Foot Locker Impact Report

Data Security

We are committed to implementing measures designed to keep our customers’ and team members’ data safe and secure, and have multiple systems in place to help ensure that customers’ and team members’ data and privacy are protected. Our data security program is aligned to ISO/IEC 27000 (the Information Security Management Systems family of standards) and leverages best practices from other frameworks, such as those of the National Institute of Standards and Technology (NIST).

In FY21, we employed the services of ReliaQuest to improve our security posture using advanced correlation techniques, machine learning, and automated attack simulations. Their services allow us to continuously validate our cybersecurity controls, identify potential gaps, and prioritize remediations based on business risk. ReliaQuest is able to correlate various activities to help identify any irregular events that may need to be blocked or further investigated.

We take cybersecurity very seriously, and our approach consists of closer alignment to well-known and established cybersecurity frameworks. We use, and continue to improve, a cyber defense-in-depth strategy that applies multiple layers of security for holistic protection.

Annual cybersecurity training is mandatory for both corporate and field team members, based on job function. In FY21, 100% of corporate team members and 96% of field team members (the shortfall being due to turnover) completed this training. Additionally, we evaluate our vendors through our Vendor Technical Questionnaire to help ensure that they can meet our technical and security guidelines, and we require certain protective clauses in our vendor agreements, as appropriate. We routinely test our systems and disaster recovery processes to check for anomalies, reduce false positives, and help ensure an efficient reaction to potential vulnerabilities.

Cybersecurity

To mitigate certain technology risks, including failures, security breaches, and cybersecurity risks that could harm our business, damage our reputation, and increase our costs, our cybersecurity program includes the following elements:
• Technology – We employ a layered “defense, detect, and respond” strategy.
• Benchmarking and External Engagement – We benchmark our security practices against other organizations and are active in the information security community.
• Third-Party Assessments – We engage a range of outside experts to regularly assess our organizational security programs, processes, and capabilities.
• Internal Assessments – We regularly test and improve our information systems through security risk and compliance reviews, user access campaigns, and other strategies.

To actively monitor this changing landscape, our Chief Information Security Officer and outside experts on cybersecurity risk and cyber risk oversight provide regular briefings to the Audit Committee.

Privacy

Over the past few years, customer data privacy has continued to gain importance as our customers share an increasing amount of their personal information with us online and in our stores.

In FY21, we formed a Data Governance function, and in FY22, we created a Chief Privacy Officer role. This team employs a variety of tools and strategies to help track and secure data within the organization and with third parties. By improving our understanding of where data is stored and who accesses it, we can minimize risk. We are finalizing a refresh of role-based access across our organization to increase automation, allow our professionals to access the data they need to perform their jobs, and adapt that access as their roles change.

We have also made strides in process improvement and due diligence. When working with third parties, we have processes in place to help identify whether personal data will be processed by those third parties. If it is identified that a third party processes personal data, our privacy and legal professionals help ensure that appropriate data processing agreements are put in place and, when appropriate, that data privacy impact assessments are conducted to identify potential privacy risks and risk mitigation strategies. Such mitigation strategies may include data minimization measures, masking personal data, reducing retention periods, and other measures that help reduce risk to customers.

Our Privacy Policies and Statements are available on the direct-to-consumer websites of our various banners around the world. They govern our treatment of customer data, outlining the types of personal information we collect, how we use and share that information, and the measures we take to protect its security. Multiple points of contact are provided through which customers may initiate inquiries and raise concerns with us regarding our collection, sharing, and use of their personal data.

Our privacy policies and practices in the European Union were updated in FY18 in response to the GDPR requirements. Similarly, our privacy statements and practices in the United States were updated in response to the CCPA in FY19. As legislation continues to change, we remain dedicated to revising our policies to align with legislative developments.