TRANSCRIPT
Managing Data Privacy Risk for Life Science Companies
SEPTEMBER 13, 2017
CLE provided by Maier Law Group
Speaker Panel
• Eric Tausend, AVP, Executive Protection Services, ABD Insurance & Financial Services
• Cristina Varner (Moderator), SVP, Life Sciences Practice Leader, ABD Insurance & Financial Services
• Diana Maier, Employment and Data Privacy Attorney for Life Sciences, Maier Law Group
• Carolyn Bruguera, Health Care Compliance Counsel, Law Office of Carolyn M. Bruguera
Today’s Topics
• How and when HIPAA applies to life sciences companies
• Examples of current government enforcement
• The new General Data Protection Regulation (GDPR)
• How to safely and legally conduct transfers of data from the EU to the US using the health data exception
• Approaches to managing cybersecurity risk
• Cybersecurity and the board of directors: fiduciary duties and governance
Carolyn Bruguera, Law Office of Carolyn M. Bruguera, Esq.
Essential HIPAA Elements
• Privacy Rule
• Security Rule
• Enforcement Rule
Privacy Rule
A covered entity may not use or disclose protected health information without patient authorization, except:
• To the individual
• For Treatment, Payment, and Health Care Operations
• With opportunity to agree or object
• Incident to an otherwise permitted use and disclosure
• For public interest and benefit activities
• Limited Data Set for the purposes of research, public health or health care operations
Covered entities are required to disclose PHI to patients requesting access to PHI and to HHS in connection with compliance/enforcement.
Security Rule
Requires Covered Entities to maintain reasonable and appropriate administrative, technical and physical safeguards to:
• Ensure the confidentiality, integrity and availability of e-PHI
• Identify and protect against reasonably anticipated threats
• Protect against reasonably anticipated impermissible uses or disclosures
• Ensure compliance by entity’s workforce
• Policies and procedures
• Periodic risk assessments
Enforcement Rule
• Contains provisions on compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings
• HITECH Act of 2009 provided for higher penalties and direct liability of business associates
• Previously: $100/violation max fine; $25,000 max aggregate
• Now: $50,000/occurrence; $1,500,000 per section violation per year, with criminal penalties up to one year imprisonment
Who Must Comply with HIPAA
Covered entities, i.e.:
• Health care providers who transmit PHI electronically in covered transactions
• Health Plans
• Health Care Clearinghouses
Business Associates:
• Perform specified functions or activities involving use or disclosure of PHI on behalf of, or provide services to, a covered entity
When is a Life Sciences Company Subject to HIPAA?
• When it’s a covered entity (e.g., provides health care services and supplies) and transmits PHI in covered transactions (e.g., bills Medicare or other payers), or
• When it’s a business associate
Generally, life sciences companies are not covered entities or business associates.
Practical Issues
• Clinical Trials
• Marketing
• Product support
• Business Associate Agreements
• Business Associate obligations
HIPAA and Clinical Trials
• Typically, Sponsors and CROs are not Covered Entities or Business Associates
• Specific exception for research purposes
• Caution: Avoid entering into a Business Associate Agreement when not necessary
• Handling of PHI governed by CTA or DUA
HIPAA and Clinical Trials
Exceptions to requirement of individual patient authorizations:
• IRB or Privacy Board waiver
• De-identified health information
• Specified activities preparatory to research
• Limited Data Set with a Data Use Agreement
Marketing and HIPAA
Covered entity may not use or disclose information for marketing purposes without individual’s written authorization.
Exceptions
The definition of “marketing” does not include:
• Information by the covered entity about its own products or services
  • Ex: new equipment at hospital
• Communications for treatment of the individuals
  • Ex: prescription refill reminders
The following do not require the covered entity to obtain authorization:
• Face-to-face marketing
• Providing modest promotional gifts
However, third party financial support may affect the above.
Not All Activities Require a BAA
• Treatment disclosure to company as health care provider
  • E.g., representative providing product support in OR
• Disclosure for payment of health care provider
  • E.g., in order to permit payment of company
• Public health disclosures
  • E.g., reporting adverse event or quality issue
• Sponsoring clinical research
  • E.g., limited data set, de-identified data, patient authorization
BAA Pitfalls
• Entered when not required
• Overbroad
  • Should require only compliance with the requisite provisions of law (45 CFR 164.504(e))
  • Should relate only to the activities for which the BAA is required
• Failure to manage
What Obligations Do Business Associates Have?
• Limit use and disclosure of PHI to minimum
• Conduct risk analysis
• Appoint security officer
• Implement technical, administrative and physical safeguards, including HIPAA policies and procedures
• Train affected personnel
• Enter business associate agreements with subcontractors requiring PHI covered by BAA
• Provide access to PHI to covered entity or individual (per BAA)
• Identify and report breaches
HITECH Act Impact
• Business Associates now directly liable
• Periodic audits
• Breach notification requirements
• New penalties
• Criminal liability
HIPAA Enforcement Against Business Associates
• June 2016 – Catholic Health Care Services of the Archdiocese of Philadelphia – $650,000 penalty and CAP
• September 2016 – Care New England Health System – $400,000 and CAP
• Also settlements in 2016 and 2017 for failure by covered entities to enter business associate agreements
HIPAA Enforcement Against Life Sciences Company Employee
• November 2016 – A Warner Chilcott district manager instructed sales representatives to access patient confidential information and prepare insurance authorizations for physicians to sign.
• The DM pleaded guilty to violating criminal provisions of HIPAA (one year of probation and a $10k fine).
Government Agencies & Life Sciences Companies
• Potential civil penalties from OCR, FTC, State Attorneys General
• Potential criminal penalties from DOJ, OCR, and local District Attorneys
• SEC monitors disclosures about products at public companies
• FDA may seize a medical device that is vulnerable to attack
Medical Device Cybersecurity – Pending Legislation
• S.1656, Medical Device Cybersecurity Act of 2017, by Sen. Blumenthal (D-CT)
  • introduced on 7/27/17
• S.1691, IoT Cybersecurity Improvement Act of 2017, by Sen. Warner (D-VA)
  • introduced on 8/1/17
  • cosponsored by Sens. Wyden (D-OR), Gardner (R-CO) & Daines (R-MT)
• Draft, IoMT Cyber Bill, by Rep. Dave Trott (R-MI)
  • not yet introduced
Diana Maier, Employment and Privacy Attorney for Life Sciences, Maier Law Group
The General Data Protection Regulation (GDPR)
• Primary EU law regulating use of personal information
• Enforced May 2018
GDPR And Life Sciences Companies
• If established in EU (old rule), or
• Offer goods and services to EU citizens, or
• Monitor behavior of EU citizens, and
• Process personal data of EU citizens
So, You’re Probably Subject To GDPR If:
• Clinical trials using data from EU
• Have employees in the EU
• Market to EU
• Process personal data on behalf of an EU entity
GDPR Sensitive Personal Data (SPD) Exceptions
Baseline rule: no processing of SPD
Exceptions:
• Explicit consent
• In vital interests of an individual
• Scientific research/public health
• Necessary for the practice of preventive or occupational medicine, medical diagnosis
Consent Forms Under GDPR
• Freely given
• Specific
• Informed
• Unambiguous
• Agreement
• Revocable (at any time)
GDPR: Scientific Research Exception
• Specified safeguards implemented
• Data minimization (data pseudonymization)
• Does it apply to commercial research?
• Scientific research not defined under GDPR
General Requirements For Any Company Subject To GDPR
• Data protection by design
• Data Protection Impact Assessment (PIA) if processing health data on a large scale
• Data protection officer when the company monitors individuals or health data on a large scale
• Penalties: up to about 21 million Euros or 4% of annual worldwide turnover (whichever is higher)
• Reporting breaches if there could be a high risk to individuals
In Sum, Determine:
• Does GDPR apply to your organization?
• Do you have a data protection regime that passes GDPR muster?
• Have you established a valid legal basis for processing sensitive personal data?
• Have you updated consent forms to comply with GDPR?
• Do you use key coded data? Have you determined whether it complies with GDPR?
In Sum, Determine:
• Have you implemented appropriate policies and procedures to ensure data protection by design?
• Do you carry out privacy impact assessments?
• If your organization is a data processor, can it comply with its new obligations under GDPR?
Exporting Personal Data of EU Citizens to US
• Governed by GDPR: no exporting to “non-adequate” jurisdictions. US is not adequate.
• Prohibited unless a specific exception applies, OR
• Implement appropriate mechanism for importing personal data:
  • Model Contracts
  • Binding Corporate Rules
  • Privacy Shield
A Word on Brexit
• If the UK leaves the EEA, data exports from the EU to the UK will get complicated
• UK will not automatically be an “adequate” jurisdiction. Only 11 countries are adequate.
• It will have to pass something like the GDPR and amend other practices
• So data imports from the EU into the UK are prohibited unless a specific exception applies, OR an appropriate mechanism for importing personal data is implemented
I. Assessment Tool
• Identify strengths and weaknesses
• Prioritize specific areas for improvement
• Access link: www.maierlawgroup.com/assessment
• Password: MLGsecurity
Eric Tausend, AVP, Executive Protection Services, ABD Insurance and Financial Services
The Board’s Role in Risk Management
The board cannot and should not be involved in actual day-to-day risk management. Rather, the board’s role is one of risk oversight, ensuring that:
• The company implements risk management policies and procedures;
• The policies and procedures are functioning appropriately; and
• The board fosters a risk-aware culture within the company
Duty of Oversight – Cybersecurity and Data Privacy
The duty of oversight, as applied to a board’s oversight of corporate cybersecurity, poses interesting challenges:
• Unlike many other areas of board oversight (e.g. financial accounting, traditional risk management, etc.), cyber exposure is new and rapidly changing
• The challenge for board members is to fulfill their duty and stay abreast of the issues, while being removed from the day-to-day challenges of monitoring, detecting, and responding to cyber risks
Duty of Oversight – Cybersecurity and Data Privacy
“Effective board oversight of management’s efforts to address [cyber risks] is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting companies and their consumers, as well as protecting investors and the integrity of the capital markets.”
– SEC Commissioner Luis Aguilar, June 10, 2014
Fiduciary Duty of Oversight – Legal Framework
A board member’s “duty of oversight” or “fiduciary duty to monitor” corporate risk is governed by Caremark (698 A.2d 959 (Del. Ch. 1996)) and its progeny (e.g. Stone v. Ritter, 911 A.2d 362 (Del. 2006)). Under Caremark, liability can attach to individual board members where either:
1. The board member utterly fails to implement a system or controls; or
2. Having implemented such system or controls, the board member consciously fails to monitor or oversee its operations.
Duty of Oversight – Claims Examples
Typical Fact Pattern
• Company suffers large data breach
• Shareholders bring derivative lawsuit alleging that board members:
  • Failed to ensure that the company implemented reasonable systems and controls to protect data and to prevent and detect data breaches; or
  • Consciously failed to monitor and oversee such systems and controls
• NOTE: Most states’ laws (including DE and CA) prohibit corporate indemnification of judgements or settlements of derivative suits
Examples:
• Target
• Wyndham Worldwide Corp.
• Home Depot
• Yahoo (also the subject of securities class action lawsuit)
• The Wendy’s Company
• Equifax
Duty of Oversight – Claims Outcomes
• To date, most derivative suits have been unsuccessful
• Exception: Home Depot (settled on appeal of initial dismissal)
  • $1.125M to plaintiffs and corporate governance reforms
• High procedural hurdles to proceed with a derivative claim
  • Plaintiffs must either:
    • Make pre-lawsuit demand (often denied by board, and denial subject to deferential business judgment rule); or
    • Plead demand futility
• Securities class action lawsuits pose additional challenges as share prices usually do not move much, so it’s difficult to establish loss
  • Exceptions: Yahoo, Equifax
Duty of Oversight – Other Fallout
• Reputational harm and loss of directorships are also a possibility
• In 2014 Institutional Shareholder Services recommended that Target’s shareholders vote against the election of 7 of Target’s 10 directors (those sitting on the audit and corporate responsibility committees)
• ISS alleged these individuals were inadequately prepared for risks of doing business in e-commerce, reasoning that the “failure of the committees to ensure appropriate management of these risks set the stage for the data breach, which has resulted in significant losses to the company and its shareholders”
Duty of Oversight – Fulfilling the Duty
Board members should proactively and regularly:
1. Understand the exposures and threats faced by the company
  • What data is at risk?
    • PHI, PII, source code, IP/trade secrets, financial info, confidential info
2. Ensure that a framework is in place to manage associated risk
  • Prevention
  • Detection
  • Response and Recovery
Duty of Oversight – Fulfilling the Duty
Some lessons from Target
• Factors that the Special Litigation Committee reviewed, considered, and relied upon in determining that the directors and officers discharged their fiduciary duties included:
  • Pre-breach policies and procedures designed to establish a reasonable information security program that incorporated technical, administrative, and physical controls for data security.
  • The existence of network-security insurance that mitigated the cost of the breach.
  • Pre-breach vendor security procedures.
  • Employee training related to data security requirements.
• While future courts will review derivative actions on a case-by-case basis, the Target defendants’ situation illustrates the importance of being able to demonstrate a strong, even if imperfect, cybersecurity program. The more evidence directors can produce to demonstrate that they prioritize and enforce cybersecurity, the more difficult it will be for plaintiffs to sustain breach of fiduciary duty claims against them following a breach.
Making Cybersecurity a Board Priority
NYSE, Managing Cyber Risk: Are Companies Safeguarding Their Assets?, 2015
A survey of over 200 audit committee members
“Our research shows that one in four (26%) respondents said their Chief Information Security Officer (CISO) or Chief Security Officer (CSO) makes a security presentation to the Board only once a year, while 30% of respondents said their senior security executive makes quarterly security presentations. But 28% of respondents said their security leaders make no presentations at all.”
– PWC, 2015 U.S. State of Cybercrime Survey
Corporate Governance – SEC Guidance
2011 SEC guidance suggests addressing cybersecurity risks and cyber incidents in registration statements, periodic reports, and current reports if:
• Cost or consequence is “material;”
• Reasonably likely to have a “material” impact on operations, liquidity, or financial condition; or
• Calls into question previously reported financial information
Corporate Governance
• More public companies described “cybersecurity” as a risk in their financial disclosures in the first half of 2017 than in all of 2016, suggesting that board and C-suite fears over data breaches may be escalating.
• A Bloomberg BNA analysis found 436 companies cited “cybersecurity” as a risk factor in their Securities and Exchange Commission periodic filings in the first six months of 2017, compared to 403 companies in 2016 and 305 companies in 2015.
• In 2010 only 8 companies made such disclosures.
Bloomberg, Corporate Cyber Risk Disclosures Jump Dramatically in 2017, July 26, 2017
Corporate Governance – SEC Enforcement
• To date, SEC has not brought any enforcement actions, but is reportedly investigating Yahoo in what may become the long-anticipated test case.
• Yahoo announced two breaches in 2016
  • In September 2016, Yahoo disclosed the 2014 breach that affected 500M user accounts
  • In December 2016, Yahoo disclosed the 2013 breach that affected 1B user accounts
• SEC reportedly looking into the apparent delay in disclosure after becoming aware of the breach and whether the disclosures eventually made were in accordance with the 2011 SEC guidance
Q&A