Clinical Research Organizations (CROs) may be engaged by the life science companies to conduct a variety of services from developing study protocols to managing the site, handling and evaluating data and even assisting with regulatory obligations. This wide range of services that may be administered by the CRO creates specific exposures and liabilities.
We are going to address three types of claims that are happening with more frequency:
1. Data Extortion
Data extortion is becoming a more common exposure for any business that houses data that can be accessed on the internet. When a CRO agrees to manage and/or evaluate data collected from the study there is usually a cyber liability exposure created as the data is stored on a server.
It is more and more common that hackers are finding their way to these databases and then holding the data hostage for a ransom. Obviously, this is a scary scenario as it is unclear how you will prevent recurrence or what will be done with the data by the hacker even if you are able to secure its return. Here is what you should do:
i. Encrypt your database. According to Google, Encryption works by replacing data with unreadable code known as ciphertext. To decrypt the ciphertext back to its original form, you need to employ the key used in the encryption algorithm.
ii. Buy cyber liability insurance. Attackers are becoming more and more sophisticated. Even if your key is secured in a manner that is difficult to obtain sophisticated algorithms are constantly evolving to beat encryption and access data. A properly crafted cyber liability insurance policy is your fail-safe security measure.
2. Sexual Misconduct
Some studies will require employees of the CRO to come in contact with participants. Sexual misconduct is that type of exposure that can create large loss liabilities. Make sure that your liability policy is either silent on sexual misconduct or provides adequate limits for the exposure. This is a particularly sensitive need when studies involve products that impact children, women and/or products that impact people of a sexual nature but allegations of sexual misconduct could occur in almost any situation.
3. Product Liability
A CRO, especially one that conducts clinical trials, should make sure their professional liability policy also includes product liability. While CROs generally do not manufacture a product or create their own product liability exposure, the companies they work for (clinical trial sponsors, etc.) may. A CRO’s client may not carry adequate clinical trial and product liability limits, they could become insolvent or have a lapse in coverage on their policy. If the CRO is named in a complaint their policy may need to respond.