Blog Post

California’s Mandatory Vaccination Law: SB 277

Samantha Cirillo

In June 2015, California passed a new law barring religious and personal-belief exemptions from the state’s existing mandatory immunization law.[1] Beginning at the start of the 2016 school year, unvaccinated children may only enroll in school with a medical waiver from a licensed physician. [2] While approximately 30 states have removed the personal-belief exemption, California has become one of only 3 states, along with West Virginia and Mississippi, to bar religious exemptions as well.[3] The new law, SB 277, will affect nearly 80,000 students that currently claim personal-belief exemptions. [4]

The law requires that as of July 1, 2016 newly enrolled children will need to be vaccinated absent a sufficient medical waiver.[5] If a child has filed a personal-belief exemption before January 1, 2016, they must comply with the law before reaching the 7th grade. [6] However, children currently in the 7th grade or higher will remain exempt.[7] Parents still have the ability to decline vaccines for their children; however, unvaccinated or partially vaccinated children must be homeschooled. [8]

The law was passed only months after a measles outbreak in California which started in Disneyland and spread to over 150 cases statewide. [9] Although there are many supporters who argue that SB 277 is a necessary protection for schoolchildren, the law has had its fair share of opposition. Parents argue that the law is violating their right to make decisions about their children’s health and safety. [10] The opposition towards vaccines has grown with the increasing number of parents asserting a link between vaccination and autism. [11]

Opponents of the law have held numerous protests and have used social media to raise awareness of the potential risks associated with vaccinations. Actor Jim Carrey expressed his disapproval on Twitter, calling Governor Jerry Brown a “corporate fascist” who is poisoning our children. [12] Carrey has often voiced his concern with the levels of mercury, aluminum and thimerosal in the mandatory vaccines. [13]

An additional argument that has gained a lot of attention in recent months is whether SB 277 interferes with a child’s right to public education.[14] To address these concerns, a group of parents and a non-profit organization, Education 4 All, filed suit in the U.S. District Court claiming that SB 277 violates the state constitution. [15] The court has denied the petitioners’ request for a preliminary injunction which would allow the law to be suspended while the case is being decided. [16] The court stated that there is a long history of requiring children to be vaccinated before entering school and the law will only benefit and protect the community as a whole. [17]

Ultimately, parents may have the right to make health decisions for their own children. But, do they also have the right to put other students, as well as the community in danger as a result of their decisions?


1 Patrick McGreevy and Rong-Gong Lin II, California Assembly approves one of the toughest mandatory vaccination laws in the nation, Los Angeles Times (June 25, 2015), http://www.latimes.com/local/political/la-me-pc-vaccine-mandate-bill-up-for-vote-thursday-in-california-assembly-20150624-story.html

2 Paul Sisson, Federal judge denies injunction against California vaccination law for schoolchildren, Los Angeles Times (Aug. 26, 2016), http://www.latimes.com/local/lanow/la-me-ln-california-vaccination-schools-20160826-snap-story.html

3 Melissa Healy, Pediatricians urge states to get tough on parents who don’t want to vaccinate their kids, Los Angeles Times (Aug. 29, 2016), http://www.latimes.com/science/sciencenow/la-sci-sn-pediatricians-vaccines-exemptions-20160828-snap-story.html

4 Phil Willon & Melanie Mason, California Gov. Jerry Brown signs new vaccination law, one of nation’s toughest, Los Angeles Times (June 30, 2015), http://www.latimes.com/local/political/la-me-ln-governor-signs-tough-new-vaccination-law-20150630-story.html

5 Id.

6  Id.

7 Id.

8 Paul Sisson, supra note 2.

9 Veronica Rocha, Jim Carrey calls Gov. Brown a ‘fascist’ for signing new vaccination law, Los Angeles Times (July 1, 2015), http://www.latimes.com/local/lanow/la-me-ln-actor-jim-carrey-vaccines-20150701-story.html

10 Phil Willon & Melanie Mason, supra note 4.

11 Id.

12 Veronica Rocha, supra note 9.

13 Id.

14 Soumya Karlamangla, Opponents sue to stop California’s vaccination law, Los Angeles Times (July 5, 2016), http://www.latimes.com/local/lanow/la-me-ln-vaccination-lawsuit-20160705-snap-story.html

15 Id.

16 Id.

17 Paul Sisson, supra note 2.

Free Wi-Fi Kiosks to Replace Phone Booths in NYC

Lindsey Marie Round

Kiosks with outlets to charge your phones and free Wi-Fi began emerging in New York City earlier this year to replace outdated phone booths, but there have been many unintended consequences.[1] For example, these kiosks have become hotspots for groups to gather and partake in activities involving drinking and drugs.[2] In addition, homeless individuals have been found to gather around these stations to take advantage of the amenities to charge their devices and stream videos or partake in other pastimes.[3] Modern smartphones tend to have a short battery life due to the numerous applications that are constantly running on them, and individuals are often reliant on the maps features on their phones to get from point A to point B. Therefore, when a person’s phone inevitably dies throughout the course of the day, they are required to find somewhere with an outlet where they can charge their phone and continue on with their day. The kiosks were intended to serve as places where people can charge their phone for a few minutes or connect to the Wi-Fi to check directions without using all of their allotted data for the month.[4] However, the internet browser features have been disabled from these kiosks until a solution is determined to deal with the unintended consequences.[5] One possible alternative would be to add a time limit to the Wi-Fi connection and require individuals to reconnect after the allotted time. However, while this would be an inconvenience for people, it would not completely solve the problem since people could continue using the Wi-Fi.

 

[1] Patrick McGeehan, Free Wi-Fi Kiosks Were to Aid New Yorkers. An Unsavory Side Has Spurred a Retreat, N.Y. Times (Sept. 14, 2016), http://www.nytimes.com/2016/09/15/nyregion/internet-browsers-to-be-disabled-on-new-yorks-free-wi-fi-kiosks.html?_r=0.

[2] Id.

[3] Id.

[4] Id.

[5] Id.

NY’s Proposed Cybersecurity Regulations come up Short

Christopher W. Folk

Governor Cuomo released proposed regulations yesterday through the Department of Financial Services (“DFS”) that would require Covered Entities to hire Chief Information Security Officers (“CISO”) and perform a number of other cybersecurity tasks. This seems like a good step towards enhanced cybersecurity, but is it really?

First, let us examine what entities are actually covered under these new “regulations.” Under § 500.1, Definitions:

Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.

A person is further defined as any individual, partnership, corporation, association or any other entity.

So take the realm of persons and entities engaged in business in New York and extract out the piece that includes: banking, insurance, and financial services and you have the business sector that would be impacted by Cuomo’s regulations.

Now that we have identified the “who” let us examine the “what.”  Under these regulations, each covered entity must develop a cybersecurity program designed to “ensure the confidentiality, integrity, and availability of the Covered Entity’s Information Systems (“IS”).” The cybersecurity program must:

  • identify internal and external cyber risks;
    • identify Nonpublic Information (“NpI”) stored by Covered Entity’s IS
    • identify the sensitivity of NpI
    • identify access to NpI
  • use policies, procedures and also defensive infrastructure to protect IS from
    • either unauthorized access; or
    • other malicious acts
  • detect Cybersecurity events;
  • respond to identified or detected Cybersecurity events to mitigate;
  • recover from Cyber events and restore normal operations and services; and
  • fulfill all regulatory reporting requirements

Furthermore, a Cybersecurity Policy must be implemented and maintained and must minimally address the following:

  • Information Security;
  • data governance and classification;
  • access controls and identity management;
  • business continuity and disaster recovery planning and resources;
  • capacity and performance planning;
  • systems operations and availability concerns;
  • systems and network security;
  • systems and network monitoring;
  • systems and application development and quality assurance;
  • physical security and environmental controls;
  • customer data privacy;
  • vendor and third-party service provider management;
  • risk assessment; and
  • incident response

Some of the other activities the Covered Entities must undertake include:

  • The designation of a Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the cybersecurity program and enforcement of the cybersecurity policy;
  • Penetration Testing and Vulnerability Assessments;
  • Implementation and maintenance of an audit trail;
  • Review and limitation of access privileges;
  • Construct written procedures for in-house applications and procedures for assessing and testing commercial applications;
  • conduct risk assessments;
  • employ cybersecurity personnel and provide them with on-going training and updates related to cybersecurity
  • develop written policies and procedures with respect to IS “accessible to, or held by, third parties…;”
  • implement multi-factor authentication (“MFA”);
  • impose time limits on data retention;
  • provide and attend on-going training;
  • encryption:
    • data-in-transit: encrypt unless infeasible, in that case, use appropriate alternative controls (for up to one year after regulation becomes effective);
    • data-at-rest: encrypt where feasible, where not, use alternative control for up to five years from the date regulation takes effect;
  • develop a written incident response plan;
  • report cybersecurity events to the superintendent if affecting NpI; send yearly compliance reports as well;
  • Exemptions:
    • fewer than 1,000 customers in each of last three calendar years;
    • less than $5,000,000 in gross annual revenue for each of the last three fiscal years;
    • less than $10,000,000 in year-end total assets (calculated according to GAAP)
  • Effective date: January 1, 2017

It certainly sounds like covered entities have been given a comprehensive list of to-do’s; however, when one looks more closely it becomes clear that the devil is in the details (or rather the lack thereof).

At a very high level, one can look to previous statements by the Cuomo administration touting how business-friendly New York is and how much the Government is doing to attract and retain businesses to the Empire State.  If you then look at these regulations in the context of a business climate you must consider what the true goals of the regulations are.  If the desire is to increase New York’s cybersecurity posture and to help both consumers as well as businesses to navigate these ever-changing and difficult technical areas then you have to consider — “was there perhaps a clearer, more efficient, and more compelling approach?”  These pages and pages of regulatory verbiage make it seem as though NY is committed to improving cybersecurity, by encouraging (mandating) that certain businesses move in this direction and that ultimately this helps to protect our personally identifiable information (“PII”).

If the Administration wanted to “help” make NY more cyber-secure, then working with entities and providing resources and assistance would seem a more prudent approach than simply deciding to promulgate regulations through DFS that will impact a very narrow business sector.  While the insurance, financial, and banking sector is arguably critical and replete with NpI and PII, singling this sector out merely because they are licensed and can be controlled by DFS doesn’t serve the greater purpose.  The Administration should be building relationships and helping small businesses, new businesses, and existing businesses to adopt sound cybersecurity policies and to be able to do so without having to bring in expensive outside expertise.  The reality is that once you couple the sectors not covered by these regulations with those that are able to exempt out, you end up with a significant number of entities and persons that have access to, use, and retain PII and that lack the technical expertise and the resources to adequately protect this PII.

 

Issues: CISO Mandate

According to a blog by the NCX Group, “The Real Reason why Organizations aren’t hiring CISOs,” CISOs are often perceived as the holy grail: they have a mix of technical and business skills while being able to single-handedly thwart attacks, maintain a constant state of vigilance in an ever-changing vulnerability paradigm, and bring bottom-line value to an organization.  Furthermore, a recent article in Forbes, “Top U.S. Cybersecurity Salaries Rise to $420,000,” notes that the average salary for a CISO in New York City is $406,000.  Thus, even if some of these entities were to use a virtual CISO (“vCISO”) or a virtual Security Operations Center (“vSOC”), the outlay is likely to be significant, and to what end?  Hiring a CISO or contracting with a vCISO is one small piece of the pie. There is still an inordinate amount of legwork required to assess the current state of Information Security, develop protocols and processes, implement new security controls, and train users. All of these are very real and direct hits to the bottom line, and if the result is that firms simply relocate across the Hudson to avoid these new regulations, is that really a win for NY and for customers?

 

Issues: Third Parties

The regulations require that contracts with third parties that hold NpI and do business with the Covered Entity include a number of cybersecurity provisions: the third party must encrypt NpI data-at-rest and data-in-transit; must use Multi-Factor Authentication; must warrant that the service or product is devoid of any malware or other mechanisms that might impair the IS or NpI of the Covered Entity; and the Covered Entity shall have the right to perform cybersecurity audits of the third-party service provider.

This is extremely problematic.  Consider the case of a Covered Entity that has been using Amazon Web Services (“AWS”) for its hosting and cloud computing needs.  Once these new regulations are implemented, the Covered Entity must execute a new agreement with AWS which includes the aforementioned clauses.  Unfortunately, the Covered Entity is going to be looking for a new service provider because AWS is not going to rewrite their boiler-plate contracts for a small Fortune 1000 covered entity. Even in the case of a Fortune 100 company, AWS is unlikely to execute a contract whereby they allow a customer to perform cybersecurity audits against AWS systems.  In the vast majority of these cases, the third party is not going to be on parity with the Covered Entity and is going to have an unfair bargaining position. Thus the Covered Entity will be faced with moving to a smaller third party that has some flexibility in their contract provisions, relocating these services back in-house, or will simply fail to comply.  Any of those scenarios seems replete with cybersecurity issues.

 

Issue: Encryption

Under these regulations, NpI that is deemed “infeasible” to encrypt will be exempt for a period of 1 to 5 years (1 year for data-in-transit and 5 years for data-at-rest).  First of all, the proliferation of data-at-rest-encryption (“DARE”) runs counter to regulations that would allow data-at-rest to remain unencrypted for up to five years after this regulation takes effect.  Meanwhile, in-flight data, which can also be encrypted by any number of either open-source or commercial means, must be encrypted no later than one year after the regulations are implemented.  How does this disparity further cybersecurity goals?  What is the value of encrypting NpI while it is being transmitted and then allowing it to remain unencrypted at either end or whenever at-rest?  To someone looking for exploits, this advises focusing on data-at-rest, knowing that there is a strong likelihood that it will be sitting around unencrypted, whereas data moving through the network is likely going to be more difficult to correlate and exfiltrate.

 

Summary

If New York actually wants to improve the cybersecurity climate and remain business-friendly, then the creation of a NY-CISO and a NY Security Operations Center that is tasked with helping entities develop and adopt wise cybersecurity policies is more likely to yield positive results and a faster return on investment.  In truth, the larger entities that would be subject to the DFS regulations already have or are in the process of adding a CISO and they understand that their stakeholders demand at least basic cybersecurity hygiene.  Consequently, it is likely that all of the time and effort that went into the development of these regulations, the press releases, the “Victory for NY Cybersecurity” speeches, could have been devoted to building a team that could actually go out and assist businesses and individuals rather than just creating feel-good, do-little verbiage laden regulations [Editor’s Note: the author acknowledges that he has no data with respect to the cost incurred to develop and promote these regulations.  However, the author posits that this effort cost something and that these resources would have been better spent doing rather than drafting].

 

Consider a Different Approach

Create the NY-CISO, implement a team that will work alongside entities to help them move to a cyber-secure posture.  Help businesses across NY, not just the big businesses in New York City.  Build a cybersecurity cooperative that encourages information sharing and rewards rather than punishes businesses for initiating contact and securing PII.  Provide NY businesses with the same liability relief as businesses enjoy under the Cybersecurity Information Sharing Act (“CISA”) of 2015 (entities that share information are shielded from liability that arises as the result of a data breach).  Cybersecurity should be viewed as a basic function of the State and as such, the State should create an agency or department that is equipped to handle cybersecurity matters and is able to improve the NY cybersecurity climate in both the public and private sectors.  If we learned anything from the OPM Data Breach it is that the public sector is not, and should not be, exempt from cyber-hygiene and cybersecurity policies and protocols.  The banking, insurance, and financial services industries are not the only ones that use and retain PII.  Therefore, we need to tackle cybersecurity across the spectrum and not in the myopic view of DFS’s definition of covered entities.  The goal should be to protect PII and any business that deals with PII should receive cybersecurity assistance to further the fundamental goals of the state. The cost of breaches for both consumers and businesses is enormous and it is therefore in New York’s best interest to invest in education, training, and assistance to make NY a leader in cybersecurity and a model for the Nation.  Rather than drafting legislation to mandate compliance and to determine “what” businesses need to do, NY should invest in enhancing its industries, which will foster increased business development and promote rather than prevent in-migration of people and businesses looking for a cyber-secure environment.

 

The Panama Papers: Model Citizen, Zero Discipline

By David Huter

On 3 April 2016, the German newspaper Süddeutsche Zeitung announced that 11.5 million confidential documents had been leaked from the firm to journalists.[1] This is the biggest information leak ever.[2] To give an idea of how big this is, if you add up all the major leaks in the past 5 years, it won’t even equal a quarter of the information that was released in the Panama Papers.[3] Wiki-leaks/cable-gate was 1.7 Gigabytes, Swiss-leaks/ICIJ was 3.3 Gigabytes, Luxemburg leaks/ICIJ was 4 Gigabytes, and the next closest was the Offshore-leaks at 260 Gigabytes.[4] By comparison, the Panama Papers is equal to 2600 Gigabytes, or 2.6 Terabytes of data dating back to the 1970s.[5]

What is said in the Panama Papers?[6] They show how many people have hidden their income and participated in tax evasion for decades.[7] “Twelve national leaders are among 143 politicians, their families and close associates from around the world known to have been using offshore tax havens.”[8] A distinction is to be made between a tax shelter and a tax haven.[9] “Tax havens are locations around the globe known for having lax or nonexistent tax laws that allow individuals or companies to vastly reduce their tax liabilities by holding their assets offshore. Tax shelters are simply investment accounts, securities, investment and tax-planning strategies that minimize tax liability within your own country’s tax system.”[10] Both are legal to an extent, but what the Panama Papers reveal are the processes by which many individuals have committed tax evasion, utilizing tax havens to avoid paying taxes at all costs to the US government and many other countries around the world.[11]

Bradley Birkenfeld, a Swiss banker and American citizen, is thought to be the mastermind behind the leak.[12] He denies these allegations, although he was the whistleblower and received compensation for it (as well as prison time), and actually believes this is the work of the CIA.[13] The idea is reinforced by the fact that no American politicians’ names are included in the information.[14] Regardless, Birkenfeld explains that there was a process or “maze” that banks and lawyers would go through to hide the earnings of their clients, and that process almost always included the law firm Mossack Fonseca.[15]

Mossack Fonseca is a Panama-based law firm that began legally providing its trust services in 1993.[16] It has 44 law offices all over the world, including nine in China.[17] The firm has publicly denied allegations against it and said that the papers have “misrepresented” their work.[18]  They further state that even if their clients have participated in tax evasion, it is because their clients have “misused” their services, and that they try to prevent this by taking active precautionary steps.[19]

Regardless of Mossack Fonseca’s statements denying media allegations, and questions about the mastermind of the leak, this is a colossal exposure of tax evaders all over the world. Information like this is what many countries have been looking for to fix their tax codes. Many tax codes, including the United States Code Title 26, will likely be updated. Furthermore, many countries will be able to pursue the evaded taxes as far back as the statute of limitations for their countries may go.

[1] Frederik Obermaier et al., Süddeutsche Zeitung, Das sind die Panama Papers, Süddeutsche Zeitung (Apr. 3, 2016 7:50 PM), http://panamapapers.sueddeutsche.de/articles/56ff9a28a1bb8d3c3495ae13/ (last visited Apr. 15, 2016).

[2] Id.

[3] Id.

[4] Id.

[5] Id.

[6] Luke Harding, What are the Panama Papers? A guide to history’s biggest data leak, theguardian (Apr. 5, 2016, 5:42 AM), http://www.theguardian.com/news/2016/apr/03/what-you-need-to-know-about-the-panama-papers.

[7] Id.

[8] Id.

[9] Claire Boyte-White, Tax Haven Vs. Tax Shelters: Is There a Difference?, Investopedia, http://www.investopedia.com/articles/personal-finance/093015/tax-haven-vs-tax-shelters-there-difference.asp (last visited Apr. 15, 2016).

[10] Id.

[11] Jeff Gray, ‘Panama Papers’ reveal offshore tax evasion, money laundering among global elite, The Globe and Mail (Apr. 3, 2016, 9:02 PM), http://www.theglobeandmail.com/news/world/leaked-data-from-panamanian-law-firm-point-to-prominent-figures/article29507129/ (last updated Apr. 4, 2016, 6:23 AM).

[12] Eamon Javers, Swiss banker whistleblower: CIA behind Panama Papers, CNBC (Apr. 12, 2016, 12:11 PM), http://www.cnbc.com/2016/04/12/swiss-banker-whistleblower-cia-behind-panama-papers.html.

[13] Id.

[14] Id.

[15] Id.

[16] Mossack Fonseca & Co., The Legal 500, http://www.legal500.com/firms/51479-mossack-fonseca-co/offices/54418-panama-/profile (last visited Apr. 15, 2016).

[17] Matt Herring, Shells and shelves, The Economist (Apr. 7, 2016), http://www.economist.com/node/21552196.

[18] Statement Regarding Recent Media Coverage, Mossack Fonseca, http://mossfonmedia.com/wp-content/uploads/2016/04/Statement-Regarding-Recent-Media-Coverage_4-1-2016.pdf (last visited Apr. 15, 2016).

[19] Id.

Censorship vs Media Freedom: Facebook’s Censorship on Child Porn Hits the Wrong Target

Xiang Qi

Sometimes, the point is to make us uncomfortable. Espen Egil Hansen, the editor-in-chief of Norway’s largest newspaper, shared a post containing an iconic Vietnam War photograph, only for it to be removed soon after due to Facebook’s censorship.

The saga started when reporter Tom Egeland shared a post last month that included a famous 1972 photo by Nick Ut, in which terrified Vietnamese children flee napalm bombs. [1] One of them is a naked 9-year-old girl who is screaming in terror and pain, and Facebook deleted the post because it contained child nudity. [2] Not surprisingly, Facebook also censored a number of Norwegian officials, including prime minister Erna Solberg, who shared the photo on their pages. After intense criticism from media and Norwegian politicians, Facebook backed down Friday afternoon and said it would allow the photo to appear on the social network.

Nearly two-thirds of U.S. adults (62 percent) get their news from social media, according to a recent Pew study. [3]  Social media giants like Facebook thus have unprecedented control over what people see and why. Therefore, Facebook must be held accountable for the information distributed on its platform despite its CEO Mark Zuckerberg’s insistence on Facebook being a tech company instead of a media company. In his open letter to Mark Zuckerberg, Hansen argued that media “have an important task in bringing information, even including pictures, which sometimes may be unpleasant, and which the ruling elite and maybe even ordinary citizens cannot bear to see or hear, but which might be important precisely for that reason.” [4]

Initially defending its decision, Facebook said it could not make exceptions for child nudity, regardless of the photo’s significance. Hansen asked in his letter, “would you once again intercept the documentation of cruelties, just because a tiny minority might possibly be offended by images of naked children, or because a pedophile person somewhere might see the picture as pornography?” [5] Later on Friday, Facebook announced that it would reinstate the image: because of its status as an iconic image of historical importance, the value of permitting sharing outweighs the value of protecting the community by removal. [6]

However, it remains to be seen how the social media giant will adjust its review mechanism to permit sharing of such images. As Hansen continued in his open letter to Facebook, “This right and duty, which all editors in the world have, should not be undermined by algorithms encoded in your office in California.” [7]

[1] Ryan Grenoble, It Took Facebook 2 Weeks To Figure Out The Difference Between War Photography And Kiddie Porn, Huffington Post, http://www.huffingtonpost.com/entry/facebook-censorship-vietnam-photo-norwegianpaper_us_57d2c6b6e4b06a74c9f42fdb?section=us_technology

[2] Id.

[3] Id.

[4] Id.

[5] Grenoble, supra on Sept. 9, 2016.

[6] Id.

[7] Id.

BBC News: Arrests over hacks of CIA and FBI staff

Samuel Miller

In a story published by BBC News, two Americans have been charged for allegedly helping hack high-ranking U.S. government officials. Andrew Otto Boggs, 22, and Justin Gray Liverman, 24, are allegedly members of the ‘Crackas With Attitude’ group, a hacking organization which has been blamed for the attacks.[1]  According to the report, the email accounts of the Director of the CIA, the Chief of National Intelligence, and other high-ranking officials were all hit by ‘Crackas With Attitude’, which also obtained and distributed information of 29,000 FBI and Homeland Security agents and workers.[2]

From October 2015 to February 2016, ‘Crackas With Attitude’ utilized a hacking technique known as social engineering, whereby the attacking entity relies heavily on human interaction to obtain access to data and other sensitive information.[3]  This process, though deceptively rudimentary in concept, often involves deceiving people and organizations into breaking through their normal security procedures.

According to the BBC, “[t]he hackers also posed as technicians from Internet Service Providers (ISPs) and other service companies to get passwords re-set so they could take over accounts and get at federal computer systems.”[4]  Mashable further reported, in regards to the hackers, “[t]hey also uploaded personal information from the victims to public sites, made harassing phone calls to the victims and their family members, and defaced victims’ social media accounts.”[5]  In the affidavit released by the United States Department of Justice, the 37-page document details the enterprises of Boggs and Liverman over the course of the hacking spree, which included breaching “victims’ email, Facebook, and internet accounts, as well as the hacking of the Law Enforcement Enterprise Portal (LEEP), a computer system for U.S. law enforcement, intelligence and criminal justice professionals.”[6]  Furthermore, the FBI is continuing to work on investigating and building their case against ‘Crackas With Attitude’ in conjunction with the Crown Prosecution Service in the United Kingdom, where there are three additional individuals suspected of assisting ‘Crackas With Attitude’.[7]

 

[1] BBC News, Arrests over hacks of CIA and FBI staff BBC News (2016). http://www.bbc.com/news/technology-37316615 (last visited Sep 11, 2016).

[2] BBC News, supra note 1.

[3] Tim Chester, FBI arrests two members of hacker group Crackas With Attitude Mashable (2016), http://mashable.com/2016/09/08/hackers-arrested-fbi/#brm18lxedzqq (last visited Sep 11, 2016).

[4] BBC News, supra note 1.

[5] Chester, supra note 3.

[6] Chester, supra note 3.

[7] BBC News, supra note 1.

New Drug Improves Effectiveness of Pancreatic Cancer Treatment

Nick Dellefave

A new drug may soon become a part of the treatment protocol for pancreatic cancer patients. The drug, IMM-101, was the subject of a patent granted to Immodulon Therapeutics, Inc. in December 2013.[1] IMM-101 is a bacterially derived systemic immunomodulator administered intradermally, meaning it is created using killed bacteria, it modifies the operation of the immune system, and it is given via an injection into the skin.[2][3][4] The drug works by stimulating innate and adaptive T-cells, which attack the cancerous growth.[5] Pancreatic cancer in particular is characterized by a shield of cells protecting the tumor.[6] For this reason, IMM-101 must be administered in concert with gemcitabine, a chemotherapy drug, which serves to break down the protective shield.[7]

Early clinical trials have yielded promising results. Median overall survival for pancreatic cancer patients treated with IMM-101 was 7.5 months, versus 4.4 months with chemotherapy alone.[8] Notably, patients did not exhibit any adverse effects, a rare phenomenon among cancer treatment drugs.[9] For this reason alone, the drug is likely to find acceptance in the oncology community, although FDA approval is still pending.[10]

[1] Cancer Therapy, U.S. Patent No. 8,617,520 (filed Feb. 15, 2012) (issued Dec. 31, 2013).

[2] Caroline Helwick, Pancreatic Cancer: Latest Drug Development Hits and Misses, The ASCO Post (Feb. 25, 2015), http://www.ascopost.com/issues/february-25-2015/pancreatic-cancer-latest-drug-development-hits-and-misses/.

[3] Derek Lowe, Pancreatic Cancer Progress? Maybe, Science Translational Medicine (Sept. 9, 2016), http://blogs.sciencemag.org/pipeline/archives/2016/09/09/pancreatic-cancer-progress-maybe.

[4] K. Noel Masihi, Fighting Infection Using Immunomodulatory Agents, 1 Expert Opinion on Biological Therapy 641, 642 (2001).

[5] Sarah Boseley, New drug ‘wakes up’ immune system to fight one of deadliest cancers, The Guardian (Sept. 6, 2016, 4:00 PM), https://www.theguardian.com/science/2016/sep/06/new-drug-wakes-up-immune-system-to-fight-one-of-deadliest-cancers.

[6] Id.

[7] Id.

[8] Helwick, supra.

[9] Id.

[10] Immodulon Therapeutics, http://www.immodulon.com (last visited Sept. 15, 2016).

3D Printed Organs and The America Invents Act

Aiden Scott

In recent years, 3D printing has emerged from obscurity and become a household term. Currently, 3D printing is proving itself to be incredibly useful in a multitude of industries. In particular, the potential uses of 3D printing in the biotechnology industry have sparked debate about how new technologies and ideas will be protected. Throughout his article, 3D Printed Human Organs and the Debate on Applicable Patent Law, Andrew Armstrong explores the complex interaction between the rapidly evolving technology of 3D printing human organs and U.S. patent law.

Armstrong notes that “3D printed body parts, namely comprised of comparatively simple structures like titanium replacement hip joints, bring in an estimated $537,000,000 annually.”[1] By comparison, these structures are much simpler to create than the complete, functioning organs that 3D printing may soon be able to produce.[2] Due to the amount of money at stake in this emerging market, Armstrong believes “there will be a rush to patent the technology that enables 3D printed organs, which brings the debate over applicable patent law to the forefront.”[3]

At the forefront of this debate is the America Invents Act (AIA), which provides that “no patent may issue on a claim directed to or encompassing a human organism.”[4] The AIA’s language is notably ambiguous, offering patent applicants no guidance as to what a “human organism” is.[5] Because of this ambiguous language, Armstrong believes the courts might be left to interpret the law, absent any congressional clarification.[6]

He notes that there may be precedent set by the Supreme Court in Diamond v. Chakrabarty, where the court established a two-prong test to determine whether “Mohan Chakrabarty’s patent application on a bacterium capable of breaking down crude oil was valid because it was ‘non-naturally occurring,’ and because it was a ‘product of human ingenuity.’”[7] However, after Armstrong consults with Christopher Peil, an experienced Silicon Valley patent attorney, he is reminded that the AIA must be satisfied, along with the two-part test established in Chakrabarty.[8] Armstrong adds that the AIA “doesn’t provide the USPTO and/or the courts with much guidance in understanding and applying the law.”[9]

Armstrong concludes that “although the concept of 3D printed human organs would seem to meet both prongs of the Chakrabarty test,” there is still a tremendous hurdle to overcome in the form of the “ambiguity over the intent of the American Invents Act with respect to this issue.”[10] In any case, it appears that the issue of the patentability of human organs will prove to be a daunting problem for the courts to resolve if legislation remains in its current state.

[1] Andrew Armstrong, 3D Printed Human Organs and the Debate on Applicable Patent Law, ipwatchdog (Oct. 7, 2015), http://www.ipwatchdog.com/2015/10/07/3d-printed-human-organs-and-the-debate-on-applicable-patent-law/id=62307/ (citing Heidi Ledford, The Printed Organs Coming to a Body Near You, 520 Nature 273, 273 (2015)).

[2] Andrew Armstrong, 3D Printed Human Organs and the Debate on Applicable Patent Law, ipwatchdog (Oct. 7, 2015), http://www.ipwatchdog.com/2015/10/07/3d-printed-human-organs-and-the-debate-on-applicable-patent-law/id=62307/.

[3] Id.

[4] Id. (quoting Gene Quinn, AIA Oddities: Tax Strategy Patents and Human Organisms, ipwatchdog (Sept. 12, 2013), http://www.ipwatchdog.com/2013/09/12/aia-oddities-tax-strategy-patents-and-human-organisms/id=45113/).

[5] Andrew Armstrong, 3D Printed Human Organs and the Debate on Applicable Patent Law, ipwatchdog (Oct. 7, 2015), http://www.ipwatchdog.com/2015/10/07/3d-printed-human-organs-and-the-debate-on-applicable-patent-law/id=62307/.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

NYT Reports – “With Wearable Tech Deals, New Player Data Is Up for Grabs”

Teal Johnson

The University of Michigan has a new apparel contract with Nike worth about $170 million. Apart from the student-athletes sporting Nike garb, the contract included a clause that could have much larger implications. This clause could allow Nike to collect personal data from Michigan athletes with the use of wearable technology. Currently, that could be through heart rate monitors, GPS trackers and other devices that log biological activities. Eventually, this could lead to information gathered through “smart clothing,” which contains sensors in the wearable material. The concern is protection of the players because, according to Tatiana Melnik, a health care lawyer, the federal Health Insurance Portability and Accountability Act does not apply to biometric data.

Other universities have contracts including health monitoring devices, but Michigan’s allows Nike broad rights “to utilize” that information. There is a provision that the data will remain anonymous and comply with “all applicable laws,” but there is a lack of regulation in this area and the threat of hacking. Many are concerned about whether the players are adequately represented: because of their amateur status, they have limited leverage to influence agreements such as this. Privacy experts say that the data could harm the student athlete’s future if it were to not remain anonymous. There is potential to reveal intimate details or harm future career opportunities.

The silver lining is that the contract appears to give the university a veto power of sorts: allowing the data to “be subject to university approval.”  Although the information collection is limited to games, practices and other events where coaches or staff appear in official capacities, there is still a major concern for privacy.  Privacy and athletes’ rights advocates worry that legal standards will be outpaced by the technology and some athletes may suffer.

Read the original article here.

Are Your Files Really Safe in The Cloud?

Annie Millar

Cloud storage services have become increasingly popular over the past few years. They offer users an option to store important information externally, saving internal hard drive space. The critical question to ask is how secure these external storage services really are.

The New York Times reports that many factors determine cloud storage safety. Username, password, server connection, and the server’s own protection all play a part. One service, Dropbox, relies on an algorithm developed by the United States government designed for use with secure and classified data. Further, many services rely on technology to protect the transfer of information from the user to the cloud storage servers.

Security is an especially large issue in terms of intellectual property. Clients’ ideas and concepts must be kept confidential, or risk losing patents or trade secrets. Attorneys have a fiduciary duty to protect those ideas and concepts. These storage services may create confidentiality issues if an attorney chooses to utilize them.

What exactly does this mean in terms of practice? Cloud storage services have potential hacking risks, just as any computer operating system does. As a user, it is necessary to maintain strong passwords to keep items secure, and to change those passwords often. In the end, it is a judgment call that the attorney must make. Utilizing cloud storage may be convenient, but it may also create problems if the service is susceptible to hackers.