Johnson & Johnson is committed to protecting its information assets. Our Information Security and Risk Management (ISRM) organization, led by our Chief Information Security Officer, has global reach with a presence in all regions of the world, and provides ongoing security consulting on relevant policies, procedures and requirements to all Johnson & Johnson businesses. ISRM has developed a robust program, which constantly enhances our security capabilities to safeguard the Company’s networks, systems, products, and information against evolving cyber threats. In terms of data privacy, it is our strict policy to protect the privacy of those who entrust us with their personal information. In addition to our Code of Business Conduct and all the laws that apply to our operating companies’ handling of personal information, we also have global privacy policies to which all our businesses worldwide must adhere. Our policies reflect our commitment to fair and transparent information practices.
Our advances in the area of information security and data privacy in 2019 include:
- Enhanced compliance capabilities: We increased efforts to ensure compliance with the growing number of new privacy and cybersecurity laws around the globe, which all have security and/or data protection requirements. For example, we collaborated widely across our organization to become compliant with the new California Consumer Privacy Act, which became effective on January 1, 2020. The Act is focused on providing California consumers with the ability to request access to, correction of, and deletion of their data as well as opting out of allowing a company to sell their information. Remediation of over 100 websites controlled by Johnson & Johnson and the establishment of processes to support consumer requests were required to be compliant.
- Improved product security: We partnered with product teams, providing consulting and engineering support for multiple pre-market medical devices and post-market product lines, increasing confidence that cybersecurity controls are in place to ensure the availability of the devices and the confidentiality and integrity of their associated data.
- Improved controls in our supply chain: We defined a cybersecurity strategy and initiated a multi-year program to improve technical and administrative cyber controls within Johnson & Johnson’s supply chain across 125 manufacturing and delivery sites. The program will raise the security and resiliency of our supply chain systems and our ability to achieve supply continuity of our products to both patients and consumers.
- Reinforced internal cybersecurity controls: As every year, we continued to improve our cybersecurity controls to protect our enterprise networks, computing resources, and data from the expanding and evolving cybersecurity threats across our worldwide business.