As machine learning and artificial intelligence are changing the face of technology and innovation as we know them, collections of data have the potential to be one of the greatest assets—or liabilities—for companies in the medtech industry. And data is not only more important, there is also exponentially more of it as insurance records, diagnostic and clinical information, and consumer medical data are all increasingly digitized. The changing role of data touches nearly every aspect of the medtech industry, impacting considerations as varied as IT architecture and policy, intellectual property strategies, and the negotiation of strategic alliances. The pace of innovation and change means that it is now critical to consider how data fits into these operations on the front end. This article provides a survey of best practices that will serve forward-looking counsel well in navigating the sea change in the role and importance of data in medtech, focusing on licensing and trade secrecy.
With the revolution in data and technology, the trend in medtech transactions has been increasingly toward integrated solutions that enable development of information-rich relationships within the healthcare ecosystem, and away from simple “bolt-on” transactions like small, targeted acquisitions. These more complex transactions necessitate both protecting proprietary information and enabling data sharing. One of the most fruitful areas of this development involves licensing agreements in which early-stage, innovative companies developing technology solutions partner with established players in the healthcare and life sciences space. At the outset of such a deal, it is essential to define each party’s goals and perspective with respect to data. While the full scope of considerations in this respect is broader than can be addressed in a single article, some that are critically important include ownership, use, and obligations respecting data.
It is easy to see how a failure to define data ownership and use rights can lead to disputes down the road. But even a party attentive to the importance of data must be wary, as boilerplate provisions with generic terms are often not specific or granular enough for the purposes of complex data-sharing relationships, and it may be necessary to separately allocate rights to unmodified data sets (“raw” data) and to data outputs that have been modified, analyzed, etc. (“derived” or “usage” data). One example of the shortcomings of boilerplate is that now-standard provisions limiting data usage rights to anonymized, de-identified, or aggregate data sets may not be sufficient to ensure compliance with regulatory limitations and safe harbors. Such provisions should specifically define what constitutes adequate anonymization to comply with, for example, HIPAA’s provisions governing the de-identification of health information and the definition of anonymized for the Gramm-Leach-Bliley Act’s safe harbor. To illustrate the difficulty in applying such generic, boilerplate language, the term “aggregated” leaves significant ambiguity—the data must be aggregated with what? One additional data set? A meaningless data set? Enough additional data such that it can never practically be re-identified? The parties to a license that use and own the data will likely have different goals about what is permitted and required in this respect.
The greater the clarity with respect to the parties’ rights, obligations and ownership of data, the better. Each of these should be specifically delineated as to each type of data with respect to each party’s data inputs (if any), the different sources of data, the form of data, and the destination of data. A successful license will account for who collects data from the source, who owns the relationship with that data source, whether there are potential conflicts involved in the parties’ contemplated interaction with and use of data from that source, whether existing rights and consents are broad enough to encompass the contemplated use of the data, what uses of data are authorized or unauthorized, responsibility to maintain or secure data, and obligations upon potential noncompliance or data breach. As part of this exercise, each data touchpoint—from collection, delivery, maintenance, and control, to use—should be separately considered and addressed, identifying each third party and player involved in the process, to ensure all rights are appropriately provided for in the agreement. Furthermore, it is also critical to adequately account for the effects of termination, given that the vast majority of life sciences deals terminate before their natural expiration (or even before product launch), as a result of varied factors including technical failure, market changes, pipeline re-prioritization, M&A, etc. The agreement should explicitly provide for what rights and obligations regarding data will survive termination, revert or otherwise terminate, and the consideration (if any) for any such surviving rights.
Data in the medtech industry is something of a square peg in the round hole of traditional models of intellectual property protection. While patent and copyright protection can be available, their eligibility requirements set a higher bar for data than for other assets, and the nature of data poses particular problems when it comes to detecting infringement and enforcement. Concerns about the lack of protection provided by other modes of intellectual property have made trade secrecy an increasingly important consideration for medtech companies considering how to safeguard data assets.
Protecting data assets using the trade secret laws first requires that we identify and determine what can be protected as a trade secret. Trade secrets can be defined simply as information that (1) derives independent economic value, actual or potential, from not being generally known to the public, and (2) is the subject of reasonable efforts under the circumstances to maintain its secrecy. This broad definition presents some unique issues in the medtech space. Protectable trade secrets can be found in the familiar example of a company’s products or services that embody its research and development. But the increased importance of data means that databases of information from patients, users or customers, how that data is kept and organized, algorithms for using, arranging, and organizing the data, and secondary information and trends gleaned from that information can be protectable as trade secrets as well. This counsels a broad look at a medtech company’s data assets in determining where to focus its efforts.
The rise of data and automation in the medtech space also poses challenges with the second requirement for trade secret protection—taking reasonable steps to maintain secrecy. Traditional physical safeguards and data security measures, such as password protection, restricted access, limited networks and physical barriers, are necessary. A clear, written policy on handling confidential and trade secret information, followed up by periodic employee education and training on that policy, is also necessary for protecting trade secrets. Agreements—both with employees and external parties—are critical to protecting data-based trade secrets. Each employee should sign a confidentiality agreement to help enforce the policy. Particular care should be taken with exiting employees, including, if necessary, searches of a departing employee’s computer and devices, to ensure that protection for trade secret information is maintained. And perhaps of even more critical importance are confidentiality and non-disclosure agreements with any outside vendors and partners who may have access to confidential or trade secret information.
Data issues in the medtech sector present significant pitfalls for companies attempting to monetize this important asset. With careful planning and thoughtful drafting of policies and agreements, these issues can be avoided or ameliorated.