CORPORATE POLICY MANUAL
© United Technologies Corporation 2016
Section 14 - Proprietary Information Protection
Code of Ethics
A. SUMMARY
B. APPLICABILITY
C. POLICY
D. PROCEDURES
E. REFERENCES
CORPORATE POLICY MANUAL SECTION 14
© United Technologies Corporation 2016
Page 2 of 35
A. SUMMARY
United Technologies Corporation (the "Corporation" or “UTC”) creates, receives, uses, stores,
and transfers various data, including trade secrets and other financial, business, scientific,
technical, economic, and engineering information; and data owned by or about customers,
competitors, suppliers, and individuals outside the Corporation. It is the responsibility of each
UTC director, officer, employee, and service provider to collect, protect, use, and disclose data
only in accordance with this Policy.
Capitalized terms used throughout this Policy are defined in Exhibit 1.
B. APPLICABILITY
1. This Policy applies worldwide to UTC and its subsidiaries, divisions, and other business
entities it controls or for which it provides day-to-day management (“operating units”). Unless
the context indicates otherwise, references to UTC or its operating units include their directors,
officers, and employees.
2. UTC will obligate its Service Providers to comply with this Policy in the conduct of their
business with UTC, through appropriate contractual agreements, warranties and
representations.
3. Local laws, regulations, and other restrictions applicable to any operating unit shall be
applied to the extent of a conflict with this Policy.
C. POLICY
1. The Corporation invests substantial resources in creating and using various types of Data, as
defined in Exhibit 1. Improper use or disclosure of Data damages the Corporation’s legal
rights and results in loss of a competitive advantage. Although the legal and other protections
afforded different types of Data vary, all Data must be protected against misuse and improper
or inadvertent disclosure, as described below.
2. Each director, officer, employee, Service Provider, or Third Party entrusted with UTC Data
shall comply with Exhibit 2, exercise good judgment before disclosing Proprietary
Information (defined in Exhibit 1) within or outside of the Corporation, and obtain all
necessary approvals prior to disclosure.
3. UTC respects legitimate rights in Competitive Information belonging to its customers,
suppliers, competitors, and Third Parties. UTC will solicit, accept, use, and disclose such
information only in conformity with this Policy. Although gathering information about
competing products and services is a necessary and routine element of business, UTC will not
utilize any improper means such as theft or deception. Because there is no single, definitive
standard for determining what is proprietary and because a business must take reasonable steps
to protect its Proprietary Information, UTC will evaluate its receipt of information within the
context of how the information is gathered. See Exhibit 2 and UTC Policy 3.
4. UTC will maintain the confidentiality of Material Nonpublic Information and will comply
with all laws, rules, and regulations regarding the public disclosure of the Corporation’s
business information. Such information will be disclosed only through designated
spokespersons, who typically are the most senior UTC officers. All public disclosures will be
made in accordance with:
Policy 30 - Securities Trading & Release of Material Nonpublic Information;
Policy 51 - Disclosures to Investors Under U.S. Securities Laws; and
Policy 50 - Maintenance of Corporate Governance and Financial Data.
UTC’s directors, officers, employees and Third Parties (and their immediate family members)
shall not misuse Material Nonpublic Information and must not buy, sell or otherwise trade
securities while aware of Material Nonpublic Information.
5. Service Providers having access to Proprietary Information shall have written agreements
approved by the Legal Department and are subject to IT Policy IT-08-108 - Protection of UTC
Data Entrusted to Third Parties.
6. UTC shall maintain a robust Data Breach Incident Response Plan, respond to and remediate
any Data Breach Incident, engage the UTC Crisis Communications Team and others, as
appropriate, and provide notification about Data Breach Incidents as legally or contractually
required. UTC may adopt one Data Breach Incident Response Plan to cover both Proprietary
Information, as addressed by this Policy, and Personal Information, as addressed by Corporate
Policy Manual Section 24. The current UTC Data Breach Incident Response Plan is provided
in Exhibit 4.
7. Records retention requirements are addressed in Section 46 - Retaining Records and Data.
8. Employees and other users of UTC’s Data systems shall receive periodic training in
application of this Policy and Information Technology (“IT”) security. Training may be
provided via UTC’s Ethics and Compliance Education Center.
9. Questions, comments, or suspected noncompliance concerning this Policy may be directed
to an employee’s management, the Legal Department, the UTC Global Compliance Office, or
in confidence or anonymously to a UTC Ombudsman or via the DIALOG or e-DIALOG
Program, as appropriate.
10. Violators of this Policy are subject to disciplinary action, up to and including dismissal
and possible legal consequences.
D. PROCEDURES
1. UTC operating units and UTC Headquarters staff organizations that collect, use, transfer, or
manage Data shall establish and maintain compliance programs meeting the requirements of
Exhibit 3 and pertinent IT policies, procedures, and standards (Index to IT Policies,
Procedures and Standards).
2. The UTC Vice President and Intellectual Property Counsel and the UTC Vice President &
Chief Information Officer shall assist as necessary to ensure proper and complete
implementation of this Policy, including provision of the necessary technology tools to enable
compliance worldwide.
3. The UTC Vice President, Operations and other staff organizations involved in selecting and
retaining Service Providers shall ensure that Service Providers have written agreements in
place to protect Proprietary Information as approved by the Legal Department and that
procurement of Service Providers complies with IT Policy IT-08-108 - Protection of UTC
Data Entrusted to Third Parties.
4. The UTC Vice President and Chief Intellectual Property Counsel and the UTC Worldwide
Director, Internal Audit, will administer assurance and audit programs to ensure that each staff
organization and operating unit complies with this Policy.
E. REFERENCES
UTC Code of Ethics Section 3 - Antitrust Compliance;
Section 4 - Business Ethics and Conduct in Contracting with the U.S. Government;
Section 7 - Conflicts of Interest;
Section 20 - Compliance with Export Controls and Economic Sanctions;
Section 24 - Personal Information Protection;
Section 30 - Securities Trading and Release of Material Nonpublic Information;
Section 32 - Permissible References to UTC by Outside Companies vs. Endorsements;
Section 37 - Electronic Communications Media;
Section 40 - Software License Compliance;
Section 46 - Retaining Records and Data;
Index to IT Policies, Procedures and Standards;
UTC Employee Privacy Notice;
UTC HIPAA Privacy Notice.
EXHIBIT 1 - DEFINITIONS
1.1 “Data Breach Incident” is a set of circumstances that involve actual or a reasonable
possibility of unauthorized access to or possession of, or the loss or destruction of, Proprietary
Information. The circumstances contributing to an Incident may be intentional, unintentional or
accidental, and the access, loss, or destruction may be confirmed or only suspected.
1.2 “Competitive Information” means anything related to the competitive environment or to a
competitor (defined as any company seeking to win business against UTC) — for example,
information related to products, services, pricing, or marketing plans. This information could be
drawn from published sources or could otherwise be widely available to the public. Some of this
information may relate to a specific competitor (“competitor information”), and some competitor
information may be considered by the competitor to be “proprietary,” “business confidential,” or
“trade secret,” which the competitor would normally attempt to hold closely.
1.3 “Data” means Trade Secrets, Proprietary Information, and Personal Information relating to
directors, officers, and employees of the Corporation. Without limiting the generality of the
foregoing, the term includes Proprietary Information, Personal Information (as defined by Corporate
Policy Manual Section 24), and other information (including information belonging to another
person or entity) that is required to be protected against improper use or disclosure by law,
regulation, or contract. This definition applies to information contained in documents or in electronic
form, whether used or disclosed orally, visually, or electronically.
1.4 “Electronic” means relating to technology having electrical, digital, magnetic, wireless,
optical, electromagnetic, or similar capabilities.
1.5 “Encrypted” means the transformation of Data into unusable and/or unreadable form by use
of a confidential process or key.
1.6 “Material Nonpublic Information” means any information that has not been disclosed
publicly by the Corporation and that a reasonable investor likely would consider to be important to a
decision to buy, hold or sell the Corporation's securities. It includes Board of Directors minutes and
deliberations, and nonpublic information disclosed to or possessed by the Corporation that is related
to another corporation and that a reasonable investor likely would consider important to a decision to
buy, hold or sell the securities of the other corporation.
1.7 “Multiple Single Factor Authentication” means using more than one piece of information of
the same factor type in the process of determining whether someone or something is, in fact, who or
what it is declared to be. An example would be knowing a password as well as a question/answer pair
that should yield a generally unique answer for each individual; both are knowledge factors, so this is
not Two Factor Authentication. A ‘factor’ is a classification of authentication types: a knowledge
factor is something that a person knows (e.g., a password), a physical factor is something that a
person has (e.g., a token), and an inherence factor is something that a person is (e.g., a thumbprint).
1.8 “Proprietary Information” means (a) financial, business, scientific, technical, economic and
engineering information (e.g., cost data, formulae, patterns, compilations, programs, devices,
methods, techniques, processes, drawings) that are created, owned, or controlled by the Corporation,
that are not generally known to competitors or others in the industry or the public and that have
independent commercial value or provide a competitive advantage to the Corporation, and (b)
information of a Third Party that the Corporation is obligated to protect. Personal Information, as
defined in Corporate Policy Manual Section 24, may also be Proprietary Information when that
Personal Information is not generally known to competitors or others in the industry or the public
and it would have independent commercial value or provide a competitive advantage to the
Corporation. The term includes Trade Secrets as well as Company Restricted information and
Company Private information, which are defined as:
1.8.1 “Company Private” means information that is important to the Corporation’s business
and legal interests, warranting disclosure only to persons within or outside the Corporation
who have a specific "need to know.” This includes, but is not limited to, employment of key
executives; opinions of in-house or outside legal counsel; financial investments and
resources; sensitive human resources programs; key public-relations endeavors; competitive
relationships with other organizations; audit reports; executive travel schedules; computer
and network architectural and configuration information and related vulnerability
information; and government and customer relations matters. Disclosure of Company
Private information to Third Parties shall only occur pursuant to the terms of an applicable
agreement (such as a nondisclosure agreement) that requires the Third Party to protect the
Company Private information.
1.8.2 “Company Restricted” means Material Nonpublic Information, and other Data such
as Board of Directors information; plans for acquisitions; divestitures and other business
combinations; major company reorganizations or actions; financial results and forecasts;
significant marketing campaigns; significant or new business techniques; sourcing of critical
materials; and critical technical, financial, or management Data. The term includes Personal
Information, as defined in Corporate Policy Manual Section 24, of employees and Third
Parties; and any other information that requires protection under law or regulation.
1.9 “Protect,” as used in this Policy and in Appendix A to this Policy, means, at a minimum, to
apply the level of data integrity, security and access controls necessary to meet the requirements of
agreements UTC has with third parties, law, regulation or UTC policies, including UTC IT Policies,
Procedures & Standards. See Appendix A for examples.
1.10 “Record(s)” means any material upon which written, drawn, spoken, visual, or
electromagnetic information or images are recorded or preserved, regardless of physical form or
characteristics.
1.11 “Service Provider” means any entity or person who/that receives, stores, maintains,
processes, or otherwise is permitted access to Proprietary Information through its provision of
services directly to UTC or its operating units.
1.12 “Single Factor Authentication” is an authentication scheme using only one factor in
determining whether someone or something is, in fact, who or what it is declared to be. An example
would be using a user ID and password to gain access (the user ID identifies the account; only the
password is a factor). A ‘factor’ is a classification of authentication types: a knowledge factor is
something that a person knows (e.g., a password), a physical factor is something that a person has
(e.g., a token), and an inherence factor is something that a person is (e.g., a thumbprint).
1.13 “Third Party” is any individual or entity, including UTC contractors and their employees,
other than UTC or its operating companies.
1.14 “Trade Secrets” means information, including a formula, pattern, compilation, program,
device, method, technique, or process, that has independent economic value, actual or potential,
from not being generally known to, and not being readily ascertainable by proper means by, other
persons who can obtain economic value from its disclosure or use, and is the subject of efforts that
are reasonable under the circumstances to maintain its secrecy.
1.15 “Two Factor Authentication” is an authentication scheme using two factors of different types
in determining whether someone or something is, in fact, who or what it is declared to be. An
example would be using a user ID and password as well as a token to gain access. A ‘factor’ is a
classification of authentication types: a knowledge factor is something that a person knows (e.g., a
password), a physical factor is something that a person has (e.g., a token), and an inherence factor is
something that a person is (e.g., a thumbprint).
EXHIBIT 2 - PROTECTION OF UTC
AND THIRD PARTY INFORMATION
2.1 The Corporation invests substantial resources in creating and obtaining information. Misuse
or improper disclosure of any information damages the Corporation’s legal rights, exposes the
Corporation to liability, and results in loss of a competitive advantage. Each division and subsidiary
shall establish procedures adequate to protect Proprietary Information from improper use or
disclosure, without hampering the legitimate exchange of Proprietary Information within and outside
the Corporation. Procedures shall address, at a minimum, marking, reproduction, safekeeping,
disclosure, external release, retention and destruction or return of Proprietary Information.
2.2 This document establishes a hierarchy of information types and provides guidelines for the
protection of information based on the type of information. Appendix A shall be used to determine
the level of protection assigned to the information and minimum standards on its use and disclosure.
This applies whether the information is used or disclosed in documents, orally, visually or
electronically. If doubt exists as to whether use or disclosure of information is proper, the Legal
Department shall be consulted.
2.3 Proprietary Information disclosed outside the Corporation must be disclosed pursuant to a
nondisclosure agreement, contract, license, technical assistance agreement, or other contractual
instrument that identifies the allowable use and disclosure of the Proprietary Information. The
manner of securing proper legal and contractual protections will be made in consultation with the
Legal Department.
2.4 Proprietary Information provided to customers (including the U.S. Government),
competitors, suppliers, and Third Parties or others in response to solicitations and contracts shall
bear the appropriate restrictive legends authorized by law or regulation, or as specified in the
solicitation or contract.
2.5 The Corporation will receive a Third Party’s Proprietary Information only under a written
agreement that clearly describes the subject matter, labeling requirements, duration, permitted uses,
and other pertinent provisions reviewed and approved by the Legal Department. Such Third Party
Proprietary Information shall be used and disclosed only as permitted by the written agreement.
Copies, derivations, integrations or other representations of such Third Party Proprietary Information
will be labeled in accordance with the agreement.
2.6 Gathering and using information related to competitors is addressed in the Policy
Clarification Circular entitled Gathering Competitive Information. This includes compliance with
U.S. Government rules regarding access to competition sensitive and source selection data, as
described in Policy 4. Unsolicited information received from a Third Party that is claimed or
appears to be Proprietary Information must be sent immediately to the Legal Department, and should
not otherwise be used, reviewed or shared until the Legal Department has evaluated the nature of the
information and the manner in which it was received. If appropriate, the Legal Department will
obtain the proper agreements prior to any evaluation, use, or review by the Corporation.
2.7 The U.S. Economic Espionage Act of 1996 and various other statutes impose civil and
criminal penalties for the misappropriation, counterfeiting, misuse, or destruction of Proprietary
Information and other protected data. Additional information should be obtained from the Legal
Department in the event of unauthorized access to, misuse of, or disclosure of the Corporation’s or a
Third Party’s information.
Appendix A (See Exhibit 1 for definitions)

The table is organized by TYPE OF INFORMATION (columns) and HOW DISCLOSED (rows). The columns are:

(1) Authorized for public release; internal UTC data not falling within another category
(2) Proprietary Information
(3) Proprietary Information that is Company Private, incl. Competitive Information
(4) Proprietary Information that is Company Restricted, incl. Material Nonpublic Information until released by UTC; Personal Information
(5) Controlled by law or regulation (e.g., export controls, Protected Health Information, sensitive employee information)

ELECTRONIC TRANSMISSION - within UTC's IT systems/firewalls
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to identify risks of unauthorized disclosure outside of UTC.
(3) Limit to "need to know".
(4) Limit to "need to know".
(5) Limit to persons having appropriate authorization; password protect or encrypt data before transmission.

ELECTRONIC TRANSMISSION - outside of UTC's IT systems/firewalls (includes Internet-facing applications)
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to highlight risks of unauthorized disclosure outside of UTC; at least Single Factor Authentication required.
(3) Limit to "need to know" and subject to data transfer agreement [1]; at least Multiple Single Factor Authentication required; password protect before transmission.
(4) Limit to "need to know" and subject to data transfer agreement; at least Multiple Single Factor Authentication required; encrypt data at rest and before transmission.
(5) Limit to persons having appropriate authorization and subject to data transfer agreement; Two Factor Authentication required; encrypt data at rest and before transmission.

STORAGE - fixed media, incl. desktop computers, hard drives, servers, etc.
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to highlight the risks of unauthorized disclosure outside of UTC.
(3) Limit availability to persons having a "need to know".
(4) Limit availability to persons having a "need to know"; encrypt data at rest.
(5) Limit availability to persons having appropriate authorization (e.g., access-restricted shared drives designated for this use); encrypt data at rest.

STORAGE - removable media, incl. laptops, USB flash drives, external storage drives, etc.
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to highlight the risks of unauthorized disclosure outside of UTC.
(3) Limit availability to persons having a "need to know"; do not store on removable media unless password protected or encrypted.
(4) Limit availability to persons having a "need to know"; do not store on removable media unless encrypted.
(5) Limit availability to persons having appropriate authorization; do not store on removable media unless encrypted.

MARKINGS
(1) No markings required.
(2) (Internal & external): "UTC PROPRIETARY INFORMATION".
(3) Primary marking (internal & external): "UTC PROPRIETARY INFORMATION". Secondary markings: (a) "COMPANY PRIVATE"; (b) scope of "need to know" group.
(4) Primary marking (internal & external): "UTC PROPRIETARY INFORMATION". Secondary markings: (a) "COMPANY RESTRICTED"; (b) scope of "need to know" group.
(5) Contact Legal Department for appropriate markings.

DISCLOSURE
(1) See below.
(2) Within UTC and to Third Parties under an obligation to protect the Proprietary Information.
(3) "Need to know" basis.
(4) "Need to know" basis.
(5) Persons/parties with legal authorization only, per pertinent agreement, license, etc.

DESTRUCTION (hard & electronic copies)
(1) Per Policy 46.
(2) to (5) Per Policy 46, using means that prevent re-creation of the data (e.g., CD destroyers, disk wipe, etc.).

[1] "Data transfer agreement" means an agreement meeting the requirements of 2.3 above.
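The authentication tiers in Appendix A rest on the factor categories of Exhibit 1 (1.7, 1.12, 1.15): a password plus a security question is two knowledge factors and therefore only Multiple Single Factor Authentication, while Two Factor Authentication needs credentials from two different categories. The following Python is an added example, not part of the Policy or of any UTC system, that classifies a set of presented credentials by those definitions and checks them against the minimum Appendix A requires for electronic transmission outside UTC's IT systems. The credential names and the column keys are illustrative assumptions.

```python
"""Added example (not UTC's code): classify an authentication scheme by the
factor categories of Exhibit 1 and check it against the Appendix A minimum
for transmission outside UTC's IT systems/firewalls.

Credential names and column keys are assumptions made for illustration."""

# Exhibit 1 factor categories. A user ID is an identifier, not a factor
# (Exhibit 1.12), so it is deliberately absent from this map.
FACTOR_OF = {
    "password": "knowledge",
    "security_question": "knowledge",
    "pin": "knowledge",
    "hardware_token": "physical",
    "smart_card": "physical",
    "fingerprint": "inherence",
}


def classify(credentials):
    """Return 'single', 'multiple_single' or 'two_factor'.

    Two credentials of the same category (password + security question)
    are only Multiple Single Factor Authentication (Exhibit 1.7);
    Two Factor Authentication requires credentials drawn from at least two
    different categories (Exhibit 1.15)."""
    factors = [FACTOR_OF[c] for c in credentials]
    if not factors:
        raise ValueError("no credentials presented")
    if len(set(factors)) >= 2:
        return "two_factor"
    if len(factors) >= 2:
        return "multiple_single"
    return "single"


# Ordering used to compare a scheme against a minimum requirement.
STRENGTH = {"single": 1, "multiple_single": 2, "two_factor": 3}

# Appendix A row "Electronic transmission outside of UTC's IT
# systems/firewalls", keyed by column (assumed key names).
MINIMUM_OUTSIDE_UTC = {
    "public_or_internal": None,            # column (1): no special requirements
    "proprietary": "single",               # column (2)
    "company_private": "multiple_single",  # column (3)
    "company_restricted": "multiple_single",  # column (4)
    "controlled_by_law": "two_factor",     # column (5)
}


def meets_requirement(credentials, column):
    """True if the scheme is at least as strong as Appendix A requires."""
    required = MINIMUM_OUTSIDE_UTC[column]
    if required is None:
        return True
    return STRENGTH[classify(credentials)] >= STRENGTH[required]


if __name__ == "__main__":
    for creds in (["password"], ["password", "security_question"],
                  ["password", "hardware_token"]):
        print(creds, "->", classify(creds),
              "ok for controlled_by_law:",
              meets_requirement(creds, "controlled_by_law"))
```

The check deliberately counts categories, not credentials: a scheme that asks for three different passwords never reaches the Two Factor Authentication that column (5) requires.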
Decisions to disclose information will be made only after considering the following:
Type and value of the information;
Contractual or other legal restrictions between the disclosing or receiving party(ies) and the
Corporation. Note that data required to be delivered to a customer pursuant to a valid agreement
will be marked as required thereunder and shall be protected according to the standards or
requirements established in the agreement (e.g., encryption, etc.);
Extent of party’s "need to know;"
Any value the Corporation will receive from the disclosure;
Potential for misuse of the information;
Protections afforded the information under pertinent laws, regulations or contracts, including
U.S. and other obligations such as export controls, treatment of U.S. Government classified
information, and personal privacy. Information subject to these requirements shall be protected
and marked in accordance with pertinent legal or regulatory requirements. Operating units must
avoid legends such as "Confidential" or similar markings if this will create confusion with the
handling of government classified materials;
Impact of the disclosure on other operating units within the Corporation;
Additional restrictions found elsewhere in this Policy and the Corporate Policy Manual:
Section 3- Antitrust Compliance;
Section 4 - Business Ethics and Conduct in Contracting with the U.S. Government;
Section 7 - Conflicts of Interest;
Section 20 - Compliance with Export Controls and Economic Sanctions;
Section 24 - Personal Information Protection;
Section 30 - Securities Trading and Release of Material Nonpublic Information;
Section 32 - Permissible References to UTC by Outside Companies vs. Endorsements;
Section 37 - Electronic Communication Systems; and
Section 40 - Software License Compliance.
Although information other than Proprietary Information may not require the same degree of
protection, decisions to disclose any information will be made after due consideration of the factors
described above. If doubt exists as to whether use or disclosure of information is proper, the Legal
Department shall be consulted.
EXHIBIT 3 - STANDARDS FOR THE PROTECTION OF DATA
3.1 This Exhibit establishes minimum standards to be met by UTC, its operating companies, and
Service Providers to the extent they own, license, receive, store, maintain, process, or otherwise
access Data in electronic or paper form.
3.2 UTC operating units and staff organizations that collect, use, transfer, or manage Data shall
establish and maintain a Data security program meeting the requirements of this Exhibit and
pertinent Information Technology (“IT”) policies, procedures, and standards (Index to IT Policies,
Procedures and Standards).
3.3 The UTC Vice President and Chief Intellectual Property Counsel and the UTC Vice
President & Chief Information Officer shall assist as necessary to ensure proper and complete
implementation of this Policy, including provision of the necessary technology tools to enable
compliance worldwide.
3.4 The UTC Vice President, Operations and other staff organizations involved in selecting and
retaining Service Providers shall ensure compliance with Exhibit 8.
3.5 The Data security program shall identify and assess reasonably foreseeable internal and
external risks to the security, confidentiality, and/or integrity of any records containing Data, and
evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such
risks. The program shall include:
o Ongoing employee (including temporary and contract employee) training;
o Means of ensuring employee compliance with security program policies and
procedures;
o Means for detecting and preventing security program failures;
o Security policies for employees relating to the storage, access and transportation of
records containing Data outside of business systems or premises;
o Disciplinary measures for violations of security program rules;
o Means of preventing terminated employees from accessing records containing Data;
o Reasonable restrictions upon physical access to records containing Data, and storage
of such records and Data in locked facilities, storage areas or containers;
o Regular monitoring to ensure that the information security program is operating in a
manner reasonably calculated to prevent unauthorized access to or unauthorized use
of Data, and upgrading information safeguards as necessary to limit risks;
o Annual reviews of the scope of security rules and more often when there is a material
change in business practices that may reasonably implicate the security or integrity of
Data; and
o Documentation of responsive actions taken in connection with any incident involving
a Breach of Security, and mandatory post-incident review of events and actions taken,
if any, to make changes in business practices relating to protection of Data (See
Exhibit 9).
o Procedures for sanitization and destruction of storage or other media removed from
service, prior to disposal.
3.6 UTC shall oversee Service Providers that have access to or control of Data by:
o Taking reasonable steps to select and retain third-party Service Providers that are
capable of maintaining appropriate security measures to protect such Proprietary
Information; and
o Requiring, by contract, third-party Service Providers to implement and maintain such
appropriate security measures for Proprietary Information.
3.7 UTC electronic or paper systems, including any wireless system (e.g., wireless internet,
personal digital devices, etc.) that collects, uses, transmits or stores Proprietary Information, shall be
managed in accordance with IT Policies, Procedures and Standards. Each such system shall have
the following:
o Secure user authentication protocols, including: control of user IDs and other
identifiers; a secure method of assigning and selecting passwords, or use of unique
identifier technologies such as biometrics or token devices; control of Data security
passwords so that they are kept in a location and/or format that does not compromise
the security of the Data they protect; restriction of access to active users and active
user accounts only; and blocking of access to a user identification after multiple
unsuccessful attempts to gain access, or after whatever limit on access attempts is set
for the particular system.
o Secure access control measures that restrict access to records and files (both active
and archived) containing Proprietary Information to those who need such information
to perform their job duties; and assign unique identifications plus passwords, which
are not vendor supplied default passwords, to each person with computer access, and
that are reasonably designed to maintain the integrity of the security of the access
controls.
o Encryption of all Company Restricted Data, both at rest and in transit, that resides
on any portable electronic device such as laptops, USB flash drives, floppy disks,
CD-ROMs, etc., and of all such Data at the time it is transmitted across public networks
or wirelessly. See IT-12-204.
o TLS encryption between UTC domains and Service Providers’ domains in order to
provide an extra “safety net” for emails sent over public networks. (IT-10-273).
o Requirements for employees and Third Parties to report a loss or suspected
compromise of Data, a loss of a mobile device (laptop, USB drive, etc.) or any other
incident immediately to UTC IT Security at [email protected] (and to any other
security manager servicing the operating company), and as required by U.S.
Government rules related to cyber intrusions (e.g., Industrial Security Letter 2010-02
dated Feb. 22, 2010; DoD Federal Acquisition Regulation Supplement Subpart 204).
o Reasonable monitoring of systems to detect and deter unauthorized use of or access to
Data;
o For systems connected to the Internet, up-to-date firewall protection and operating
system security patches, reasonably designed to maintain the integrity of Data;
o Up-to-date versions of system security software, including malware protection and
reasonably up-to-date patches and virus definitions, and set to receive the most
current security updates on a regular basis; and
o Education and training of employees on the proper use of the computer security
systems and the importance of information security, e.g., limiting collection and
storage of unneeded information; use of encryption; restricting access to drives,
folders, and files; recognizing risks to information security posed by peer-to-peer
(“P2P”) and other file sharing programs.
EXHIBIT 4 – DATA BREACH INCIDENT RESPONSE PLAN
1. Summary
This Data Breach Incident Response Plan (“DBIRP”) provides instructions on how to prepare
for, respond to, and remediate a data breach “Incident” (defined in Section 3 below). This
DBIRP requires that all employees report Incidents and that United Technologies
Corporation (“UTC”) and its business units deploy “Incident Response Teams” (defined in
Section 4 below) with the appropriate skill set and level of authority to respond properly to
any Incidents that are reported.
Capitalized terms used throughout this Exhibit, if not defined in Exhibit 1 to CPM 14, are
defined in section 3 of this Exhibit. The following acronyms are used in this Exhibit:
BU is Business Unit
BU-IRT is a Business Unit-level Incident Response Team
C360 is Compliance 360
DBIRP is Data Breach Incident Response Plan
DBIRPT is the UTC Corporate Data Breach Incident Response Planning Team
HR is Human Resources
IRT is Incident Response Team
IT is Information Technology
UTC is United Technologies Corporation
UTC-IRT is the UTC-level Incident Response Team
2. Applicability
This DBIRP applies to UTC, all of its business segments, units and divisions, and all other
operating entities wherever located (including controlled joint ventures, partnerships and
other business arrangements where UTC has either a controlling interest or effective
management control) (collectively “operating units”). Unless the context indicates
otherwise, references to UTC include all operating units, their directors, officers, employees
and onsite leased labor. For purposes of this DBIRP, the “Business Units” are: Climate,
Controls & Security (“CCS”); Otis; Pratt & Whitney (“P&W”); UTC Aerospace Systems
(“UTAS”); and United Technologies Research Center (“UTRC”).
The Business Units may follow this DBIRP or adopt their own so long as it is not
inconsistent with this DBIRP. If a Business Unit adopts its own DBIRP, it must send that
DBIRP within 30 days of adoption to [email protected]. If a Business Unit
adopts this DBIRP, it must create a contact list (see section 6.14) specific for that Business
Unit and within 30 days of adoption of this DBIRP send the list to
[email protected]. Any changes to a DBIRP or the contact list must also be
sent to [email protected].
3. Data Breach Incident
An “Incident” is defined in Exhibit 1 to CPM 14 and is a set of circumstances that involve
actual or a reasonable possibility of unauthorized access to or possession of, or the loss or
destruction of, “Protected Information” (as defined in Section 3.1 below). The circumstances
contributing to an Incident may be unintentional or accidental and the unauthorized access,
possession, loss, or destruction may be confirmed or only suspected.
Once unauthorized access to or possession of, or the loss or destruction of, UTC Protected
Information has been confirmed by the Incident Response Team the Incident becomes a data
breach “Event”. This DBIRP will use the term Incident to refer to both Incident and Event,
whereas an Event means only a confirmed Incident.
3.1. Protected Information
Protected Information is any information in any form (electronic, hard copy, graphic,
audio, or any other format) that is:
o Proprietary Information (as defined by Corporate Policy Manual Section 14);
o Technical Data (as defined by procedures promulgated under Corporate Policy
Manual Section 20), which is discussed in “UTC Common Interpretation of
Technical Data,” available on the UTC International Trade Compliance site;
o Personal Information (as defined by Corporate Policy Manual Section 24); and
o Designated by any government as Classified or by the United States Government
as controlled under a U.S. government contract.
3.2. Unauthorized Access
Unauthorized access is any circumstance that permits a person or entity to review,
use, see, consume, analyze, sell, transfer, or otherwise control information without
both a legitimate business purpose and a legal basis. Unauthorized access to
Classified information also includes when the Classified Information is sent, received,
or transmitted via any unauthorized means or when an un-cleared individual accesses
information in any fashion.
For example, consider a scenario in which one employee accidentally emails a file
containing the names and home addresses of a business unit’s quality group to a
person in customer service instead of the correct person of the same name in Human
Resources (“HR”). This is unauthorized access because the recipient in customer
service had no legitimate business purpose for the information. Similarly, if UTC
collects home address information for tax and safety reasons, but an employee uses
HR’s home address data to send invitations to a fundraiser for his son’s private
school, that scenario may also involve unauthorized access if it was unrelated to a
legitimate business purpose. Another example is an employee accidentally leaving a
laptop in a taxicab and collecting it from the taxicab dispatcher three days later. In all
of these scenarios, even if the unauthorized access were unlikely to lead to any harm,
the nature of the Incident dictates only the appropriate response, not whether the
circumstances are classified as an Incident. Any circumstance that must be
reported is an Incident, but only those Incidents that are confirmed to be breaches are
Events.
Yet another example of unauthorized access is a hacker breaking into a UTC network.
In such a situation, even if the access to Protected Information may only be potential,
the possibility of access requires a response consistent with this DBIRP.
3.3. Loss or Destruction
Protected Information is lost or destroyed when it is no longer available to UTC to
use. Protected Information can be lost or destroyed in many ways, such as:
o Stolen laptop;
o Flood of an office, destroying the only copy of certain records; and
o Inability to access the only copy of data on a server.
The temporary inability to access Protected Information amounts to a loss if there is
no anticipated resolution or the inability to access lasts for more than a week. If
Protected Information is destroyed but there are other copies (such as back-ups)
available, then it does not constitute an Incident.
3.4. An Incident Includes Actions by a Service Provider or Supplier
An Incident includes unauthorized access to or possession of, or the loss or
destruction of, Protected Information by or in the custody of any person, whether or
not a UTC employee. This includes UTC service providers and suppliers. For
example, if a service provider loses back-up tapes containing Protected Information,
that circumstance would constitute an Incident. To the extent that any UTC employee
or contractor is aware of an Incident resulting from the conduct of a service provider
or supplier, that Incident must be reported and addressed under this DBIRP.
4. Reporting an Incident
Anyone aware of an Incident must immediately report it to an Ethics and Compliance Officer
or through the Ombudsman program. The Ethics and Compliance Officer or Ombudsman
must enter the report into C360. If an Incident has already been reported to the ITC instance
of C360, there is no need to report it again.
The Incident Response Team that investigates the Incident may contact the person making
the report for additional information.
Incidents involving Classified national security information must not be reported in C360 due
to security concerns. Each Business Unit must keep a secure means to track such incidents
locally and to brief the UTC Associate General Counsel, Government Contracts (or
designee).
5. Preparation
The Data Breach Incident Response Planning Team (“DBIRPT”) will be created at the UTC
Corporate level only and is responsible for preparing in advance for Incident response. The
DBIRPT will consist of the: UTC IT Director, Compliance; UTC Associate General
Counsel, Government Contracts; the UTC Assistant General Counsel responsible for
cybersecurity; the UTC Assistant General Counsel, Data Privacy and Security, and a member
of the Communications team. The DBIRPT may add members or delegate any part of its
function, as deemed appropriate.
The DBIRPT is responsible for:
5.1. Preparing UTC to promptly and effectively respond to Incidents.
5.2. Entering into a proactive relationship with a data breach resolution service provider,
if determined to be cost-effective. This may be accomplished by selecting insurance
that provides such services.
5.3. Developing and implementing training and education on this DBIRP. The DBIRPT
will identify the appropriate means for communication for each audience and the
appropriate frequency.
5.4. Conducting a practice exercise each year, or more frequently if appropriate, for the
UTC-IRT to test and improve the DBIRP process. The Privacy Professional for each
BU must ensure that the BU-IRT conducts at least one practice exercise every three
years.
5.5. Reporting annually to the executive oversight committee, as set forth in Section 10
below.
6. Incident Response Team (“IRT”)
To ensure the appropriate actions are considered in developing the response to an Incident,
the IRT may need to include: Legal; Intellectual Property (“IP”); Information Technology
(“IT”); Security; HR; Privacy; International Trade Compliance (“ITC”); Communications;
Government Relations; and potentially an independent forensic investigator and/or a data
breach resolution service provider.
6.1. UTC-level IRT or Business Unit-level IRT
If an Incident involves UTC Corporate Protected Information only (as opposed to Protected
Information from one or more Business Units), then the response will be managed by an IRT
at the UTC level (“UTC-IRT”). If the Incident involves multiple Business Units or UTC
Corporate Protected Information and Business Unit Protected Information, then the UTC-
IRT will take the lead and the Business Unit-level IRT(s) (“BU-IRT”) will assist. If the
Incident involves only Business Unit Protected Information, then the BU-IRT will handle the
response. Each BU must set up an IRT to address any BU-specific Incidents. The BUs have
flexibility to determine which function participates in the IRT, so long as: (1) Legal is
always notified, except in cases of a lost or stolen portable storage device; and (2) Appendix
B is used with appropriate follow-up for cases of a lost or stolen portable storage device.
For Business Unit Incidents involving Classified national security data, systems, or
programs, the local Government Security Compliance manager and Information Systems
Security Manager must take the lead in partnership with the appropriate Business Unit level
IRT team members as required.
6.2. IRT Lead
The function that will lead the IRT depends on the nature of the Incident. The lead
must be identified in order of precedence below, so that an Incident that might fall
into multiple categories is led by the role identified for the first category in which it
properly fits. If there is any question about leadership of the team, the UTC Assistant
General Counsel responsible for cybersecurity and the UTC Assistant General
Counsel, Data Privacy and Security will resolve the issue.
Order of precedence for the IRT lead (Section 6.2):
1. Government Security Compliance Manager and Information Systems Security Manager – Classified information, systems, or programs
2. Lost/Stolen Device Investigator – Lost or Stolen Electronic Storage Device
3. IT Security – Compromise of electronically-stored Protected Information
4. HR – Employee Data
5. Privacy – Any Other Personal Information
6. Legal – All Other
The table also distinguishes three groups of information: electronically-stored Protected Information; Protected Information stored in non-electronic forms, such as hard copy, paper, verbal conversations, etc.; and all Classified information, systems and programs in all forms, media, and formats.
6.3. Legal
Every IRT must involve someone from the Legal Department. The appropriate
member of the Legal Department will be identified in the contact list referred to in
Section 6.14 below.
Legal must be involved to ensure that our actions comply with law, appropriately
mitigate risks, and are consistent with the UTC Code of Ethics and corporate policy.
Legal must involve Global Compliance if there is a suspicion that an employee or
contractor acted maliciously, in other words, if an insider intentionally breached
Protected Information. In all instances, the IRT must consult with Global
Compliance prior to contacting law enforcement. If the Incident involves Classified
Information or information controlled under a U.S. government contract, the UTC
Associate General Counsel, Government Contracts (or designee) must be included on
the IRT team.
Where the Incident involves Personal Information, the Legal representative may be
the Privacy Professional if that person is a member of the Legal Department.
6.4. Communications
Communications must be notified of each Event (a confirmed Event, not all
Incidents). The Communications representative on the IRT will determine whether
and to what extent participation by Communications is required. The
Communications representative must consider whether, when, and how an urgent
and/or informative message should be sent to employees. The Communications
representative must also assess the risk of an Incident becoming public and the nature
of the appropriate response. The Communications representative should provide
input on Communications with affected individuals, external entities, or government
regulators.
6.5. Government Relations
When an Incident involves a federal or state government regulator, Government
Relations must be involved. In all cases where a government regulator is notified,
Government Relations must be informed.
6.6. HR
HR must be involved when the Personal Information of one or more employees is
involved.
6.7. Intellectual Property
Intellectual Property must be involved when an Incident involves Proprietary
Information.
6.8. IT
IT must be involved if there is an IT system or electronically-stored data involved in
the Incident. If the Incident involves only hard copy data, then IT may not need to be
involved. Only appropriately cleared or program accessed IT personnel may be
involved in Incidents impacting Classified IT systems or information.
6.9. ITC
For all Incidents, an ITC representative must determine whether there are any ITC
implications. If there are ITC implications, then the ITC representative must enter the
matter into the ITC instance of C360 and should continue to participate on the IRT as
appropriate. If there are no ITC implications, then the ITC representative does not
need to participate on the IRT.
6.10. Lost/Stolen Device Investigator
Each Business Unit must identify a person or team to serve as the Lost/Stolen Device
Investigator and identify that person(s) on the Business Unit’s Contact List, as
discussed in Section 6.14 below. The Lost/Stolen Device Investigator is responsible
for ensuring that the Lost/Stolen Device Questionnaire, contained in Appendix B, is
completed, including any follow-up described in the Questionnaire.
6.11. Privacy
When Personal Information is involved (regardless of whose Personal Information it is),
Privacy must be involved. For UTC, the Privacy function is represented by the
Assistant General Counsel, Data Privacy and Security. For the Business Units, the
Privacy function is represented by the Privacy Professional for the Business Unit.
6.12. Security
Security must be involved if there is an indication of theft or of a compromise of the
physical integrity of any system or facility. The Corporate Facility Security Officer
must be notified for any Incident involving Classified systems or information.
6.13. External Parties
6.13.1. Independent forensic investigator
An independent forensic investigator may be needed when there is an intrusion into
our networks or facilities. The legal department must be consulted prior to engaging
a forensic investigator to ensure preservation of privilege, and compliance with
applicable laws.
6.13.2. Data Breach Resolution Service Provider
If affected individuals will need to be notified, the IRT should consider whether an
external data breach resolution service provider is needed. This analysis should
depend on the number of individuals that must be notified and whether the IRT can
identify internal resources to manage this process.
6.14. Contact List
Each Business Unit must create a contact list using the template contained in
Appendix C or an equivalent format that identifies the name, title, email, office or
work telephone number and mobile number for the person or persons that represents
Legal, Communications, HR, Intellectual Property, IT, ITC, Lost/Stolen Device
Investigator, Privacy Professional, and Security. The Business Unit must ensure that
the person identified for the contact list has sufficient skill and authority to serve on
the IRT for the Business Unit, including making appropriate determinations about
escalation to senior management. The Business Unit will send the complete list to
[email protected]. The Business Unit must ensure that the contact list
remains current and, at a minimum, provides an annual update by May 15 of each
year even if no change has taken place.
7. Responding to an Incident
The following steps must be taken in the order in which they appear.
The required process for responding to an Incident involving Classified information, systems,
and/or programs is set forth in Exhibit 1.
7.1. Notification and Formation of the IRT
The team lead, as identified in Section 6.2 above, must notify and form the team
using the contact list for the appropriate level IRT, either UTC, BU, or both. The
contact lists shall be posted on privacy.utc.com. If a UTC-IRT and one or more BU-
IRT are required to respond to an Incident, the UTC-IRT lead is responsible for
contacting the UTC-IRT members and the BU-IRT lead(s), who are responsible for
notifying the BU-IRT members.
7.2. Containment
The IRT must ensure that appropriate action is taken to contain any impact while also
permitting investigation of the case. To ensure that containment efforts are addressed
with the appropriate speed, IT may address containment measures without consulting
the full IRT. In doing so, however, IT must consult Global Compliance if there is a
possibility of criminal activity to balance containment with preservation of evidence.
7.3. Triage
The IRT should conduct a preliminary review of the Incident to understand the
severity, set priorities, identify appropriate escalation, and determine the appropriate
schedule for the response. If the Incident involves the loss or theft of a portable
storage device, the appropriate response should be dictated through use of Appendix
B (Questionnaire for Lost and Stolen Devices that Store Data).
[Process flow diagram: Formation of the IRT → Containment → Triage → Investigation → Remediation → Notification → RRCA / Follow-Up]
7.4. Investigation
The IRT will take appropriate steps to investigate the Incident to determine: (1) the
nature and scope of the Incident; (2) what Protected Information may be or is
involved; (3) the likely cause; (4) any improvements that could be made on an interim
basis to the containment effort; and (5) appropriate remediation intended to prevent
the Incident from reoccurring. In conducting an investigation, the IRT should
consider:
o the type and amount of Protected Information at risk;
o the availability of log records to help determine whether Protected
Information was downloaded or copied;
o whether the Protected Information was actually used by an unauthorized
person;
o whether the Protected Information is in the physical possession of an
unauthorized person;
o whether the Incident was part of a broad Internet exploit attack and
whether the attack exposed Protected Information; and
o identifying evidence regarding the cause of the Incident, how to preserve
that evidence, and whether a forensic investigator should be engaged.
The leader of the IRT must consult with the legal department before commencing the
investigations to ensure that appropriate measures are in place to preserve attorney-
client privilege.
7.5. Remediation
Based on its investigation, the IRT will develop recommendations and, as
appropriate, implement measures to remediate any vulnerability and/or help guard
against similar Events from occurring in the future.
7.6. Notification
Generally, notification is only required for an Event, where unauthorized access or
possession of Protected Information has been confirmed. In situations where
unauthorized access or possession cannot be reasonably ruled out or precluded,
notification may be required under applicable law or may be prudent.
7.6.1. Internal Business Customers and Management
The IRT must ensure that the appropriate members of the business and
management are notified and kept apprised of the progress of the response.
7.6.2. Law Enforcement
If there is the possibility that the Incident was the result of criminal activity,
the IRT must consider whether contacting law enforcement is appropriate.
Global Compliance must be consulted prior to contacting law enforcement.
7.6.3. Government Regulators
In certain jurisdictions, certain types of Incidents require notification to
government regulators. In other situations, notification may be prudent. For
example, if notice is being provided to affected individuals, it is generally
advisable to notify the local regulator in advance so that a government
regulator does not learn of an Incident from an affected individual. The
Privacy Professional on the IRT is responsible for any notice to a government
regulator if it involves Personal Information. If Classified Information or
information controlled under a U.S. government contract is involved, then the
UTC Associate General Counsel, Government Contracts (or designee) is
responsible for notice to a government regulator or providing approval for a
Business Unit’s Government Security Compliance manager or Facility
Security Officer to provide notice to a government customer. Otherwise, the
member on the IRT from Legal is responsible for notification to a government
regulator. In the event that an inquiry or notification involves the U.S.
Congress, Government Relations is responsible for notice.
7.6.4. Affected Individuals
If notification to affected individuals is required by applicable law or is
otherwise deemed to be appropriate by the Privacy Professional on the IRT,
the affected individuals must be notified as promptly as possible, consistent
with the terms of applicable law and the need to conduct and/or complete any
investigation. The Privacy Professional shall, in consultation with other
members of the IRT, assume responsibility for drafting the applicable notice,
using any applicable templates that may be available. Prior to providing
notice to affected individuals, the Privacy Professional must consult with the
Assistant General Counsel, Data Privacy and Security.
The notice to affected individuals must include, at a minimum (unless
applicable law requires otherwise):
o a general description of the Incident;
o a general description of the type of Personal Information that was
involved;
o a description of the steps taken or that will be taken to protect the Personal
Information from further unauthorized access and/or acquisitions –
including both containment and remediation measures;
o if credit monitoring and/or protection is being offered, a description of the
product and the process to obtain it;
o a telephone number that the individual may call for further information
and assistance;
o general guidance on how individuals may protect their Personal
Information, as applicable to the nature of the Personal Information
involved; and
o any other information required by applicable law.
If notification to individuals regarding an Incident involving their Personal
Information is not required by law, the IRT should review the findings of any
investigation to determine whether notification should nevertheless be made
to affected individuals. For example, notification might be warranted when
not required by law because the Incident involved data stored on hard copy
forms rather than in an electronic system. If notification is made, it should
include the items identified above.
The decision to notify or not to notify affected individuals must be
documented in the summary required under Section 8.
7.6.5. Commercial business partners whose data may be impacted
If a commercial business partner may be affected, the IRT will consider
contacting that business partner. In making this determination, the IRT must
analyze whether any contractual or legal obligation requires notification. The
IRT must also contact the individual who manages the relationship with that
business partner.
7.6.6. Insurance
The Assistant General Counsel responsible for cybersecurity shall, in
consultation with insurance brokers, coverage counsel, adjusters and
accountants, take steps to evaluate potential rights and obligations under
insurance policies and indemnity agreements in connection with the Incident.
Policies evaluated should include the following, as appropriate:
o Specialty Cyber-risk policies;
o E&O liability policies;
o General liability (CGL), umbrella and excess policies;
o D&O liability policies;
o First-party property, business interruption and extra expense policies;
o Fidelity/employee dishonesty, bankers bonds and crime policies;
o Vendor and partner agreements, including both indemnity provisions and
insurance procurement provisions;
o Counterparties’ potentially applicable coverage where one or more UTC
company may be an additional insured or loss payee.
The Assistant General Counsel responsible for cybersecurity will, as
appropriate, promptly provide notices required under potentially-implicated
insurance or other agreements and shall take any other steps necessary to
preserve UTC’s and the BU’s rights, such as filing timely proofs of loss.
7.6.7. Media
The IRT, particularly the Communications member(s) of the team, must
consider whether preemptive media notification is warranted.
7.7. RRCA / Follow-Up
For confirmed Events, the IRT will conduct a root cause and corrective action analysis
intended to prevent a similar Event and to incorporate any learning about the response
process into this DBIRP. The IRT must prepare a summary of the RRCA and submit it to
[email protected]. The UTC Corporate DBIRPT is responsible for ensuring
that this information is incorporated into updates of the DBIRP.
8. Recordkeeping
The IRT is responsible for preparing a summary of the Incident, response, and RRCA (to the
extent applicable). The IRT lead must send the summary, along with any associated
documents (such as notification letter templates), to [email protected]. The
IRT lead must ensure that the summary and associated documents are sent in a timely
manner, generally within 60 days of the formation of the IRT for that particular Incident.
When warranted, the summary may be modified or updated with new or missing information.
Any records or summaries for Classified Incidents, responses, and RRCA must be approved
by the UTC Associate General Counsel, Government Contracts (or designee) prior to
submission. Such submissions must be sanitized and unclassified to avoid creating a
Classified security violation, as well as in keeping with good Operational Security principles.
The Associate General Counsel, Data Privacy and Security is responsible for maintaining a
log of all Events involving Personal Information.
9. Updating the DBIRP
The UTC Corporate DBIRPT is responsible for updating this DBIRP on an annual basis.
The review will consider the summaries of Incidents from the past year, any regulatory
changes, and best practices in the industry.
10. Executive Ownership
An executive oversight committee will provide oversight for the DBIRP, including
implementation and updates. The executive oversight committee shall consist of the
following (or their designee): the Senior Vice President and General Counsel; the Senior
Vice President, Human Resources and Organization; and the Vice President and Chief
Information Officer. The DBIRPT shall report to the executive committee at least once
annually.
Appendix A
Process for responding to an Incident involving Classified information, systems, and/or
programs
Key to terms and acronyms used in Appendix A
Acronyms:
DSS – U.S. Defense Security Service
ITP - Insider Threat Program
SME - Subject Matter Expert
FSO - Facility Security Officer – A U.S. citizen employee who is appointed by the
contractor, who is cleared as part of the facility clearance, and who will supervise and
direct security measures necessary for implementing applicable requirements of the
National Industrial Security Program Operating Manual and related Federal
requirements for classified information.
Classified – any information that has been determined, pursuant to reference or any
predecessor order, to require protection against unauthorized disclosure in the interest
of national security and which has been so designated.
ISSM - Information System Security Manager – A U.S. citizen employee
who is appointed with oversight responsibility for the development,
implementation and evaluation of the facility’s classified information
system security program.
CPSO - Contractor Program Security Officer - the
individual appointed at a contractor program facility to
provide security administration and management based
upon guidance provided by the Program Security Officer.
SAP - Special Access Program, any program that is established to control
access, distribution, and to provide protection for particularly sensitive
classified information beyond that normally required for TOP SECRET,
SECRET, or CONFIDENTIAL information. A Special Access Program
can be created or continued only as authorized by the senior agency
official delegated such authority.
CTUI - Controlled Technical Unclassified Information, which may include
CDI (covered defense information) as defined in the Defense Federal
Acquisition Regulation Supplement (DFARS).
Customer – U.S. government entity, prime contractor, or
subcontractor under contract with a UTC entity.
Spill – Intentional or unintentional placement of classified information on
unapproved or unauthorized computer systems, networks, equipment, or
devices.
Appendix B
Questionnaire for Lost and Stolen Devices that Store Data
Employee Information
Employee Name:
Employee Number:
Employee Title or Job Function:
Employee Business Unit: ☐ UTC Corporate HQ
☐ CCS
☐ Otis
☐ P&W
☐ UTAS
☐ UTRC
☐ Contractor – please specify the contractor’s employer and the business
unit for which the contractor was working:
Click here to enter text.
Work Location (city/state/country):
Date of Report (MM/DD/YYYY):
Type of Asset: ☐ Company Laptop
☐ Company Smartphone (BlackBerry, Windows Phone, Android)
☐ Company portable storage device (Thumb drive, portable hard drive,
DVD, CD)
☐ Personal device used for company purposes – if so, please specify the
type of device:
Click here to enter text.
☐ Other – please specify:
Click here to enter text.
Loss or Theft: ☐ Loss
☐ Theft/Stolen
Device Information
Device Number:
If there is no asset tag, or it is unknown, provide details such as make,
model, serial number, color, etc.
Date of loss or theft (MM/DD/YYYY):
If the exact date is not known, please include an approximate
date and note that it is an approximation.
Last known location of the device:
Last time device was seen (MM/DD/YYYY):
Last time worked with the device (MM/DD/YYYY):
Last log on to device (MM/DD/YYYY):
Were there any passwords stored with the device?
A password could be stored with the device if it was written
on a piece of paper in the bag, appears on identification in
the bag (e.g., if the password was the person’s middle name
as shown on the driver’s license), or is recoverable in any other way.
☐ Yes – please specify:
Click here to enter text.
☐ No
Are there any special access requirements to use the device?
☐ Yes – please specify:
Click here to enter text.
☐ No
Were there any additional markings, ID, name tag, or
badging on the device?
Examples are the UTC logo, an employee business card, a
colored protective case, a decorative cover, etc.
☐ Yes – please specify:
Click here to enter text.
☐ No
Description of Data on the Device
What type of work do you do?
Use this question to determine what data may be on the device.
- If HR-related work, inquire as to whether Personal
Information was stored on the asset and, if so, be sure to
contact the HR representative on the DBIRP for your
business unit.
- If working with export-controlled or government
programs, determine the nature/type of data on the asset
(export controlled, critical program information, controlled
unclassified information, or information controlled under a
U.S. government contract) and then contact the government
security representative for your business unit.
- If working in engineering, ask whether there was
Proprietary Information stored on the device and, if so,
contact the IP representative on the contact list for your
business unit.
- Consider any other type of risk, such as contact
information for government representatives or customer
Personal Information.
Specific questions follow below to ensure that each issue is
addressed.
What is the most important work information stored on the
asset?
What is the second most important work information
stored on the asset?
Does the asset contain company-private or sensitive
information?
Check for Intellectual Property (IP), trade secrets,
schedule/pricing/campaign/sales data, etc. If the answer is
YES, be sure to contact the IP representative on the DBIRP
contact list for your business unit.
☐ Yes – please specify:
Click here to enter text.
☐ No
Does the asset contain export-controlled data?
Check for U.S. ITAR/EAR or other nations’ export-regulated
data on the asset. If yes, contact your local International Trade
Compliance (ITC) team.
☐ Yes – please specify:
Click here to enter text.
☐ No
Description of Data on the Device
Is there any Government data on the asset?
Critical Program Information, For Official Use Only
Information, Sensitive But Unclassified Information,
Controlled Unclassified Information, Military data, or data
controlled under a U.S. government contract. If yes, contact
your local Government Security Compliance (GSC) team.
☐ Yes – please specify:
Click here to enter text.
☐ No
Does the asset contain any third-party data?
Third-party data may include supplier, vendor, contractor,
subcontractor, or customer data.
☐ Yes – please specify:
Click here to enter text.
☐ No
Is there any Personal Information about another person
stored on the device?
Personal Information is defined in CPM 24 as information that,
when associated with an individual, can be used to identify him
or her. For purposes of this question, you can exclude a name
and/or email address standing alone. Personal Information
could involve HR data or data from customers, suppliers,
vendors, or consumers. If the answer is YES, be sure to contact
the Privacy Professional for your business unit and, if it
involves HR information, also contact the HR representative.
☐ Yes – please specify:
Click here to enter text.
☐ No
Additional Information
Have you ever created a back-up of the asset yourself? ☐ Yes – please specify:
Click here to enter text.
☐ No
Do you have any IT administrative rights or accesses? ☐ Yes – please specify:
Click here to enter text.
☐ No
Is the asset encrypted?
Full-disk or file encryption, beyond just a log-on password. ☐ Yes
☐ No
Did you lose any other device, equipment, or
information?
For example, if a laptop was lost in a travel bag, was there any
other company-issued material with it (hardware/part sample,
phone, USB stick, etc.)?
☐ Yes – please specify:
Click here to enter text.
☐ No
Did you lose any hard copy or printed information with the
device?
For example, was the asset lost or stolen along with company
documents, work files, technical manuals, etc.?
☐ Yes – please specify:
Click here to enter text.
☐ No
Did you file a report with Security?
Includes business unit security/investigations/IT ☐ Yes
☐ No
Did you file a report with local law enforcement or a police
department? ☐ Yes – please specify:
Click here to enter text.
☐ No
Additional Information
Do you work in any field locations (non-UTC facilities),
such as customer locations or a government
installation?
☐ Yes – please specify:
Click here to enter text.
☐ No
Do you hold a security clearance? ☐ Yes
☐ No
Can you think of any person who may have taken the
missing asset? ☐ Yes – please specify:
Click here to enter text.
☐ No
Do you have any additional information of note to report?
Was the interview conducted in-person, by phone, or by
some other means? ☐ Phone
☐ In-Person
☐ Other – please specify:
Click here to enter text.
Interviewer/Investigator Name:
Appendix C
Contact List Template
Business Unit:
☐ Climate, Controls & Security
☐ Otis
☐ Pratt & Whitney
☐ UTC Aerospace Systems
☐ United Technologies Corporation (Corporate)
☐ United Technologies Research Center
Person Maintaining this List:
Date last updated:
Role | Name | Title | Email | Work Phone | Mobile Phone
Legal | | | | |
Communications | | | | |
HR | | | | |
Intellectual Property | | | | |
IT | | | | |
ITC | | | | |
Lost/Stolen Device Investigator | | | | |
Privacy Professional | | | | |
Security | | | | |