Laurie Mims, partner at litigator Keker, Van Nest & Peters focuses part of her practice on trade secret matters, particularly within the biotechnology space, she discusses vulnerabilities within pharma amid hacking efforts and precautions pharmaceutical companies can take to protect their IP. –KB
Contract Pharma: Given the high cost of R&D that goes into developing a new vaccine, what threat do hacking schemes pose for pharmaceutical companies in the U.S.? Between competitors?
Laurie Mims: The recent indictment of two Chinese nationals for hacking and trade secret conspiracy and misappropriation heightens awareness of the serious threat such attacks present to pharmaceutical companies developing and commercializing lifesaving drugs. Theft of confidential research materials belonging to companies developing biologics and other drugs and medical devices, including treatments and vaccines for COVID-19, is especially concerning because protection of these companies’ hard-won proprietary knowledge—garnered from months if not years of scientific research by many dedicated scientists—is vital to support innovation.
While pharma and biotech companies patent their discoveries of new molecules, most of their research findings and manufacturing processes, including their knowledge of which methods do not work, are protected only as trade secrets. If these trade secrets are misappropriated, either through external infiltrators or, as is more commonly the case, through current and former employees, other companies—including Chinese government-backed entities—can bypass the research and development phase a and gain a significant, competitive economic advantage.
CP: What vulnerabilities exist within these companies that may make it easier for ‘hackers' to infiltrate company systems?
LM: The nature of the research, development, and manufacturing work-environment at biopharmaceutical companies unfortunately can make these businesses particularly vulnerable to theft of electronically-stored proprietary and trade-secret information. These companies strive to foster a collaborative work-environment with consistent, GMP-compliant procedures by promoting sharing of discoveries and best practices and methods among their scientists and specialized manufacturing personnel, as well as in many instances, sharing this proprietary information with key partners including CROs, CMOs, and equipment manufacturers under nondisclosure agreements. But providing access to wide audiences both inside and outside of these companies creates many potential entry points for a hacker or other IP thief.
CP: What additional precautions can pharmaceutical companies take to protect their IP?
LM: The number one precaution that biopharmaceutical companies can take is to advise and train their employees, consultants, and partners on the importance of keeping the company’s confidential information secure. Companies should make sure these holders of their prized IP understand its confidential nature and treat it with the upmost care, including by refraining from making copies of non-public documents on their laptop hard drives, on thumb drives or other external media, and from transmitting non-public information through non-secure means such as email, including to other employees or partners, or even to their own personal email accounts.
To ensure that company information security policies are being followed, biopharmaceutical companies should monitor employee access and use of confidential documents and conduct audits of compliance with procedures. They should also make it easy, convenient, and if possible, anonymous, for employees to report suspicious activities or intrusions into their computers or accounts, and encourage such reporting. When dealing with partners, collaborators, and vendors that need access to their IP, biopharmaceutical companies should ensure strong nondisclosure agreements and policies are in place, and log and audit access to confidential materials. To the extent feasible, all disclosures to people outside the company should be made in cloud-based, encrypted, password-protected locations, with no ability for printing or screenshots, rather than by transfer of the electronic documents themselves to places outside the company’s secured servers and databases.
CP: What can we expect next regarding this investigation of the two hackers in China who were targeting U.S. companies that were conducting COVID-19 research?
LM: Typically when defendants are outside the United States like the alleged perpetrators here, the next step in the criminal action would be efforts by the Department of Justice to extradite them to the U.S. for prosecution. However, since there is no extradition treaty between the U.S. and China, and the alleged hackers are accused of working at the behest of the Chinese government, it is unlikely that extradition will be accomplished. Beyond this one prosecution, the FBI and Cybersecurity and Infrastructure Security Agency have since May 2020 been working to raise awareness of the threat to COVID-19 research and have expressed a commitment to actively investigate potential targeting and compromises of U.S. organizations conducting COVID-19-related research. If biopharmaceutical companies have concerns or have detected suspicious activity, they are advised to contact the FBI Private Sector Coordinator at their local FBI Field Office. See https://www.fbi.gov/contact-us/field-offices
Laurie has extensive experience litigating complex civil matters, including securities class actions and shareholder derivative actions. She has tried a variety of cases, including several as first chair. While Ms. Mims has represented institutional and individual clients from a wide range of industries, most of her clients are in the biotechnology and venture capital fields.