Investing in the life sciences industry without an understanding of the key regulatory factors that could determine a product’s success or failure could cost you millions of dollars.
As the industry readies itself for the 2019 edition of the annual pilgrimage to the J.P. Morgan Healthcare Conference in San Francisco, our market-leading Global Regulatory Team has prepared a series of updates covering the following topic areas that we hope will help guide your 2019 investment decisions.
Data is key in health care and life sciences transactions. Sellers often tout the value of their untapped data and interested acquirers may develop a business plan for that data post-closing. While the data may offer attractive possibilities, well-advised buyers carefully consider the data’s legal value and limitations. Three questions can strike at the core of the data’s value:
The answers to these questions may affect deal valuation, the scope of due diligence, the transaction documents, and post-closing planning.
CCPA, GDPR add new restrictions to data use
Health data, in particular, is subject to stringent federal and state regulations in the United States and Europe. These laws can apply to entities located inside and outside of their jurisdictions and may create complications for the legal use or transfer of the data after closing. And these laws are frequently changing, including several dramatic shifts in the past year alone.
California, for example, recently enacted the California Consumer Privacy Act of 2018 (CCPA), which restricts the collection, use, and disclosure of personal information (defined to specifically include health and medical information). Although the CCPA exempts some health care and life sciences entities, it does not exempt them all. When it applies, it restricts the types of data transfers in which companies can engage, and it grants individuals broad rights over their data, including the ability to limit certain uses. As a result, the CCPA’s requirements and impact will be an area of focus in the health care community as the law continues to unfold. These issues and specific considerations for health care companies are discussed in more detail in Hogan Lovells’ series on the CCPA.
Under the recently enacted General Data Protection Regulation (GDPR) in the EU, health data is treated as a special category of personal data, which is considered sensitive and subject to more stringent requirements and restrictions. Processing of this data is prohibited entirely unless one of a limited set of exceptions applies. For example, processing is permitted where an individual has explicitly consented, or where it is necessary for purposes in the public interest. EU member states are also able to impose further conditions or limitations. In addition to granting individuals rights with respect to their data and constraining data transfers, the GDPR requires that a company’s arrangements with its vendors and subcontractors (its data processors) be set out in contracts containing specified data protection provisions. Additional guidance for investors about the GDPR and complying with its requirements is available on the Hogan Lovells blog.
Managing the intersection of these new requirements with existing obligations and regulations means sophisticated buyers are carefully developing plans for lawful data use post-closing. During due diligence, buyers identify the sources and content of the data and confer with counsel to determine legal restrictions on the transfer and future use of that data. By taking these measures before signing, a buyer can avoid the disappointment of being unable to lawfully use the data as planned, and any resultant devaluation of the investment.
Contract terms often restrict data use and disclosure
Nearly all health care and life sciences companies engage in data sharing in one form or another. Not only are these data transfers and uses potentially governed by multiple laws, but contractual restrictions also often apply. These contractual limitations can take a number of forms, including business associate agreements, data processing agreements, data transfer arrangements, clinical study agreements, and vendor contracts with clients or service providers. Contractual limitations may severely limit the value of data, negatively impact plans to use the data post-closing, or impose substantial technology investment and compliance costs.
Companies are increasingly imposing obligations on the recipients of their data. A business-to-business vendor, for example, may obtain volumes of valuable data from its corporate clients. Those vendors, however, are increasingly required to comply with contracts that impose stringent restrictions on the use and disclosure of that data, such as the common restriction that a vendor use and disclose the client’s data only to perform the contracted services, and not use or disclose the data for any other purpose. Even after the agreement expires or terminates, the vendor is often required to return or destroy the client’s data.
In addition to these limitations, vendor and client contracts often include significant privacy and data security obligations, such as requirements to:
Ongoing compliance with these obligations may require cybersecurity investments and compliance costs that may become even more pronounced and costly in the event they apply to a company’s larger IT infrastructure post-closing.
Data breaches may carry massive liabilities
Failure to comply with data-related laws can result in material liability, and regulators are increasing civil penalties and, in some cases, making non-compliance criminal. For instance, amendments to the Health Insurance Portability and Accountability Act (HIPAA) allow US regulators to impose penalties of up to $1.5 million annually per type of violation, and other US regulators have imposed penalties in excess of $20 million for data practices deemed unfair or deceptive under US consumer protection laws.
The GDPR and CCPA both carry significant maximum fines for non-compliance. The GDPR caps fines at the greater of €20 million or 4% of annual worldwide turnover. Although the CCPA only allows for fines of up to $7,500 per intentional violation, it notably does not place a cap on the total number of violations that may be penalized. The CCPA also permits individuals to bring a civil action to recover damages or obtain an injunction in the event of a data breach.
Yet these government fines and penalties may be dwarfed by the total cost of a data breach. While a breach may open the door for regulators, large data breaches also carry substantial response and remediation costs and result in significant reputational harm. In addition, data breaches are now routinely followed by class action lawsuits and shareholder derivative litigation, which can greatly increase liabilities.
Strategies for minimizing data privacy risks
In order to minimize data privacy risks, buyers should expand their due diligence review of data practices and guard their investments by, among other things:
Through these measures, smart buyers can appropriately evaluate data assets, including their value, limits, and liabilities.