Information security, cybersecurity and data privacy

Securing our systems, networks, information about our business and information we have about our guests, team members, vendors and other third parties is important to us. When handling personal information, we follow laws, policies and processes that help us collect, use and share the information appropriately while still allowing us to serve our guests and run our business operations.

Management and oversight

While every Target team member plays a part in information security, cybersecurity and data privacy, oversight responsibility is shared by the Board of Directors, its committees and management. Management provides regular updates to the Board and/or Audit & Risk Committee on these topics throughout the year. In addition, at least annually, the Chief Information Security Officer provides an information security program review and the Chief Compliance Officer (CCO) provides a privacy program update to the Audit & Risk Committee.

Responsible party | Oversight area
Board | Oversight of information security, cybersecurity and data privacy within Target’s overall risks.
Audit & Risk Committee | Primary oversight responsibility for information security, cybersecurity and data privacy, including internal controls designed to mitigate risks related to these topics.
Management | Our Chief Information Officer, Chief Legal & Risk Officer, Chief Information Security Officer, CCO and senior members of our cybersecurity, compliance and ethics teams are responsible for identifying and managing risks related to these topics, and reporting to the Audit & Risk Committee and/or the full Board.

Information security and cybersecurity

Our cybersecurity team is responsible for designing and implementing Target’s information security and cybersecurity program, including governance, policy, risk assessment, monitoring and training. We use a combination of industry-leading tools and in-house technologies to protect Target and our guests, operate a proactive threat intelligence program to identify and assess risk, and run a Cyber Fusion Center to investigate and respond to threats in real time. Our cyber threat intelligence team works to understand evolving threats and industry trends, and our vendor security team monitors and assesses risk with our suppliers. We also offer ongoing practice and education for team members to recognize and report suspicious activity.

We invest in building and developing cybersecurity talent and engineering expertise in-house, and offer educational courses through our Cyber Plus Institute, a security training curriculum leveraging internal expertise as well as curated resources. We also engage with leading security and technology vendors to evaluate our information security and cybersecurity program and test our technical capabilities.

To date, our team has more than 20 patents, with more pending, and we actively share, and contribute to, open source solutions. One solution, Merry Maker — designed to protect Target.com from “digital skimming” [61] — has been open sourced to help other cybersecurity teams develop their own defense systems.

We also seek to be a leader in cybersecurity and have been recognized for our commitment to cross-industry information sharing and collaboration with organizations. Target leaders serve on the boards of the Retail & Hospitality Information Sharing and Analysis Center, the Financial Services Information Sharing Analysis Center, the Aspen Cybersecurity Group and the Payment Card Industry Security Standards Council Board of Advisors.

To complement our DE&I strategy, we partner with organizations — including the Executive Women’s Forum, Women in CyberSecurity and Cyversity — to strengthen support networks for team members and build a more diverse talent pipeline.

Data privacy

Our privacy compliance team is responsible for designing and implementing Target’s privacy program, including governance, policy, risk assessment, monitoring and training. The team identifies and manages privacy risks, elevating them to our CCO and Chief Legal & Risk Officer. The team’s work to design privacy controls into operations is supported with continual learning and professional certification opportunities, including Certified Information Privacy Professional designations.

Our retail Privacy Policy details how we collect, use and share guest personal information. It also informs guests of their options for limiting marketing or other uses of their data. In addition, the policy expressly states that Target does not knowingly collect personal information online from children aged under 13.

Everyone at Target who works with personal information must comply with our internal Privacy Compliance Policy. Team members receive annual training to understand the requirements around collecting, using and sharing personal information. Third parties that handle personal information must also follow applicable laws, regulations and contractual obligations.

We conduct external cross-industry benchmarking to understand privacy best practices and industry trends and actively contribute to the Retail Industry Leaders Association’s Privacy Leaders Council and the National Retail Federation’s Privacy Working Group.

[61] Malicious code covertly inserted into websites to steal credit card information.

2022 Target ESG Report