LEGISLATION UPDATE Updates on EU Data Protection Regulation, Patient Privacy and Consent 10 Things Every Bio/Pharma Need to Know Now

Transcription

1 LEGISLATION UPDATE Updates on EU Data Protection Regulation, Patient Privacy and Consent 10 Things Every Bio/Pharma Need to Know Now CBI Global Life Science Compliance Meeting November 16, 2016

2 Contents 2 1. Introductions 2. Cybersecurity and Privacy Trends Impacting Pharma/Life Science & Device Companies Legislative and Regulatory Developments You Need to Know Now

3 Introductions 3 Holly Kramen, Vice President, Global Compliance Officer, Circassia Pharmaceuticals James H. Koenig, Leader, PH Privacy & Cyber Implementation Solutions Group, Paul Hastings LLP

4 Cybersecurity Trends Impacting Pharma/Life Sciences & Device Companies Section 3. Overview of a Proposed Assessment for Pfizer

5 Sophistication Capabilities Sophistication Understanding the Risk of Cybersecurity 5 In this new environment, threats are more diverse and capable, increasing the frequency and magnitude of cyber-attacks More Diverse More Capable Greater Impact The Threats have become more diverse and distributed Foreign Intelligence Services Cyber Criminals Terrorists Hactivists Hate Groups Risks include both malign and benign threats while growing in sophistication with lower barriers to entry The sophistication of available tools is growing High Sophistication Low While the sophistication required of actors is declining High Sophistication Low increasing both the frequency and impact of attacks 1,023,108,267 Records Compromised 2,122 Confirmed Data Breaches 79,790 Security Incidents 90%+ Stem from Common Over Techniques, 500,000 web although sites were risks vary by compromised industry, including: Compromised Credentials Malicious intrusions were up 40% - in RAM 2008 Scraper - Phishing Symantec generates > 10,000 - Spyware/Keylogger threat signatures a day compared 70%+ Alerted to 1000 per by Third week Party just a few years ago Economic impact from cyber attacks estimated $400M-$1B

6 Pharma/LS & Device Industries a Higher Threat Target 6 Cyber Tsunami - Cybercrime and Espionage Growth at Epidemic Proportions. Over 50% of Fortune 500 companies had a breach last year. New cyber and knowledgeable insider threats increasing incidents of IP and ID theft, insider trading, and other improper access to crown jewels. Most Pharma/LS breaches involve IP and other data not publically reported. Source: Verizon Breach Report

7 Pharma/LS & Device Industries a Higher Threat Target 7 Pharma/Life Sciences & Device Industries by the Numbers: 9th of 20 industries in Number of Security Incidents Source: Verizon Breach Report

8 Pharma/LS & Device Industries a Higher Threat Target 8 Pharma/Life Sciences & Device Industries by the Numbers: 9th of 20 industries in Number of Security Incidents 5th of 20 industries in Confirmed Data Losses Source: Verizon Breach Report

9 Pharma/LS & Device Industries a Higher Threat Target 9 Pharma/Life Sciences & Device Industries by the Numbers: 9th of 20 industries in Number of Security Incidents 5th of 20 industries in Confirmed Data Losses 3rd in Successful Attacks on Big Business Size Source: Verizon Breach Report

10 Pharma/LS & Device Industries a Higher Threat Target 10 Pharma/Life Sciences & Device Industries by the Numbers: 9th of 20 industries in Number of Security Incidents 5th of 20 industries in Confirmed Data Losses 4rd in Successful Attacks on Big Businesses Size 2nd in Least Resistant to Attacks for industries with 25+ Losses Source: Verizon Breach Report

11 10 Legislative and Regulatory Developments You Need to Know Now Section 3. Overview of a Proposed Assessment for Pfizer

12 10 Legislative and Regulatory Developments International Data Transfers Privacy Shield and Safe Harbor Invalidation of Safe Harbor (10/15) and rise of Privacy Shield (approved 7/16). Pharma Reaction. Much of Pharma/LS depended on Safe Harbor, but additional solutions put in place during gap. Yet, many have pursued Privacy Shield too. APEC Cross-Border Privacy Rules certification being pursued. 2. New Laws and Enforcements Several Jurisdictions New laws in LATAM, APEC, U.S. and other other jurisdictions. Investigations/Enforcements.Patient, HCP and employee data. EU s General Data Protection Regulation (GDPR) Comprehensive binding across Europe effective May 25, Key New Provisions Impacting IT and Data Management Right to Be Forgotten, Data Portability and Data De-Identification.

13 GDPR Highlights - Five Areas of Key Differences 13 The GDPR is long and complicated. For assessment, planning and implementation purposes, five (5) key points of impact the GDPR will have on business, compliance and IT are detailed below. 1. Scope 2. Penalties 3. Consent GDPR Key Differences & Points of Impact Increased Territorial Scope ( 3) Penalties 2%/4% Tiered Approach ( 83) (a) New Requirements Verifiable Consent ( 7) (b) Children & Parental Consent ( 8) 4. Rights 5. Process (c) Objecting and Profiling ( 21, 22) (a) Breach Notification ( 33, 34) (b) Access, Rectification & Portability ( 15, 16, 20) (c) To be Forgotten ( 17) (a) Data Protection by Design / Pseudonymization & Anonymization ( 6, 25, 32) (b) Data Protection Impact Assessments ( 35) (c) Accountability: Records of Processing / Data Protection Officer ( 30, 37-39) PH Privacy & Cyber Implementation Solutions

14 10 Legislative and Regulatory Developments Penalties South Korea s PIPA South Korea s Personal Information Protection Act (effective 7/16) enables treble dames and potentially jail time for a deliberate act or a serious error. EU s GDPR Will impose fines of up to 4% of a company s global revenue for GDPR infractions. In practice, the amount of the fine imposed will vary based on the nature of the violation. 4. Cyber Framework NISTFrameworks Companies and boards of directors increasingly have been using the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (since 2/14 inception) 5. Medical Devices U.S. FDA Issued Draft Guidance (1/22/16) highlighting the critical steps medical device manufacturers should take in order to ensure patient safety and public health. Design Considerations and Pre- Market Submission Recommendations for Interoperable Medical Devices.

15 10 Legislative and Regulatory Developments EU ClinicalTrialsRegulation (EU-CTR) (No. 536/2014) Replacing EU Clinical Trial Directive (EU CTD). Criticized for disharmonized interpretation/application between Member States burden, costs and delays. Effective EU CTR currently expected to come into effect in Goals. Create favorable environment for conducting trials in the EU, with high safety standards and increased transparency. Benefits. Harmonized e-submission/assessment process; data sharing. EU Clinical Trial Portal & Database. Single point for submitting EU trial data. Sponsor Workspace. Secure workspace to prepare/compile data to submit to database for assessment by Member States. Authority Workspace. Secure workspace for Member States to oversee trial. Public Website. Site to access detailed information on all EU clinical trials. Transparency. CTR requires all data in the database to be publicly available. Exemptions. To protect: (i) personal data; (ii) commercially confidential information; (iii) confidential communications between Member States; and (iv) supervision of clinical trials by Member States.

16 10 Legislative and Regulatory Developments Recent EC Recommendation on CTR June 2016 Recommendations (with public consultation through Aug. 31). In June 2016, the EC issued recommendations on a number of topics, including: (1) Layperson Summaries. Preparing layperson summaries of clinical trial results; and Creative Solutions Testing Local language, and ideally English (2) Minors. Ethical considerations for clinical trials with minors, including updates on data protection. Comply with EU Directive and forthcoming GDPR Future data uses with informed consent Specify level of protection for educational performance records Provide children access to health info

17 10 Legislative and Regulatory Developments EFPIA Disclosure Requirements Disclosure Code Introduced by EFPIA in Designed to increase transparency for interactions between the pharma industry and healthcare profession (HCPs). Must Disclose Transfers of Value ( ToVs ). Requires EFPIA member companies/members of EFPIA member associations to publicly disclose payments and other ToVs made to HCPs (e.g., fees for service/consultancy; contributions to costs of scientific or educational events) and HCOs (e.g., donations; fees for service/consultancy). Individual or Aggregate Reporting. Consent required to report HCP transfers of value on non-aggregated basis. First Disclosures Were Due June The first disclosures related to payments made in 2015 and were required to be made by June 2016.

18 10 Legislative and Regulatory Developments Potential Legislation Around icams Internet of Things, Cloud, Analytics, Mobile, Social - Important for Pharma/Life Science for DTC, clinical trial recruitment, and use of new technologies for marketing and monitoring drugs, patients and HCPs. Legislative Horizon. Concerns around machine learning. 10. Privacy and Security by Design/Default GDPR and U.S. FTC Pushing for Privacy and Security by Design and Default. Cases at FTC for mobile apps and other software applications Company Responses. Developing checklist and routines (for scrum development in SDLC and Change Controls Process to implement)

19 Questions? Presentation Copies: Jim Koenig