Proprietary Information Protection

CORPORATE POLICY MANUAL
Section 14: Proprietary Information Protection

A. Summary
B. Applicability
C. Policy
D. Procedures
E. References

Code of Ethics
United Technologies Corporation 2016

A. SUMMARY

United Technologies Corporation (the "Corporation" or "UTC") creates, receives, uses, stores, and transfers various data, including trade secrets and other financial, business, scientific, technical, economic, and engineering information, and data owned by or about customers, competitors, suppliers, and individuals outside the Corporation. It is the responsibility of each UTC director, officer, employee, and service provider to collect, protect, use, and disclose data only in accordance with this Policy. Capitalized terms used throughout this Policy are defined in Exhibit 1.

B. APPLICABILITY

1. This Policy applies worldwide to UTC and its subsidiaries, divisions, and other business entities it controls or for which it provides day-to-day management ("operating units"). Unless the context indicates otherwise, references to UTC or its operating units include their directors, officers, and employees.

2. UTC will obligate its Service Providers to comply with this Policy in the conduct of their business with UTC, through appropriate contractual agreements, warranties and representations.

3. Local laws, regulations, and other restrictions applicable to any operating unit shall be applied to the extent of a conflict with this Policy.

C. POLICY

1. The Corporation invests substantial resources in creating and using various types of Data, as defined in Exhibit 1. Improper use or disclosure of Data damages the Corporation's legal rights and results in loss of a competitive advantage. Although the legal and other protections afforded different types of Data vary, all Data must be protected against misuse and improper or inadvertent disclosure, as described below.

2. Each director, officer, employee, Service Provider, or Third Party entrusted with UTC Data shall comply with Exhibit 2, exercise good judgment before disclosing Proprietary Information (defined in Exhibit 1) within or outside of the Corporation, and obtain all necessary approvals prior to disclosure.

3. UTC respects legitimate rights in Competitive Information belonging to its customers, suppliers, competitors, and Third Parties. UTC will solicit, accept, use, and disclose such information only in conformity with this Policy. Although gathering information about competing products and services is a necessary and routine element of business, UTC will not utilize any improper means such as theft or deception. Because there is no single, definitive standard for determining what is proprietary, and because a business must take reasonable steps to protect its Proprietary Information, UTC will evaluate its receipt of information within the context of how the information is gathered. See Exhibit 2 and UTC Policy.

4. UTC will maintain the confidentiality of Material Nonpublic Information and will comply with all laws, rules, and regulations regarding the public disclosure of the Corporation's business information. Such information will be disclosed only through designated spokespersons, who typically are the most senior UTC officers. All public disclosures will be made in accordance with: Policy 30 - Securities Trading & Release of Material Nonpublic Information; Policy 51 - Disclosures to Investors Under U.S. Securities Laws; and Policy 50 - Maintenance of Corporate Governance and Financial Data. UTC's directors, officers, employees and Third Parties (and their immediate family members) shall not misuse Material Nonpublic Information and must not buy, sell or otherwise trade securities while aware of Material Nonpublic Information.

5. Service Providers having access to Proprietary Information shall have written agreements approved by the Legal Department and are subject to IT Policy IT Protection of UTC Data Entrusted to Third Parties.

6. UTC shall maintain a robust Data Breach Incident Response Plan, respond to and remediate any Data Breach Incident, engage the UTC Crisis Communications Team and others, as appropriate, and provide notification about Data Breach Incidents as legally or contractually required. UTC may adopt one Data Breach Incident Response Plan to cover both Proprietary Information, as addressed by this Policy, and Personal Information, as addressed by Corporate Policy Manual Section 24. The current UTC Data Breach Incident Response Plan is provided in Exhibit 4.

7. Records retention requirements are addressed in Section 46 - Retaining Records and Data.

8. Employees and other users of UTC's Data systems shall receive periodic training in application of this Policy and Information Technology ("IT") security. Training may be provided via UTC's Ethics and Compliance Education Center.

9. Questions, comments, or suspected noncompliance concerning this Policy may be directed to an employee's management, the Legal Department, the UTC Global Compliance Office, or, in confidence or anonymously, to a UTC Ombudsman or via the DIALOG or e-dialog Program, as appropriate.

10. Violators of this Policy are subject to disciplinary action, up to and including dismissal and possible legal consequences.

D. PROCEDURES

1. UTC operating units and UTC Headquarters staff organizations that collect, use, transfer, or manage Data shall establish and maintain compliance programs meeting the requirements of Exhibit 3 and pertinent IT policies, procedures, and standards (Index to IT Policies, Procedures and Standards).

2. The UTC Vice President and Intellectual Property Counsel and the UTC Vice President & Chief Information Officer shall assist as necessary to ensure proper and complete implementation of this Policy, including provision of the necessary technology tools to enable compliance worldwide.

3. The UTC Vice President, Operations and other staff organizations involved in selecting and retaining Service Providers shall ensure that Service Providers have written agreements in place to protect Proprietary Information as approved by the Legal Department, and that procurement of Service Providers complies with IT Policy IT Protection of UTC Data Entrusted to Third Parties.

4. The UTC Vice President and Chief Intellectual Property Counsel and the UTC Worldwide Director, Internal Audit, will administer assurance and audit programs to ensure that each staff organization and operating unit complies with this Policy.

E. REFERENCES

UTC Code of Ethics
Section 3 - Antitrust Compliance
Section 4 - Business Ethics and Conduct in Contracting with the U.S. Government
Section 7 - Conflicts of Interest
Section 20 - Compliance with Export Controls and Economic Sanctions
Section 24 - Personal Information Protection
Section 30 - Securities Trading and Release of Material Nonpublic Information
Section 32 - Permissible References to UTC by Outside Companies vs. Endorsements
Section 37 - Electronic Communications Media
Section 40 - Software License Compliance
Section 46 - Retaining Records and Data
Index to IT Policies, Procedures and Standards
UTC Employee Privacy Notice
UTC HIPAA Privacy Notice

EXHIBIT 1 - DEFINITIONS

1.1 Data Breach Incident is a set of circumstances that involve actual or a reasonable possibility of unauthorized access to or possession of, or the loss or destruction of, Proprietary Information. The circumstances contributing to an Incident may be intentional, unintentional or accidental, and the access, loss, or destruction may be confirmed or only suspected.

1.2 Competitive Information means anything related to the competitive environment or to a competitor (defined as any company seeking to win business against UTC), for example, information related to products, services, pricing, or marketing plans. This information could be drawn from published sources or could otherwise be widely available to the public. Some of this information may relate to a specific competitor ("competitor information"), and some competitor information may be considered by the competitor to be proprietary, business confidential, or trade secret, which the competitor would normally attempt to hold closely.

1.3 Data means Trade Secrets, Proprietary Information, and Personal Information relating to directors, officers, and employees of the Corporation. Without limiting the generality of the foregoing, the term includes Proprietary Information, Personal Information (as defined by Corporate Policy Manual Section 24), and other information (including information belonging to another person or entity) that is required to be protected against improper use or disclosure by law, regulation, or contract. This definition applies to information contained in documents or in electronic form, whether used or disclosed orally, visually, or electronically.

1.4 Electronic means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.

1.5 Encrypted means the transformation of Data into unusable and/or unreadable form by use of a confidential process or key.

1.6 Material Nonpublic Information means any information that has not been disclosed publicly by the Corporation and that a reasonable investor likely would consider to be important to a decision to buy, hold or sell the Corporation's securities. It includes Board of Directors minutes and deliberations, and nonpublic information disclosed to or possessed by the Corporation that is related to another corporation and that a reasonable investor likely would consider important to a decision to buy, hold or sell the securities of the other corporation.

1.7 Multiple Single Factor Authentication means using more than one piece of information in the process of determining whether someone or something is, in fact, who or what it is declared to be. An example of this would include knowing a password as well as a question/answer pair which should result in a generally unique answer for each individual. A factor is defined as a classification of authentication types: a knowledge factor is something that a person knows (e.g., a password), a physical factor is something that a person has (e.g., a token), and an inherence factor is something that a person is (e.g., a thumbprint).

1.8 Proprietary Information means (a) financial, business, scientific, technical, economic and engineering information (e.g., cost data, formulae, patterns, compilations, programs, devices, methods, techniques, processes, drawings) that is created, owned, or controlled by the Corporation, that is not generally known to competitors or others in the industry or the public, and that has independent commercial value or provides a competitive advantage to the Corporation; and (b) information of a Third Party that the Corporation is obligated to protect. Personal Information, as defined in Corporate Policy Manual Section 24, may also be Proprietary Information when that Personal Information is not generally known to competitors or others in the industry or the public and it would have independent commercial value or provide a competitive advantage to the Corporation. The term includes Trade Secrets as well as Company Restricted information and Company Private information, which are defined as:

  Company Private means information that is important to the Corporation's business and legal interests, warranting disclosure only to persons within or outside the Corporation who have a specific "need to know." This includes, but is not limited to, employment of key executives; opinions of in-house or outside legal counsel; financial investments and resources; sensitive human resources programs; key public-relations endeavors; competitive relationships with other organizations; audit reports; executive travel schedules; computer and network architectural and configuration information and related vulnerability information; and government and customer relations matters. Disclosure of Company Private information to Third Parties shall only occur pursuant to the terms of an applicable agreement (such as a nondisclosure agreement) that requires the Third Party to protect the Company Private information.

  Company Restricted means Material Nonpublic Information, and other Data such as Board of Directors information; plans for acquisitions, divestitures and other business combinations; major company reorganizations or actions; financial results and forecasts; significant marketing campaigns; significant or new business techniques; sourcing of critical materials; and critical technical, financial, or management Data. The term includes Personal Information, as defined in Corporate Policy Manual Section 24, of employees and Third Parties; and any other information that requires protection under law or regulation.

1.9 Protect, as used in this Policy and in Appendix A to this Policy, means, at a minimum, to apply the level of data integrity, security and access controls necessary to meet the requirements of agreements UTC has with third parties, law, regulation or UTC policies, including UTC IT Policies, Procedures & Standards. See Appendix A for examples.

1.10 Record(s) means any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics.

1.11 Service Provider means any entity or person who/that receives, stores, maintains, processes, or otherwise is permitted access to Proprietary Information through its provision of services directly to UTC or its operating units.

1.12 Single Factor Authentication is an authentication scheme using only one factor in determining whether someone or something is, in fact, who or what it is declared to be. An example of this would be using a user ID and password to gain access. A factor is defined as a classification of authentication types: a knowledge factor is something that a person knows (e.g., a password), a physical factor is something that a person has (e.g., a token), and an inherence factor is something that a person is (e.g., a thumbprint).

1.13 Third Party is any individual or entity, including UTC contractors and their employees, other than UTC or its operating companies.

1.14 Trade Secrets means information, including a formula, pattern, compilation, program, device, method, technique, or process, that has independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

1.15 Two Factor Authentication is an authentication scheme using two factors in determining whether someone or something is, in fact, who or what it is declared to be. An example of this would be using a user ID and password as well as a token to gain access. A factor is defined as a classification of authentication types: a knowledge factor is something that a person knows (e.g., a password), a physical factor is something that a person has (e.g., a token), and an inherence factor is something that a person is (e.g., a thumbprint).

EXHIBIT 2 - PROTECTION OF UTC AND THIRD PARTY INFORMATION

2.1 The Corporation invests substantial resources in creating and obtaining information. Misuse or improper disclosure of any information damages the Corporation's legal rights, exposes the Corporation to liability, and results in loss of a competitive advantage. Each division and subsidiary shall establish procedures adequate to protect Proprietary Information from improper use or disclosure, without hampering the legitimate exchange of Proprietary Information within and outside the Corporation. Procedures shall address, at a minimum, marking, reproduction, safekeeping, disclosure, external release, retention and destruction or return of Proprietary Information.

2.2 This document establishes a hierarchy of information types and provides guidelines for the protection of information based on the type of information. Appendix A shall be used to determine the level of protection assigned to the information and minimum standards on its use and disclosure. This applies whether the information is used or disclosed in documents, orally, visually or electronically. If doubt exists as to whether use or disclosure of information is proper, the Legal Department shall be consulted.

2.3 Proprietary Information disclosed outside the Corporation must be disclosed pursuant to a nondisclosure agreement, contract, license, technical assistance agreement, or other contractual instrument that identifies the allowable use and disclosure of the Proprietary Information. The manner of securing proper legal and contractual protections will be determined in consultation with the Legal Department.

2.4 Proprietary Information provided to customers (including the U.S. Government), competitors, suppliers, and Third Parties or others in response to solicitations and contracts shall bear the appropriate restrictive legends authorized by law or regulation, or as specified in the solicitation or contract.

2.5 The Corporation will receive a Third Party's Proprietary Information only under a written agreement that clearly describes the subject matter, labeling requirements, duration, permitted uses, and other pertinent provisions reviewed and approved by the Legal Department. Such Third Party Proprietary Information shall be used and disclosed only as permitted by the written agreement. Copies, derivations, integrations or other representations of such Third Party Proprietary Information will be labeled in accordance with the agreement.

2.6 Gathering and using information related to competitors is addressed in the Policy Clarification Circular entitled "Gathering Competitive Information." This includes compliance with U.S. Government rules regarding access to competition-sensitive and source selection data, as described in Policy 4. Unsolicited information received from a Third Party that is claimed or appears to be Proprietary Information must be sent immediately to the Legal Department, and should not otherwise be used, reviewed or shared until the Legal Department has evaluated the nature of the information and the manner in which it was received. If appropriate, the Legal Department will obtain the proper agreements prior to any evaluation, use, or review by the Corporation.

2.7 The U.S. Economic Espionage Act of 1996 and various other statutes impose civil and criminal penalties for the misappropriation, counterfeiting, misuse, or destruction of Proprietary Information and other protected data. Additional information should be obtained from the Legal Department in the event of unauthorized access to, misuse of, or disclosure of the Corporation's or a Third Party's information.

APPENDIX A (See Exhibit 1 for definitions)

Minimum protection standards by type of information and by how the information is disclosed. The five types of information are:

(1) Authorized for public release; internal UTC data not falling within another category
(2) Proprietary Information
(3) Proprietary Information that is Company Private, incl. Competitive Info.
(4) Proprietary Information that is Company Restricted, incl. Material Nonpublic Info. until released by UTC; Personal Info.
(5) Controlled by law or regulation (e.g., export controls, protected health information, sensitive employee information)

HOW DISCLOSED

Electronic transmission within UTC's IT systems/firewalls:
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to identify risks of unauthorized disclosure outside of UTC.
(3) Limit to need to know.
(4) Limit to need to know.
(5) Limit to persons having appropriate authorization. Password protect or encrypt data before transmission.

Transmission outside of UTC's IT systems/firewalls (includes Internet-facing applications):
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to highlight risks of unauthorized disclosure outside of UTC. At least Single Factor Authentication required.
(3) Limit to need to know and subject to data transfer agreement*. At least Multiple Single Factor Authentication required. Password protect before transmission.
(4) Limit to need to know and subject to data transfer agreement. At least Multiple Single Factor Authentication required. Encrypt data at rest and before transmission.
(5) Limit to persons having appropriate authorization and subject to data transfer agreement. Two-Factor Authentication required. Encrypt data at rest and before transmission.

Storage on fixed media, incl. desktop computers, hard drives, servers, etc.:
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to highlight the risks of unauthorized disclosure outside of UTC.
(3) Limit availability to persons having a need to know.
(4) Limit availability to persons having a need to know. Encrypt data at rest.
(5) Limit availability to persons having appropriate authorization (e.g., access-restricted shared drives designated for this use). Encrypt data at rest.

Storage on removable media, incl. laptops, USB flash drives, external storage drives, etc.:
(1) No special requirements.
(2) Information is to be identified as containing Proprietary Information so as to highlight the risks of unauthorized disclosure outside of UTC.
(3) Limit availability to persons having a need to know. Do not store on removable media unless password protected or encrypted.
(4) Limit availability to persons having a need to know. Do not store on removable media unless encrypted.
(5) Limit availability to persons having appropriate authorization. Do not store on removable media unless encrypted.

* Data transfer agreement means an agreement meeting the requirements of 2.3 above.

MARKINGS

(1) No markings required.
(2) (Internal & external): UTC PROPRIETARY INFORMATION.
(3) Primary marking (internal & external): UTC PROPRIETARY INFORMATION. Secondary markings: (a) COMPANY PRIVATE; (b) scope of need-to-know group.
(4) Primary marking (internal & external): UTC PROPRIETARY INFORMATION. Secondary markings: (a) COMPANY RESTRICTED; (b) scope of need-to-know group.
(5) Contact Legal Department for appropriate markings.

DISCLOSURE

(1) See below.
(2) Within UTC and to Third Parties under an obligation to protect the Proprietary Information.
(3) Need-to-know basis.
(4) Need-to-know basis.
(5) Persons/parties with legal authorization only, per pertinent agreement, license, etc.

DESTRUCTION (HARD & ELECTRONIC COPIES)

(1) Per Policy 46.
(2) Per Policy 46, using means that prevent re-creation of the data (e.g., CD destroyers, disk wipe, etc.).
(3) Per Policy 46, using means that prevent re-creation of the data (e.g., CD destroyers, disk wipe, etc.).
(4) Per Policy 46, using means that prevent re-creation of the data (e.g., CD destroyers, disk wipe, etc.).
(5) Per Policy 46, using means that prevent re-creation of the data (e.g., CD destroyers, disk wipe, etc.).

Decisions to disclose information will be made only after considering the following:

o Type and value of the information;
o Contractual or other legal restrictions between the disclosing or receiving party(ies) and the Corporation. Note that data required to be delivered to a customer pursuant to a valid agreement will be marked as required thereunder and shall be protected according to the standards or requirements established in the agreement (e.g., encryption, etc.);
o Extent of the party's "need to know";
o Any value the Corporation will receive from the disclosure;
o Potential for misuse of the information;
o Protections afforded the information under pertinent laws, regulations or contracts, including U.S. and other obligations such as export controls, treatment of U.S. Government classified information, and personal privacy. Information subject to these requirements shall be protected and marked in accordance with pertinent legal or regulatory requirements. Operating units must avoid legends such as "Confidential" or similar markings if this will create confusion with the handling of government classified materials;
o Impact of the disclosure on other operating units within the Corporation;
o Additional restrictions found elsewhere in this Policy and the Corporate Policy Manual: Section 3 - Antitrust Compliance; Section 4 - Business Ethics and Conduct in Contracting with the U.S. Government; Section 7 - Conflicts of Interest; Section 20 - Compliance with Export Controls and Economic Sanctions; Section 24 - Personal Information Protection; Section 30 - Securities Trading and Release of Material Nonpublic Information; Section 32 - Permissible References to UTC by Outside Companies vs. Endorsements; Section 37 - Electronic Communication Systems; and Section 40 - Software License Compliance.

Although information other than Proprietary Information may not require the same degree of protection, decisions to disclose any information will be made after due consideration of the factors described above. If doubt exists as to whether use or disclosure of information is proper, the Legal Department shall be consulted.

EXHIBIT 3 - STANDARDS FOR THE PROTECTION OF DATA

3.1 This Exhibit establishes minimum standards to be met by UTC, its operating companies, and Service Providers to the extent they own, license, receive, store, maintain, process, or otherwise access Data in electronic or paper form.

3.2 UTC operating units and staff organizations that collect, use, transfer, or manage Data shall establish and maintain a Data security program meeting the requirements of this Exhibit and pertinent Information Technology ("IT") policies, procedures, and standards (Index to IT Policies, Procedures and Standards).

3.3 The UTC Vice President and Chief Intellectual Property Counsel and the UTC Vice President & Chief Information Officer shall assist as necessary to ensure proper and complete implementation of this Policy, including provision of the necessary technology tools to enable compliance worldwide.

3.4 The UTC Vice President, Operations and other staff organizations involved in selecting and retaining Service Providers shall ensure compliance with Exhibit.

3.5 The Data security program shall identify and assess reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any records containing Data, and evaluate and improve, where necessary, the effectiveness of the current safeguards for limiting such risks. The program shall include:

o Ongoing employee (including temporary and contract employee) training;
o Means of ensuring employee compliance with security program policies and procedures;
o Means for detecting and preventing security program failures;
o Security policies for employees relating to the storage, access and transportation of records containing Data outside of business systems or premises;
o Disciplinary measures for violations of security program rules;
o Means of preventing terminated employees from accessing records containing Data;
o Reasonable restrictions upon physical access to records containing Data, and storage of such records and Data in locked facilities, storage areas or containers;
o Regular monitoring to ensure that the information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of Data, and upgrading information safeguards as necessary to limit risks;
o Annual reviews of the scope of security rules, and more often when there is a material change in business practices that may reasonably implicate the security or integrity of Data;
o Documentation of responsive actions taken in connection with any incident involving a Breach of Security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of Data (see Exhibit 9); and
o Procedures for sanitization and destruction of storage or other media removed from service, prior to disposal.

3.6 UTC shall oversee Service Providers that have access to or control of Data by:

o Taking reasonable steps to select and retain third-party Service Providers that are capable of maintaining appropriate security measures to protect such Proprietary Information; and
o Requiring, by contract, third-party Service Providers to implement and maintain such appropriate security measures for Proprietary Information.

3.7 UTC electronic or paper systems, including any wireless system (e.g., wireless internet, personal digital devices, etc.) that collects, uses, transmits or stores Proprietary Information, shall be managed in accordance with IT Policies, Procedures and Standards. Each such system shall have the following:

o Secure user authentication protocols, including: control of user IDs and other identifiers; a secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices; control of Data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the Data they protect; restriction of access to active users and active user accounts only; and blocking of access to a user identification after multiple unsuccessful attempts to gain access, or the limitation placed on access for the particular system.
o Secure access control measures that restrict access to records and files (both active and archived) containing Proprietary Information to those who need such information to perform their job duties; and that assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, and that are reasonably designed to maintain the integrity of the security of the access controls.
o Encryption of all Company Restricted Data, both at rest and in transit, that resides on any portable electronic device such as laptops, USB flash drives, floppy disks, CD-ROMs, etc., and of all such Data at the time it is transmitted across public networks or wirelessly. See IT.
o TLS encryption between UTC domains and Service Providers' domains in order to provide an extra safety net for e-mails sent over public networks. (IT.)
o Requirements for employees and Third Parties to report a loss or suspected compromise of Data, a loss of a mobile device (laptop, USB drive, etc.) or any other incidents immediately to UTC IT Security at gputcitsecurity@utc.com (and to the other security manager servicing the operating company), and as required by U.S. Government rules related to cyber intrusions (e.g., Industrial Security Letter dtd. Feb. 22, 2010; DOD Federal Acquisition Regulation Supplement Subpart 204).
o Reasonable monitoring of systems to detect and deter unauthorized use of or access to Data;
o For systems connected to the Internet, up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of Data;
o Up-to-date versions of system security software, including malware protection and reasonably up-to-date patches and virus definitions, set to receive the most current security updates on a regular basis; and
o Education and training of employees on the proper use of the computer security systems and the importance of information security, e.g., limiting collection and storage of unneeded information; use of encryption; restricting access to drives, folders, and files; and recognizing risks to information security posed by peer-to-peer ("P2P") and other file sharing programs.

EXHIBIT 4
DATA BREACH INCIDENT RESPONSE PLAN

1. Summary

This Data Breach Incident Response Plan ("DBIRP") provides instructions on how to prepare for, respond to, and remediate a data breach Incident (defined in Section 3 below). This DBIRP requires that all employees report Incidents and that United Technologies Corporation ("UTC") and its business units deploy Incident Response Teams (defined in Section 4 below) with the appropriate skill set and level of authority to respond properly to any Incidents that are reported. Capitalized terms used throughout this Exhibit, if not defined in Exhibit 1 to CPM 14, are defined in Section 3 of this Exhibit.

The following acronyms are used in this Exhibit:
BU is Business Unit
BU-IRT is a Business Unit-level Incident Response Team
C360 is Compliance 360
DBIRP is Data Breach Incident Response Plan
DBIRPT is the UTC Corporate Data Breach Incident Response Planning Team
HR is Human Resources
IRT is Incident Response Team
IT is Information Technology
UTC is United Technologies Corporation
UTC-IRT is the UTC-level Incident Response Team

2. Applicability

This DBIRP applies to UTC, all of its business segments, units and divisions, and all other operating entities wherever located (including controlled joint ventures, partnerships and other business arrangements where UTC has either a controlling interest or effective management control) (collectively "operating units"). Unless the context indicates otherwise, references to UTC include all operating units, their directors, officers, employees and onsite leased labor. For purposes of this DBIRP, the Business Units are:
o Climate, Controls & Security ("CCS");
o Otis;
o Pratt & Whitney ("P&W");
o UTC Aerospace Systems ("UTAS"); and
o United Technologies Research Center ("UTRC").

The Business Units may follow this DBIRP or adopt their own so long as it is not inconsistent with this DBIRP. If a Business Unit adopts its own DBIRP, it must send that DBIRP within 30 days of adoption to privacy.compliance@utc.com. If a Business Unit adopts this DBIRP, it must create a contact list (see Section 6.14) specific to that Business Unit and, within 30 days of adoption of this DBIRP, send the list to privacy.compliance@utc.com. Any changes to a DBIRP or the contact list must also be sent to privacy.compliance@utc.com.

3. Data Breach Incident

An Incident is defined in Exhibit 1 to CPM 14 and is a set of circumstances that involves actual, or a reasonable possibility of, unauthorized access to or possession of, or the loss or destruction of, Protected Information (as defined in Section 3.1 below). The circumstances contributing to an Incident may be unintentional or accidental, and the unauthorized access, possession, loss, or destruction may be confirmed or only suspected. Once unauthorized access to or possession of, or the loss or destruction of, UTC Protected Information has been confirmed by the Incident Response Team, the Incident becomes a data breach Event. This DBIRP will use the term Incident to refer to both Incident and Event, whereas an Event means only a confirmed Incident.

3.1. Protected Information

Protected Information is any information in any form (electronic, hard copy, graphic, audio, or any other format) that is:
o Proprietary Information (as defined by Corporate Policy Manual Section 14);
o Technical Data (as defined by procedures promulgated under Corporate Policy Manual Section 20), which is discussed in UTC Common Interpretation of Technical Data, available on the UTC International Trade Compliance site;
o Personal Information (as defined by Corporate Policy Manual Section 24); and
o Designated by any government as Classified or by the United States Government as controlled under a U.S. government contract.

3.2. Unauthorized Access

Unauthorized access is any circumstance that permits a person or entity to review, use, see, consume, analyze, sell, transfer, or otherwise control information without both a legitimate business purpose and a legal basis. Unauthorized access to Classified information also includes when the Classified Information is sent, received, or transmitted via any unauthorized means or when an un-cleared individual accesses information in any fashion.

For example, consider a scenario in which one employee accidentally e-mails a file containing the names and home addresses of a business unit's quality group to a person in customer service instead of the correct person of the same name in Human Resources ("HR"). This is unauthorized access because the recipient in customer service had no legitimate business purpose for the information. Similarly, if UTC collects home address information for tax and safety reasons, but an employee uses HR's home address data to send invitations to a fundraiser for his son's private school, that scenario may also involve unauthorized access if it was unrelated to a legitimate business purpose. Another example is an employee accidentally leaving a laptop in a taxicab and collecting it from the taxicab dispatcher three days later. In all of these scenarios, even if the unauthorized access were unlikely to lead to any harm, the nature of the Incident dictates only the appropriate response, not whether the circumstances are classified as an Incident. Any circumstance that must be reported is an Incident, but only those Incidents that are confirmed to be breaches are Events.

Yet another example of unauthorized access is a hacker breaking into a UTC network. In such a situation, even if access to Protected Information may only be potential, the possibility of access requires a response consistent with this DBIRP.

3.3. Loss or Destruction

Protected Information is lost or destroyed when it is no longer available to UTC to use. Protected Information can be lost or destroyed in many ways, such as:
o Stolen laptop;
o Flood of an office, destroying the only copy of certain records; and
o Inability to access the only copy of data on a server.

The temporary inability to access Protected Information amounts to a loss if there is no anticipated resolution or the inability to access lasts for more than a week. If Protected Information is destroyed but there are other copies (such as back-ups) available, then it does not constitute an Incident.

3.4. An Incident Includes Actions by a Service Provider or Supplier

An Incident includes unauthorized access to or possession of, or the loss or destruction of, Protected Information by or in the custody of any person, whether or not a UTC employee. This includes UTC service providers and suppliers. For example, if a service provider loses back-up tapes containing Protected Information, that circumstance would constitute an Incident. To the extent that any UTC employee or contractor is aware of an Incident resulting from the conduct of a service provider or supplier, that Incident must be reported and addressed under this DBIRP.

4. Reporting an Incident

Anyone aware of an Incident must immediately report it to an Ethics and Compliance Officer or through the Ombudsman program. The Ethics and Compliance Officer or Ombudsman must enter the report into C360. If an Incident has already been reported to the ITC instance of C360, there is no need to report it again. The Incident Response Team that investigates the Incident may contact the person making the report for additional information.

Incidents involving Classified national security information must not be reported in C360 due to security concerns. Each Business Unit must keep a secure means to track such incidents locally and to brief the UTC Associate General Counsel, Government Contracts (or designee).

5. Preparation

The Data Breach Incident Response Planning Team ("DBIRPT") will be created at the UTC Corporate level only and is responsible for preparing in advance for Incident response. The DBIRPT will consist of the:
o UTC IT Director, Compliance;
o UTC Associate General Counsel, Government Contracts;
o UTC Assistant General Counsel responsible for cybersecurity;
o UTC Assistant General Counsel, Data Privacy and Security; and
o a member of the Communications team.

The DBIRPT may add members or delegate any part of its function, as deemed appropriate. The DBIRPT is responsible for:

5.1. Preparing UTC to promptly and effectively respond to Incidents.

5.2. Entering into a proactive relationship with a data breach resolution service provider, if determined to be cost-effective. This may be accomplished by selecting insurance that provides such services.

5.3. Developing and implementing training and education on this DBIRP. The DBIRPT will identify the appropriate means of communication for each audience and the appropriate frequency.

5.4. Conducting a practice exercise each year, or more frequently if appropriate, for the UTC-IRT to test and improve the DBIRP process. The Privacy Professional for each BU must ensure that the BU-IRT conducts at least one practice exercise every three years.

5.5. Reporting annually to the executive oversight committee, as set forth in Section 10 below.

6. Incident Response Team ("IRT")

To ensure the appropriate actions are considered in developing the response to an Incident, the IRT may need to include: Legal; Intellectual Property ("IP"); Information Technology ("IT"); Security; HR; Privacy; International Trade Compliance ("ITC"); Communications; Government Relations; and potentially an independent forensic investigator and/or a data breach resolution service provider.

6.1. UTC-level IRT or Business Unit-level IRT

If an Incident involves UTC Corporate Protected Information only (as opposed to Protected Information from one or more Business Units), then the response will be managed by an IRT at the UTC level ("UTC-IRT"). If the Incident involves multiple Business Units, or UTC Corporate Protected Information and Business Unit Protected Information, then the UTC-IRT will take the lead and the Business Unit-level IRT(s) ("BU-IRT") will assist. If the Incident involves only Business Unit Protected Information, then the BU-IRT will handle the response.

Each BU must set up an IRT to address any BU-specific Incidents. The BUs have flexibility to determine which function participates in the IRT, so long as: (1) Legal is always notified, except in cases of a lost or stolen portable storage device; and (2) Appendix B is used with appropriate follow-up for cases of a lost or stolen portable storage device.

For Business Unit Incidents involving Classified national security data, systems, or programs, the local Government Security Compliance manager and Information Systems Security Manager must take the lead in partnership with the appropriate Business Unit-level IRT team members as required.

6.2. IRT Lead

The function that will lead the IRT depends on the nature of the Incident. The lead must be identified in the order of precedence below, so that an Incident that might fall into multiple categories is led by the role identified for the first category in which it properly fits. If there is any question about leadership of the team, the UTC Assistant General Counsel responsible for cybersecurity and the UTC Assistant General Counsel, Data Privacy and Security will resolve the issue.

Order of precedence (Incident category: IRT lead):
1. Classified information, systems, or programs (all Classified information, systems and programs in all forms, media, and formats): Government Security Compliance Manager and Information Systems Security Manager
2. Lost or Stolen Electronic Storage Device: Lost/Stolen Device Investigator
3. Electronically-Stored Protected Information (compromise of electronically-stored Protected Information): IT Security
4. Protected Information stored in non-electronic forms, such as hard copy, paper, verbal conversations, etc.: Legal
5. Employee Data: HR
6. Any Other Personal Information: Privacy
7. All Other: Legal

6.3. Legal

Every IRT must involve someone from the Legal Department. The appropriate member of the Legal Department will be identified in the contact list referred to in Section 6.14 below. Legal must be involved to ensure that our actions comply with law, appropriately mitigate risks, and are consistent with the UTC Code of Ethics and corporate policy. Legal must involve Global Compliance if there is a suspicion that an employee or contractor acted maliciously, in other words, if an insider intentionally breached Protected Information. In all instances, the IRT must consult with Global Compliance prior to contacting law enforcement. If the Incident involves Classified Information or information controlled under a U.S. government contract, the UTC Associate General Counsel, Government Contracts (or designee) must be included on the IRT team. Where the Incident involves Personal Information, the Legal representative may be the Privacy Professional if that person is a member of the Legal Department.

6.4. Communications

Communications must be notified of each Event (a confirmed Event, not all Incidents). The Communications representative on the IRT will determine whether and to what extent participation by Communications is required. The Communications representative must consider whether, when, and how an urgent and/or informative message should be sent to employees. The Communications representative must also assess the risk of an Incident becoming public and the nature of the appropriate response. The Communications representative should provide input on communications with affected individuals, external entities, or government regulators.

6.5. Government Relations

When an Incident involves a federal or state government regulator, Government Relations must be involved. In all cases where a government regulator is notified, Government Relations must be informed.

6.6. HR

HR must be involved when the Personal Information of one or more employees is involved.

6.7. Intellectual Property

Intellectual Property must be involved when an Incident involves Proprietary Information.

6.8. IT

IT must be involved if there is an IT system or electronically-stored data involved in the Incident. If the Incident involves only hard copy data, then IT may not need to be involved. Only appropriately cleared or program-accessed IT personnel may be involved in Incidents impacting Classified IT systems or information.

6.9. ITC

For all Incidents, an ITC representative must determine whether there are any ITC implications. If there are ITC implications, then the ITC representative must enter the matter into the ITC instance of C360 and should continue to participate on the IRT as appropriate. If there are no ITC implications, then the ITC representative does not need to participate on the IRT.

6.10. Lost/Stolen Device Investigator

Each Business Unit must identify a person or team to serve as the Lost/Stolen Device Investigator and identify that person(s) on the Business Unit's Contact List, as discussed in Section 6.14 below. The Lost/Stolen Device Investigator is responsible for ensuring that the Lost/Stolen Device Questionnaire, contained in Appendix B, is completed, including any follow-up described in the Questionnaire.

6.11. Privacy

When Personal Information is involved, regardless of whose Personal Information, Privacy must be involved. For UTC, the Privacy function is represented by the Assistant General Counsel, Data Privacy and Security. For the Business Units, the Privacy function is represented by the Privacy Professional for the Business Unit.

6.12. Security

Security must be involved if there is an indication of theft or of a compromise of the physical integrity of any system or facility. The Corporate Facility Security Officer must be notified for any Incident involving Classified systems or information.

6.13. External Parties

Independent forensic investigator

An independent forensic investigator may be needed when there is an intrusion into our networks or facilities. The Legal Department must be consulted prior to engaging a forensic investigator to ensure preservation of privilege and compliance with applicable laws.

Data Breach Resolution Service Provider

If affected individuals will need to be notified, the IRT should consider whether an external data breach resolution service provider is needed. This analysis should depend on the number of individuals that must be notified and whether the IRT can identify internal resources to manage this process.

6.14. Contact List

Each Business Unit must create a contact list using the template contained in Appendix C or an equivalent format that identifies the name, title, e-mail, office or work telephone number, and mobile number for the person or persons that represent Legal, Communications, HR, Intellectual Property, IT, ITC, Lost/Stolen Device Investigator, Privacy Professional, and Security. The Business Unit must ensure that the person identified for the contact list has sufficient skill and authority to serve on the IRT for the Business Unit, including making appropriate determinations about

escalation to senior management. The Business Unit will send the complete list to the address identified in Section 2. The Business Unit must ensure that the contact list remains current and, at a minimum, provides an annual update by May 15 of each year even if no change has taken place.

7. Responding to an Incident

The following steps must be taken in the order in which they appear:
o Formation of the IRT
o Containment
o Triage
o Investigation
o Remediation
o Notification
o RRCA / Follow-Up

The required process for responding to an Incident involving Classified information, systems, and/or programs is set forth in a separate Exhibit.

7.1. Notification and Formation of the IRT

The team lead, as identified in Section 6.2 above, must notify and form the team using the contact list for the appropriate level IRT, either UTC, BU, or both. The contact lists shall be posted on privacy.utc.com. If a UTC-IRT and one or more BU-IRTs are required to respond to an Incident, the UTC-IRT lead is responsible for contacting the UTC-IRT members and the BU-IRT lead(s), who are responsible for notifying the BU-IRT members.

7.2. Containment

The IRT must ensure that appropriate action is taken to contain any impact while also permitting investigation of the case. To ensure that containment efforts are addressed with the appropriate speed, IT may address containment measures without consulting the full IRT. In doing so, however, IT must consult Global Compliance if there is a possibility of criminal activity, to balance containment with preservation of evidence.

7.3. Triage

The IRT should conduct a preliminary review of the Incident to understand the severity, set priorities, identify appropriate escalation, and determine the appropriate schedule for the response. If the Incident involves the loss or theft of a portable storage device, the appropriate response should be dictated through use of Appendix B (Questionnaire for Lost and Stolen Devices that Store Data).


More information

CBSA PRIVACY POLICY. Canadian Business Strategy Association Page 1

CBSA PRIVACY POLICY. Canadian Business Strategy Association Page 1 CBSA PRIVACY POLICY The CBSA Privacy Policy is a statement of principles and policies regarding the protection of personal information provided by the Canadian Business Strategy Association. The objective

More information

Project Number Application D-2 Page 1 of 8

Project Number Application D-2 Page 1 of 8 Page 1 of 8 Privacy Board The Johns Hopkins Medical Institutions Health System/School of Medicine/School of Nursing/Bloomberg School of Public Health 5801 Smith Avenue, Suite 235, Baltimore, MD 21209 410-735-6800,

More information

2017 Copyright The Sequoia Project. All rights reserved.

2017 Copyright The Sequoia Project. All rights reserved. Exhibit 1 Carequality Connection Terms As used herein, Organization refers to the Carequality Connection upon which these Carequality Connection Terms are binding and Sponsoring Implementer refers to the

More information

CHIPS Rules and Administrative Procedures Effective January 1, 2018

CHIPS Rules and Administrative Procedures Effective January 1, 2018 CHIPS Rules and Administrative Procedures Effective January 1, 2018 Copyright 2017 by The Clearing House Payments Company L.L.C. All rights reserved. RULES GOVERNING THE CLEARING HOUSE INTERBANK PAYMENTS

More information

Category: BOARD POLICY ADMINISTRATIVE PARAMETERS

Category: BOARD POLICY ADMINISTRATIVE PARAMETERS Category: BOARD POLICY ADMINISTRATIVE PARAMETERS Title: Theft, Fraud, Corruption, and Non-Compliant Activities Policy Reference Number: AB 630 1. POLICY OBJECTIVES Last Approved: February 22, 2017 Last

More information

Data Processing Agreement

Data Processing Agreement Data Processing Agreement This Data Processing Agreement with EU Standard Contractual Clauses (Processors), (the DPA ) supplements the Dropbox Business Agreement between Dropbox, Inc. and Dropbox International

More information

APPLICATION for: TechGuard Liability Insurance Claims Made Basis. Underwritten by Underwriters at Lloyd s, London

APPLICATION for: TechGuard Liability Insurance Claims Made Basis. Underwritten by Underwriters at Lloyd s, London APPLICATION for: TechGuard Liability Insurance Claims Made Basis. Underwritten by Underwriters at Lloyd s, London SECTION I. GENERAL INFORMATION 1. Name of Applicant: Physical Address: (as it should appear

More information

PO Terms for Ariba (Effective as of ).DOC

PO Terms for Ariba (Effective as of ).DOC TERMS AND CONDITIONS 1. GENERAL. The vendor/seller (the Company ) identified on the attached purchase order (the PO ) shall provide the purchaser identified on the PO ( Purchaser ) all products and/or

More information

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia

HIPAA in the Digital Age. Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia HIPAA in the Digital Age Anisa Kelley and Rachel Procopio Maryan Rawls Law Group Fairfax, Virginia Virginia MGMA reminds attendees that the program is not intended to provide legal advice and advises participants

More information

AonLine Service Agreement Effective July 19, By logging into AonLine, user agrees to these terms and conditions (T&C):

AonLine Service Agreement Effective July 19, By logging into AonLine, user agrees to these terms and conditions (T&C): AonLine Service Agreement Effective July 19, 2014 By logging into AonLine, user agrees to these terms and conditions (T&C): 1. Definitions. For purposes of this Agreement, the following definitions shall

More information

CODE OF CONDUCT AND ETHICS OF URBAN OUTFITTERS, INC.

CODE OF CONDUCT AND ETHICS OF URBAN OUTFITTERS, INC. CODE OF CONDUCT AND ETHICS OF URBAN OUTFITTERS, INC. 6395160. 12 Introduction This Code of Conduct and Ethics (the Code ) of Urban Outfitters, Inc. and its subsidiaries ( URBN ) provides an ethical and

More information

HIPAA BUSINESS ASSOCIATE AGREEMENT

HIPAA BUSINESS ASSOCIATE AGREEMENT HIPAA BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement ( Agreement ), is between Birch Family Services, Inc., a New York not-for-profit corporation ( Covered Entity ) and ( Business Associate

More information

Compliance with Laws (HR-685)

Compliance with Laws (HR-685) 1.0 PURPOSE: All directors, officers, employees, agents, suppliers, and contractors of Microchip Technology Incorporated and its subsidiaries (Microchip Technology Incorporated and its subsidiaries together,

More information

CHECKFREE CORPORATION CODE OF BUSINESS CONDUCT FOR DIRECTORS, OFFICERS AND ASSOCIATES

CHECKFREE CORPORATION CODE OF BUSINESS CONDUCT FOR DIRECTORS, OFFICERS AND ASSOCIATES CHECKFREE CORPORATION CODE OF BUSINESS CONDUCT FOR DIRECTORS, OFFICERS AND ASSOCIATES INTRODUCTION CheckFree Corporation operates its business in accordance with the highest ethical standards and relevant

More information

Policies, Procedures and Guidelines

Policies, Procedures and Guidelines Policies, Procedures and Guidelines Complete Policy Title: Privacy Governance and Accountability Framework Approved by: President Date of Original Approval(s): The purpose of this Responsible Executive:

More information

Cyber ERM Proposal Form

Cyber ERM Proposal Form Cyber ERM Proposal Form This document allows Chubb to gather the needed information to assess the risks related to the information systems of the prospective insured. Please note that completing this proposal

More information

DAWSON PUBLIC POWER DISTRICT 300 South Washington Street P. O. Box Lexington, Nebraska Tel. No.- 308/324/2386 Fax No.

DAWSON PUBLIC POWER DISTRICT 300 South Washington Street P. O. Box Lexington, Nebraska Tel. No.- 308/324/2386 Fax No. DAWSON PUBLIC POWER DISTRICT 300 South Washington Street P. O. Box 777 - Lexington, Nebraska - 68850 Tel. No.- 308/324/2386 Fax No.-308/324/2907 CUSTOMER POLICY IDENTITY THEFT PREVENTION I. OBJECTIVE Page

More information

UNITED OF OMAHA Contracting Checklist

UNITED OF OMAHA Contracting Checklist UNITED OF OMAHA Contracting Checklist Agent/Agency: Direct Upline: Agent #: Documents To Be Completed & Returned: Contract Information and Signature Form Fair Credit Reporting Act Disclosure Individual

More information

DATA COMPROMISE COVERAGE FORM

DATA COMPROMISE COVERAGE FORM DATA COMPROMISE DATA COMPROMISE COVERAGE FORM Various provisions in this policy restrict coverage. Read the entire policy carefully to determine rights, duties and what is and is not covered. Throughout

More information

Code of Ethics for Directors

Code of Ethics for Directors Code of Ethics for Directors 2 Table of Contents 1. Introduction... 3 1.1. Application... 3 1.2. Following these principles... 3 1.3. Other requirements... 3 1.4. Waivers... 3 1.5. Revisions... 3 1.6.

More information

Interpreters Associates Inc. Division of Intérpretes Brasil

Interpreters Associates Inc. Division of Intérpretes Brasil Interpreters Associates Inc. Division of Intérpretes Brasil Adherence to HIPAA Agreement Exhibit B INDEPENDENT CONTRACTOR PRIVACY AND SECURITY PROTECTIONS RECITALS The purpose of this Agreement is to enable

More information

Interim Date: July 21, 2015 Revised: July 1, 2015

Interim Date: July 21, 2015 Revised: July 1, 2015 HIPAA/HITECH Page 1 of 7 Effective Date: September 23, 2009 Interim Date: July 21, 2015 Revised: July 1, 2015 Approved by: James E. K. Hildreth, Ph.D., M.D. President and Chief Executive Officer Subject:

More information

DATA PROCESSING ADDENDUM

DATA PROCESSING ADDENDUM DATA PROCESSING ADDENDUM This Data Processing Addendum ( DPA ) forms part of the End User License and Services Agreement (the Agreement ) between Customer and Ivanti, to reflect the parties agreement about

More information

COMPLIANCE TRAINING 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T

COMPLIANCE TRAINING 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T COMPLIANCE TRAINING 2015 QUALITY MANAGEMENT COMPLIANCE DEPARTMENT 2015 C O M P L I A N C E P R O G R A M - F W A - H I P A A - C O D E O F C O N D U C T Compliance Program why? Ensure ongoing education

More information

City National Bank & Trust Mobile Check Deposit Agreement

City National Bank & Trust Mobile Check Deposit Agreement City National Bank & Trust Mobile Check Deposit Agreement This City National Bank & Trust Mobile Check Deposit Agreement ( Mobile Check Deposit Agreement or mrdc Agreement ) sets forth the terms and conditions

More information

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA)

Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) Business Associate Agreement Health Insurance Portability and Accountability Act (HIPAA) This Business Associate Agreement (the Agreement ) is made and entered into by and between Washington Dental Service

More information

Data Protection Agreement

Data Protection Agreement Data Protection Agreement This Data Protection Agreement (the DPA ) becomes effective on May 25, 2018. The Customer shall make available to GURTAM and the Customer authorizes GURTAM to process information

More information

INTERNATIONAL SOS. Data Protection Policy. Version 1.8

INTERNATIONAL SOS. Data Protection Policy. Version 1.8 INTERNATIONAL SOS Data Protection Policy Document Owner: LCIS Division Document Manager: Group General Counsel Effective: December 2008 2017 All copyright in these materials are reserved to AEA International

More information

Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS

Federal Reserve Banks Operating Circular No. 5 ELECTRONIC ACCESS Federal Reserve Banks ELECTRONIC ACCESS FEDERAL RESERVE BANKS OPERATING CIRCULAR NO. 5 ELECTRONIC ACCESS (Click CTRL + section or page number to go directly to the section) 1.0 GENERAL... 1 1.1 INTRODUCTION...1

More information

o The words "You" and "Your" mean a South Shore Bank Home Banking customer.

o The words You and Your mean a South Shore Bank Home Banking customer. South Shore Bank Home Banking Authorization/Agreement This Agreement for South Shore Bank Home Banking (the "Agreement") is entered into between the Bank and any customer who uses Home Banking (the "Service")

More information

Remote Deposit Capture Service Agreement

Remote Deposit Capture Service Agreement Remote Deposit Capture Service Agreement This Remote Deposit Capture Service Agreement (the Agreement ) is entered into as of, 20, by and between The Bank of Delmarva ( Bank ) and ( you ). Bank and you

More information

HIPAA The Health Insurance Portability and Accountability Act of 1996

HIPAA The Health Insurance Portability and Accountability Act of 1996 HIPAA The Health Insurance Portability and Accountability Act of 1996 Results Physiotherapy s policy regarding privacy and security of protected health information (PHI) is a reflection of our commitment

More information

EXCERPT. Do the Right Thing R1112 P1112

EXCERPT. Do the Right Thing R1112 P1112 MD A n d e r s o n s S t a n d a r d s O f C o n d u c t: EXCERPT Do the Right Thing R1112 P1112 Privacy and Confidentiality At MD Anderson, we are committed to safeguarding the privacy of our patients

More information

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP

ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP ACCESS TO ELECTRONIC HEALTH RECORDS AGREEMENT WITH THE DOCTORS CLINIC, PART OF FRANCISCAN MEDICAL GROUP and THIS AGREEMENT ( Agreement ) is made and entered into this day of, 20, by and between The Doctors

More information

Chesapeake Regional Information System for Our Patients, Inc. ( CRISP ) HIE Participation Agreement (HIE and Direct Service)

Chesapeake Regional Information System for Our Patients, Inc. ( CRISP ) HIE Participation Agreement (HIE and Direct Service) Chesapeake Regional Information System for Our Patients, Inc. ( CRISP ) HIE Participation Agreement (HIE and Direct Service) A. CRISP is a private Maryland non-stock membership corporation which is tax

More information

Financial Services Authority

Financial Services Authority Financial Services Authority FINAL NOTICE To: Of: Zurich Insurance Plc, UK branch The Zurich Centre 3000 Parkway Whiteley Fareham PO15 7JZ Date 19 August 2010 TAKE NOTICE: The Financial Services Authority

More information

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker

Safeguarding Your HIPAA and Personal Health Information Data. Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker Safeguarding Your HIPAA and Personal Health Information Data Robert Hess, Office of General Counsel Steve Cosentino, Stinson Morrison Hecker 1 Overview» Patient information confidentiality Grant requirements

More information

Data Processing Appendix

Data Processing Appendix Company Name* Execution Date *Company name indicated must conform to the name on customer s Master Subscription Agreement executed with SugarCRM. This Data Processing Appendix on the processing of personal

More information

U.S. Eagle Federal Credit Union Mobile Banking Agreement

U.S. Eagle Federal Credit Union Mobile Banking Agreement U.S. Eagle Federal Credit Union Mobile Banking Agreement Please read these Agreements carefully before accessing or using this service. By accessing or using the service, you agree to be bound by the terms

More information

CBOE GLOBAL MARKETS, INC. AND SUBSIDIARIES CODE OF BUSINESS CONDUCT AND ETHICS. Adopted October 27, 2017

CBOE GLOBAL MARKETS, INC. AND SUBSIDIARIES CODE OF BUSINESS CONDUCT AND ETHICS. Adopted October 27, 2017 CBOE GLOBAL MARKETS, INC. AND SUBSIDIARIES CODE OF BUSINESS CONDUCT AND ETHICS Adopted October 27, 2017 Purpose This Code of Business Conduct and Ethics (the Code ) has been adopted by the Board of Directors

More information

OLD DOMINION UNIVERSITY PCI SECURITY AWARENESS TRAINING OFFICE OF FINANCE

OLD DOMINION UNIVERSITY PCI SECURITY AWARENESS TRAINING OFFICE OF FINANCE OLD DOMINION UNIVERSITY PCI SECURITY AWARENESS TRAINING OFFICE OF FINANCE August 2017 WHO NEEDS PCI TRAINING? THE FOLLOWING TRAINING MODULE SHOULD BE COMPLETED BY ALL UNIVERSITY STAFF THAT: - PROCESS PAYMENTS

More information

Privacy and Security Standards

Privacy and Security Standards Contents Privacy and Security Standards... 3 Introduction... 3 Course Objectives... 3 Privacy vs. Security... 4 Definition of Personally Identifiable Information... 4 Agent and Broker Handling of Federal

More information

CREDIT CARD PROCESSING AND SECURITY

CREDIT CARD PROCESSING AND SECURITY CREDIT CARD PROCESSING AND SECURITY POLICY NUMBER: RESERVED FOR FUTURE USE RESPONSIBLE OFFICIAL TITLE: SENIOR VICE PRESIDENT FOR ADMINISTRATION AND FINANCE RESPONSIBLE OFFICE: ADMINISTRATION AND FINANCE

More information

Title CIHI Submission: 2014 Prescribed Entity Review

Title CIHI Submission: 2014 Prescribed Entity Review Title CIHI Submission: 2014 Prescribed Entity Review Our Vision Better data. Better decisions. Healthier Canadians. Our Mandate To lead the development and maintenance of comprehensive and integrated health

More information

HIPAA Compliance Guide

HIPAA Compliance Guide This document provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) compliance requirements. It covers the relevant legislation, required procedures, and ways that your

More information

EMPLOYEE PRIVACY STATEMENT

EMPLOYEE PRIVACY STATEMENT EMPLOYEE PRIVACY STATEMENT 1 INTRODUCTION This is SBM Offshore s Privacy Statement for employee data. This Privacy Statement provides information on the processing of personal data of the employees of

More information

Determining Whether You Are a Business Associate

Determining Whether You Are a Business Associate The HIPAApotamus in the Room: When Lawyers and Law Firms are Subject to HIPAA Enforcement, And How to Comply with the Law by Leslie R. Isaacman, J.D., M.B.A. The Omnibus Final Rule 1 of the Health Information

More information

Code of Ethics for Directors

Code of Ethics for Directors Code of Ethics for Directors Approved: March 2016 Effective: March 2016 Next Review: March 2019 Version: 6.0 (031716) CIBC FirstCaribbean Table of Contents 1 Introduction... 3 1.1. Application... 3 1.2.

More information

HIPAA COMPLIANCE PLAN FOR OHIO EYE ASSOCIATES, INC.

HIPAA COMPLIANCE PLAN FOR OHIO EYE ASSOCIATES, INC. HIPAA COMPLIANCE PLAN FOR OHIO EYE ASSOCIATES, INC. Adopted August 2016 PREPARED BY STACEY A. BOROWICZ, ESQ. DINSMORE & SHOHL LLP 614-227-4212 STACEY.BOROWICZ@DINSMORE.COM 10600677V1 75602.1 i OHIO EYE

More information

Business Merchant Capture Agreement. A. General Terms and Conditions

Business Merchant Capture Agreement. A. General Terms and Conditions Business Merchant Capture Agreement A. General Terms and Conditions Merchant Capture (MC), the Service, allows you to deposit checks to your LGE Business Account from remote locations by electronically

More information

Data Processing Addendum

Data Processing Addendum Data Processing Addendum This Data Processing Addendum ( DPA ) forms part of the Agreement(s) and is entered by and between the Customer and the Service Provider on the Effective Date. For the avoidance

More information

DATA PROCESSING AGREEMENT

DATA PROCESSING AGREEMENT DATA PROCESSING AGREEMENT This Data Processing Agreement ( DPA or Agreement ), entered into by the CPI customer identified on the applicable CPI services agreement for CPI services ( Customer ) and the

More information

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION

AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION THIS AGREEMENT FOR ACCESS TO PROTECTED HEALTH INFORMATION ( PHI ) ( Agreement ) is entered into between The Moses H. Cone Memorial Hospital Operating

More information

Record Management & Retention Policy

Record Management & Retention Policy POLICY TYPE: Corporate Divisional EFFECTIVE DATE: INITIAL APPROVAL DATE: NEXT REVIEW DATE: POLICY NUMBER: May 15, 2010 May - 2010 March 2015 REVISION APPROVAL DATE: 5/10, 3/11, 5/12, 9/13, 4/14, 11/14

More information

ADDENDUM #1 RFP# DBE/ACDBE Consultant January 19, 2015

ADDENDUM #1 RFP# DBE/ACDBE Consultant January 19, 2015 ADDENDUM #1 RFP# 2016-01-001 DBE/ACDBE Consultant January 19, 2015 1. Does the RFP apply to Right of Way Consultant Firms? No 2. What is the expected level of effort required to address the supplemental

More information

United Security Bank Online Banking Agreement

United Security Bank Online Banking Agreement United Security Bank Online Banking Agreement APPLICATION FOR ONLINE ACCESS AGREEMENT By clicking on "I Agree", you are agreeing to the "Terms and Conditions" that govern your use of the online banking

More information

AUDIT AND FINANCE COMMITTEE Wednesday, June 17, 2009

AUDIT AND FINANCE COMMITTEE Wednesday, June 17, 2009 Item: AF: A-1 AUDIT AND FINANCE COMMITTEE Wednesday, June 17, 2009 SUBJECT: REQUEST FOR APPROVAL OF FLORIDA ATLANTIC UNIVERSITY S IDENTITY THEFT PREVENTION PROGRAM. PROPOSED COMMITTEE ACTION Recommend

More information

SureRent 2020 Private Landlord Tenant Screening Application Package

SureRent 2020 Private Landlord Tenant Screening Application Package Page 1 of 9 SureRent 2020 Private Landlord Tenant Screening Application Package Welcome to Alliance 2020. Your membership packet includes several forms that you must complete before service can be started,

More information