Customer Data and Reputational Risk in the Pharmaceutical Industry

Transcription

1 1 Customer Data and Reputational Risk in the Pharmaceutical Industry Sensitive Data: A Chain of Trust Organizations of all types, from banks to government agencies to healthcare providers, are taking steps to protect themselves against the potentially catastrophic loss of sensitive data, intellectual property and business intelligence. In this environment, pharmaceutical companies are becoming more aware of the distinct data-related risks they face. Consumers provide pharmaceutical companies with personal information for a number of reasons. Visitors to a company s website, for instance, often are asked to provide personal data potentially including their name, address, phone number, gender, age and medical conditions in order to receive newsletters, notifications of drug interactions or free samples from a physician; participate in discount programs; or interact with an online community who have the same medical condition. While pharmaceutical companies research and development activities tend to be protected by rigorous security frameworks, their customer-focused efforts are not subject to the same standards of protection. Sales and marketing projects commonly are outsourced to third-party vendors ranging from boutique marketing agencies to larger firms that provide shared services for multiple companies. Relationships with these service providers often involve the unregulated exchange of sensitive customer data. Just as customers typically do not know how their data is handled or protected by the pharmaceutical company, the handling company often is not fully aware of the dataprotection processes or security standards of the vendors it hires. The result is an uneasy chain of trust in which risks remain at least partially unknown and standards are not clearly defined. Reputational Risk While contracts with service providers may limit the pharmaceutical company s legal liability, they do little to protect the company against reputational risk, which has the potential to be even more damaging. In the case of a media story about a privacy violation or loss of sensitive data, few consumers will read the fine print and distinguish between the large, well-known company and the obscure service provider responsible for handling the data. An example occurred in September 2007, when clothing retailer Gap Inc. announced it had lost the unencrypted personal data, including Social Security numbers, of 800,000 job applicants. Buried in the details of the story and probably irrelevant to most consumers was the fact that it was an undisclosed, third-party, human resources service provider, not Gap, which actually lost the data. As consumers become more aware of identity theft and other fraud, continuing reports of new incidents fuel their growing suspicion. Even when blame for data loss can be assigned publicly to another well-known party such as when Citigroup blamed UPS for a 2005 loss of customer data reputational damage to both parties can be substantial. Unanswered Questions Other industries that handle large quantities of sensitive customer information, such as healthcare and financial services, are subject to regulatory scrutiny and specific data-handling 1 protiviti

2 guidelines. But pharmaceutical companies, beyond abiding by general regulations that affect all industries, are for the most part left to establish their own standards and procedures. Whether a project involves a large, onetime transfer of data to the service provider or an ongoing exchange, data can be compromised at multiple points. This raises data security questions, such as: What controls are in place to limit the likelihood or consequences of losing data during transmission to the service provider? What are the service provider s security-related procedures while using a company s data? What assurance is there that they are being followed? What happens to the data after the project s completion? This last susceptibility is often the source of the greatest uncertainty, as questions arise about who owns the data, how and when it must be destroyed, and certification of that destruction. While each contract may specify some of these matters, the accumulation of different contracts for different vendors leaves plenty of room for confusion and risk. What is missing is a model to limit risk. By establishing sound risk management practices, companies can greatly reduce ongoing reputational, financial and legal risks related to customer data, resulting in greater security and more efficient working relationships with service providers. Uncovering Current Practices Efforts to mitigate data risk should begin with a thorough examination of the ways in which data is processed and exchanged by the pharmaceutical company. Initial goals might include identifying all the business processes that handle sensitive data, the volume and exact type of data being shared, and the service providers involved in each process. These efforts cannot rest entirely on delineating official processes, however. Even if a detailed process flow already has been established, it is unlikely to tell the whole story about how data actually is handled. For example, an employee may routinely share data in response to informal requests, bypassing the protections inherent in standard procedures. Thorough interviews with sales and marketing personnel can reveal surprising gaps between official procedures and day-to-day habits. Electronic monitoring of server traffic which need not use state-of-the-art technology to be effective can augment these firsthand accounts with hard evidence of data leaks. Rooting Out Risk Once internal processes have become more transparent, the company can consider ways to limit data risks after it has been shared with the service provider. Perhaps the simplest and most powerful practice companies can implement is removing or de-identifying as much sensitive data as possible before sharing it with a third party, thereby eliminating complexities and concerns at the root. To do so, the company might begin by analyzing how much of the data each service provider actually needs in order to perform its work, and then compare it to the types of data the provider currently receives. Sales and marketing projects rarely require all the fields of customer data the pharmaceutical company possesses. 2 protiviti

3 In the case of a marketing study examining different age categories, for example, most of the customer data fields could be removed before the data is shared with the service provider. Even when a data field cannot be eliminated, it often can be de-identified. Specific information can be made more general; for instance, providing customers states of residence instead of street addresses. These measures may add an extra step to the data-handling process, making it more timeconsuming than simply sending the whole customer file. The mitigating effect they can have on risk, however, is worthwhile. Limiting the amount and type of shared data eases the burden on every other aspect of customer data security and vendor management, including end-ofproject procedures for destroying or returning data. Better Vendor Management By establishing standard procedures for assessing the security of all service providers currently engaged ones, as well as candidates for future projects pharmaceutical companies can improve data security and build more efficient, reliable vendor relationships. Using objective criteria to assess the customer data risks of doing business with both existing and potential vendors leads to better-informed decisions about whether or not to work with them. Generally, these criteria should include controls around security administration and change control. Without such criteria, these important decisions may be made on an ad hoc, subjective basis that leaves the company more vulnerable to unknown or insufficient security practices on the part of vendors. A consistently implemented procedure for vendor risk assessment can substantially reduce data risk on an ongoing basis. When evaluating potential vendors, the expected control items should be conveyed during the request for proposal (RFP) process so that candidates are not surprised by the expectations. If an RFP process is not used, the controls should be tested before the contract begins, which is the easiest time for a vendor to respond quickly to any required changes. Assessment of a vendor may result in any of the following measures: Provide less data or less identifiable data to reduce risk up front. If sensitive data must be shared, validate the vendor s security controls using a standardized process. Negotiate contract changes to shift burden of risk. Choose to stop doing business with the vendor. Some existing vendors may be reluctant to have their practices assessed or make changes in those processes, but most are likely to appreciate the benefits of being certified by the pharmaceutical company. By proving they can handle data in a manner that is in line with the company s standards, they have an inside track for future projects. While assessment measures may seem to add a layer of complexity to vendor relationships, they actually may have the opposite effect. If certain vendors do not meet security standards or are not willing to have their processes assessed, the pharmaceutical company ultimately may consolidate its active vendors down to a trusted few, simplifying overall vendor management. Whether or not such consolidation occurs, decisions about the companies entrusted with sensitive customer data become more objective and reliable. Pharmaceutical companies that actively address customer data risk, both internally and in their vendor relationships, position themselves to better protect both their customers and reputations. 3 protiviti

4 Learning from Other Industries Of course, the pharmaceutical industry is not the only one in which companies share significant amounts of customer information with vendors. However, unlike the pharmaceutical industry, other industries have regulations in place that specifically address the appropriate handling and protection of customer data. For example, in the banking industry, the Gramm-Leach-Bliley Act (GLBA) includes vendor management requirements that extend privacy and information security requirements to third-party agreements. In the healthcare industry, under the Health Insurance Portability and Accountability Act (HIPAA), service providers given access to patients protected health information must sign a Business Associate agreement that outlines appropriate handling of customer information, including the return or destruction of the data. These regulations share a similar approach: Identifying where a company has sensitive data, performing a risk assessment, and then implementing a structured plan to mitigate the risks. Pharmaceutical companies seeking to develop effective strategies to mitigate their own risk might find it valuable to learn more about these regulations in greater depth. They also should take note that individual states such as California are enacting their own distinct legislation. Even when processes are strictly regulated, each company must invest significant effort to interpret the rules and establish its own standards of discipline. Another development in the financial industry also may be worth watching. In 2006, a nonprofit financial industry consortium called BITS launched the Financial Institution Shared Assessments Program (FISAP) to establish industry-standard procedures that financial institutions should use to evaluate the security controls of their IT service providers. A primary goal of FISAP, which currently is gaining acceptance, is to reduce monitoring and compliance costs for both financial institutions and their service providers. 4 protiviti

5 About Protiviti Protiviti ( is a global consulting and internal audit firm composed of experts specializing in risk, advisory and transaction services. We help solve problems in finance, operations, technology, litigation, and governance, risk and compliance (GRC). Our highly trained, results-oriented professionals serve clients in the Americas, Asia- Pacific, Europe and the Middle East and provide a unique perspective on a wide range of critical business issues. Protiviti has more than 60 locations worldwide and is a wholly owned subsidiary of Robert Half International (NYSE symbol: RHI). Founded in 1948, Robert Half International is a member of the S&P 500 index. Protiviti s Pharmaceutical Services Practice Protiviti s practice includes professionals with deep industry experience in pharmaceutical/biotechnology and medical devices. Life sciences organizations are constantly challenged by their need to grow and profit while complying with a wide range of complex and rapidly evolving government regulations. Whether the top concern is internal audit, regulatory compliance, improving revenues, managing costs, evaluating and safeguarding intellectual property, or leveraging new technology, Protiviti brings industry knowledge and deep skills to help pharmaceutical, biotech and medical-device companies overcome risks and maintain their financial health. Protiviti views compliance requirements as an opportunity to improve an organization s operations and financial performance. Our solutions are designed to improve business performance while achieving compliance objectives. For additional information about the issues reviewed in this white paper or Protiviti s services, please contact: Edward J. Scheuer Managing Director ed.scheuer@protiviti.com John F. Bingham Director john.bingham@protiviti.com Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services Protiviti Inc. An Equal Opportunity Employer.