New Standards Needed to Close Cybersecurity Risk Gaps in Clinical Trial Agreements
Sites and sponsors may think they have their master clinical trial agreement (CTA) terms and clauses locked in, but protection against data breaches is seldom one of the concepts covered adequately, if at all.
Unfortunately, there are no standard contract terms covering cybersecurity in the clinical trials world, says attorney Katherine Leibowitz of Leibowitz LLC. Sites increasingly are adding some terms to the CTAs they negotiate with sponsors, Leibowitz told attendees at the 2022 SCOPE Summit in Orlando, Fla., last week, but without a mutual understanding of what those terms mean, neither party is fully protected.
“Uniform language doesn’t exist,” she said, encouraging sites and sponsors to “be bold” in inventing one. “It’s an opportunity for you to be proactive, to add your own terms or to have terms in the back of your pocket.” Such terms as “breach,” “security area,” “improper use or disclosure” and “deemed appropriate” need to be clearly defined in a CTA.
“It’s better not to state in the CTA that you will follow ‘reasonable’ or ‘industry standard’ cybersecurity practices — they don’t exist,” Leibowitz, who has more than 20 years’ experience as outside counsel for sponsors of multicenter trials, said.
Mutuality is key, she stressed. Although sponsors carry primary liability for data breaches, CTAs should spell out sites’ — and vendors’ — obligations in the event of a hacking incident. What incidents should they report and how; what costs will be covered by the sponsor vs. the site; which party will indemnify the other in specific instances?
“Interconnectivity of players and technology creates numerous touchpoints among sponsors, trial sites and vendors,” she said, and malware can enter at any of these touchpoints. “Cyber risk is mutual.”
CTAs should include mutual security and liability language, including standards, notice of incidents, costs and more. “Prepare to negotiate from a place of mutuality to protect both parties and encourage reasonable terms,” Leibowitz advised.
When reviewing a CTA for areas impacted by cyber risk, start with clauses on remote monitoring, security, confidentiality, indemnification, limitation of liability and insurance. But other areas of the contract can contain less obvious risks, she warned, such as confidential institutional information and policies, use of study data, legal and regulatory compliance, force majeure and contractors/personnel.
Remote monitoring agreements between sponsors and sites, as well as the End User License Agreements (EULAs) that vendors require, can muddy the contract waters if they contain terms that contradict the CTA, Leibowitz added. “We should be adding language to the CTAs that rejects inconsistent terms of a remote monitoring agreement or an EULA.”
The biggest takeaway for these two documents, she said, “is that they are inconsistent with the CTA and they undermine the terms of the CTA, particularly the indemnification and limitation of liability.” Sites and sponsors should conduct an analysis of these agreements to see where there may be conflicts. “Knock out conflicting terms from those documents in the CTA.”
Remote monitoring itself must be carefully handled in a CTA. Remote source data verification should not be done directly in a site’s electronic health records system, Leibowitz said. “These systems are not designed for monitoring. They expose you to liability for too much information. And as one colleague of mine put it, this is data breach by design.”
CTAs should require all parties to maintain insurance against data breach liability. But, she warned, “don’t agree to maintain insurance sufficient to cover your obligations under the agreement. You have no idea at the end what those obligations are going to ultimately be.”
Leibowitz is in favor of liability caps in CTAs but acknowledges that the industry isn’t there yet. “Eventually there will probably be various caps and baskets in CTAs and vendor agreements, but not yet.”
“Remember that ‘standard’ cybersecurity language does not yet exist for CTAs. You can and should push back on imbalanced terms,” she said. “Mutuality is fair and in everyone’s interest.”