
Upload: janis-moore

Post on 17-Dec-2015

Copyright © 2014 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc. All rights reserved. 

In practice, how do we recognize a potential Privacy and Security Incident?

Click on the statements and find out which ones are privacy and security incidents

Privacy and security incident types based on CPROC 50.1

privacy.merck.com

What is a privacy and security incident?

Before starting the test, take a look at the definitions:

When we talk about “Personal Information”, we mean any information that could be used to identify, locate or contact an individual.

A “Privacy Incident” is a violation of any one of the Privacy and Data Protection Principles set forth in Corporate Policy 50, or a privacy or data protection Law (this may include a Security Incident).

A “Security Incident” means access to Personal Information which leads to loss, misuse and unauthorized disclosure, alteration and/or destruction of personal data.

Violation of Merck privacy and data protection principles

Sending consumers marketing communications without obtaining proper consent or after they have opted out of receiving them.

Lock up filing cabinets and all areas that store personal information.

An employee improperly collects and broadly distributes sensitive or confidential employee HR data.

Unauthorized internal access or disclosure (when we disclose personal information in an unnecessary or inappropriate manner)

The location of the default printer for your computer was changed, now documents containing personal data are printing out in the wrong office.

When a division wants to make an internal communication informing about the number of people attending an internal celebration.

Creating an internal company report that has names or other sensitive personal information about employees when it is not needed.

Loss or theft of storage device or paper records

Loss of laptops, cell phones, USBs, CDs, and other mobile or removable devices.

Keeping personal information password-protected.

Keeping payments to health care provider records on paper accessible to unauthorized individuals.

Inadvertent disclosure of personal information to an unauthorized person by mistake or accident

Purchasing contact details and personal email of potential clients from a vendor confirming the vendor has permission to share that data with Merck.

Inadvertently sending an email with an attachment that includes sensitive personal information to the wrong internal email distribution list.

A system failure causes the mailing of payment letters to the wrong physicians.

Unauthorized outside access

When traveling or working from home we make sure we use a secure Merck network.

Cyberattacks by criminals trying to access Merck information.

A personal friend of an employee gains access to the Merck network by looking over the friend's shoulder and memorizing the employee's login credentials.

Report all known and suspected privacy and security incidents and other concerns to the MPO and/or your Compliance Officer