Data Security Policy


This policy requires employees and independent contractors of Charles River Associates (“CRA”) to secure non-public information, whether provided by a client or a CRA employee or created by CRA. The primary purpose of this policy is to educate CRA employees and independent contractors about the importance of securing personally identifying information (from clients or provided by CRA employees themselves) (referred to as “PII”) and other client- and project-specific non-public information. Questions about the proper handling of information should be addressed to your project Manager or OIC or Practice Head or .

Types of Confidential Information

All information in the care of CRA is categorized into three main classifications:

  • Confidential;
  • Client Restricted; and
  • Personally Identifying Information (PII)

“Confidential” information means all non-public information provided to CRA from clients or created by CRA for its own internal use and/or distribution.

“Client Restricted” information means Confidential information for which CRA has been requested (either orally or by written request) to implement specified handling instructions, for example instructions for disposing of information, reporting loss of information, and standards for encrypting or securing and/or transmitting information.

“Personally Identifying Information (PII)” is information that includes a person’s first name and last name or first initial and last name in combination with any of the following: Social Security number, or driver’s license number or state-issued ID card number, or financial account number or credit or debit card number. Further, any files containing personal health information or Social Security numbers are to be considered PII.

Policy Overview

  • Confidential:
    Confidential information should always be secured and never discussed or disclosed unless on a need to know basis (i.e. project team members). All recipients of confidential information must sign and agree to comply with the CRA confidentiality agreement, and other CRA policies governing confidential treatment of information. This is the standard default practice for all information provided to or created by CRA.

  • Client Restricted:
    Client Restricted information should be handled in the same manner as Confidential information, except that any special handling instructions provided by the client should be immediately provided to CRA staff familiar with implementing such instructions by emailing  You must confirm with that CRA can in fact comply with the requested instructions before you agree to any such terms and/or sign any agreements binding CRA to implement such terms. In some cases CRA Legal and CRA Internal Audit will need to become involved in confirming compliance and implementation.

  • Personally Identifying Information

  • Non Client PII:
    If you work with or come into possession of Non Client PII, please inform who will work with you to confirm that all steps are taken to secure the information. This may include training and verification of compliance from time to time. Some general rules governing Non Client PII include ensuring electronic data is always encrypted when transferred to or from non CRA systems (for example using CRA’s Accellion Webtransfer system) and when backed up, ensuring hardcopy documents are always secured, ensuring access is only provided to authorized personnel on a need to know basis (for example, password protect files whenever possible), and refraining from duplicating the information unless such files comply with these provisions. Also, only use CRA issued equipment when working with or accessing PII.

  • Client and Project Based PII:
    If your client engagement may include PII, then you should follow three steps. First, you must inform of the retention. This notification will place your matter into a special class where steps will be taken to ensure that the information is properly handled and secured and that the project team is trained on handling instructions. Second, if the prospective retention results in a Project Number Request (PNR), you must classify the matter as PII in the identified “drop down” box in the PNR application. If more than one classification of data is expected to be obtained and any of that data contains PII, then the PII classification should be selected. Finally, you will likely be trained by a member of the PII Secure team who will verify your compliance with the then current PII handling instructions. All requirements stated above regarding Non Client PII data pertain to client and project based PII data.

Incident Response

If you become aware that any Client Confidential, Client Restricted or PII could be or was tampered with, stolen, lost, improperly disclosed, improperly secured, transmitted or copied, or of any similar threat or breach to the policy requirements set forth above, you must immediately notify and report the incident to your local IT personnel and CRA’s IT Security Officer. If a local IT support staff member is unavailable, individuals should call the IT Global Support number (North America 617-425-3600; EME +44(0)20.7664.3600), in all cases must be notified.

Non Compliance

Any employee or independent contractor found to have violated this policy may be subject to disciplinary action, up to and including termination of employment or of the relationship with CRA. CRA may amend and/or modify this policy at any time in its discretion. You are responsible for complying with such amended policy.

Review Date 4/12/18