The German Federal Office for Information Security (BSI) has determined the suitability of an industry-specific security standard (B3S) with which hospitals can align their IT security measures. The B3S standard was developed by the German Hospital Association (DKG).
Please join us for the next installment of the Morgan Lewis Life Sciences Growth Webinar series, which will focus on university licensing. Topics to be discussed include:
- Academia/industry perspective differences
- Overarching academic policies and laws
- Specific academic licensing terms
- Post-licensing action items
This webinar will be hosted by Benjamin H. Pensak, a partner in our San Francisco office, and Stephen L. Altieri, a partner in our Boston office. This event will take place on November 5, 2019, from 12:30 pm to 1:30 pm (ET). Registration and additional information for the event can be found here.
CLE credit: CLE credit in CA, FL, IL, NJ, NY, PA, TN, TX, and VA is currently pending approval for live viewings only. Credit in NJ is via reciprocity.
The Q2 2019 issue of Morgan Lewis’s Life Sciences International Review was recently released. The review includes updates relevant to the life sciences industry from across the world, including the United States, Europe, and Asia. The topics range from intellectual property and data privacy to international trade and labor and employment. We found it to be an excellent read for anyone interested in keeping up with current trends in the life sciences sector.
Two of the topics that we found to be of particular interest were about data privacy in the European Union and foreign investments in the United States biotechnology industry. The review looks at the opinion adopted by the European Data Protection Board (EDPB) regarding the interplay between the General Data Protection Regulation and the forthcoming Clinical Trials Regulation. The review also discusses the increased activity by the Committee on Foreign Investment in the United States (CFIUS) in scrutinizing life sciences transactions, which has led to several transactions being blocked or mitigated.
The Life Sciences International Review is a quarterly newsletter published by Morgan Lewis lawyers with important updates and insights for the life sciences sector. Be sure to look for the next publication coming in the fall!
No one knows at the moment what the relationship will be between the United Kingdom and the European Union the day after Brexit on 31 October.
The life sciences sector is arguably the most closely harmonized within the European Union. Both medicinal products and medical devices are very much subject to Brussels-driven legislation. In addition to the regulatory issues that would result from Brexit, there could be substantial supply chain interference.
In Part 1 of this series, we provided an overview of data (or knowledge) commons and some key issues to consider, but how does one actually create and manage a data commons? To find your feet in this budding field, build on the theoretical foundation; address the specific context (including perceived objectives and constraints); deal with the thorny issues (including control and change); establish a core set of principles and rules; and, perhaps most importantly, plan for and enable change.
You may have heard of the “tragedy of the commons,” where a resource is depleted through collective action, but knowledge is different from other resources—knowledge can be duplicated, aggregated, integrated, analyzed, stored, shared, and disseminated in countless ways. Given that knowledge is a critical resource for seemingly intractable problems, the opportunity of the commons (or the tragedy of the lack of commons) is worth thoughtful consideration.
Imagine that you or a loved one is suffering from a terminal or debilitating disease and that data and knowledge are out there, waiting to be combined and harnessed for a cure or a transformational treatment. Imagine that self-interest (including attribution), legal restrictions (including intellectual property protections), inertia, complexity and difficulty of collective action, and other weighty forces are between you and that breakthrough discovery. Though not a new concept, commons have been garnering attention lately as an alternative framework for catalyzing groundbreaking research and development, particularly when relevant data and knowledge are scattered and particularly in the life sciences community. But before we all throw away our patents and data-dump our trade secrets, there are some thorny aspects to governing a data (or knowledge) commons. For example:
- A commons is essentially its own society. Anyone who has been part of a homeowners’ association knows that collective governance is almost always muddy. Aligning incentives, objectives, and values can be challenging.
- Founders may have trouble relinquishing control or enabling change. Participants may become confused or upset if rules or priorities change.
- Commons are not as well understood and tested. They must coexist with, and within, other systems that may be more rigid and rules-based. Participants may be logistically, intellectually, and otherwise tied to traditional methods and may prefer semi-exclusive zones rather than open collaboration.
- It may be difficult to measure the effectiveness or value of commons.
- Policing activities (e.g., authentications or restrictions) may be burdensome. And once the cat is out of the bag, it’s difficult to undo uses or disclosures.
- Commons managers may not be willing to take on certain responsibilities or liabilities that would make participants more comfortable.
- Different types of information and tools have different levels of sensitivity and protection. Certain information, like personal data, is highly regulated.
Scholars have taken theoretical frameworks built for natural resources and adapted them to the data commons setting. Key findings include that data commons must be designed to evolve and that communities with high levels of shared trust and values are most likely to succeed. Whereas governance through exclusivity (e.g., patents) is useful when trust levels are low, a resource sharing governance model (e.g., commons) can be effective when trust levels are high.
If you’d like to know more:
- We will be hosting a webinar with one of the aforementioned scholars—Professor Michael J. Madison, faculty director at PittLaw—on Tuesday, December 18, 2018, from 12:00 pm to 1:00 pm ET. Register and join us for the discussion.
- In a subsequent post, we will provide some tips and considerations with respect to drafting policies, standard terms, data contribution agreements, and other governing documents for data commons.
Knowledge sharing has long been an important element of academic research. And now collective sharing and governance of data assets throughout the scientific community, including for-profit participants, is gaining momentum. During their webinar, Out in the Open: The Knowledge Commons Framework, Emily Lowe, Ben Klaber, and Professor Michael J. Madison, faculty director at PittLaw, will discuss issues related to knowledge commons. Topics will include the following:
- A fundamental overview of knowledge commons, including the framework’s strengths and weaknesses
- Standard requirements regarding data contribution, access, use, sharing, protection, and attribution
- How to decide if a knowledge commons framework is right for your business, and if so, how to implement it successfully
Washington, DC partners Giovanna M. Cinelli, Kenneth J. Nunnenkamp, and Stephen Paul Mahinka and Boston partner Carl A. Valenstein recently published a LawFlash on the recent action taken by the Committee on Foreign Investment in the United States (CFIUS) to implement a pilot program under the Foreign Investment Risk Review and Modernization Act (FIRRMA). FIRRMA, which was enacted in August 2018, reformed the CFIUS screening process for foreign investment in the United States and, among other things, permits CFIUS to establish pilot programs to test the viability of certain of its provisions. The LawFlash addresses the objectives and the scope of the announced pilot program, including the countries and types of investments covered by the program. It also describes the new requirement for mandatory declarations "for certain transactions involving investments by foreign persons in certain U.S. businesses that produce, design, test, manufacture, fabricate, or develop one or more critical technologies" implemented by the pilot program. The pilot program becomes effective November 10, 2018.
For more information on the pilot program, please read the LawFlash.
The Illinois Biometric Information Privacy Act (IBIPA) has been grabbing headlines of late as class action lawsuits under IBIPA’s private right of action are piling up, but an Illinois state appeals court recently held that a plaintiff “must allege some actual harm,” potentially stemming the flood of litigation.
Noting that biometric identifiers are biologically unique and permanent (unlike, for example, passwords) and thus irreparably problematic if compromised, IBIPA regulates the collection, retention, disclosure, and destruction of biometric identifiers and biometric information.
Under the statute, “biometric identifiers” are retina or iris scans, fingerprints, voiceprints, and hand or face geometry scans. Some exceptions, such as writing samples, written signatures, and physical descriptions, are specifically listed. The second category of regulated data, “biometric information,” broadly includes any information “based on an individual’s biometric identifier used to identify an individual.” Companies, therefore, can’t evade the purview of the law by converting a biometric identifier into a new identifier—say, a unique number.
On Thursday, June 22, Morgan Lewis partners W. Reece Hirsch and Mark L. Krotoski and associate Jacob J. Harper will discuss best practices for defending against data breaches involving protected health information. Topics will include the following:
- Implementing an effective security breach response plan
- Responding to the threat of ransomware such as WannaCry
- Lessons learned from recent Office for Civil Rights (OCR) enforcement actions
- What the HIPAA Phase 2 audits can tell us about OCR’s breach response expectations