Information Security & Privacy

In all that we do, we strive to be good data stewards to balance our data needs with our responsibilities to the people and communities we serve.

Resources

 

Information about our company, products and people is one of our most valuable assets. We are committed to ethical use, management and protection of information.

Our commitment applies not only to our company’s information, but also to the information entrusted to us by others. Our tools, processes and procedures ensure that we appropriately use and safeguard information throughout its life cycle to ensure integrity of information and to prevent unauthorized access and disclosure. We have developed and continue to improve upon a comprehensive, global, state of the art information security and cyber resiliency program to enable our company to fulfil its mission: inventing for life.

Global privacy program

Over the past 18 years, we have developed and continually improved a comprehensive global privacy program that promotes organizational accountability for privacy, data governance and data protection across our business and with our collaborative partners and suppliers.

We were the first company in the world to obtain regulatory approval in the European Union (EU) for Binding Corporate Rules (BCRs) based in part on our existing Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPRs) certified program.

This achievement demonstrates that organizations can rely on common internal standards and processes to govern international data transfers across both the EU and APEC regions to simplify their ability to address the growing regulatory challenges in this area.

We also self-certify to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These frameworks were designed by the U.S. Department of Commerce together with the European Commission and with the Swiss Administration, respectively, following the invalidation of the EU-U.S. and Swiss-U.S. Safe Harbor programs.

In 2018, we updated our global privacy practices using the requirements stemming from the General Data Protection Regulation (GDPR) in the EU. This was a comprehensive overhaul of our privacy program framework that included a closed loop accountability model starting with integrated governance, global deployment and operations and independent verification of program effectiveness.

Our holistic approach to privacy has its origins in biomedical research ethics and the protection of participants in the research studies that we sponsor and conduct. We have adapted human subject research ethics standards for risk-benefit analysis, transparency, anonymization, coding and prior review to other activities and processes involving data about people.

We also have established a set of privacy values to guide all of our privacy, data stewardship, and data protection decisions. These core tenets serve as the foundational ethical framework for our comprehensive global privacy program and our compliance with the continually evolving legal and regulatory standards for privacy and data protection.

List of four privacy values to guide all of our privacy, data stewardship, and data protection decisions: Respect, Trust, Prevent Harm, Comply

Cyber security

Our company is increasingly dependent on sophisticated software applications and complex information technology systems and computing infrastructure (collectively, “IT systems”) to conduct critical operations. Disruption, degradation or manipulation of these IT systems through intentional or accidental means could impact key business processes.

Cyber attacks against our IT systems could result in exposure of confidential information, the modification of critical data, and/or the failure of critical operations. Misuse of these IT systems could result in the disclosure of sensitive personal information or the theft of trade secrets, intellectual property, or other confidential business information. We continue to leverage new and innovative technologies across the enterprise to improve the efficacy and efficiency of its business processes, the use of which can create new risks.

In 2017, our company experienced a network cyber attack that led to a disruption of our worldwide operations, including manufacturing, research and sales operations.

We have implemented a variety of measures to further enhance and modernize our systems to guard against similar attacks in the future, and we are pursuing an enterprise-wide effort to enhance our resiliency against cyber attacks, including incidents similar to the 2017 attack. The objective of these efforts is not only to protect against future cyber attacks, but also to improve the speed of our recovery from such attacks and to enable continued business operations to the greatest extent possible during any recovery period.

Although the aggregate impact of cyber attacks and network disruptions, including the 2017 cyber attack, on our company’s operations and financial condition has not been material to date, we continue to be a target of events of this nature and expect them to continue. We monitor our data, information technology and personnel usage of our IT systems to reduce these risks and continue to do so on an ongoing basis for any current or potential threats. However, there is no assurance that our efforts to protect our data and IT systems will be successful in preventing disruptions to our operations, including its manufacturing, research and sales operations. Any such disruption could result in loss of revenue, or the loss of critical or sensitive information from our company’s or our third-party providers’ databases or IT systems and could also result in financial, legal, business or reputational harm and potentially substantial remediation costs.

Given the exponential rise in cybersecurity threats and complexity of those threats, and the increasing dependency on trusted partners to conduct our company’s business, as a critical component of the IT transformation, we have consolidated information security and cyber resiliency activities across IT under the leadership of the Chief Information Security Officer (CISO).

Performance

GLOBAL PRIVACY PROGRAM2014 2015 2016 2017 2018
Number of countries in which we conduct privacy compliance verification and risk assessment 137 137 137 137 137
Number of concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated1, 3, 4 151 143 227 123 315
Percentage of reported concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated2 18% 96% 98% 98% 97%
Number of privacy breaches requiring notification by Merck & Co., Inc., Kenilworth, N.J., U.S.A., to individuals or government authorities1 0 1 0 2
Number of privacy breaches requiring notification by third parties working for Merck & Co., Inc., Kenilworth, N.J., U.S.A., to individuals or government authorities 1 3 0 1 1
1 Privacy concerns include all concerns about our privacy practices escalated to our company’s Privacy Office. Substantiated concerns are those that are determined to be consistent with our own privacy standards or that involve loss of, theft or unauthorized access to personal data.
2 In 2015, because of the scope of lost or stolen devices known to be encrypted, we ceased inclusion of lost or stolen MSD devices in our incident metrics.
3 Reporting in 2017 was impacted by cyber-incident.
4 Increase in substantiated concerns in 2018 due to changes reporting practices stemming from new requirements in the EU (GDPR).