Information Security & Data Privacy

Johnson & Johnson is strongly committed to protecting the privacy of those who entrust us with their personal information. In addition to our Code of Business Conduct and all the laws that apply to our operating companies’ handling of personal information, we maintain global privacy policies to which all our businesses worldwide must adhere. Our policies reflect our commitment to fair and transparent information practices. Similarly, through our Information Security and Risk Management organization, we safeguard the Company’s networks, systems, products and information against evolving cyber threats to ensure the availability of critical systems and prevent unintended or unauthorized access to both business and personal information.

In 2021, in addition to ongoing programs and controls, our focus included:

Proactive cyber protection for our COVID-19 vaccine information: The intensive development processes and global scrutiny of all COVID-19 development, including our own work at Johnson & Johnson, made vaccine-related information a target for sophisticated attackers. We quickly identified a clear need for additional vigilance and protection of critical data, communications, applications, and systems supporting the development and production of our COVID-19 vaccine. During 2021, we maintained increased threat intelligence and proactive monitoring as well as protection of key manufacturing sites, systems and processes to prevent disruption to vaccine-related activities from potential cyber threats. We also maintained heightened privacy support and guidance for on-site COVID-19 testing, vaccine campaigns and pandemic initiatives.

Increased security capabilities at critical manufacturing sites and product certifications: As part of our ongoing efforts to enhance the resilience of our supply chain in meeting the product needs of our patients and consumers and reduce the risk of Johnson & Johnson being unable to manufacture or ship critical products because of a cyber event, in 2021, we deployed new cybersecurity capabilities at critical manufacturing and distribution sites and enhanced third-party due diligence. Additionally, in 2021, we obtained ISO 27001 certifications for multiple products, including products from both the MedTech and Pharmaceutical business segments.

Maintaining global cybersecurity and privacy compliance: In 2021, we continued our commitment to protecting our valued information resources, such as intellectual property (IP) and personal data, by expanding and automating our data protection capabilities. With the ongoing growth and evolution of global privacy and cybersecurity legal requirements designed to protect the rights of consumers, patients, healthcare professionals (HCPs) and employees, we expanded our efforts to develop enhanced programs to ensure compliance with these new requirements while actively engaging with policymakers to help address critical issues in the rapidly changing privacy and data protection landscape. Our focus areas included the newly established cybersecurity and data privacy laws in China, and evolving legal and regulatory laws in various U.S. states, South Korea, Thailand and South Africa. We also continued to work with our businesses to integrate privacy and information security controls into designated data-driven initiatives (including data science, clinical operations, digital surgery and robotics, and e-commerce) and implement key standardized processes across Johnson & Johnson, designed to consistently support the rights of consumers and patients for the management of their personal data.

Maintaining awareness and vigilance among our employees: It is critical that all employees at Johnson & Johnson maintain an always-on awareness of their role in protecting information and data privacy and know what to do when faced with potential threats and breaches. In addition to our annual mandatory training on privacy and information security for employees (and contractors), regular communications and reminders, we dedicate the months of January and October each year respectively to privacy and cybersecurity awareness. In 2021, January was dedicated to International Privacy Day communications, and October was filled with activities to inform, engage and update employees on matters relating to information security.

At the core of our work lies digital security and data—within Johnson & Johnson, throughout our value chain—and for all those who rely on us. We prioritize the sensitivity of the information we handle and build frameworks that lock in patient security and ensure the protection of personal information entrusted to us. We share our learning externally to improve industry practices and shape regulatory protocols for the benefit of all.
Marene Allison
Chief Information Security Officer, Johnson & Johnson