
Page 1: Managing Data Privacy Risk · 2020. 6. 8. · Limited Data Set for the purposes of research, public health or health care operations. Covered entities are required to disclose PHI

Managing Data Privacy Risk

SEPTEMBER 13, 2017

CLE provided by Maier Law Group for Life Science Companies

Page 2

Speaker Panel

Eric Tausend, AVP, Executive Protection Services, ABD Insurance & Financial Services

Cristina Varner (Moderator), SVP, Life Sciences Practice Leader, ABD Insurance & Financial Services

Diana Maier, Employment and Data Privacy Attorney for Life Sciences, Maier Law Group

Carolyn Bruguera, Health Care Compliance Counsel, Law Office of Carolyn M. Bruguera

Page 3

Today’s Topics

• How and when HIPAA applies to life sciences companies
• Examples of current government enforcement
• The new General Data Protection Regulation (GDPR)
• How to safely and legally conduct transfers of data from the EU to the US using the health data exception
• Approaches to managing cybersecurity risk
• Cybersecurity and the board of directors: fiduciary duties and governance

Page 4

Carolyn Bruguera, Law Office of Carolyn M. Bruguera, Esq.

Page 5

Essential HIPAA Elements

• Privacy Rule
• Security Rule
• Enforcement Rule

Page 6

Privacy Rule

A covered entity may not use or disclose protected health information (PHI) without patient authorization, except:

• To the individual
• For treatment, payment, and health care operations
• With the individual’s opportunity to agree or object
• Incident to an otherwise permitted use and disclosure
• For public interest and benefit activities
• As a Limited Data Set for the purposes of research, public health or health care operations

Covered entities are required to disclose PHI to patients requesting access to their PHI, and to HHS in connection with compliance/enforcement.

Page 7

Security Rule

Requires covered entities to maintain reasonable and appropriate administrative, technical and physical safeguards to:

• Ensure the confidentiality, integrity and availability of e-PHI
• Identify and protect against reasonably anticipated threats
• Protect against reasonably anticipated impermissible uses or disclosures
• Ensure compliance by the entity’s workforce

• Policies and procedures
• Periodic risk assessments

Page 8

Enforcement Rule

• Contains provisions for compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings
• The HITECH Act of 2009 provided for higher penalties and direct liability of business associates
• Previously: $100/violation max fine; $25,000 max aggregate
• Now: $50,000/occurrence; $1,500,000 per section violation per year, with criminal penalties up to one year imprisonment

Page 9

Who Must Comply with HIPAA

Covered entities, i.e.:

• Health care providers who transmit PHI electronically in covered transactions
• Health plans
• Health care clearinghouses

Business associates:

• Perform specified functions or activities involving use or disclosure of PHI on behalf of, or provide services to, a covered entity

Page 10

When is a Life Sciences Company Subject to HIPAA?

• When it’s a covered entity (e.g., provides health care services and supplies) and transmits PHI in covered transactions (e.g., bills Medicare or other payers); or
• When it’s a business associate

Generally, life sciences companies are not covered entities or business associates.

Page 11

Practical Issues

• Clinical trials
• Marketing
• Product support
• Business Associate Agreements
• Business Associate obligations

Page 12

HIPAA and Clinical Trials

• Typically, sponsors and CROs are not covered entities or business associates
• Specific exception for research purposes
• Caution: avoid entering into a Business Associate Agreement when not necessary
• Handling of PHI governed by CTA or DUA

Page 13

HIPAA and Clinical Trials

Exceptions to the requirement of individual patient authorization:

• IRB or Privacy Board waiver
• De-identified health information
• Specified activities preparatory to research
• Limited Data Set with a Data Use Agreement

Page 14

Marketing and HIPAA

A covered entity may not use or disclose information for marketing purposes without the individual’s written authorization.

Exceptions

The definition of “marketing” does not include:

• Information by the covered entity about its own products or services (e.g., new equipment at a hospital)
• Communications for treatment of the individual (e.g., prescription refill reminders)

The following do not require the covered entity to obtain authorization:

• Face-to-face marketing
• Providing modest promotional gifts

However, third-party financial support may affect the above.

Page 15

Not All Activities Require a BAA

• Treatment disclosure to the company as a health care provider (e.g., a representative providing product support in the OR)
• Disclosure for payment of a health care provider (e.g., in order to permit payment of the company)
• Public health disclosures (e.g., reporting an adverse event or quality issue)
• Sponsoring clinical research (e.g., limited data set, de-identified data, patient authorization)

Page 16

BAA Pitfalls

• Entered when not required
• Overbroad
  • Should require only compliance with the requisite provisions of law (45 CFR 164.504(e))
  • Should relate only to the activities for which the BAA is required
• Failure to manage

Page 17

What Obligations Do Business Associates Have?

• Limit use and disclosure of PHI to the minimum
• Conduct risk analysis
• Appoint a security officer
• Implement technical, administrative and physical safeguards, including HIPAA policies and procedures
• Train affected personnel
• Enter business associate agreements with subcontractors requiring PHI covered by the BAA
• Provide access to PHI to the covered entity or individual (per BAA)
• Identify and report breaches

Page 18

HITECH Act Impact

• Business associates now directly liable
• Periodic audits
• Breach notification requirements
• New penalties
• Criminal liability

Page 19

HIPAA Enforcement Against Business Associates

• June 2016: Catholic Health Care Services of the Archdiocese of Philadelphia, $650,000 penalty and CAP
• September 2016: Care New England Health System, $400,000 and CAP
• Also settlements in 2016 and 2017 for failure by covered entities to enter business associate agreements

Page 20

HIPAA Enforcement Against Life Sciences Company Employee

November 2016: a Warner Chilcott district manager instructed sales representatives to access patient confidential information and prepare insurance authorizations for physicians to sign.

The DM pleaded guilty to violating criminal provisions of HIPAA (one year of probation and a $10k fine).

Page 21

Government Agencies & Life Sciences Companies

• Potential civil penalties from OCR, FTC, State Attorneys General
• Potential criminal penalties from DOJ, OCR, and local District Attorneys
• SEC monitors disclosures about products at public companies
• FDA may seize a medical device that is vulnerable to attack

Page 22

Medical Device Cybersecurity – Pending Legislation

S.1656, Medical Device Cybersecurity Act of 2017, by Sen. Blumenthal (D-CT)
• Introduced on 7/27/17

S.1691, IoT Cybersecurity Improvement Act of 2017, by Sen. Warner (D-VA)
• Introduced on 8/1/17
• Cosponsored by Sens. Wyden (D-OR), Gardner (R-CO) & Daines (R-MT)

Draft, IoMT Cyber Bill, by Rep. Dave Trott (R-MI)
• Not yet introduced

Page 23

Diana Maier, Employment and Privacy Attorney for Life Sciences, Maier Law Group

Page 24

The General Data Protection Regulation (GDPR)

• Primary EU law regulating use of personal information
• Enforced May 2018

Page 25

GDPR And Life Sciences Companies

• If established in the EU (old rule), or
• Offer goods and services to EU citizens, or
• Monitor behavior of EU citizens, and
• Process personal data of EU citizens

Page 26

So, You’re Probably Subject To GDPR If:

• Clinical trials using data from the EU
• Have employees in the EU
• Market to the EU
• Process personal data on behalf of an EU entity

Page 27

GDPR Sensitive Personal Data (SPD) Exceptions

Baseline rule: no processing of SPD. Exceptions:

• Explicit consent
• In the vital interests of an individual
• Scientific research/public health
• Necessary for the practice of preventive or occupational medicine, medical diagnosis

Page 28

Consent Forms Under GDPR

• Freely given
• Specific
• Informed
• Unambiguous
• Agreement
• Revocable (at any time)

Page 29

GDPR: Scientific Research Exception

• Specified safeguards implemented
• Data minimization (data pseudonymization)
• Does it apply to commercial research?
• Scientific research not defined under GDPR

Page 30

General Requirements For Any Company Subject To GDPR

• Data protection by design
• Data Protection Impact Assessment (PIA) if processing health data on a large scale
• Data protection officer when the company monitors individuals or health data on a large scale
• Penalties: up to about €21 million or 4% of annual worldwide turnover (whichever is higher)
• Reporting breaches if there could be a high risk to individuals

Page 31

In Sum, Determine:

• Does GDPR apply to your organization?
• Do you have a data protection regime that passes GDPR muster?
• Have you established a valid legal basis for processing sensitive personal data?
• Have you updated consent forms to comply with GDPR?
• Do you use key-coded data? Have you determined whether it complies with GDPR?

Page 32

In Sum, Determine:

• Have you implemented appropriate policies and procedures to ensure data protection by design?
• Do you carry out privacy impact assessments?
• If your organization is a data processor, can it comply with its new obligations under GDPR?

Page 33

Exporting Personal Data of EU Citizens to US

• Governed by GDPR: no exporting to “non-adequate” jurisdictions. The US is not adequate.
• Prohibited unless a specific exception applies, OR
• Implement an appropriate mechanism for importing personal data:
  • Model Contracts
  • Binding Corporate Rules
  • Privacy Shield

Page 34

A Word on Brexit

• If the UK leaves the EEA, data exports from the EU to the UK will get complicated
• The UK will not automatically be an “adequate” jurisdiction. Only 11 countries are adequate.
• It will have to pass something like the GDPR and amend other practices
• So data imports from the EU into the UK are prohibited unless a specific exception applies OR an appropriate mechanism for importing personal data is implemented

Page 35

I. Assessment Tool

• Identify strengths and weaknesses
• Prioritize specific areas for improvement
• Access link: www.maierlawgroup.com/assessment
• Password: MLGsecurity

Page 36

Eric Tausend, AVP, Executive Protection Services, ABD Insurance and Financial Services

Page 37

The Board’s Role in Risk Management

The board cannot and should not be involved in actual day-to-day risk management. Rather, the board’s role is one of risk oversight, ensuring that:

• The company implements risk management policies and procedures;
• The policies and procedures are functioning appropriately; and
• The board fosters a risk-aware culture within the company

Page 38

Duty of Oversight – Cybersecurity and Data Privacy

The duty of oversight, as applied to a board’s oversight of corporate cybersecurity, poses interesting challenges:

• Unlike many other areas of board oversight (e.g., financial accounting, traditional risk management, etc.), cyber exposure is new and rapidly changing
• The challenge for board members is to fulfill their duty and stay abreast of the issues, while being removed from the day-to-day challenges of monitoring, detecting, and responding to cyber risks

Page 39

Duty of Oversight – Cybersecurity and Data Privacy

“Effective board oversight of management’s efforts to address [cyber risks] is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”

– SEC Commissioner Luis Aguilar, June 10, 2014

Page 40

Fiduciary Duty of Oversight – Legal Framework

A board member’s “duty of oversight” or “fiduciary duty to monitor” corporate risk is governed by Caremark (698 A.2d 959 (Del. Ch. 1996)) and its progeny (e.g., Stone v. Ritter, 911 A.2d 362 (Del. 2006)). Under Caremark, liability can attach to individual board members where either:

1. The board member utterly fails to implement a system or controls; or
2. Having implemented such system or controls, the board member consciously fails to monitor or oversee its operations.

Page 41

Duty of Oversight – Claims Examples

Typical Fact Pattern

• Company suffers a large data breach
• Shareholders bring a derivative lawsuit alleging that board members:
  • Failed to ensure that the company implemented reasonable systems and controls to protect data and to prevent and detect data breaches; or
  • Consciously failed to monitor and oversee such systems and controls
• NOTE: Most states’ laws (including DE and CA) prohibit corporate indemnification of judgments or settlements of derivative suits

Examples:

• Target
• Wyndham Worldwide Corp.
• Home Depot
• Yahoo (also the subject of a securities class action lawsuit)
• The Wendy’s Company
• Equifax

Page 42

Duty of Oversight – Claims Outcomes

• To date, most derivative suits have been unsuccessful
  • Exception: Home Depot (settled on appeal of initial dismissal): $1.125M to plaintiffs and corporate governance reforms
• High procedural hurdles to proceed with a derivative claim
  • Plaintiffs must either:
    • Make a pre-lawsuit demand (often denied by the board, and denial subject to the deferential business judgment rule); or
    • Plead demand futility
• Securities class action lawsuits pose additional challenges, as share prices usually do not move much, so it’s difficult to establish loss
  • Exceptions: Yahoo, Equifax

Page 43

Duty of Oversight – Other Fallout

• Reputational harm and loss of directorships are also a possibility
• In 2014 Institutional Shareholder Services recommended that Target’s shareholders vote against the election of 7 of Target’s 10 directors (those sitting on the audit and corporate responsibility committees)
• ISS alleged these individuals were inadequately prepared for the risks of doing business in e-commerce, reasoning that the “failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders”

Page 44

Duty of Oversight – Fulfilling the Duty

Board members should proactively and regularly:

1. Understand the exposures and threats faced by the company
  • What data is at risk?
  • PHI, PII, source code, IP/trade secrets, financial info, confidential info
2. Ensure that a framework is in place to manage the associated risk
  • Prevention
  • Detection
  • Response and Recovery

Page 45

Duty of Oversight – Fulfilling the Duty

Some lessons from Target

• Factors that the Special Litigation Committee reviewed, considered, and relied upon in determining that the directors and officers discharged their fiduciary duties included:
  • Pre-breach policies and procedures designed to establish a reasonable information security program that incorporated technical, administrative, and physical controls for data security.
  • The existence of network-security insurance that mitigated the cost of the breach.
  • Pre-breach vendor security procedures.
  • Employee training related to data security requirements.
• While future courts will review derivative actions on a case-by-case basis, the Target defendants’ situation illustrates the importance of being able to demonstrate a strong, even if imperfect, cybersecurity program. The more evidence directors can produce to demonstrate that they prioritize and enforce cybersecurity, the more difficult it will be for plaintiffs to sustain breach of fiduciary duty claims against them following a breach.

Page 46

Making Cybersecurity a Board Priority

NYSE, Managing Cyber Risk: Are Companies Safeguarding Their Assets?, 2015. A survey of over 200 audit committee members.

“Our research shows that one in four (26%) respondents said their Chief Information Security Officer (CISO) or Chief Security Officer (CSO) makes a security presentation to the Board only once a year, while 30% of respondents said their senior security executive makes quarterly security presentations. But 28% of respondents said their security leaders make no presentations at all.”

PWC, 2015 U.S. State of Cybercrime Survey

Page 47

Corporate Governance – SEC Guidance

2011 SEC guidance suggests addressing cybersecurity risks and cyber incidents in registration statements, periodic reports, and current reports if:

• The cost or consequence is “material”;
• They are reasonably likely to have a “material” impact on operations, liquidity, or financial condition; or
• They call into question previously reported financial information

Page 48

Corporate Governance

• More public companies described “cybersecurity” as a risk in their financial disclosures in the first half of 2017 than in all of 2016, suggesting that board and C-suite fears over data breaches may be escalating.

• A Bloomberg BNA analysis found 436 companies cited “cybersecurity” as a risk factor in their Securities and Exchange Commission periodic filings in the first six months of 2017, compared to 403 companies in 2016 and 305 companies in 2015.

• In 2010 only 8 companies made such disclosures.

Bloomberg, Corporate Cyber Risk Disclosures Jump Dramatically in 2017, July 26, 2017

Page 49

Corporate Governance – SEC Enforcement

• To date, the SEC has not brought any enforcement actions, but is reportedly investigating Yahoo in what may become the long-anticipated test case.
• Yahoo announced two breaches in 2016
  • In September 2016, Yahoo disclosed the 2014 breach that affected 500M user accounts
  • In December 2016, Yahoo disclosed the 2013 breach that affected 1B user accounts
• The SEC is reportedly looking into the apparent delay in disclosure after becoming aware of the breach and whether the disclosures eventually made were in accordance with the 2011 SEC guidance

Page 50

Q&A