PENSKE AUTOMOTIVE / 2021 ESG REPORT 27 the California Consumer Privacy Act (CCPA) which allows similar rights for our California customers. Data Security We are committed to maintaining data security awareness for all team members in light of increasing third-party cyberattacks and the threat of ransomware. Starting with on-boarding, we introduce information security and security awareness as part of every employee’s job and reinforce this through training on topics such as phishing, physical security, protecting sensitive information, among others. This initial training is reinforced with monthly and quarterly communications and follow-up training. In addition to training, we: • Audit our data security continually through simulated attacks on our digital infrastructure • Review incidents with senior management and/or our Board of Directors at least annually • Assure we update our infrastructure to provide the most current data protection technologies Human Trafficking Our businesses have a zero-tolerance approach with respect to slavery and human trafficking in our operations. We support the California Transparency in Supply Chains Act of 2010 and the United Kingdom’s Modern Slavery Act of 2015 and their intent to prevent and eliminate slavery and human trafficking from global supply chains by increasing transparency. For additional information, please refer to our Human Trafficking Policy . We promote a culture of uncompromising ethics and integrity in all that we do, including corporate governance, oversight, accountability, and transparency.