Cybersecurity vulnerabilities embedded in AI and machine learning pose significant litigation risks as life sciences companies move to digital technologies.
As pharmaceutical and medical device companies (collectively, “life sciences companies”) increasingly embrace advanced and interconnected technologies to aid research and development and other business-critical efforts, they must also prepare for the litigation risks these technologies present. Cybersecurity vulnerabilities, technology failures, partnerships with technology companies, and alleged biases embedded in AI and machine learning systems all pose significant litigation risk for life sciences companies. Yet, a recent Hogan Lovells survey of pharmaceutical and other life sciences executives indicates that many companies have not taken steps to examine and mitigate these risks.
While 56% of life sciences companies say technology is a core part of their growth strategy, only 37% are confident their senior executives understand the risks associated with technologies. And just 8% of boards at life sciences companies deem technology risk to be as important as financial risk and other traditional risks. Below we examine key technology risks for life sciences companies and steps companies can take to mitigate these risks.
A data breach can lead to confidential medical data being exposed, and significant reputational damage, so it is important to have an up-to-date cyber incident response plan. Such a breach may prompt regulatory investigations by multiple government enforcement agencies, collective and class action lawsuits, and even shareholder class actions. Moreover, while the adoption of IoT devices by pharmaceutical companies has allowed the industry to automate important business processes, the vast amounts of data stored and shared by these smart devices and systems compound the cybersecurity-related litigation risk.
In addition, consumers are increasingly focused on their privacy rights and many jurisdictions have tightened data privacy regulations in recent years. Failures to comply with fast-changing privacy regulations threaten significant reputational and financial consequences. Moreover, uses of consumers’ data in ways that are not anticipated or beneficial to the consumer, even if legally compliant, could erode consumer trust.
Despite growing awareness about litigation risk related to cybersecurity incidents, approximately half (56%) of life sciences companies said their businesses’ cybersecurity response plans are out of date, and just 33% of life sciences companies said they involve their legal teams in their creation. Life sciences companies should ensure they have incident response plans that reflect input from legal counsel, and that they periodically conduct a cybersecurity response simulation exercise. It is also increasingly important that the board play an active role in overseeing management of cyber risks because major strategic business decisions, such as investing in new technology, can expand these risks, and regulators increasingly expect board directors to be actively overseeing them.
It is important to note that all these efforts can be undermined if a company’s suppliers do not also have adequate cybersecurity practices. If cyber vulnerabilities are introduced into your company’s supply chain, this can undermine your company’s defenses. Pharmaceutical companies must therefore confirm suppliers have adequate cybersecurity practices in place. Companies should also take steps to add privacy and cybersecurity specialists to their product development teams to avoid developing products that unknowingly raise consumer privacy issues.
A failure in a life sciences company’s critical technology could expose companies to costly products liability lawsuits or compromise confidential data. The first step to mitigating such risks is to identify business-critical technologies. Yet, the Hogan Lovells survey found that 42% of companies in the life sciences industry have not identified what their critical technologies are, and 61% of business leaders are not actively considering how to prevent and mitigate the risk of a major technology failure.
After business-critical technologies have been identified, companies need policies and procedures to follow if one of them fails. A “crisis-management playbook” helps companies to mitigate risks, identify gaps in defenses, and deal efficiently with issues as they arise. Producing such a playbook needs to be a collaborative effort. As with cyber incident response plans, multiple parties will have to be involved, including management, technology, and legal teams. Such a plan should include:
Teams must, of course, also be trained to act on this information and respond effectively to a major technology failure event. One of the best ways to reinforce that training is to simulate the response through tabletop exercises.
The drive to get access to innovative technologies understandably leads pharmaceutical companies to enter transactions with companies, many of them start-ups, in new or emerging markets. Thus, life sciences companies are increasingly partnering with technology companies through joint ventures, mergers and acquisitions, and by outsourcing key business functions to technology companies. These ventures frequently must navigate regulatory regimes that may not have been designed with the current technology in mind. To mitigate the litigation risk raised by such deals, legal counsel should be involved in shaping the transaction from the outset.
Counsel should therefore work closely with technical teams throughout the entire lifecycle of a transaction. It is particularly important to identify any potential issues raised by the technology that may not be covered by generic representations and warranties and to craft specific language to address these issues. The legal team should also consider the extent to which the company’s right to seek compensation from a JV partner or the directors of an acquired company needs to be protected if there is a problem.
In the U.S., CFIUS has become active in scrutinizing deals involving Chinese companies’ investments into technology businesses, so it’s essential to clarify which party bears the risk of CFIUS intervention and how a conflict will be resolved if one party believes the other has not made every effort to obtain CFIUS approval. Pharmaceutical companies should of course also confirm how IP will be shared when entering into JVs with counterparties in other jurisdictions.
Most improvements in AI systems are made because of advances in machine learning. However, algorithms underlying machine learning often reflect unwanted biases found within the data on which they are trained. Algorithmic bias could lead to giving priority to certain patient populations over others when it comes to treating complex medical conditions. For instance, bias in AI systems could impact the development of precision medicines in a way that benefits certain patient groups more than others. By way of illustration, if a skin-cancer detection algorithm is trained based on light-skinned individuals, the algorithm will not be as effective in detecting skin cancers among darker-skinned patients. Algorithmic bias can also be embedded in business operations such as in technologies used to screen resumes and determine which applicants are qualified for open positions.
Concerns about such bias are well documented. In fact, a U.S. Food and Drug Administration patient engagement committee recently issued a paper examining the potential for bias in AI and machine learning in the development of medical devices. Nonetheless, less than half (40%) of the world’s largest pharmaceutical and life sciences companies report they do not check that the technology supplied to them has been vetted for bias. To mitigate the risk of algorithmic bias, pharmaceutical companies should catalog the datasets underlying the AI and machine learning technologies they employ and move to eliminate any bias in those datasets. In addition, companies should seek warranties and assurances that any software they procure from a third party does not contain biases, and conduct due diligence to confirm this fact.
As pharmaceutical companies increasingly use technology to drive growth, their C-suites will need to prioritize risk mitigation and should consider the following actions.
Tanja Eisenblätter is a partner at Hogan Lovells based in Hamburg, and heads the firm's Litigation practice in EMEA and APAC.
Lauren Colton is a partner in Hogan Lovells’ Baltimore office who heads the firm’s Products Law group.