2021 CORPORATE RESPONSIBILITY REPORT | 69

At Quest, we know that the strength and resilience of our cybersecurity and data privacy oversight and preparedness are critical in maintaining the trust of our customers, partners, employees, shareholders, and other stakeholders.

Governance practices

We have robust governance practices with respect to cybersecurity and data privacy. Our Board of Directors oversees and is regularly engaged in our cybersecurity and data privacy efforts. The Board’s Cybersecurity Committee, which consists solely of independent directors, oversees the company’s cybersecurity policies, plans, programs, practices, and risks related to cybersecurity and data security. The Board’s Audit and Finance Committee, which is responsible for overseeing our enterprise risk management program, receives updates regarding cybersecurity at least annually. The Board’s Quality and Compliance Committee oversees and receives regular updates on data privacy.

Management is responsible for cybersecurity, data privacy, and related risks, including through committees consisting of senior officers of the company (e.g., our Senior Vice President and Chief Information and Digital Officer; our Vice President, Chief Information Security Officer; our Senior Vice President, General Counsel; and our Senior Vice President, Compliance). The Board regularly receives briefings and updates on cybersecurity, data privacy, and related risks from each of the responsible committees and management.

Data privacy and security

Quest maintains comprehensive controls and oversight related to data privacy and security laws and regulations as well as our contractual obligations. As a company operating in a highly regulated industry, we are subject to extensive data privacy and security laws and regulations, including, but not limited to, the Health Insurance Portability and Accountability Act (HIPAA), various state privacy laws, and the General Data Protection Regulation (GDPR). In addition, as many of our customers are heavily regulated, we are subject to numerous contractual requirements relating to cybersecurity and data privacy. We meet our breach reporting and notification obligations by notifying affected individuals, regulatory authorities, and other entities as required by law.

Management is responsible for compliance with these laws, regulations, and requirements and regularly evaluates the information technology (IT) security and data privacy programs. As discussed above, the Board provides oversight. Data security incidents are reflected in our financial statements in accordance with accounting standards.

Quest maintains a comprehensive, enterprise-wide cybersecurity program and an extensive data privacy program, both of which are designed to secure our facilities and information systems as well as protect data throughout its lifecycle.

Examples

• Our HIPAA Notice of Privacy Practices, Privacy Notice, and Cookie Notice, all available on our website, include information about our data use, data disclosure, and privacy practices.

Cybersecurity and data privacy are high-level priorities

“All employees have a duty to report potential or suspected violations of company policy or the law, including those involving data privacy, and we provide confidential channels to do so. This is how we safeguard our integrity and support a culture of trust and accountability.”

Gabrielle Wolfson
Senior Vice President and Chief Information and Digital Officer
Quest Diagnostics Corporate Responsibility Report