Sensitive Data: A Chain of Trust
Organizations of all types, from banks to government agencies to healthcare providers, are taking steps to protect themselves against the potentially catastrophic loss of sensitive data, intellectual property and business intelligence. In this environment, pharmaceutical companies are becoming more aware of the distinct data-related risks they face.
Consumers provide pharmaceutical companies with personal information for a number of reasons. Visitors to a company’s website, for instance, often are asked to provide personal data – potentially including their name, address, phone number, gender, age and medical conditions – in order to receive newsletters, notifications of drug interactions or free samples from a physician; participate in discount programs; or interact with an online community of people who have the same medical condition.
While pharmaceutical companies’ research and development activities tend to be protected by rigorous security frameworks, their customer-focused efforts are not subject to the same standards of protection. Sales and marketing projects commonly are outsourced to third-party vendors ranging from boutique e-mail marketing agencies to larger firms that provide shared services for multiple companies.
Relationships with these service providers often involve the unregulated exchange of sensitive customer data. Just as customers typically do not know how their data is handled or protected by the pharmaceutical company, the pharmaceutical company often is not fully aware of the data-protection processes or security standards of the vendors it hires. The result is an uneasy “chain of trust” in which risks remain at least partially unknown and standards are not clearly defined.
While contracts with service providers may limit the pharmaceutical company’s legal liability, they do little to protect the company against reputational risk, which has the potential to be even more damaging. In the case of a media story about a privacy violation or loss of sensitive data, few consumers will “read the fine print” and distinguish between the large, well-known company and the obscure service provider responsible for handling the data.
An example occurred in September 2007, when clothing retailer Gap Inc. announced it had lost the unencrypted personal data, including Social Security numbers, of 800,000 job applicants. Buried in the details of the story – and probably irrelevant to most consumers – was the fact that it was an undisclosed, third-party, human resources service provider, not Gap, which actually lost the data.
As consumers become more aware of identity theft and other fraud, continuing reports of new incidents fuel their growing suspicion. Even when blame for data loss can be assigned publicly to another well-known party – such as when Citigroup blamed UPS for a 2005 loss of customer data – reputational damage to both parties can be substantial.
Other industries that handle large quantities of sensitive customer information, such as healthcare and financial services, are subject to regulatory scrutiny and specific data-handling guidelines. But pharmaceutical companies, beyond abiding by general regulations that affect all industries, are for the most part left to establish their own standards and procedures.
Whether a project involves a large, one-time transfer of data to the service provider or an ongoing exchange, data can be compromised at multiple points. This raises data security questions, such as:
- What controls are in place to limit the likelihood – or consequences – of losing data during transmission to the service provider?
- What are the service provider’s security-related procedures while using a company’s data? What assurance is there that they are being followed?
- What happens to the data after the project’s completion?
This last susceptibility is often the source of the greatest uncertainty, as questions arise about who owns the data, how and when it must be destroyed, and certification of that destruction. While each contract may specify some of these matters, the accumulation of different contracts for different vendors leaves plenty of room for confusion and risk.
What is missing is a model to limit risk. By establishing sound risk management practices, companies can greatly reduce ongoing reputational, financial and legal risks related to customer data, resulting in greater security and more efficient working relationships with service providers.
Uncovering Current Practices
Efforts to mitigate data risk should begin with a thorough examination of the ways in which data is processed and exchanged by the pharmaceutical company. Initial goals might include identifying all the business processes that handle sensitive data, the volume and exact type of data being shared, and the service providers involved in each process.
These efforts cannot rest entirely on delineating official processes, however. Even if a detailed process flow already has been established, it is unlikely to tell the whole story about how data actually is handled. For example, an employee may routinely share data in response to informal e-mail requests, bypassing the protections inherent in standard procedures.
Thorough interviews with sales and marketing personnel can reveal surprising gaps between official procedures and day-to-day habits. Electronic monitoring of server traffic – which need not use state-of-the-art technology to be effective – can augment these firsthand accounts with hard evidence of data leaks.
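The kind of unsophisticated monitoring the paragraph above has in mind can be as simple as reading the header row of every attachment leaving the mail gateway. The following is an added illustration, not code from the white paper or from Protiviti: it scans a small set of constructed outbound-message records and flags messages whose attachments carry directly identifying customer fields or Social Security number patterns, and additionally flags any such message whose recipient domain is not on an approved vendor list. The record layout, the field names, the approved-domain list and all addresses are assumptions.

```python
import re

# Constructed outbound-message records for illustration (not real traffic):
# sender, recipient, and the readable text of the attachment.  The field
# names inside the attachments are assumed for the example.
OUTBOUND = [
    {"from": "rep1@pharma.example", "to": "studies@vendor-a.example",
     "attachment": "customer_id,state,age_band,condition\n7f3a9c,NJ,60-69,asthma\n"},
    {"from": "rep2@pharma.example", "to": "friend@gmail.example",
     "attachment": "customer_id,name,street,phone,ssn\n"
                   "1001,Ann Doe,12 Elm St,609-555-0101,123-45-6789\n"},
    {"from": "rep3@pharma.example", "to": "ops@vendor-b.example",
     "attachment": "name,email,condition\nBo Lee,bo@example.com,asthma\n"},
]

# Assumed policy inputs: vendors cleared to receive customer data, and the
# column names that identify an individual directly.
APPROVED_VENDOR_DOMAINS = {"vendor-a.example"}
IDENTIFYING_FIELDS = {"name", "street", "phone", "email", "ssn", "dob"}
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def assess(msg):
    """Return a list of findings for one outbound message (empty = clean)."""
    findings = []
    domain = msg["to"].rsplit("@", 1)[-1].lower()
    attachment = msg.get("attachment") or ""
    header = attachment.splitlines()[0] if attachment else ""
    fields = {f.strip().lower() for f in header.split(",") if f.strip()}

    identifying = sorted(fields & IDENTIFYING_FIELDS)
    if identifying:
        findings.append(f"identifying fields {identifying}")
    if SSN_RE.search(attachment):
        findings.append("SSN-pattern value")
    # Sensitive content is only a leak if it leaves for somewhere unapproved;
    # the vendor-destined case is still reported so the volume can be reviewed.
    if findings and domain not in APPROVED_VENDOR_DOMAINS:
        findings.append(f"recipient {domain} is not an approved vendor")
    return findings


def scan(messages):
    """Return (from, to, findings) for every message that produced a finding."""
    report = []
    for m in messages:
        findings = assess(m)
        if findings:
            report.append((m["from"], m["to"], findings))
    return report


if __name__ == "__main__":
    for sender, recipient, findings in scan(OUTBOUND):
        print(f"{sender} -> {recipient}: {'; '.join(findings)}")
```

Run against the sample records, the message to the approved vendor (already reduced to state, age band and condition) is clean, while the message to a personal mailbox and the message to the unapproved vendor are both reported. The value of such a scan is the comparison it invites between the official process flow and what is actually being sent.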
Rooting Out Risk
Once internal processes have become more transparent, the company can consider ways to limit the risks that remain after data has been shared with the service provider. Perhaps the simplest and most powerful practice companies can implement is removing or de-identifying as much sensitive data as possible before sharing it with a third party, thereby eliminating complexities and concerns at the root.
To do so, the company might begin by analyzing how much of the data each service provider actually needs in order to perform its work, and then compare it to the types of data the provider currently receives. Sales and marketing projects rarely require all the fields of customer data the pharmaceutical company possesses.
In the case of a marketing study examining different age categories, for example, most of the customer data fields could be removed before the data is shared with the service provider. Even when a data field cannot be eliminated, it often can be de-identified. Specific information can be made more general; for instance, providing customers’ states of residence instead of street addresses.
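Applied to the age-category study above, the minimisation step is a per-vendor field specification: every column is either dropped, kept, generalised or replaced by a pseudonym before the extract is written. The code below is an added example, not part of the white paper or of Protiviti's material. It takes a constructed customer extract, applies an assumed specification for the study (state instead of street address, a ten-year age band instead of birth year, a keyed pseudonym instead of the customer identifier so the vendor can still return results, and the condition field unchanged), and then checks that nothing outside the specification survived. The field names, the specification and the reference year are assumptions.

```python
import csv
import hashlib
import hmac
import io

# Constructed customer extract for illustration (not real data).
RAW_EXTRACT = """customer_id,name,street,city,state,phone,birth_year,condition,email
1001,Ann Doe,12 Elm St,Trenton,NJ,609-555-0101,1961,asthma,ann@example.com
1002,Bo Lee,9 Oak Ave,Austin,TX,512-555-0102,1988,asthma,bo@example.com
1003,Cy Ng,4 Pine Rd,Reno,NV,775-555-0103,1975,diabetes,cy@example.com
"""

# Assumed specification for an age-category marketing study.  Any input
# column not listed here is dropped; that is the default, not an exception.
STUDY_SPEC = {
    "customer_id": "pseudonym",   # stable token so results can be matched back
    "state": "keep",              # generalised substitute for street address
    "birth_year": "age_band",     # generalised to a ten-year band
    "condition": "keep",
}


def age_band(birth_year, reference_year):
    """Generalise a birth year to a ten-year age band such as '60-69'."""
    age = reference_year - int(birth_year)
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def pseudonymise(value, key):
    """Keyed hash of an identifier; the key never leaves the company, so the
    vendor cannot enumerate identifiers to reverse the token."""
    return hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()[:16]


def output_fields(spec):
    """Column names the vendor will receive under this specification."""
    return {"age_band" if rule == "age_band" else f for f, rule in spec.items()}


def deidentify_rows(rows, spec, key, reference_year):
    out = []
    for row in rows:
        new = {}
        for field, rule in spec.items():
            if rule == "keep":
                new[field] = row[field]
            elif rule == "age_band":
                new["age_band"] = age_band(row[field], reference_year)
            elif rule == "pseudonym":
                new[field] = pseudonymise(row[field], key)
            else:
                raise ValueError(f"unknown rule {rule!r} for {field}")
        out.append(new)
    return out


def deidentify_csv(text, spec, key, reference_year):
    rows = list(csv.DictReader(io.StringIO(text)))
    return deidentify_rows(rows, spec, key, reference_year)


def leaked_fields(deidentified_rows, spec):
    """Check run before release: any column not in the specification."""
    allowed = output_fields(spec)
    return sorted({f for r in deidentified_rows for f in r if f not in allowed})


if __name__ == "__main__":
    extract = deidentify_csv(RAW_EXTRACT, STUDY_SPEC, b"in-house-secret", 2024)
    assert leaked_fields(extract, STUDY_SPEC) == []
    for row in extract:
        print(row)
```

The specification is the artefact to keep per vendor and per project: it records exactly what each provider receives, which is also the list that end-of-project return or destruction has to account for. The keyed pseudonym is deliberately not a plain hash, since an unkeyed hash of a small identifier space can be reversed by simply hashing every candidate.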
These measures may add an extra step to the data-handling process, making it more time-consuming than simply sending the whole customer file. The mitigating effect they can have on risk, however, is worthwhile. Limiting the amount and type of shared data eases the burden on every other aspect of customer data security and vendor management, including end-of-project procedures for destroying or returning data.
Better Vendor Management
By establishing standard procedures for assessing the security of all service providers – currently engaged ones, as well as candidates for future projects – pharmaceutical companies can improve data security and build more efficient, reliable vendor relationships.
Using objective criteria to assess the customer data risks of doing business with both existing and potential vendors leads to better-informed decisions about whether or not to work with them. Generally, these criteria should include controls around security administration and change control. Without such criteria, these important decisions may be made on an ad hoc, subjective basis that leaves the company more vulnerable to unknown or insufficient security practices on the part of vendors. A consistently implemented procedure for vendor risk assessment can substantially reduce data risk on an ongoing basis.
When evaluating potential vendors, the expected control items should be conveyed during the request for proposal (RFP) process so that candidates are not surprised by the expectations. If an RFP process is not used, the controls should be tested before the contract begins, which is the easiest time for a vendor to respond quickly to any required changes.
Assessment of a vendor may result in any of the following measures:
- Provide less data – or less identifiable data – to reduce risk up front.
- If sensitive data must be shared, validate the vendor’s security controls using a standardized process.
- Negotiate contract changes to shift burden of risk.
- Choose to stop doing business with the vendor.
Some existing vendors may be reluctant to have their practices assessed or make changes in those processes, but most are likely to appreciate the benefits of being “certified” by the pharmaceutical company. By proving they can handle data in a manner that is in line with the company’s standards, they have an inside track for future projects.
While assessment measures may seem to add a layer of complexity to vendor relationships, they actually may have the opposite effect. If certain vendors do not meet security standards or are not willing to have their processes assessed, the pharmaceutical company ultimately may consolidate its active vendors down to a “trusted few,” simplifying overall vendor management.
Whether or not such consolidation occurs, decisions about the companies entrusted with sensitive customer data become more objective and reliable. Pharmaceutical companies that actively address customer data risk, both internally and in their vendor relationships, position themselves to better protect both their customers and reputations.
Protiviti’s Pharmaceutical Services Practice
Protiviti’s practice includes professionals with deep industry experience in pharmaceutical/biotechnology and medical devices. Life sciences organizations are constantly challenged by their need to grow and profit while complying with a wide range of complex and rapidly evolving government regulations.
Whether the top concern is internal audit, regulatory compliance, improving revenues, managing costs, evaluating and safeguarding intellectual property, or leveraging new technology, Protiviti brings industry knowledge and deep skills to help pharmaceutical, biotech and medical-device companies overcome risks and maintain their financial health.
Protiviti views compliance requirements as an opportunity to improve an organization’s operations and financial performance. Our solutions are designed to improve business performance while achieving compliance objectives.
For additional information about the issues reviewed in this white paper or Protiviti’s services, please contact: