Information Security & Data Privacy

  • GRI 418-1: Substantiated complaints concerning breaches of customer privacy and losses of customer data

We believe in maintaining a proactive information security strategy to protect information assets against deliberate or inadvertent threats to safeguard our business.

Ensuring availability of critical systems and preventing unintended or unauthorized access to business and personal information is foundational to our business continuity and the people who rely on Johnson & Johnson each day.

Gary Harbison

Chief Information Security Officer (CISO), Johnson & Johnson

Similarly, Johnson & Johnson is committed to data privacy and ensuring that protecting personal information is integral to our core way of operating. In addition to our Code of Business Conduct and compliance with the laws that apply to our operating companies’ handling of personal information, we maintain robust data privacy controls to protect the personal information of our employees, customers, partners and all those who entrust their information to us.

The complex patchwork of compliance obligations and active regulatory enforcement in many international markets imposes greater demands on data protection and cyber professionals to design the right type of governance models and solutions to ensure that Johnson & Johnson can compliantly pursue its data-related initiatives across the globe.

Winston Khoo

Chief Privacy Officer, Johnson & Johnson

We improved the robustness of our information security and privacy programs in 2022 in the following ways:

Enhancing protection against cyber risk in critical pharmaceutical research

We improved the cyber posture of multiple Pharmaceutical R&D sites, deploying additional cyber capabilities to protect both systems and data. These actions strengthened the protection of Company IP, improved the resilience of our R&D environments in meeting the needs of our healthcare partners and patients, and reduced the potential for R&D to be negatively affected by a cyber event. New capabilities included technology implementations in research and laboratory environments that provide increased visibility into the security posture of R&D systems and detection of potential cyber threats.

Expanding cyber capabilities

Through both investments in new capabilities and strategic partnerships, we improved the security of Company products, data and systems. Our initiatives included a strategic investment in technology from an industry-leading security provider to enhance the security of our medical device product suite; the deployment of new capabilities supporting continued adoption of zero trust principles, for increased cyber protection of both the Company and our customers; and the deployment of advanced AI-supported tools to better detect and block security threats.

Protecting personal information

We continued our commitment to protecting the personal information of our consumers, clinical research participants and employees, expanding our efforts to ensure compliance with growing legal and regulatory data protection requirements that broaden the protection of individual data subject rights. At the same time, we continued to participate in industry associations and external forums to help shape new regulations under review on cross-border data flows, data localization and other healthcare initiatives in the privacy and cybersecurity space. Focus areas in 2022 included establishing compliance programs for new and expanded U.S. state privacy laws and for multiple privacy and data security legal regulations in China. We also supported data science and digital initiatives, including defining standards for anonymization, pseudonymization and de-identification, to increase our ability to compliantly leverage data insights and promote digital health solutions in our sectors. We made progress on various key privacy processes designed to consistently support the rights of consumers and patients in the management of their personal data, and delivered privacy support to ensure the successful completion of major deals.

Reinforcing our cybersecurity and privacy frameworks

To ensure continuous evaluation and enhancement of the Johnson & Johnson cybersecurity program, we periodically undertake program maturity assessments and pursue security certifications. By way of example, in 2022 we engaged an independent third party to conduct a maturity assessment against the NIST Cybersecurity Framework, providing a current view of program maturity and areas for continued improvement. We also obtained ISO 27001 certification for the environment supporting the Johnson & Johnson CAR-T immunotherapy offering in EMEA, adding to the certifications we hold for a range of Company products. In parallel, we monitor the introduction of new standards such as ISO 31700 covering Privacy by Design, which was released in early 2023, to evaluate the requirements and technical controls needed for the certification process.

Enhancing cyber awareness

Through 2022, we offered our employees around the globe various opportunities to improve their cyber awareness and learn more about smart cyber practices in innovative ways. One example is our CyberEscape online escape rooms, which attracted hundreds of employees who worked in teams to solve a series of basic cyber challenges and puzzles in different escape room scenarios, raising their cybersecurity knowledge.

Additionally, alongside our ongoing information security and privacy training for all employees, in 2022, we expanded our Johnson & Johnson PhishSmarts phishing simulation program. This program provides quarterly simulated phishing emails and follow-up to help employees better detect real phishing attempts and defend against phishing email threats, which pose a potential risk to our organization.

Abbreviations

  • AI: Artificial intelligence
  • CAR-T: Chimeric antigen receptor or Chimeric antigen receptor T-cell
  • EMEA: Europe, Middle East and Africa
  • IP: Intellectual Property
  • NIST: National Institute of Standards and Technology