog.

Managing the intersection of these new requirements with existing obligations and regulations means sophisticated buyers are carefully developing plans for lawful data use post-closing. During due diligence, buyers identify the sources and content of the data and confer with counsel to determine legal restrictions on the transfer and future use of that data. By taking these measures before signing, a buyer can avoid the disappointment of being unable to lawfully use the data as planned, and any resultant devaluation of the investment. 

Contract terms often restrict data use and disclosure

Nearly all health care and life sciences companies engage in data sharing in one form or another. Not only are these data transfers and uses potentially governed by multiple laws, but contractual restrictions also often apply. These contractual limitations can take a number of forms, including business associate agreements, data processing agreements, data transfer arrangements, clinical study agreement and vendor contracts with clients or service providers. Contractual limitations may severely limit the value of data, negatively impact plans to use the data post-closing, or impose substantial technology investment and compliance costs.

Companies are increasingly imposing obligations on the recipients of their data. A business-to-business vendor, for example, may obtain volumes of valuable data from its corporate clients. Those vendors, however, are increasingly required to comply with contracts that impose stringent restrictions on the use and disclosure of that data, such as the common restriction that a vendor use and disclose the client’s data only to perform the contracted services, and not use or disclose the data for any other purpose. Even after the agreement expires or terminates, the vendor is often required to return or destroy the client’s data. 

In addition to these limitations, vendor and client contracts often include significant privacy and data security obligations, such as requirements to:

  • Provide data breach notification and remediation within a specific time period, and indemnify for any breach-related costs;
  • Comply with specific privacy and data security laws, regulations and/or industry standards; 
  • Engage independent third parties to perform periodic IT and security assessments or audits;
  • Segregate a client’s data from other clients’ data;
  • Implement specific encryption technology and access controls; and
  • Adopt security programs consistent with established security standards. 

Ongoing compliance with these obligations may require cybersecurity investments and compliance costs that may become even more pronounced and costly in the event they apply to a company’s larger IT infrastructure post-closing. 

Data breaches may carry massive liabilities

Failure to comply with data-related laws can result in material liability, and regulators are increasing civil penalties and, in some cases, making non-compliance criminal. For instance, amendments to the Health Insurance Portability and Accountability Act (HIPAA) allow US regulators to impose penalties of up to $1.5 million annually per type of violation, and other US regulators have imposed penalties in excess of $20 million for data practices deemed unfair or deceptive under US consumer protection laws. 

The GDPR and CCPA both carry significant maximum fines for non-compliance. The GDPR caps fines at the greater of €20 million or 4% of worldwide turnover. Although the CCPA only allows for fines of up to $7,500 per intentional violation, it notably does not place a cap on the total number of fines. The CCPA also permits individuals to bring a civil action to recover damages or obtain an injunction in the event of a data breach.

Yet, these government fines and penalties may be dwarfed by the cost of a data breach. While a breach may open the door for regulators, large data breaches can also cost much more and result in significant reputational harm. In addition, data breaches are now routinely followed by class action lawsuits and shareholder derivative litigation, which can exponentially increase liabilities.

Strategies for minimizing data privacy risks

In order to minimize data privacy risks, buyers should expand their due diligence review of data practices and guard their investments by, among other things:

  • Reviewing data compliance programs, data-related contracts, and security processes; 
  • Engaging lawyers and IT assessment firms to review the technical systems, internal policies, and employee practices;
  • Negotiating specific data-related representations, warranties, closing conditions, and indemnities in the transaction documents; 
  • Acquiring representation and warranty insurance to protect against unintentional and unknown breaches of a seller’s representations and warranties made in the transaction documents; and
  • Developing post-closing remediation plans to address any identified weaknesses. 

Through these measures, smart buyers can appropriately evaluate data assets, including their value, limits, and liabilities.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Hogan Lovells | Attorney Advertising

Written by:

Hogan Lovells
Contact
more
less

Hogan Lovells on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.