FAQs Related to Pfizer Laptop Data Privacy Incident
Questions
- What happened?
- What data was exposed?
- Why was the personal information on a colleague's laptop at home?
- During what time period were files containing personally identifiable information accessed and/or exposed on the Internet?
- Who had access and what are they doing with the data?
- What steps are being taken to track or control the further dissemination of the data?
- Were any other Pfizer systems, networks or data compromised during this incident?
- What are the penalties for installing unauthorized software on a Company laptop?
- Is the colleague whose laptop contained the unauthorized software still employed by Pfizer?
- Was the colleague's employment terminated for this incident?
- Why did it take until now to notify the affected individuals?
- I have not received a letter from Pfizer about the privacy incident. Does that mean that I am not affected?
- What steps are being taken to prevent another similar incident?
- What is Pfizer doing to protect the present and former colleagues whose data was accessed?
- Will Pfizer pay for credit protection for my spouse/partner, or for people with whom I have joint bank accounts or own other property?
- I have heard about something called a "Security Freeze" or a "Credit Freeze." What are they?
- What can I do if someone charges items on my credit cards or withdraws money from my bank account without my permission?
- If I signed up for Experian's services, including the insurance policy, what does that policy cover?
- How does one year of credit protection compare with what other companies have offered in similar situations?
- Is there a deadline to register for the package of Experian credit protection services?
- My computer is a Mac. Will I be able to access the Experian registration site?
Answers
- What happened?
On March 26, 2007, the spouse of a US Sales colleague loaded unauthorized personal software onto a Pfizer laptop for the purpose of accessing a “peer to peer” file sharing network. That software gave other users of the file sharing network access to approximately 2300 files in the “My Documents” section of the colleague’s laptop, including names, social security numbers and in some instances, addresses, home and/or cell phone numbers and bonus data for approximately 17,000 present and former colleagues. After learning about the unauthorized software on April 18, 2007, Pfizer took action the same day to retrieve the laptop and disable the software.
- What data was exposed?
The names, social security numbers, and in some instances addresses, home and/or cell phone numbers and bonus data, concerning approximately 17,000 present and former Pfizer colleagues were accessible to users of the "peer to peer" file sharing network.
- Why was the personal information on a colleague's laptop at home?
The nature of that individual’s job included analysis of data contained in the files and the colleague performed work both in the office and outside the office. The laptop contained data files that pre-dated the adoption of the employee ID and other identifiers to replace social security numbers.
- During what time period were files containing personally identifiable information accessed and/or exposed on the Internet?
The unauthorized file-sharing software was installed on the computer on March 26, 2007 and removed on April 18, 2007, when Pfizer became aware of the situation and immediately retrieved the laptop and disabled the software.
Based on the forensic analysis, we believe that during this period of time, some files containing personal information were accessed and/or exposed on the Internet.
- Who had access and what are they doing with the data?
Despite our interest in doing so, and our efforts to investigate using available technologies, we were not able to determine the identities or intentions of the parties who accessed the data, and we will not likely be able to ascertain the identities or intentions of the parties with whom the data may have been shared.
- What steps are being taken to track or control the further dissemination of the data?
We are monitoring the file sharing network for any instances of the transfer of the data. To date, we have found no evidence of any further transmission of the data on that network.
- Were any other Pfizer systems, networks or data compromised during this incident?
No. This incident only affected the data contained in a single laptop that was connected to a peer to peer network on a home-based Internet connection. No other Pfizer systems, network or data were compromised in this incident.
- What are the penalties for installing unauthorized software on a Company laptop?
Installing unauthorized software on a company computer is a violation of company policy and is cause for disciplinary action, up to and including termination.
- Is the colleague whose laptop contained the unauthorized software still employed by Pfizer?
No.
- Was the colleague's employment terminated for this incident?
As a matter of Pfizer policy, we can only state that the colleague is no longer employed by Pfizer.
- Why did it take until now to notify the affected individuals?
We had five immediate objectives:
- Stop the exposure and fully understand the incident to prevent any further unauthorized access.
- Identify the files and data that were exposed or accessed.
- Track and prevent further dissemination.
- Accurately identify everyone affected.
- Notify affected individuals and other required entities.
We launched a detailed investigation of the incident and the manner of exposure. We learned that certain files had been exposed, while others had not been exposed. Thus, a great deal of data contained in the laptop needed to be carefully evaluated in order to separate affected individuals from non-affected individuals. We worked with internal and external forensic data specialists to review the files and help correlate the information on the laptop – some of which is years old – with current Pfizer colleague information. Ultimately, we were able to ascertain that there were two groups of affected individuals; one group whose data was exposed, but not necessarily accessed, and a second group whose data was accessed and copied.
Once we identified the individuals who appeared to be affected, we needed to generate and verify address lists for the two groups, comprising 17,000 affected individuals. As the investigation proceeded and address lists were generated, Pfizer engaged Experian, one of the three major credit reporting agencies, to develop and implement a credit monitoring and protection program, provide a toll-free call center, and mail out 17,000 notification letters with individual registration numbers.
When we had the information we needed to notify affected colleagues, Experian started sending letters. At the same time, Pfizer communicated the nature and impact of the incident to the Attorneys General of all 50 states, in accordance with applicable privacy regulations.
In sum, based on the selective manner in which this data was exposed and the file sharing program used, a great deal of investigative and reconstructive work was needed to put Pfizer in a position to accurately identify and notify all affected individuals.
- I have not received a letter from Pfizer about the privacy incident. Does that mean that I am not affected?
Pfizer’s vendor, the credit monitoring service Experian, mailed letters to affected individuals between June 1 and June 6. The majority of affected individuals should have received notices by now.
We recently identified a small group of additional individuals whose name and social security numbers appear to have been exposed, but who may not have been notified with the rest of the original group of about 17,000 affected individuals. We are taking steps to notify people who did not receive the initial notice.
If you did not receive a letter and remain concerned that you might have been affected, you can request information by calling 212-733-0228 or sending an email to privacy.officer@pfizer.com.
- What steps are being taken to prevent another similar incident?
Pfizer is implementing controls on its computer systems that restrict the ability to install unauthorized software. An additional assessment to determine if there are additional opportunities to enhance controls is underway. Included in the assessment is an analysis of Pfizer computers on which there may be unauthorized peer to peer and similar software installed.
Taking individual responsibility for the handling of confidential, sensitive, and personal information is one of our most important tools in preventing future incidents. With that in mind, Pfizer has developed educational materials for all colleagues and contractors on "Handling Sensitive Information." These materials will help everyone better understand their responsibilities in the safeguarding of important Pfizer information, including personal information. This effort will be supported by periodic educational reminders about the ways we all can help.
- What is Pfizer doing to protect the present and former colleagues whose data was accessed?
As described in detail in a letter sent to all affected individuals, Pfizer has contracted with Experian, one of the three major credit reporting agencies, for a comprehensive array of fraud and credit protections. Recently, Pfizer sent letters to all affected individuals to let them know that the company has enhanced the fraud and credit protection offering. Instead of one year of credit monitoring and $25,000 in Identity Theft insurance (where available), Pfizer is now providing affected individuals who register with two years of credit monitoring support services and a $50,000 identity theft insurance policy (where available). The services are available at no cost to the individual for two years following registration. A toll-free hotline and personalized registration number are provided in the notification letter. If you are affected by this incident and no longer have your notification letter, please contact the Pfizer Privacy Helpline at (212) 733-0228 to obtain a new personalized registration number.
- Will Pfizer pay for credit protection for my spouse/partner, or for people with whom I have joint bank accounts or own other property?
Pfizer has offered to pay for credit protection to those individuals whose personal information was exposed. This credit protection is a sensible way to protect you and those with whom you have joint accounts or other property because the credit protection covers all accounts with your name on them, including accounts that you own with other people.
- I have heard about something called a “Security Freeze” or a “Credit Freeze.” What are they?
Another tool for addressing the risk of fraud and/or identity theft is placing a “security freeze,” also known as a “credit freeze,” on a credit account. A freeze generally locks or “freezes” access to a consumer credit report and credit score by prohibiting a credit bureau from releasing a consumer’s credit report or any information about the consumer’s credit history unless certain conditions are met.
As of July 16, 2007, as a matter of law the possible option of imposing a freeze on your account is only available for residents of the following states:
California, Colorado, Connecticut, Delaware, the District of Columbia, Florida, Hawaii, Illinois, Kansas, Kentucky, Louisiana, Maine, Minnesota, Mississippi, Montana, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, North Dakota, Oklahoma, Pennsylvania, Rhode Island, South Dakota, Texas, Vermont, Washington, West Virginia, Wisconsin, and Wyoming.
In addition, there are six other states that have passed security freeze laws; however, those laws are not yet in effect. They are:
Arkansas (January 1, 2008 effective date)
Indiana (September 1, 2007 effective date)
Maryland (January 1, 2008 effective date)
Nebraska (September 1, 2007 effective date)
Oregon (October 1, 2007 effective date)
Tennessee (January 1, 2008 effective date)
Utah (September 1, 2008 effective date)
Please be aware that state rules and regulations for imposing a freeze may vary; for example, in some states, a person must show that s/he is a victim of identity theft, not merely that personal information has been exposed, in order to secure a credit freeze. Other freeze issues also vary by state, including how to request one, how much one costs and how long it takes to put a freeze in place and remove the freeze. You should keep in mind that in order for the freeze to be fully effective it must be imposed separately on your account at all 3 major credit reporting agencies.
Pfizer neither endorses nor discourages the use of a freeze. Some people have found them useful and worthwhile; others have found them unnecessary and inconvenient. Many factors must be considered, and the decision concerning a security freeze requires a personal assessment.
To learn more, visit the Federal Trade Commission’s website at www.ftc.gov/idtheft and click on the link for credit freeze information.
- What can I do if someone charges items on my credit cards or withdraws money from my bank account without my permission?
If you suspect that your credit card or bank account information has been misused, contact the card issuer or bank immediately to ask for their help. Many credit card issuers limit personal liability for unauthorized transactions to $50, and often are willing to waive that fee as long as you notify them promptly that you suspect your account is being misused. Banks are usually able to resolve and reverse false checks and withdrawals.
In addition, if you believe that you have been the victim of a crime, you should promptly notify your local police department and/or State Attorney General’s office.
- If I signed up for Experian's services, including the insurance policy, what does that policy cover?
The insurance policy covers any expenses you incur to protect your credit or clear your name, but it does not cover any losses you may suffer as a result of someone misusing your account information. For example, if it costs $50 to cancel a cell phone contract and have it reissued, the insurance covers that $50. If someone uses your credit card number to purchase a grand piano and you spend $2,000 on a lawyer to contest those charges, the insurance covers those legal expenses -- but would not cover the cost of the actual piano charged to your account. As noted in the prior FAQ, normally your credit card issuer would take responsibility for most of the charges relating to the piano.
- How does two years of credit protection compare with what other companies have offered in similar situations?
Pfizer reviewed information about privacy incidents at other companies and institutions, and compared their responses. Most offered one year of credit protection support; some offered significantly less credit protection support (for example, no credit monitoring or limited credit monitoring (e.g., 90 days)). Two years is more than is generally offered and reflects Pfizer's consideration of colleague comments and Respect for People.
- Is there a deadline to register for the package of Experian credit protection services?
Yes. Individuals whose information was potentially exposed and/or accessed in connection with this incident are eligible for the Pfizer credit protection services support and should promptly consider whether they wish to register. The deadline to register for these services is October 1, 2007.
- My computer is a Mac. Will I be able to access the Experian registration site?
We have just learned that users of non-Windows-based computers need a special hyperlink to access the Experian site. Please call the Privacy Helpline at 212-733-0228 if your computer is not Windows-based and we will arrange for Experian customer service to contact you. Once you have the hyperlink, you can readily complete the registration process.
Privacy Inquiries
Pfizer Inc
Privacy Officer
235 East 42nd Street
Mailstop 235/26/6
New York, NY 10017
Updated September 11, 2007