
CORPORATE POLICY MANUAL
Section 14 - Proprietary Information Protection
Code of Ethics
© United Technologies Corporation 2016

A. SUMMARY
B. APPLICABILITY
C. POLICY
D. PROCEDURES
E. REFERENCES


A. SUMMARY

United Technologies Corporation (the "Corporation" or "UTC") creates, receives, uses, stores, and transfers various data, including trade secrets and other financial, business, scientific, technical, economic, and engineering information; and data owned by or about customers, competitors, suppliers, and individuals outside the Corporation. It is the responsibility of each UTC director, officer, employee, and service provider to collect, protect, use, and disclose data only in accordance with this Policy.

Capitalized terms used throughout this Policy are defined in Exhibit 1.

B. APPLICABILITY

1. This Policy applies worldwide to UTC and its subsidiaries, divisions, and other business entities it controls or for which it provides day-to-day management ("operating units"). Unless the context indicates otherwise, references to UTC or its operating units include their directors, officers, and employees.

2. UTC will obligate its Service Providers to comply with this Policy in the conduct of their business with UTC, through appropriate contractual agreements, warranties and representations.

3. Local laws, regulations, and other restrictions applicable to any operating unit shall be applied to the extent of a conflict with this Policy.

C. POLICY

1. The Corporation invests substantial resources in creating and using various types of Data, as defined in Exhibit 1. Improper use or disclosure of Data damages the Corporation's legal rights and results in loss of a competitive advantage. Although the legal and other protections afforded different types of Data vary, all Data must be protected against misuse and improper or inadvertent disclosure, as described below.

2. Each director, officer, employee, Service Provider, or Third Party entrusted with UTC Data shall comply with Exhibit 2, exercise good judgment before disclosing Proprietary Information (defined in Exhibit 1) within or outside of the Corporation, and obtain all necessary approvals prior to disclosure.

3. UTC respects legitimate rights in Competitive Information belonging to its customers, suppliers, competitors, and Third Parties. UTC will solicit, accept, use, and disclose such information only in conformity with this Policy. Although gathering information about competing products and services is a necessary and routine element of business, UTC will not utilize any improper means such as theft or deception. Because there is no single, definitive standard for determining what is proprietary and because a business must take reasonable steps to protect its Proprietary Information, UTC will evaluate its receipt of information within the context of how the information is gathered. See Exhibit 2 and UTC Policy 3.

4. UTC will maintain the confidentiality of Material Nonpublic Information and will comply with all laws, rules, and regulations regarding the public disclosure of the Corporation's business information. Such information will be disclosed only through designated spokespersons, who typically are the most senior UTC officers. All public disclosures will be made in accordance with:

Policy 30 - Securities Trading & Release of Material Nonpublic Information;
Policy 51 - Disclosures to Investors Under U.S. Securities Laws; and
Policy 50 - Maintenance of Corporate Governance and Financial Data.

UTC's directors, officers, employees and Third Parties (and their immediate family members) shall not misuse Material Nonpublic Information and must not buy, sell or otherwise trade securities while aware of Material Nonpublic Information.

5. Service Providers having access to Proprietary Information shall have written agreements approved by the Legal Department and are subject to IT Policy IT-08-108 - Protection of UTC Data Entrusted to Third Parties.

6. UTC shall maintain a robust Data Breach Incident Response Plan, respond to and remediate any Data Breach Incident, engage the UTC Crisis Communications Team and others, as appropriate, and provide notification about Data Breach Incidents as legally or contractually required. UTC may adopt one Data Breach Incident Response Plan to cover both Proprietary Information, as addressed by this Policy, and Personal Information, as addressed by Corporate Policy Manual Section 24. The current UTC Data Breach Incident Response Plan is provided in Exhibit 4.

7. Records retention requirements are addressed in Section 46 - Retaining Records and Data.

8. Employees and other users of UTC's Data systems shall receive periodic training in application of this Policy and Information Technology ("IT") security. Training may be provided via UTC's Ethics and Compliance Education Center.

9. Questions, comments, or suspected noncompliance concerning this Policy may be directed to an employee's management, the Legal Department, the UTC Global Compliance Office, or in confidence or anonymously to a UTC Ombudsman or via the DIALOG or e-DIALOG Program, as appropriate.

10. Violators of this Policy are subject to disciplinary action, up to and including dismissal and possible legal consequences.


D. PROCEDURES

1. UTC operating units and UTC Headquarters staff organizations that collect, use, transfer, or manage Data shall establish and maintain compliance programs meeting the requirements of Exhibit 3 and pertinent IT policies, procedures, and standards (Index to IT Policies, Procedures and Standards).

2. The UTC Vice President and Chief Intellectual Property Counsel and the UTC Vice President & Chief Information Officer shall assist as necessary to ensure proper and complete implementation of this Policy, including provision of the necessary technology tools to enable compliance worldwide.

3. The UTC Vice President, Operations and other staff organizations involved in selecting and retaining Service Providers shall ensure that Service Providers have written agreements in place to protect Proprietary Information as approved by the Legal Department and that procurement of Service Providers complies with IT Policy IT-08-108 - Protection of UTC Data Entrusted to Third Parties.

4. The UTC Vice President and Chief Intellectual Property Counsel and the UTC Worldwide Director, Internal Audit, will administer assurance and audit programs to ensure that each staff organization and operating unit complies with this Policy.

E. REFERENCES

UTC Code of Ethics Section 3 - Antitrust Compliance;
Section 4 - Business Ethics and Conduct in Contracting with the U.S. Government;
Section 7 - Conflicts of Interest;
Section 20 - Compliance with Export Controls and Economic Sanctions;
Section 24 - Personal Information Protection;
Section 30 - Securities Trading and Release of Material Nonpublic Information;
Section 32 - Permissible References to UTC by Outside Companies vs. Endorsements;
Section 37 - Electronic Communications Media;
Section 40 - Software License Compliance;
Section 46 - Retaining Records and Data;
Index to IT Policies, Procedures and Standards;
UTC Employee Privacy Notice;
UTC HIPAA Privacy Notice.


EXHIBIT 1 - DEFINITIONS

1.1 "Data Breach Incident" is a set of circumstances that involve actual or a reasonable possibility of unauthorized access to or possession of, or the loss or destruction of, Proprietary Information. The circumstances contributing to an Incident may be intentional, unintentional, or accidental, and the access, loss, or destruction may be confirmed or only suspected.

1.2 "Competitive Information" means anything related to the competitive environment or to a competitor (defined as any company seeking to win business against UTC), for example, information related to products, services, pricing, or marketing plans. This information could be drawn from published sources or could otherwise be widely available to the public. Some of this information may relate to a specific competitor ("competitor information"), and some competitor information may be considered by the competitor to be "proprietary," "business confidential," or "trade secret," which the competitor would normally attempt to hold closely.

1.3 "Data" means Trade Secrets, Proprietary Information, and Personal Information relating to directors, officers, and employees of the Corporation. Without limiting the generality of the foregoing, the term includes Proprietary Information, Personal Information (as defined by Corporate Policy Manual Section 24), and other information (including information belonging to another person or entity) that is required to be protected against improper use or disclosure by law, regulation, or contract. This definition applies to information contained in documents or in electronic form, whether used or disclosed orally, visually, or electronically.

1.4 "Electronic" means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

1.5 "Encrypted" means the transformation of Data into unusable and/or unreadable form by use of a confidential process or key.

1.6 "Material Nonpublic Information" means any information that has not been disclosed publicly by the Corporation and that a reasonable investor likely would consider to be important to a decision to buy, hold or sell the Corporation's securities. It includes Board of Directors minutes and deliberations, and nonpublic information disclosed to or possessed by the Corporation that is related to another corporation and that a reasonable investor likely would consider important to a decision to buy, hold or sell the securities of the other corporation.

1.7 "Multiple Single Factor Authentication" means using more than one piece of information in the process of determining whether someone or something is, in fact, who or what it is declared to be. An example of this would include knowing a password as well as a question/answer pair which should result in a generally unique answer for each individual. A "factor" is defined as a classification of authentication types: a knowledge factor is something that a person knows (e.g., a password), a physical factor is something that a person has (e.g., a token), and an inherence factor is something that a person is (e.g., a thumbprint). Note that under this classification a password and a question/answer pair are both knowledge factors, so this scheme repeats one factor type rather than combining different types; compare Two Factor Authentication in 1.15.


1.8 "Proprietary Information" means (a) financial, business, scientific, technical, economic and engineering information (e.g., cost data, formulae, patterns, compilations, programs, devices, methods, techniques, processes, drawings) that are created, owned, or controlled by the Corporation, that are not generally known to competitors or others in the industry or the public and that have independent commercial value or provide a competitive advantage to the Corporation, and (b) information of a Third Party that the Corporation is obligated to protect. Personal Information, as defined in Corporate Policy Manual Section 24, may also be Proprietary Information when that Personal Information is not generally known to competitors or others in the industry or the public and it would have independent commercial value or provide a competitive advantage to the Corporation. The term includes Trade Secrets as well as Company Restricted information and Company Private information, which are defined as:

1.8.1 "Company Private" means information that is important to the Corporation's business and legal interests, warranting disclosure only to persons within or outside the Corporation who have a specific "need to know." This includes, but is not limited to, employment of key executives; opinions of in-house or outside legal counsel; financial investments and resources; sensitive human resources programs; key public-relations endeavors; competitive relationships with other organizations; audit reports; executive travel schedules; computer and network architectural and configuration information and related vulnerability information; and government and customer relations matters. Disclosure of Company Private information to Third Parties shall only occur pursuant to the terms of an applicable agreement (such as a nondisclosure agreement) that requires the Third Party to protect the Company Private information.

1.8.2 "Company Restricted" means Material Nonpublic Information, and other Data such as Board of Directors information; plans for acquisitions; divestitures and other business combinations; major company reorganizations or actions; financial results and forecasts; significant marketing campaigns; significant or new business techniques; sourcing of critical materials; and critical technical, financial, or management Data. The term includes Personal Information, as defined in Corporate Policy Manual Section 24, of employees and Third Parties; and any other information that requires protection under law or regulation.

1.9 "Protect," as used in this Policy and in Appendix A to this Policy, means, at a minimum, to apply the level of data integrity, security and access controls necessary to meet the requirements of agreements UTC has with third parties, law, regulation or UTC policies, including UTC IT Policies, Procedures & Standards. See Appendix A for examples.

1.10 "Record(s)" means any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

1.11 "Service Provider" means any entity or person who/that receives, stores, maintains, processes, or otherwise is permitted access to Proprietary Information through its provision of services directly to UTC or its operating units.


1.12 "Single Factor Authentication" is an authentication scheme using only one factor in determining whether someone or something is, in fact, who or what it is declared to be. An example of this would be using a user ID and password to gain access. A "factor" is defined as a classification of authentication types: a knowledge factor is something that a person knows (e.g., a password), a physical factor is something that a person has (e.g., a token), and an inherence factor is something that a person is (e.g., a thumbprint).

1.13 "Third Party" is any individual or entity, including UTC contractors and their employees, other than UTC or its operating companies.

1.14 "Trade Secrets" means information, including a formula, pattern, compilation, program, device, method, technique, or process, that has independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

1.15 "Two Factor Authentication" is an authentication scheme using two factors of different types in determining whether someone or something is, in fact, who or what it is declared to be. An example of this would be using a user ID and password as well as a token to gain access. A "factor" is defined as a classification of authentication types: a knowledge factor is something that a person knows (e.g., a password), a physical factor is something that a person has (e.g., a token), and an inherence factor is something that a person is (e.g., a thumbprint).


EXHIBIT 2 - PROTECTION OF UTC AND THIRD PARTY INFORMATION

2.1 The Corporation invests substantial resources in creating and obtaining information. Misuse or improper disclosure of any information damages the Corporation's legal rights, exposes the Corporation to liability, and results in loss of a competitive advantage. Each division and subsidiary shall establish procedures adequate to protect Proprietary Information from improper use or disclosure, without hampering the legitimate exchange of Proprietary Information within and outside the Corporation. Procedures shall address, at a minimum, marking, reproduction, safekeeping, disclosure, external release, retention and destruction or return of Proprietary Information.

2.2 This document establishes a hierarchy of information types and provides guidelines for the protection of information based on the type of information. Appendix A shall be used to determine the level of protection assigned to the information and minimum standards on its use and disclosure. This applies whether the information is used or disclosed in documents, orally, visually or electronically. If doubt exists as to whether use or disclosure of information is proper, the Legal Department shall be consulted.

2.3 Proprietary Information disclosed outside the Corporation must be disclosed pursuant to a nondisclosure agreement, contract, license, technical assistance agreement, or other contractual instrument that identifies the allowable use and disclosure of the Proprietary Information. The manner of securing proper legal and contractual protections will be determined in consultation with the Legal Department.

2.4 Proprietary Information provided to customers (including the U.S. Government), competitors, suppliers, and Third Parties or others in response to solicitations and contracts shall bear the appropriate restrictive legends authorized by law or regulation, or as specified in the solicitation or contract.

2.5 The Corporation will receive a Third Party's Proprietary Information only under a written agreement that clearly describes the subject matter, labeling requirements, duration, permitted uses, and other pertinent provisions reviewed and approved by the Legal Department. Such Third Party Proprietary Information shall be used and disclosed only as permitted by the written agreement. Copies, derivations, integrations or other representations of such Third Party Proprietary Information will be labeled in accordance with the agreement.

2.6 Gathering and using information related to competitors is addressed in the Policy Clarification Circular entitled Gathering Competitive Information. This includes compliance with U.S. Government rules regarding access to competition sensitive and source selection data, as described in Policy 4. Unsolicited information received from a Third Party that is claimed or appears to be Proprietary Information must be sent immediately to the Legal Department, and should not otherwise be used, reviewed or shared until the Legal Department has evaluated the nature of the information and the manner in which it was received. If appropriate, the Legal Department will obtain the proper agreements prior to any evaluation, use, or review by the Corporation.


2.7 The U.S. Economic Espionage Act of 1996 and various other statutes impose civil and criminal penalties for the misappropriation, counterfeiting, misuse, or destruction of Proprietary Information and other protected data. Additional information should be obtained from the Legal Department in the event of unauthorized access to, misuse of, or disclosure of the Corporation's or a Third Party's information.


Appendix A (See Exhibit 1 for definitions)

The table gives, for each type of information (columns 1 to 5), the minimum handling requirement for each activity (rows). Column headings:

(1) Authorized for public release; internal UTC data not falling within another category
(2) Proprietary Information
(3) Proprietary Information that is Company Private, incl. Competitive Information
(4) Proprietary Information that is Company Restricted, incl. Material Nonpublic Information until released by UTC; Personal Information
(5) Information controlled by law or regulation (e.g., export controls, protected health information, sensitive employee information)

HOW DISCLOSED

Electronic transmission within UTC's IT systems/firewalls:
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to identify risks of unauthorized disclosure outside of UTC.
(3) Limit to "need to know".
(4) Limit to "need to know".
(5) Limit to persons having appropriate authorization; password protect or encrypt data before transmission.

Electronic transmission outside of UTC's IT systems/firewalls (includes Internet-facing applications):
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to highlight risks of unauthorized disclosure outside of UTC; at least Single Factor Authentication required.
(3) Limit to "need to know" and subject to data transfer agreement (see note 1); at least Multiple Single Factor Authentication required; password protect before transmission.
(4) Limit to "need to know" and subject to data transfer agreement; at least Multiple Single Factor Authentication required; encrypt data at rest and before transmission.
(5) Limit to persons having appropriate authorization and subject to data transfer agreement; Two Factor Authentication required; encrypt data at rest and before transmission.

STORAGE

Fixed media, incl. desktop computers, hard drives, servers, etc.:
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to highlight the risks of unauthorized disclosure outside of UTC.
(3) Limit availability to persons having a "need to know".
(4) Limit availability to persons having a "need to know"; encrypt data at rest.
(5) Limit availability to persons having appropriate authorization (e.g., access-restricted shared drives designated for this use); encrypt data at rest.

Removable media, incl. laptops, USB flash drives, external storage drives, etc.:
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to highlight the risks of unauthorized disclosure outside of UTC.
(3) Limit availability to persons having a "need to know"; do not store on removable media unless password protected or encrypted.
(4) Limit availability to persons having a "need to know"; do not store on removable media unless encrypted.
(5) Limit availability to persons having appropriate authorization; do not store on removable media unless encrypted.

MARKINGS
(1) No markings required.
(2) (Internal & external): "UTC PROPRIETARY INFORMATION".
(3) Primary marking (internal & external): "UTC PROPRIETARY INFORMATION". Secondary markings: (a) "COMPANY PRIVATE"; (b) scope of "need to know" group.
(4) Primary marking (internal & external): "UTC PROPRIETARY INFORMATION". Secondary markings: (a) "COMPANY RESTRICTED"; (b) scope of "need to know" group.
(5) Contact the Legal Department for appropriate markings.

DISCLOSURE
(1) See below.
(2) Within UTC and to Third Parties under an obligation to protect the Proprietary Information.
(3) "Need to know" basis.
(4) "Need to know" basis.
(5) Persons/parties with legal authorization only, per pertinent agreement, license, etc.

DESTRUCTION (hard & electronic copies)
(1) Per Policy 46.
(2) to (5): Per Policy 46, using means that prevent re-creation of the data (e.g., CD destroyers, disk wipe, etc.).

Note 1: "Data transfer agreement" means an agreement meeting the requirements of 2.3 above.

Decisions to disclose information will be made only after considering the following:

o Type and value of the information;
o Contractual or other legal restrictions between the disclosing or receiving party(ies) and the Corporation. Note that data required to be delivered to a customer pursuant to a valid agreement will be marked as required thereunder and shall be protected according to the standards or requirements established in the agreement (e.g., encryption, etc.);
o Extent of party's "need to know";
o Any value the Corporation will receive from the disclosure;
o Potential for misuse of the information;
o Protections afforded the information under pertinent laws, regulations or contracts, including U.S. and other obligations such as export controls, treatment of U.S. Government classified information, and personal privacy. Information subject to these requirements shall be protected and marked in accordance with pertinent legal or regulatory requirements. Operating units must avoid legends such as "Confidential" or similar markings if this will create confusion with the handling of government classified materials;
o Impact of the disclosure on other operating units within the Corporation;
o Additional restrictions found elsewhere in this Policy and the Corporate Policy Manual: Section 3 - Antitrust Compliance; Section 4 - Business Ethics and Conduct in Contracting with the U.S. Government; Section 7 - Conflicts of Interest; Section 20 - Compliance with Export Controls and Economic Sanctions; Section 24 - Personal Information Protection; Section 30 - Securities Trading and Release of Material Nonpublic Information; Section 32 - Permissible References to UTC by Outside Companies vs. Endorsements; Section 37 - Electronic Communication Systems; and Section 40 - Software License Compliance.

Although information other than Proprietary Information may not require the same degree of protection, decisions to disclose any information will be made after due consideration of the factors described above. If doubt exists as to whether use or disclosure of information is proper, the Legal Department shall be consulted.


EXHIBIT 3 - STANDARDS FOR THE PROTECTION OF DATA

3.1 This Exhibit establishes minimum standards to be met by UTC, its operating companies, and Service Providers to the extent they own, license, receive, store, maintain, process, or otherwise access Data in electronic or paper form.

3.2 UTC operating units and staff organizations that collect, use, transfer, or manage Data shall establish and maintain a Data security program meeting the requirements of this Exhibit and pertinent Information Technology ("IT") policies, procedures, and standards (Index to IT Policies, Procedures and Standards).

3.3 The UTC Vice President and Chief Intellectual Property Counsel and the UTC Vice President & Chief Information Officer shall assist as necessary to ensure proper and complete implementation of this Policy, including provision of the necessary technology tools to enable compliance worldwide.

3.4 The UTC Vice President, Operations and other staff organizations involved in selecting and retaining Service Providers shall ensure compliance with Exhibit 8.

3.5 The Data security program shall identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any records containing Data, and evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks. The program shall include:

o Ongoing employee (including temporary and contract employee) training;
o Means of ensuring employee compliance with security program policies and procedures;
o Means for detecting and preventing security program failures;
o Security policies for employees relating to the storage, access and transportation of records containing Data outside of business systems or premises;
o Disciplinary measures for violations of security program rules;
o Means of preventing terminated employees from accessing records containing Data;
o Reasonable restrictions upon physical access to records containing Data, and storage of such records and Data in locked facilities, storage areas or containers;
o Regular monitoring to ensure that the information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Data, and upgrading information safeguards as necessary to limit risks;
o Annual reviews of the scope of security rules, and more frequent reviews when there is a material change in business practices that may reasonably implicate the security or integrity of Data;
o Documentation of responsive actions taken in connection with any incident involving a Breach of Security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of Data (see Exhibit 9); and
o Procedures for sanitization and destruction of storage or other media removed from service, prior to disposal.

3.6 UTC shall oversee Service Providers that have access to or control of Data by:

o Taking reasonable steps to select and retain third-party Service Providers that are

capable of maintaining appropriate security measures to protect such Proprietary

Information; and

o Requiring, by contract, third-party Service Providers to implement and maintain such

appropriate security measures for Proprietary Information.

3.7 UTC electronic or paper systems, including any wireless system (e.g., wireless internet, personal digital devices, etc.) that collects, uses, transmits or stores Proprietary Information, shall be managed in accordance with IT Policies, Procedures and Standards. Each such system shall have the following:

o Secure user authentication protocols, including control of user IDs and other identifiers; a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; control of Data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the Data they protect; restriction of access to active users and active user accounts only; and blocking of access to a user identification after multiple unsuccessful attempts to gain access, or once the access-attempt limit set for the particular system is reached.

o Secure access control measures that restrict access to records and files (both active and archived) containing Proprietary Information to those who need such information to perform their job duties; and that assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, and that are reasonably designed to maintain the integrity of the security of the access controls.

o Encryption of all Company Restricted Data, both “at rest” and “in transit,” that resides on any portable electronic device such as laptops, USB flash drives, floppy disks, CD-ROMs, etc., and of all such Data at the time it is transmitted across public networks or wirelessly. See IT-12-204.

o TLS encryption between UTC domains and Service Providers’ domains in order to provide an extra “safety net” for emails sent over public networks (IT-10-273).

o Requirements for employees and Third Parties to report a loss or suspected compromise of Data, a loss of a mobile device (laptop, USB drive, etc.) or any other incidents immediately to UTC IT Security at [email protected] (and to any other security manager servicing the operating company), and as required by U.S. Government rules related to cyber intrusions (e.g., Industrial Security Letter 2010-02 dtd. Feb. 22, 2010; DOD Federal Acquisition Regulation Supplement Subpart 204).

o Reasonable monitoring of systems to detect and deter unauthorized use of or access to Data;

o For systems connected to the Internet, up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of Data;

o Up-to-date versions of system security software, including malware protection and reasonably up-to-date patches and virus definitions, set to receive the most current security updates on a regular basis; and

o Education and training of employees on the proper use of the computer security systems and the importance of information security, e.g., limiting collection and storage of unneeded information; use of encryption; restricting access to drives, folders, and files; and recognizing risks to information security posed by peer-to-peer (“P2P”) and other file sharing programs.


EXHIBIT 4 – DATA BREACH INCIDENT RESPONSE PLAN

1. Summary

This Data Breach Incident Response Plan (“DBIRP”) provides instructions on how to prepare for, respond to, and remediate a data breach “Incident” (defined in Section 3 below). This DBIRP requires that all employees report Incidents and that United Technologies Corporation (“UTC”) and its business units deploy “Incident Response Teams” (defined in Section 4 below) with the appropriate skill set and level of authority to respond properly to any Incidents that are reported.

Capitalized terms used throughout this Exhibit, if not defined in Exhibit 1 to CPM 14, are defined in section 3 of this Exhibit. The following acronyms are used in this Exhibit:

BU is Business Unit
BU-IRT is a Business Unit-level Incident Response Team
C360 is Compliance 360
DBIRP is Data Breach Incident Response Plan
DBIRPT is the UTC Corporate Data Breach Incident Response Planning Team
HR is Human Resources
IRT is Incident Response Team
IT is Information Technology
UTC is United Technologies Corporation
UTC-IRT is the UTC-level Incident Response Team

2. Applicability

This DBIRP applies to UTC, all of its business segments, units and divisions, and all other operating entities wherever located (including controlled joint ventures, partnerships and other business arrangements where UTC has either a controlling interest or effective management control) (collectively “operating units”). Unless the context indicates otherwise, references to UTC include all operating units, their directors, officers, employees and onsite leased labor. For purposes of this DBIRP, the “Business Units” are: Climate, Controls & Security (“CCS”); Otis; Pratt & Whitney (“P&W”); UTC Aerospace Systems (“UTAS”); and United Technologies Research Center (“UTRC”).


The Business Units may follow this DBIRP or adopt their own so long as it is not inconsistent with this DBIRP. If a Business Unit adopts its own DBIRP, it must send that DBIRP within 30 days of adoption to [email protected]. If a Business Unit adopts this DBIRP, it must create a contact list (see section 6.14) specific for that Business Unit and within 30 days of adoption of this DBIRP send the list to [email protected]. Any changes to a DBIRP or the contact list must also be sent to [email protected].

3. Data Breach Incident

An “Incident” is defined in Exhibit 1 to CPM 14 and is a set of circumstances that involve actual, or a reasonable possibility of, unauthorized access to or possession of, or the loss or destruction of, “Protected Information” (as defined in Section 3.1 below). The circumstances contributing to an Incident may be unintentional or accidental, and the unauthorized access, possession, loss, or destruction may be confirmed or only suspected.

Once unauthorized access to or possession of, or the loss or destruction of, UTC Protected Information has been confirmed by the Incident Response Team, the Incident becomes a data breach “Event”. This DBIRP uses the term Incident to refer to both Incidents and Events, whereas an Event means only a confirmed Incident.

3.1. Protected Information

Protected Information is any information in any form (electronic, hard copy, graphic, audio, or any other format) that is:

• Proprietary Information (as defined by Corporate Policy Manual Section 14);

• Technical Data (as defined by procedures promulgated under Corporate Policy Manual Section 20), which is discussed in “UTC Common Interpretation of Technical Data,” available on the UTC International Trade Compliance site;

• Personal Information (as defined by Corporate Policy Manual Section 24); and

• Designated by any government as Classified or by the United States Government as controlled under a U.S. government contract.

3.2. Unauthorized Access

Unauthorized access is any circumstance that permits a person or entity to review, use, see, consume, analyze, sell, transfer, or otherwise control information without both a legitimate business purpose and a legal basis. Unauthorized access to Classified information also includes when the Classified Information is sent, received, or transmitted via any unauthorized means or when an un-cleared individual accesses information in any fashion.


For example, consider a scenario in which one employee accidentally emails a file containing the names and home addresses of a business unit’s quality group to a person in customer service instead of the correct person of the same name in Human Resources (“HR”). This is unauthorized access because the recipient in customer service had no legitimate business purpose for the information. Similarly, if UTC collects home address information for tax and safety reasons, but an employee uses HR’s home address data to send invitations to a fundraiser for his son’s private school, that scenario may also involve unauthorized access if it was unrelated to a legitimate business purpose. Another example is an employee accidentally leaving a laptop in a taxicab and collecting it from the taxicab dispatcher three days later. In all of these scenarios, even if the unauthorized access were unlikely to lead to any harm, the nature of the Incident dictates only the appropriate response, not whether the circumstances are classified as an Incident. Any circumstance that must be reported is an Incident, but only those Incidents that are confirmed to be breaches are Events.

Yet another example of unauthorized access is a hacker breaking into a UTC network. In such a situation, even if access to Protected Information is only potential, the possibility of access requires a response consistent with this DBIRP.

3.3. Loss or Destruction

Protected Information is lost or destroyed when it is no longer available to UTC to use. Protected Information can be lost or destroyed in many ways, such as:

• Stolen laptop;

• Flood of an office, destroying the only copy of certain records; and

• Inability to access the only copy of data on a server.

The temporary inability to access Protected Information amounts to a loss if there is no anticipated resolution or the inability to access lasts for more than a week. If Protected Information is destroyed but there are other copies (such as back-ups) available, then it does not constitute an Incident.

3.4. An Incident Includes Actions by a Service Provider or Supplier

An Incident includes unauthorized access to or possession of, or the loss or destruction of, Protected Information by or in the custody of any person, whether or not a UTC employee. This includes UTC service providers and suppliers. For example, if a service provider loses back-up tapes containing Protected Information, that circumstance would constitute an Incident. To the extent that any UTC employee or contractor is aware of an Incident resulting from the conduct of a service provider or supplier, that Incident must be reported and addressed under this DBIRP.


4. Reporting an Incident

Anyone aware of an Incident must immediately report it to an Ethics and Compliance Officer or through the Ombudsman program. The Ethics and Compliance Officer or Ombudsman must enter the report into C360. If an Incident has already been reported to the ITC instance of C360, there is no need to report it again.

The Incident Response Team that investigates the Incident may contact the person making the report for additional information.

Incidents involving Classified national security information must not be reported in C360 due to security concerns. Each Business Unit must keep a secure means to track such incidents locally and to brief the UTC Associate General Counsel, Government Contracts (or designee).

5. Preparation

The Data Breach Incident Response Planning Team (“DBIRPT”) will be created at the UTC Corporate level only and is responsible for preparing in advance for Incident response. The DBIRPT will consist of the: UTC IT Director, Compliance; UTC Associate General Counsel, Government Contracts; the UTC Assistant General Counsel responsible for cybersecurity; the UTC Assistant General Counsel, Data Privacy and Security; and a member of the Communications team. The DBIRPT may add members or delegate any part of its function, as deemed appropriate.

The DBIRPT is responsible for:

5.1. Preparing UTC to promptly and effectively respond to Incidents.

5.2. Entering into a proactive relationship with a data breach resolution service provider, if determined to be cost-effective. This may be accomplished by selecting insurance that provides such services.

5.3. Developing and implementing training and education on this DBIRP. The DBIRPT will identify the appropriate means for communication for each audience and the appropriate frequency.

5.4. Conducting a practice exercise each year, or more frequently if appropriate, for the UTC-IRT to test and improve the DBIRP process. The Privacy Professional for each BU must ensure that the BU-IRT conducts at least one practice exercise every three years.

5.5. Reporting annually to the executive oversight committee, as set forth in Section 10 below.


6. Incident Response Team (“IRT”)

To ensure the appropriate actions are considered in developing the response to an Incident, the IRT may need to include: Legal; Intellectual Property (“IP”); Information Technology (“IT”); Security; HR; Privacy; International Trade Compliance (“ITC”); Communications; Government Relations; and potentially an independent forensic investigator and/or a data breach resolution service provider.

6.1. UTC-level IRT or Business Unit-level IRT

If an Incident involves UTC Corporate Protected Information only (as opposed to Protected Information from one or more Business Units), then the response will be managed by an IRT at the UTC level (“UTC-IRT”). If the Incident involves multiple Business Units or UTC Corporate Protected Information and Business Unit Protected Information, then the UTC-IRT will take the lead and the Business Unit-level IRT(s) (“BU-IRT”) will assist. If the Incident involves only Business Unit Protected Information, then the BU-IRT will handle the response. Each BU must set up an IRT to address any BU-specific Incidents. The BUs have flexibility to determine which function participates in the IRT, so long as: (1) Legal is always notified, except in cases of a lost or stolen portable storage device; and (2) Appendix B is used with appropriate follow-up for cases of a lost or stolen portable storage device.

For Business Unit Incidents involving Classified national security data, systems, or programs, the local Government Security Compliance manager and Information Systems Security Manager must take the lead in partnership with the appropriate Business Unit level IRT team members as required.

6.2. IRT Lead

The function that will lead the IRT depends on the nature of the Incident. The lead must be identified in the order of precedence below, so that an Incident that might fall into multiple categories is led by the role identified for the first category in which it properly fits. If there is any question about leadership of the team, the UTC Assistant General Counsel responsible for cybersecurity and the UTC Assistant General Counsel, Data Privacy and Security will resolve the issue.

Precedence | Nature of the Incident                                      | IRT Lead
1          | Classified information, systems, or programs                 | Government Security Compliance Manager and Information Systems Security Manager
2          | Lost or Stolen Electronic Storage Device                     | Lost/Stolen Device Investigator
3          | Compromise of electronically-stored Protected Information    | IT Security
4          | Employee Data                                                | HR
5          | Any Other Personal Information                               | Privacy
6          | All Other                                                    | Legal

The table also groups Protected Information by form: Electronically-Stored Protected Information; Protected Information stored in non-electronic forms, such as hard copy, paper, verbal conversations, etc.; and all Classified information, systems and programs in all forms, media, and formats.

6.3. Legal

Every IRT must involve someone from the Legal Department. The appropriate member of the Legal Department will be identified in the contact list referred to in Section 6.14 below.

Legal must be involved to ensure that our actions comply with law, appropriately mitigate risks, and are consistent with the UTC Code of Ethics and corporate policy. Legal must involve Global Compliance if there is a suspicion that an employee or contractor acted maliciously, in other words, if an insider intentionally breached Protected Information. In all instances, the IRT must consult with Global Compliance prior to contacting law enforcement. If the Incident involves Classified Information or information controlled under a U.S. government contract, the UTC Associate General Counsel, Government Contracts (or designee) must be included on the IRT team.

Where the Incident involves Personal Information, the Legal representative may be the Privacy Professional if that person is a member of the Legal Department.

6.4. Communications

Communications must be notified of each Event (a confirmed Event, not all Incidents). The Communications representative on the IRT will determine whether and to what extent participation by Communications is required. The Communications representative must consider whether, when, and how an urgent and/or informative message should be sent to employees. The Communications representative must also assess the risk of an Incident becoming public and the nature of the appropriate response. The Communications representative should provide input on Communications with affected individuals, external entities, or government regulators.

6.5. Government Relations

When an Incident involves a federal or state government regulator, Government Relations must be involved. In all cases where a government regulator is notified, Government Relations must be informed.

6.6. HR

HR must be involved when the Personal Information of one or more employees is involved.

6.7. Intellectual Property

Intellectual Property must be involved when an Incident involves Proprietary Information.

6.8. IT

IT must be involved if there is an IT system or electronically-stored data involved in the Incident. If the Incident involves only hard copy data, then IT may not need to be involved. Only appropriately cleared or program-accessed IT personnel may be involved in Incidents impacting Classified IT systems or information.

6.9. ITC

For all Incidents, an ITC representative must determine whether there are any ITC implications. If there are ITC implications, then the ITC representative must enter the matter into the ITC instance of C360 and should continue to participate on the IRT as appropriate. If there are no ITC implications, then the ITC representative does not need to participate on the IRT.


6.10. Lost/Stolen Device Investigator

Each Business Unit must identify a person or team to serve as the Lost/Stolen Device Investigator and identify that person(s) on the Business Unit’s Contact List, as discussed in Section 6.14 below. The Lost/Stolen Device Investigator is responsible for ensuring that the Lost/Stolen Device Questionnaire, contained in Appendix B, is completed, including any follow-up described in the Questionnaire.

6.11. Privacy

When Personal Information is involved, regardless of whose Personal Information it is, Privacy must be involved. For UTC, the Privacy function is represented by the Assistant General Counsel, Data Privacy and Security. For the Business Units, the Privacy function is represented by the Privacy Professional for the Business Unit.

6.12. Security

Security must be involved if there is an indication of theft or of a compromise of the physical integrity of any system or facility. The Corporate Facility Security Officer must be notified for any Incident involving Classified systems or information.

6.13. External Parties

6.13.1. Independent forensic investigator

An independent forensic investigator may be needed when there is an intrusion into our networks or facilities. The legal department must be consulted prior to engaging a forensic investigator to ensure preservation of privilege and compliance with applicable laws.

6.13.2. Data Breach Resolution Service Provider

If affected individuals will need to be notified, the IRT should consider whether an external data breach resolution service provider is needed. This analysis should depend on the number of individuals that must be notified and whether the IRT can identify internal resources to manage this process.

6.14. Contact List

Each Business Unit must create a contact list using the template contained in Appendix C or an equivalent format that identifies the name, title, email, office or work telephone number and mobile number for the person or persons who represent Legal, Communications, HR, Intellectual Property, IT, ITC, Lost/Stolen Device Investigator, Privacy Professional, and Security. The Business Unit must ensure that the person identified for the contact list has sufficient skill and authority to serve on the IRT for the Business Unit, including making appropriate determinations about escalation to senior management. The Business Unit will send the complete list to [email protected]. The Business Unit must ensure that the contact list remains current and, at a minimum, provides an annual update by May 15 of each year even if no change has taken place.

7. Responding to an Incident

The following steps must be taken in the order in which they appear.

[Process flow diagram: Formation of the IRT → Containment → Triage → Investigation → Remediation → Notification → RRCA / Follow-Up]

The required process for responding to an Incident involving Classified information, systems, and/or programs is set forth in Exhibit 1.

7.1. Notification and Formation of the IRT

The team lead, as identified in Section 6.2 above, must notify and form the team using the contact list for the appropriate level IRT, either UTC, BU, or both. The contact lists shall be posted on privacy.utc.com. If a UTC-IRT and one or more BU-IRT are required to respond to an Incident, the UTC-IRT lead is responsible for contacting the UTC-IRT members and the BU-IRT lead(s), who are responsible for notifying the BU-IRT members.

7.2. Containment

The IRT must ensure that appropriate action is taken to contain any impact while also permitting investigation of the case. To ensure that containment efforts are addressed with the appropriate speed, IT may address containment measures without consulting the full IRT. In doing so, however, IT must consult Global Compliance if there is a possibility of criminal activity, to balance containment with preservation of evidence.

7.3. Triage

The IRT should conduct a preliminary review of the Incident to understand the severity, set priorities, identify appropriate escalation, and determine the appropriate schedule for the response. If the Incident involves the loss or theft of a portable storage device, the appropriate response should be dictated through use of Appendix B (Questionnaire for Lost and Stolen Devices that Store Data).


7.4. Investigation

The IRT will take appropriate steps to investigate the Incident to determine: (1) the nature and scope of the Incident; (2) what Protected Information may be or is involved; (3) the likely cause; (4) any improvements that could be made on an interim basis to the containment effort; and (5) appropriate remediation intended to prevent the Incident from reoccurring. In conducting an investigation, the IRT should consider:

• the type and amount of Protected Information at risk;

• the availability of log records to help determine whether Protected Information was downloaded or copied;

• whether the Protected Information was actually used by an unauthorized person;

• whether the Protected Information is in the physical possession of an unauthorized person;

• whether the Incident was part of a broad Internet exploit attack and whether the attack exposed Protected Information; and

• identifying evidence regarding the cause of the Incident, how to preserve that evidence, and whether a forensic investigator should be engaged.

The leader of the IRT must consult with the legal department before commencing the investigation to ensure that appropriate measures are in place to preserve attorney-client privilege.

7.5. Remediation

Based on its investigation, the IRT will develop recommendations and, as appropriate, implement measures to remediate any vulnerability and/or help guard against similar Events from occurring in the future.

7.6. Notification

Generally, notification is only required for an Event, where unauthorized access or possession of Protected Information has been confirmed. In situations where unauthorized access or possession cannot be reasonably ruled out or precluded, notification may be required under applicable law or may be prudent.

7.6.1. Internal Business Customers and Management

The IRT must ensure that the appropriate members of the business and management are notified and kept apprised of the progress of the response.


7.6.2. Law Enforcement

If there is the possibility that the Incident was the result of criminal activity, the IRT must consider whether contacting law enforcement is appropriate. Global Compliance must be consulted prior to contacting law enforcement.

7.6.3. Government Regulators

In certain jurisdictions, certain types of Incidents require notification to government regulators. In other situations, notification may be prudent. For example, if notice is being provided to affected individuals, it is generally advisable to notify the local regulator in advance so that a government regulator does not learn of an Incident from an affected individual. The Privacy Professional on the IRT is responsible for any notice to a government regulator if it involves Personal Information. If Classified Information or information controlled under a U.S. government contract is involved, then the UTC Associate General Counsel, Government Contracts (or designee) is responsible for notice to a government regulator or for providing approval for a Business Unit’s Government Security Compliance manager or Facility Security Officer to provide notice to a government customer. Otherwise, the member on the IRT from Legal is responsible for notification to a government regulator. In the event that an inquiry or notification involves the U.S. Congress, Government Relations is responsible for notice.

7.6.4. Affected Individuals

If notification to affected individuals is required by applicable law or is otherwise deemed to be appropriate by the Privacy Professional on the IRT, the affected individuals must be notified as promptly as possible, consistent with the terms of applicable law and the need to conduct and/or complete any investigation. The Privacy Professional shall, in consultation with other members of the IRT, assume responsibility for drafting the applicable notice, using any applicable templates that may be available. Prior to providing notice to affected individuals, the Privacy Professional must consult with the Assistant General Counsel, Data Privacy and Security.

The notice to affected individuals must include, at a minimum (unless applicable law requires otherwise):

• a general description of the Incident;

• a general description of the type of Personal Information that was involved;

• a description of the steps taken or that will be taken to protect the Personal Information from further unauthorized access and/or acquisition, including both containment and remediation measures;

• if credit monitoring and/or protection is being offered, a description of the product and the process to obtain it;

• a telephone number that the individual may call for further information and assistance;

• general guidance on how individuals may protect their Personal Information, as applicable to the nature of the Personal Information involved; and

• any other information required by applicable law.

If notification to individuals regarding an Incident involving their Personal Information is not required by law, the IRT should review the findings of any investigation to determine whether notification should nevertheless be made to affected individuals. For example, notification might be warranted when not required by law because the Incident involved data stored on hard copy forms rather than in an electronic system. If notification is made, it should include the items identified above.

The decision to notify or not to notify affected individuals must be documented in the summary required under Section 8.

7.6.5. Commercial business partners whose data may be impacted

If a commercial business partner may be affected, the IRT will consider contacting that business partner. In making this determination, the IRT must analyze whether any contractual or legal obligation requires notification. The IRT must also contact the individual who manages the relationship with that business partner.

7.6.6. Insurance

The Assistant General Counsel responsible for cybersecurity shall, in consultation with insurance brokers, coverage counsel, adjusters and accountants, take steps to evaluate potential rights and obligations under insurance policies and indemnity agreements in connection with the Incident. Policies evaluated should include the following, as appropriate:

• Specialty Cyber-risk policies;

• E&O liability policies;

• General liability (CGL), umbrella and excess policies;

• D&O liability policies;

• First-party property, business interruption and extra expense policies;

• Fidelity/employee dishonesty, bankers bonds and crime policies;

• Vendor and partner agreements, including both indemnity provisions and insurance procurement provisions; and

• Counterparties’ potentially applicable coverage where one or more UTC company may be an additional insured or loss payee.

The Assistant General Counsel responsible for cybersecurity will, as appropriate, promptly provide notices required under potentially-implicated insurance or other agreements and shall take any other steps necessary to preserve UTC’s and the BU’s rights, such as filing timely proofs of loss.

7.6.7. Media

The IRT, particularly the Communications member(s) of the team, must consider whether preemptive media notification is warranted.

7.7. RRCA / Follow-Up

For confirmed Events, the IRT will conduct a root cause and corrective action analysis intended to prevent a similar Event and to incorporate any learning about the response process into this DBIRP. The IRT must prepare a summary of the RRCA and submit it to [email protected]. The UTC Corporate DBIRPT is responsible for ensuring that this information is incorporated into updates of the DBIRP.

8. Recordkeeping

The IRT is responsible for preparing a summary of the Incident, response, and RRCA (to the extent applicable). The IRT lead must send the summary, along with any associated documents (such as notification letter templates), to [email protected]. The IRT lead must ensure that the summary and associated documents are sent in a timely manner, generally within 60 days of the formation of the IRT for that particular Incident. When warranted, the summary may be modified or updated with new or missing information.

Any records or summaries for Classified Incidents, responses, and RRCA must be approved by the UTC Associate General Counsel, Government Contracts (or designee) prior to submission. Such submissions must be sanitized and unclassified to avoid creating a Classified security violation, as well as in keeping with good Operational Security principles.

The Associate General Counsel, Data Privacy and Security is responsible for maintaining a log of all Events involving Personal Information.

9. Updating the DBIRP

The UTC Corporate DBIRPT is responsible for updating this DBIRP on an annual basis. The review will consider the summaries of Incidents from the past year, any regulatory changes, and best practices in the industry.


10. Executive Ownership

An executive oversight committee will provide oversight for the DBIRP, including implementation and updates. The executive oversight committee shall consist of the following (or their designee): the Senior Vice President and General Counsel; the Senior Vice President, Human Resources and Organization; and the Vice President and Chief Information Officer. The DBIRPT shall report to the executive committee at least once annually.


Appendix A

Process for responding to an Incident involving Classified information, systems, and/or programs

Key to terms and acronyms used in Appendix A

Acronyms:

DSS – U.S. Defense Security Service

ITP – Insider Threat Program

SME – Subject Matter Expert

FSO – Facility Security Officer – A U.S. citizen employee who is appointed by the contractor, who is cleared as part of the facility clearance, and who will supervise and direct security measures necessary for implementing applicable requirements of the National Industrial Security Program Operating Manual and related Federal requirements for classified information.

Classified – Any information that has been determined pursuant to reference or any predecessor order to require protection against unauthorized disclosure in the interest of national security and which has been so designated.

ISSM – Information System Security Manager – A U.S. citizen employee who is appointed with oversight responsibility for the development, implementation and evaluation of the facility’s classified information system security program.

CPSO – Contractor Program Security Officer – The individual appointed at a contractor program facility to provide security administration and management based upon guidance provided by the Program Security Officer.

SAP – Special Access Program – Any program that is established to control access, distribution, and to provide protection for particularly sensitive classified information beyond that normally required for TOP SECRET, SECRET, or CONFIDENTIAL information. A Special Access Program can be created or continued only as authorized by the senior agency official delegated such authority.

CTUI – Controlled Technical Unclassified Information, which may include CDI or covered defense information as defined by the Defense Federal Acquisition Regulations.

Customer – U.S. government entity, prime contractor, or subcontractor under contract with a UTC entity.

Spill – Intentional or unintentional placement of classified information on unapproved or unauthorized computer systems, networks, equipment, or devices.


Appendix B

Questionnaire for Lost and Stolen Devices that Store Data

Employee Information

Employee Name:

Employee Number:

Employee Title or Job Function:

Employee Business Unit:
☐ UTC Corporate HQ
☐ CCS
☐ Otis
☐ P&W
☐ UTAS
☐ UTRC
☐ Contractor – please specify the contractor’s employer and the business unit for which the contractor was working:
Click here to enter text.

Work Location (city/state/country):

Date of Report (MM/DD/YYYY):

Type of Asset:
☐ Company Laptop
☐ Company Smartphone (BlackBerry, Windows Phone, Android)
☐ Company portable storage device (Thumb drive, portable hard drive, DVD, CD)
☐ Personal device used for company purposes – if so, please specify the type of device:
Click here to enter text.
☐ Other – please specify:
Click here to enter text.

Loss or Theft:
☐ Loss
☐ Theft/Stolen

Device Information

Device Number:
If no asset tag, or unknown, provide details such as make, model, serial number, color, etc.

Date of loss or theft (MM/DD/YYYY):
If the exact date is not known, please include an approximate date and note that it is an approximation.

Last known location of the device:

Last time device was seen (MM/DD/YYYY):

Last time worked with the device (MM/DD/YYYY):

Last log on to device (MM/DD/YYYY):

Were there any passwords stored with the device?
A password could be stored with the device if it was written on a piece of paper in the bag or appears on identification in the bag (i.e., if the password was the person’s middle name that appears on the driver’s license), or in any other way.
☐ Yes – please specify:
Click here to enter text.
☐ No


Are there any special access requirements to use the device?
☐ Yes – please specify:
Click here to enter text.
☐ No

Were there any additional markings or ID or name tag or badging on the device?
Examples are the UTC logo, an employee business card, colored protective case, decorative cover, etc.
☐ Yes – please specify:
Click here to enter text.
☐ No

Description of Data on the Device

What type of work do you do?
Use this question to determine what data may be on the device.

If HR-related work, inquire as to whether Personal Information was stored on the asset and, if so, be sure to contact the HR representative on the DBIRP for your business unit.

If working with export-controlled or government programs, determine the nature/type (export controlled, critical program information, controlled unclassified information, or information controlled under a U.S. government contract) on the asset and then contact the government security representative for your business unit.

If working in engineering, ask about whether there was Proprietary Information stored on the device and, if so, contact the IP representative on the contact list for your business unit.

Consider any other type of risk, such as contact information for government representatives or customer Personal Information.

Specific questions follow below to ensure that each issue is addressed.

What is the most important work information stored on the asset?

What is the second most important work information stored on the asset?

Does the asset contain company-Private or sensitive information?
Check for Intellectual Property (IP), trade secrets, schedule/pricing/campaign/sales data, etc. If the answer is YES, be sure to contact the IP representative on the DBIRP contact list for your business unit.
☐ Yes – please specify:
Click here to enter text.
☐ No

Does the asset contain export-controlled data?
Check for U.S. ITAR-EAR or other nation’s export regulated data on the asset. If yes, contact your local International Trade Compliance (ITC) team.
☐ Yes – please specify:
Click here to enter text.
☐ No


Is there any Government data on the asset?
Critical Program Information, For Official Use Only Information, Sensitive But Unclassified Information, Controlled Unclassified Information, Military data, or data controlled under a U.S. government contract. If yes, contact your local Government Security Compliance (GSC) team.
☐ Yes – please specify:
Click here to enter text.
☐ No

Does the asset contain any 3rd party data?
3rd party data may include suppliers, vendors, contractor, subcontractor or customer data.
☐ Yes – please specify:
Click here to enter text.
☐ No

Is there any Personal Information about another person stored on the device?
Personal Information is defined in CPM 24 as information that, when associated with an individual, can be used to identify him or her. For purposes of this question, you can exclude a name and/or email address standing alone. Personal Information could involve HR data or data from customers, suppliers, vendors, or consumers. If the answer is YES, be sure to contact the Privacy Professional for your business unit and, if it involves HR information, also contact the HR representative.
☐ Yes – please specify:
Click here to enter text.
☐ No

Additional Information

Have you ever created a back-up of the asset yourself?
☐ Yes – please specify:
Click here to enter text.
☐ No

Do you have any IT administrative rights or accesses?
☐ Yes – please specify:
Click here to enter text.
☐ No

Is the asset encrypted?
Encryption beyond just a log on password.
☐ Yes
☐ No

Did you lose any other device, equipment, or information?
For example, if a laptop was lost in a travel bag, was there any other company issued material with it (hardware/part sample, phone, USB stick, etc.)?
☐ Yes – please specify:
Click here to enter text.
☐ No

Did you lose any hard copy or printed information with the device?
For example, was the asset lost or stolen along with company documents, work files, technical manuals, etc.?
☐ Yes – please specify:
Click here to enter text.
☐ No

Did you file a report with Security?
Includes business unit security/investigations/IT.
☐ Yes
☐ No

Did you file a report with local law enforcement or a police department?
☐ Yes – please specify:
Click here to enter text.
☐ No


Do you work in any field locations (in non-UTC Facilities), such as in the field, customer locations, or a government installation?
☐ Yes – please specify:
Click here to enter text.
☐ No

Do you hold a security clearance?
☐ Yes
☐ No

Can you think of any person who may have taken the missing asset?
☐ Yes – please specify:
Click here to enter text.
☐ No

Do you have any additional information of note to report:

Was the interview conducted in-person, by phone, or by some other means?
☐ Phone
☐ In-Person
☐ Other – please specify:
Click here to enter text.

Interviewer/Investigator Name:


Appendix C

Contact List Template

Business Unit:
☐ Climate, Controls & Security
☐ Otis
☐ Pratt & Whitney
☐ UTC Aerospace Systems
☐ United Technologies Corporation (Corporate)
☐ United Technologies Research Center

Person Maintaining this List:

Date last updated:

Role                              Name    Title    Email    Work Phone    Mobile Phone
Legal
Communications
HR
Intellectual Property
IT
ITC
Lost/Stolen Device Investigator
Privacy Professional
Security