November 30, 2022


Welcome to the 23rd issue of Decoded for the year.

As we come up to the end of 2022, we invite you to provide us any feedback regarding issues you would like us to revisit. Is there a topic that you find interesting and could use some guidance? Would you like our opinion about a particular issue or case? Please email us your thoughts and we will address them in our last 2022 issue, which will be published in a couple of weeks.

We hope you enjoy this issue and, as always, thank you for reading.

Nicholas P. Mooney II, Co-Editor of Decoded, Chair of Spilman's Technology Practice Group, and Co-Chair of the Cybersecurity & Data Protection Practice Group


Alexander L. Turner, Co-Editor of Decoded and Co-Chair of the Cybersecurity & Data Protection Practice Group

Complex, Customized CRISPR Combo Could Help Patients Cure Their Own Cancer

“In a small phase 1 clinical trial run by PACT Pharma, researchers edited the genes of 16 patients’ immune cells to work against their cancer, then engineered thousands of cells containing the edited genes and reinserted them into their bodies.”

Why this is important: For the first time in humans, CRISPR/Cas9 gene editing has been combined with T cell receptor (“TCR”) therapy to engineer patients’ immune cells to attack their own tumors, greatly moving forward the possibilities for developing highly effective personalized cancer treatments.

CRISPR, first discovered in the early 90s and exponentially improved throughout the early 2000s and 2010s, is a now world-renowned technology for precise gene editing at a relatively affordable cost. Most research up to this point has been focused on isolated animal and human cells and allows scientists to add, remove, and alter genome sequences. Its applications are broad, but most anticipated therapeutic uses are focused on repairing mutated and defective gene sequences at the core of many serious and life-threatening diseases and conditions. Use of CRISPR therapeutically in humans so far has been limited to early-stage trials mostly targeting single-gene disorders.

TCR therapy, on the other hand, is a personalized immunotherapy, which is currently FDA approved for treating certain blood cancers. TCR therapy isolates a patient’s natural T cells, modifies them to express artificial antigen receptors, and releases them back into the patient’s body to supercharge their immune system and attack cancerous cells. While incredibly promising, TCR therapy is not a one-size-fits-all approach and is not available to all patients or for all cancer types.

While CRISPR/Cas9 has shown to be effective for single gene disorders, it has so far lacked broad application to a wide array of cancers. TCR therapy, alternatively, is effective for blood cancers, but has so far struggled to be highly effective for solid tumors, which have various barriers to overcome. The combination of these two therapies to attack solid tumor cancers is thus groundbreaking in both spheres and an area to keep close watch on as researchers and biopharmaceutical companies continue to push the therapy further along through FDA approval.

However, as genome editing advances, ethical concerns will continue to arise and move closer to the forefront of public discourse. Current therapies and uses are legally limited to editing somatic cells in the U.S. and cannot change germ-line cells, which may pass the edits to future generations. With developed therapies entering the market and broader access for patients, it appears ethics will ultimately limit the technology’s full potential in the decades ahead. --- Shane P. Riley

Attorney General Josh Shapiro Announces $391 Million Settlement with Google Over Location Tracking Practices

“This $391,500,000 settlement is the largest multistate Attorney General privacy settlement in the history of the United States.”

Why this is important: Another week, another settlement between state Attorneys General and a tech company related to data privacy. Pennsylvania, along with 39 other states, recently entered into the largest multistate data privacy settlement with Google for $391.5 million. Of the total settlement, Pennsylvania will receive $19.6 million. The matter involved Google’s location tracking practices associated with Google account settings. The Attorneys General initiated the investigation following a 2018 Associated Press article uncovering that Google records users' movements even when users tell Google to turn of location tracking. The location information of users was used to build user profiles and push targeted ads. The Attorneys Generals’ investigation found that Google’s conduct regarding its use of users’ location data constituted violations of state consumer protection laws since at least 2014. In addition to the recordbreaking settlement, Google agreed to: 

  • Show additional information to users whenever they turn an account setting "on" or "off;"
  • Make key information about location tracking unavoidable for users (i.e., not hidden);
  • Create an enhanced "Location Technologies" webpage where users can get detailed information about the type(s) of location data Google collects and how it's used;
  • Put limits on its use and storage of certain types of location information; and
  • Make Google account controls more user-friendly.

This settlement punishes Google for violating consumer protection laws, and gives users greater transparency on how to manage their data and how their data is used. --- Alexander L. Turner

NFL Expands Program to Use Sensor-Loaded Mouthguards to Gather Head Impact Data

“Data from the sensors could show what the human head experiences during an impact, improving efforts to understand and reduce concussions in football.”

Why this is important: This research program can be important if it leads the NFL (and football programs at all levels) to implement helmet technologies that provide true protection against brain trauma in players. That remains to be seen. Twenty years ago, Virginia Tech began studying helmets to reduce damage caused by head injuries in football. Those studies continue today. The current system for rating protection levels in helmets came out of that research. Arizona State University followed up on that research by adding biomarker components to its protocol. Biomarkers remain a critical component of injury analysis and prevention. This mouthguard-sensor program follows many years of helmet-based sensor research on extra-cranial impact forces, but investigators are hopeful that the mouthguard-based sensor data can provide key insight into the internal forces contributing to head injury. The program is being implemented through a partnership with Align Technology (maker of the Invisalign system) at eight university football programs (up from four the prior year). Approximately 250 college-level players can opt-in to the voluntary protocol. Interestingly, reports indicate that mouthguard-based sensor data collection is being simultaneously conducted with players from at least four and as many as 10 NFL clubs. (The NFL is notoriously tight-lipped on injury-related research involving its own players). For years, the NFL did not see much advantage to addressing the consequences of a player having “his bell rung” during a game. Recent rule changes (and an updated league-wide concussion protocol) have made some progress in reducing violent head impacts, such as the updated “targeting” penalty, for example. The current gaps in the NFL’s concussion protocols were on full display this fall, with notable instances involving players from the Miami Dolphins and Tampa Bay Buccaneers programs. Hopefully, this focus and funding can provide meaningful protections for current and former players. --- Hugh B. Wellons and Brian H. Richardson

California’s New Child Privacy Law Could Become National Standard

“The first-in-the-nation legislation, which goes into effect in 2024, imposes sweeping restrictions on internet companies that serve minors, requiring that they design their platforms with children’s ‘well-being’ in mind and barring eight common data-collection practices.”

Why this is important: The California Age-Appropriate Design Code Act will go into effect on July 1, 2024. This legislation will impose certain requirements on businesses that provide online services or features likely to be accessed by children. The term “child” includes all minors up to 18 years of age. Proponents of the legislation include privacy, consumer and child advocates while the tech industry expressed concerns regarding the legislation. The law prohibits companies from engaging in certain activities including: selling children’s personal data and tracking their location (subject to certain exceptions). Companies are also required to have strict privacy settings by default and the policies must be explained in child-friendly language. They are further required to audit their products to record any potential harms to children. 

Although companies can expect further guidance to be released in early 2024, businesses must take steps to examine their products and determine if the legislation applies. Of particular importance is an assessment of whether or not a service is “likely to be accessed” by children. This broad terminology could have widespread application requiring entities to closely examine not just social media networks, but websites, apps and online retailers. Before launching new services, companies will need to conduct a data protection impact assessment to ensure that they are in compliance with the legislation. Since the California legislation may be replicated in other states, organizations should act promptly to determine the law’s applicability and to develop a compliance plan, if necessary. --- Annmarie Kaiser Robey 

Sony Files Patent for Tracking In-Game Digital Assets with NFTs

“The patent would allow gamers to own unique in-game assets and collectibles from their favorite esports stars.”

Why this is important: Sony’s utility patent application, filed in May 2021 and first published November 11, 2022, broadly claims “a system and method for tracking digital assets associated with video games.” The claimed system would allow in-game items to be authenticated using non-fungible tokens (“NFTs”) tracked through a distributed ledger, or blockchain. The filing shows the latest permeation of blockchain technology into gaming and entertainment. Using NFTs and the ledger to prove the provenance of items and other in-game digital art will raise their value significantly since, traditionally, it is not possible to distinguish them from a copy or another instance of the item in-game. If granted, Sony will have a monopoly on this particular method until the early 2040s, leaving competitors looking to monetize these assets with few options other than working with Sony, and giving up a piece of their profits, or attempting to engineer their own method as quickly as possible. Time will tell how gamers across the world respond to the injection of NFTs, and higher costs, into their favorite games, but with gaming and blockchain both on the rise, it appears inevitable that they will supercharge each other’s foothold in the digital economy moving forward. --- Shane P. Riley

Duke, WakeMed Ask Court to Dismiss Lawsuit Over Sending Patient Data to Facebook

“This lawsuit, and others filed in the past several weeks, centers around the use of ‘Meta pixel’ on the health systems’ websites.”

Why this is important: New lawsuits have been filed against Duke, WakeMed, and other healthcare systems related to their relationships with Meta, Facebook’s parent company. It is alleged that Duke and WakeMed violated federal and state privacy laws when they allegedly shared patient data with Meta. Specifically, the patients’ claims involve the use of Meta’s “Meta pixel” on the healthcare systems’ websites. This product was marketed as a way for healthcare systems to track the effectiveness of their targeted advertising. Meta describes Meta pixel as “a snippet of JavaScript code that allows you to track visitor activity on your website. It works by loading a small library of functions that you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion). Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for Advantage+ catalog ads campaigns, and to analyze that effectiveness of your website's conversion funnels.” This product is a type of web beacon, otherwise known as a pixel tag or clear GIF, that is clear, one-pixel-by-one-pixel graphic image that is delivered through a web browser to the user’s computer. The web beacon is a tag that records an end user’s visit to a website, and provides specific profiles of user behavior back to the owner of the website. The plaintiffs allege that Meta was using its “Meta pixel” product to collect patient’s protected health information by allowing Meta to create a digital trail of each visitor’s visit to the healthcare provider’s website. This trail would allow Meta to know what portions of the website they were visiting, including any web portals they may access on the healthcare systems’ website. The issue is that the use of Meta pixels may allow the visitor to be matched with his or her Facebook profile. The lawsuits against Duke and WakeMed, along with other similar lawsuits around the country, are being challenged via Motions to Dismiss because the plaintiffs have failed to plead sufficient facts to show that they have standing to bring their claims. --- Alexander L. Turner

More Schools are Considering Zero Trust. Here’s Why.

“As cyberattacks and ransomware threats against K–12 institutions rise, more IT leaders are learning about the zero-trust cybersecurity model.”

Why this is important: K-12 institutions historically have been prime targets for threat actors because they hold sensitive information and traditionally have deployed underdeveloped security measures. This situation was made worse by the COVID-19 pandemic as many schools quickly transformed to virtual learning without first having in place protections against cyber vulnerabilities. These issues have forced educators and IT staff to rethink cyber protections for K-12 institutions. Many times, the concept of zero trust is being considered. “Zero trust” is the name given to a security system that begins every interaction in an untrusted state. Its name is a bit of a misnomer as a zero trust system is not configured to literally trust no one. Rather, in a zero trust environment, instead of grouping internal users into different network segments and providing varying degrees of security or separating the internet from the internal network, a zero trust environment focuses on individual users and requires them to pass strong identity confirmations to gain access to the network.

While implementing a zero trust approach might sound like an easy decision, it should be remembered that this approach only will work if it is adopted schoolwide. It is not as simple as purchasing a piece of hardware and flipping a switch. All levels of school personnel must support the move to this approach. Then, IT staff experienced in deploying and maintaining a zero trust environment will be needed to properly manage the system. Schools also need to consider issues related to any applicable budget, insurance coverage, data backups, and disaster plans, among other things, if they are to successfully implement a zero trust environment. --- Nicholas P. Mooney II

Amazon Launches Virtual Healthcare Clinic in U.S. for Common Ailments

“Amazon has for years sought to expand its presence in healthcare, where it is a small player.”

Why this is important: “The doctor [might not] see you now.” Amazon has launched its updated platform for providing virtual clinical healthcare in the treatment of common ailments. Amazon had previously piloted its “Amazon Care” program for employees, and appears set to phase-out that program in favor of this new public version under the Amazon Clinic brand. The platform is currently set to provide care for only certain conditions, some of which require a prior diagnosis. Services are based on a flat-fee model, with no insurance plans being accepted. Interestingly, the service claims that in some instances, “no appointments, video calls, or live chat required” for treatment. It remains to be seen how this model will fare in the healthcare market. Perhaps this model of drastically reduced human contact with a treating physician is the natural result of the endless direct-to-consumer marketing that has dominated the healthcare and pharmaceutical market in the United States for more than a generation. Will consumers find it more convenient to use Amazon’s virtual service in addition to maintaining an ongoing relationship with a primary care provider? Many providers already provide access to virtual services to streamline care for such common conditions. Consumers should pay close attention to disclosures and data releases as they weigh their virtual healthcare options. Providers should consider whether their patients could benefit from offering virtual options that can continue to build a doctor-patient relationship. --- Brian H. Richardson

Biotechnology Industry Gets a Boost from Community College Degrees

“Research supported by Joyce Foundation and Ascendium Education Group at the think-tank New America found that twenty-five U.S. states allow community colleges to offer bachelor’s degrees, a departure from their historical roots offering associate degrees that lead to transfer to a 4-year university where students would complete a bachelor’s degree.”

Why this is important: Many people believe that in order to work in an advanced technology field you have to have a degree from a traditional four-year college. That does not appear to be the case with biotechnology. MiraCosta College in California was the first community college in the country to offer a bachelor’s degree in biomanufacturing back in 2014. This degree differs from a traditional bachelor degree insofar as it offers a degree in the production side instead of the research side of the biotechnology industry. Since the commencement of this program, MiraCosta College has graduated almost 100 alumni who were able to get jobs with 60 biotechnology employers in the region. Many of these employers, including Genentech, ThermoFisher and MilliporeSigma have donated equipment, supplies, and hosted interns. The program has been a success because it built on MiraCosta’s already established associate’s degree and credentialing programs. Biotech employers were looking for manufacturing workers who have a strong theoretical understanding of biomanufacturing so that they are prepared to tackle possible problems on the manufacturing floor. With the Biden administration’s push for more biomanufacturing in the United States, MiraCosta’s program is now being replicated in other California community colleges, and throughout the country. --- Alexander L. Turner

Senator Proposes Cybersecurity Mandates for Health Systems

“Virginia Democrat Sen. Mark Warner, chairman of the Senate Select Committee on Intelligence, has released a white paper detailing a series of potential regulatory requirements for health systems aimed at improving cybersecurity across the industry.”

Why this is important: Congress continues to try and strengthen the cybersecurity of the U.S. critical industries. Healthcare is a critical component of the U.S. economy. A reflection of the importance of the healthcare industry is the fact that it continues to be a target for cyber criminals. Cyberattacks on the healthcare industry continue to increase throughout the year. These cyberattacks endanger patient safety and expose their protected health information (“PHI”) to theft. Recently, Virginia Senator Mark Warner released a white paper outlining proposed regulations and recommendations to strengthen healthcare providers’ cybersecurity and provide assistance to respond to attacks. With attacks increasing every year, Senator Warner feels that now is the time to address this issue before it gets worse. One issue that Senator Warner addresses in his white paper is the vulnerabilities that are incorporated in medical devices. His recommendations parallel with the requirements contained in the proposed Patch Act, including requiring a software bill of materials for medical devices and all healthcare industry software. He also recommends establishing minimum cybersecurity practices, addressing insecure legacy systems, and reviewing Medicare payment policies that should be changed to incorporate cybersecurity expenses. Implementing Senator Warner’s recommendations would be a tremendous undertaking, but he believes that the healthcare industry needs to make cybersecurity a primary priority. --- Alexander L. Turner

The Failure of FTX may Inspire Even Tighter Regulation of Crypto-Currency

“This encourages stronger regulation, which may discourage future developments in this industry.”

Why this is important: FTX was a high-flying cryptocurrency exchange, successful and popular in the industry. Famous actors recorded ads played during the Super Bowl! Many of those actors accepted payment in FTX-traded crypto. Values soared. Until it all fell apart in just a few weeks. These unfortunate facts certainly will point out the risks of an “exchange” with nothing truly material behind it but belief. [As an aside, that describes trades in many national currencies, as well, but we’ll see where that goes.] Cryptocurrency values plummeted. Expect more investigations, more sensitivity to “fraud,” and much more regulation restricting or limiting this industry. This industry flourished, in part, because it was so free-wheeling, so experimental, so creative. That may not be the case in the future, as it deals with more legal restrictions and a tough economy. Many analysts say that this industry will never recover. --- Hugh B. Wellons 

New Federal IT Requirements Coming to Higher Ed, Educause Says

“There are some big changes on the horizon for universities’ IT policies, relating to cybersecurity, data privacy, and web accessibility.”

Why this is important: As we have discussed in the past few editions of The Academic Advisor, our e-newsletter focused on education law, the education sector has increasingly become the target of cyberattacks. This includes both school districts and colleges and universities. One development is the fast-approaching deadline for colleges and universities to comply with the December 9, 2022 deadline for implementing certain cybersecurity protections and requirements imposed by the Federal Trade Commission (“FTC”). Those requirements include appointing a person or team to coordinate an institutional information security program, conducting risk assessments, and developing information-security controls. Despite the impending deadline, because the FTC does not see the educational sector as particularly problematic in instituting such requirements, the FTC is likely to be flexible in requiring the implementation of all of its provisions.  

Both the states and the federal government continue trying to address cybersecurity and cyber accessibility issues. Cyber incident reporting is a new proposition that is still being discussed by the FTC. If implemented, it could require educational institutions to report a data breach to the FTC if the breach affects at least 1,000 people. Clarification is being sought regarding whether this will affect colleges and universities. While a comprehensive federal data privacy standard has currently stalled in Congress, discussions at the state and federal levels continue. This includes potential changes to web accessibility requirements as put forth by the U.S. Department of Justice and the U.S. Department of Education’s Office for Civil Rights. --- Alexander L. Turner

Pharma Earnings Outline Drug Law’s Looming Impact on Sales, Development

“While many companies are still unsure of the law’s effects, some have begun to warn investors about the likelihood of lower sales and reduced profitability.”

Why this is important: The U.S. drug pricing law enacted in August may have substantial impacts on pharmaceutical sales and profits. Drug development companies are predicting substantial impacts to their bottom lines. The question will be whether this reduces drug development, which could hurt everyone.

--- Hugh B. Wellons

5 Takeaways from the FDA’s List of AI-Enabled Medical Devices

“As the number of devices increases, the agency is looking to adapt its regulatory framework to the new technology, including faster approval of algorithm updates.”

Why this is important: The FDA created a Digital Health Center of Excellence to help medical device companies using artificial intelligence. Use of AI in such devices exploded in 2022, with 91 approvals in 2022 just through early October. This makes an efficient regulatory process critical to these devices. --- Hugh B. Wellons

LinkedIn Share This Email
This is an attorney advertisement. Your receipt and/or use of this material does not constitute or create an attorney-client relationship between you and Spilman Thomas & Battle, PLLC or any attorney associated with the firm. This e-mail publication is distributed with the understanding that the author, publisher and distributor are not rendering legal or other professional advice on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use.

Responsible Attorney: Michael J. Basile, 800-967-8251