New Technologies Come with New Litigation Risks
Mitigating cybersecurity and data privacy risks
A data breach can lead to confidential medical data being exposed, and significant reputational damage, so it is important to have an up-to-date cyber incident response plan. Such a breach may prompt regulatory investigations by multiple government enforcement agencies, collective and class action lawsuits, and even shareholder class actions. Moreover, while the adoption of IoT devices by pharmaceutical companies has allowed the industry to automate important business processes, the vast amounts of data stored and shared by these smart devices and systems compound the cybersecurity-related litigation risk.
In addition, consumers are increasingly focused on their privacy rights and many jurisdictions have tightened data privacy regulations in recent years. Failures to comply with fast-changing privacy regulations threaten significant reputational and financial consequences. Moreover, uses of consumers’ data in ways that are not anticipated or beneficial to the consumer, even if legally compliant, could erode consumer trust.
Despite growing awareness about litigation risk related to cybersecurity incidents, approximately half (56%) of life sciences companies said their businesses’ cybersecurity response plans are out of date, and just 33% of life sciences companies said they involve their legal teams in their creation. Life sciences companies should ensure they have incident response plans that reflect input from legal counsel, and that they periodically conduct a cybersecurity response simulation exercise. It is also increasingly important that the board play an active role in overseeing management of cyber risks because major strategic business decisions, such as investing in new technology, can expand these risks, and regulators increasingly expect board directors to be actively overseeing them.
It is important to note that all these efforts can be undermined if a company’s suppliers do not also have adequate cybersecurity practices. If cyber vulnerabilities are introduced into your company’s supply chain, this can undermine your company’s defenses. Pharmaceutical companies must therefore confirm suppliers have adequate cybersecurity practices in place. Companies should also take steps to add privacy and cybersecurity specialists to their product development teams to avoid developing products that unknowingly raise consumer privacy issues.
Mitigating the risk of technology failures
A failure in a life sciences company’s critical technology could expose companies to costly products liability lawsuits or compromise confidential data. The first step to mitigating such risks is to identify business-critical technologies. Yet, the Hogan Lovells survey found that 42% of companies in the life sciences industry have not identified what their critical technologies are, and 61% of business leaders are not actively considering how to prevent and mitigate the risk of a major technology failure.
After business-critical technologies have been identified, companies need policies and procedures to follow if one of them fails. A “crisis-management playbook” helps companies to mitigate risks, identify gaps in defenses, and deal efficiently with issues as they arise. Producing such a playbook needs to be a collaborative effort. As with cyber incident response plans, multiple parties will have to be involved, including management, technology, and legal teams. Such a plan should include:
- Information defining circumstances that trigger contacting the in-house legal team;
- Escalation procedures that outline when senior management should be informed and consulted;
- Information identifying circumstances that require a report to regulators and detailed information about regulators in each jurisdiction in which your business operates.
Teams must, of course, also be trained to act on this information and respond effectively to a major technology failure event. One of the best ways to reinforce that training is to simulate the response through tabletop exercises.
Legal teams should be involved in any technology partnerships at the ground floor
The drive to get access to innovative technologies understandably leads pharmaceutical companies to enter transactions with companies – many of them start-ups – in new or emerging markets. Thus, life sciences companies are increasingly partnering with technology companies through joint ventures, mergers and acquisitions, and by outsourcing key business functions to technology companies. These ventures frequently must navigate regulatory regimes that may not have been designed with the current technology in mind. To mitigate the litigation risk raised by such deals, legal counsel should be involved in shaping the transaction from the outset.
Counsel should therefore work closely with technical teams throughout the entire lifecycle of a transaction. It is particularly important to identify any potential issues raised by the technology that may not be covered by generic representations and warranties and to craft specific language to address these issues. The legal team should also consider the extent to which the company’s right to seek compensation from a JV partner or the directors of an acquired company needs to be protected if there is a problem.
In the U.S., CFIUS has become active in scrutinizing deals involving Chinese companies’ investments into technology businesses, so it’s essential to clarify what party bears the risk of CFIUS intervention and how a conflict will be resolved if one party believes the other has not made every effort to obtain CFIUS approval. Pharmaceutical companies should of course also confirm how IP will be shared when entering into JVs with counterparties in other jurisdictions.
Check your AI technologies for bias
Most improvements in AI systems are made because of advances in machine learning. However, algorithms underlying machine learning often reflect unwanted biases found within the data on which they are trained. Algorithmic bias could lead to giving priority to certain patient populations over others when it comes to treating complex medical conditions. For instance, bias in AI systems could impact the development of precision medicines in a way that benefits certain patient groups more than others. By way of illustration, if a skin-cancer detection algorithm is trained based on light-skinned individuals, the algorithm will not be as effective in detecting skin cancers among darker-skinned patients. Algorithmic bias can also be embedded in business operations such as in technologies used to screen resumes and determine which applicants are qualified for open positions.
Concerns about such bias are well documented. In fact, a U.S. Food and Drug Administration patient engagement committee recently issued a paper examining the potential for bias in AI and machine learning in the development of medical devices. Nonetheless, less than half (40%) of the world’s largest pharmaceutical and life sciences companies report they do not check that the technology supplied to them has been vetted for bias. To mitigate the risk of algorithmic bias, pharmaceutical companies should catalog the datasets underlying the AI and machine learning technologies they employ and move to eliminate any bias in those datasets. In addition, companies should seek warranties and assurances that any software they procure from a third party does not contain biases, and conduct due diligence to confirm this fact.
As pharmaceutical companies increasingly use technology to drive growth, their C-suites will need to prioritize risk mitigation and should consider the following actions.
- Taking steps to enhance board oversight of technology risk by increasing the time the board spends discussing risk, adding new technology roles to the board, and creating a technology risk board committee where relevant.
- Reviewing cyber incident response plans to ensure they have adequate input from the legal team, are up-to-date, and are regularly practiced through appropriate simulation exercises.
- Taking steps to ensure suppliers have adequate cybersecurity practices in place.
- Adding privacy and cybersecurity specialists to your product development teams.
- Identifying business-critical technologies and developing “crisis-management playbooks” to mitigate risks associated with these technologies.
- Involving the legal team in the entire lifecycle of transactions that relate to technology acquisitions.
- Taking steps to eliminate bias in AI and machine learning technologies – both those technologies that are developed in-house and those procured from a third party.
- Establishing and publishing principles that will provide a clear framework for how technologies that raise ethical issues will be used, and ensuring that senior management and the legal team are involved in this effort.
The survey, entitled “How to prevail when technology fails,” is based on 550 interviews with General Counsels, data privacy officers or equivalent of some of the world’s largest multinational companies. They operate in seven sectors: technology & telecoms (82), financial services and insurance (82), life sciences (82), automotive (83), consumer (83), diversified industrials (83), energy and natural resources (55). Of those, 82 respondents were from the life sciences industry.
Tanja Eisenblätter is a partner at Hogan Lovells based in Hamburg, and heads the firm’s Litigation practice in EMEA and APAC.
Lauren Colton is a partner in Hogan Lovells’ Baltimore office who heads the firm’s Products Law group.