Updates and Breaking News on Gene Patents, PHI in the Cloud, Class Actions on ClickWraps and SEC Disclosures On Cybersecurity.
Some recent developments in the great, wide world of technology include:
(i) The Supremes, in a unanimous decision (what?), ruled that naturally occurring genes could not be the subject of patent protection. However, if you can create a gene artificially, you might still qualify. Therefore, the creative force described in the Hebrew Bible missed his or her chance when, on the sixth day, he or she created all those man genes. Further, the one year bar and the first to file things have cluttered up the claim. Also, since man was supposedly created in the image of the creator, there's that pesky prior art issue. See Assn. for Molecular Pathology v. Myriad Genetics, Inc.
(ii) The recently released rules under HIPAA provide that entities that store protected health information ("PHI") for a covered entity are business associates even if the storage provider does not routinely access the information. [See 45 CFR Parts 160 and 164 IV(3)] On the other hand, data transmission organizations (such as the U.S. Postal Service or internet service providers) that serve as mere conduits are not business associates even if they do access the information occasionally in order to provide the service. So, cloud providers of storage of PHI must sign a business associate agreement. It is not clear how long one must hold on to a piece of information to be a storer as opposed to a transferor, or whether encrypting the information in storage without the key would serve to exclude the storage provider from the definition of a business associate.
(iii) In a recent decision by the Seventh Circuit in Harris v. comScore, Inc., the court allowed the certification of a class to stand. The class was composed of entities that had downloaded comScore's software that gathered information on the user's activities and sent the information back to comScore's servers. One of the basic allegations of the plaintiff class was that comScore's clickwrap license was ineffective. We have discussed this before in this post. The court did not make factual findings as to any issues; this is only a class certification hearing, and comScore may have legitimate individual defenses to many of the allegations. However, comScore will have to deal with this in the context of a class action.
(iv) The Securities and Exchange Commission has regulations in place regarding a publicly traded company's obligation to disclose its controls for cybersecurity and is now considering increasing the stringency of those rules. A recent study by Willis Fortune 500 finds that a substantial percentage of reporting companies fail (in Willis' opinion) to adequately disclose their exposure to cybersecurity issues and the impact on the company if an event occurs. Look for this to increase in importance as the supposed cybersecurity wars increase in intensity.