By: Rebecca L. Rakoski, Esquire
Patrick D. Isbill, Esquire
The Vitruvian Man by Leonardo DaVinci may need a half-millenium update when considering the latest developments in the field of synthetic biology and the inescapable modern-day overlap with cybersecurity and data privacy laws. What comes next can only be described as maybe incredible for an emerging vanguard industry that should look to the partial evolutionary arc of cybersecurity and data protection in other industries, like healthcare and finance, to avoid getting mired in indecision and lack of readiness. The potential impact, and needless to say tension, from both a financial and data integrity standpoint is also nothing short of extraordinary. Add to it the ethical issues that should be discussed and resolved beforehand and it becomes clear the biotechnology industry is set to meet its groundbreaking moment no matter where any legal guardrails are, or arguably are not, at the moment.
Defining Synthetic Biology
So what exactly is synthetic biology anyway? And what does it have to do with data privacy? In a nutshell – a lot. This area of research is multidisciplinary, and it attempts to create or rather redesign biological systems, turning yesterday’s transcendent visions into today’s usable technology. The National Institutes of Health (NIH) is recognized as the largest biomedical research agency in the world. According to the National Human Genome Research Institute (NHGRI), which directs the advancement of genomics research at NIH, “synthetic biology is a field of science that involves redesigning organisms for useful purposes by engineering them to have new abilities.” It is also in simple terms a mechanism typically used by scientists to “stitch together long stretches of DNA and insert them into an organism’s genome.”
Synthetic biology pulls from multiple scientific disciplines. Everything from biomedical engineering and genetics to molecular biology, computer science, and biophysics. Each set of methodologies from their specialized subset of biology must work in harmony. Needless to say, it would be a gross understatement to stress just how difficult this biological redesign is to achieve. Companies around the globe, as well as numerous countries worldwide, are right now betting they can, conducting cutting edge research to essentially remake nature’s power in an attempt to address pressing global issues in medicine, mechanical engineering, agriculture, and even further to the colonization of other planets. Examples from the NHGRI include microorganisms employed for bioremediation and environmental disaster cleanup, rice engineered to contain beta-carotene for combating malnutrition, and/or yeast adapted to produce rose oil to further ecological preservation efforts.
Data Equals Money But Not Exactly Privacy
Data is not only the new oil but is the foundation of many businesses in the ultra competitive arena of the digital economy. Data now has a value, and the volume of data produced and stored when it comes to creating and testing these applications is simply incomprehensible. This data can be personal to the individual providing it but proprietary to the company using it. For synthetic biology, a prime example may be the unthinkable thesis for now of downloading the human mind into a synthetic and/or biological medium, perhaps not just pushing the concept of artificial intelligence to the next level but bulldozing it forward. The thought of classifying this type of personal identifiable information (PII) under a statute or regulation may be legally inconceivable today. The law of course is not ideally structured to meet these vanguard moments head on, often running to catch up but eventually settling on a framework that addresses both equity and ethics. It is this lag however that sparks the most debate and attendant consequences.
Data privacy and cybersecurity laws nevertheless play a big role in this directional discussion. Legal analysts and observers alike generally agree on a three-tiered set of starter issues that need to be addressed in regulating this emerging technology. These include, but are certainly not limited to, legal liability (biosafety), ethical boundaries (creation of new life forms), and cybersecurity/data privacy (biosecurity). Cybersecurity and data privacy being more of a lever or gatekeeper of sorts, potentially heading off or resolving some of the issues arising from the other two.
Data privacy and cybersecurity are often understood to be interconnected but also segmented for purposes of legal analysis. Like a chess board, each move for one typically causes a corresponding reaction/legal problem for the other if not properly considered, tailored, or accounted for. To be clear, each one is definable by the other, but each one maintains its own definition. Data privacy is typically associated with the collection of personal information. This accumulation of data is then subject to numerous types of actions. For example, this information can be used for a business purpose, it can be shared for both financial and non-financial reasons like market research and consumer analytics, and/or it could be simply warehoused with the intent of using it at some unknown point in the future for an equally undetermined purpose. The last example gives the most pause to privacy legal observers given its outright lack of specificity, unbounded intent, and essentially limitless possibilities for misuse.
Cybersecurity, on the other hand, is the mechanism by which this informational data is defended or protected from vulnerability to system compromise. Such protection from infringement usually looks like theft, loss, and/or unauthorized use or even unintended access that could spark unpredictable consequences. When it comes to corporate security for almost every industry, and especially for biotechnology, this mechanism is generally the layer protecting core company assets and bracing the company’s risk management strategy. It is also the foundation for rising government agency enforcement actions for violating the law by failing to maintain disclosed controls and procedures to protect this data.
Data Integrity: Preserves Legal Truth, Protects Business
Any experienced cyber attorney who represents a company in emerging technologies knows that data integrity, or the basis for the specific service application or product being sold, is dependent on well-planned risk management. Not every turn is predictable and there is a reason why regulations typically allow for risk mitigation instead of doubling down on risk surety. Preserving data integrity protects companies from unknowing legal exposure.
When it comes to biosecurity, the Federal Select Agents Program (FSAP) under the purview of the United States government regulates the possession of high-risk infectious agents for research and other purposes. But what about the alteration of data and/or scientific methodologies through industrial sabotage instead of flat out theft? For example, data surreptitiously altered from a synthetic biology application as a result of underdeveloped cybersecurity protocols may lead a company to unknowingly market research that exposes it to a products liability lawsuit for negligence, or worse unknowingly mass produce a harmful and potentially unpredictable construct. This exposure could then open up expansive ethical inquiries over data accuracy and possibly trigger data privacy laws given the classification of the data and where it is located.
In addition, most life sciences companies, biotechnology especially, must guard against industrial espionage and protect core company assets like trade secrets. These bits of information and/or years of research, no matter how large or significant, can damage the structural framework of the company’s operations if compromised by either a competitor or nation-state and threaten the company’s financial stability. This type of data is a top-tier target for a cyber event or breach, which can lead to a legal cascade of issues like violations of intellectual property and classified information. If the company is non-governmental and publicly traded, it could likely trigger an investigation by the Securities and Exchange Commission (SEC) for violations of what is disclosed to the public and what may have been previously disclosed to investors, especially when it comes to violations of disclosure controls and procedures related to cybersecurity vulnerability. Such a cascade effect is not unforeseeable, or all that improbable, and goes back to what had been previously mentioned. The interconnected nuances of data privacy and cybersecurity laws play an enormous part in setting the legal guideposts for this emerging technology and must be clearly understood by any company and its legal counsel looking to do business in the industry.
Setting a Legally Defensible Position
Domestically, data privacy and cybersecurity laws are derived from the jurisdiction where the data subject resides and also triggered by that somewhat metaphysical combination of PII as defined by those jurisdictions and in some instances protected health information (PHI). But internationally, where personal data has a substantially broader definition, the European Union’s definition of “personal data” under the General Data Protection Regulation (GDPR) includes any clearly identifiable information about a particular person. For example, this can include names, identification numbers, and location data, as well as other instances of structured and unstructured data. In addition, the GDPR has more specific requirements around the processing of sensitive or “special categories of personal data.” These “special categories” include things like genetic and biometric data. Therefore, companies pioneering synthetic biology technology must be diligently aware of the laws that affect data collection and impact the work with such data.
The answer then is to create a legally defensible position in relation to the data being collected. Companies in this space need to pay particular attention to data collection activities, consent, processing activities, changes to those processing activities, and the ability to understand and respond to data subject inquiries. Creating a comprehensive data privacy and cybersecurity program is not only critical to complying with these laws but also paramount to protecting intellectual property rights and maintaining the integrity of a particular study.
Many discussions are for sure ahead for the biotech industry over the ethics of certain applications and the limits of using synthetic biology. The law and regulatory oversight can help keep those discussions focused and lead to decisions recognizing the advantages of some discoveries and the irresponsibility of others. The legal framework however does not have to begin at ground zero. The evolution of cybersecurity and data privacy regulations in life sciences has already in part crossed this terrain. These lessons can without a doubt help the biotech industry stay on track to achieve what most of us value most – the improvement of the human condition.
For businesses in this area, the message is simple. Understanding data privacy laws and the effective implementation of measured cybersecurity to protect core assets and proprietary data is important. Staying proactive but trained to be reactive (if necessary) helps to also mitigate any surprises on the turns, as will relying on experienced privacy/cyber counsel, which may also be in the form of fractional counsel, who should be part of the roundtable of decision makers. Using legal strategy over tactics by remaining agile, but rooted within legally defensible positions tailored in finding practical solutions to lower the company’s risk profile and preserving data integrity through data protection, is vital to staying ahead and competitive in this rapidly changing sector.
Reprinted with permission from the October 11, 2023, issue of the New York Law Journal. Further duplication without permission is prohibited. All rights reserved. © 2023 ALM Media Properties, LLC.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.