programs, and reports to our Chief Legal Officer. Our Board of Directors maintains oversight of our cybersecurity and data privacy programs via the Audit Committee with at least two scheduled updates per year on the topic and an annual review by the full Board. We operate our own security operations center (SOC) that employs a defense-in-depth strategy to provide layers of safeguards. We apply a hybrid security framework model based on the NIST, ISO 27001 and COBIT frameworks. We conduct ongoing risk assessments, as well as both internal and external penetration testing on a quarterly basis. We undergo regular information technology and security audits by both internal audit and our independent public accounting firm. Additionally, we have regular audits from our financial institution business partners, independent auditor/public accounting firm, internal auditors and regulators. We also have established data security breach preparedness and response plans. We have implemented two-factor authentication protocols for network access and installed firewalls and anti-virus/anti-malware software, as well as software for visibility into network data and an administrative rights tool. We promote security awareness with our colleagues by requiring all colleagues to review and sign off on our information security policy. Additionally, all colleagues and contractors with access to Macy’s, Inc.’s systems must complete data security and privacy training on an annual basis, as well as participate in quarterly phishing simulations.

Data Privacy

Through our sales, marketing activities and use of third-party information, Macy’s collects and may retain certain public and non-public personal information that customers provide to us. This collection is done consistent with California Consumer Privacy Act (CCPA) requirements. We inform customers about how we will use their data and limit our use to those purposes.

We work with our key third-party vendor partners to ensure they use secure and compliant systems. We include data-security language in our supplier contracts and appropriately restrict where vendors have access to customer information. Those vendors are also put through a risk-assessment process. For non-personal information, we also include confidentiality language in our written contracts in order to safeguard company data shared with third parties. We share customer data internally, on our platforms, with our service providers, with our business partners, with third parties for marketing purposes, with any successors to all or part of our business and to comply with law or to protect ourselves. We sell the following categories of customer data: identifiers, payment information, event information, demographic information, device information, location information, commercial information, and Internet or other network activity information.

Sustainability Report 2020
