any concerns to managers, our Human Resources team and our anonymous Team Member Hotline. To help foster an ethical workplace and drive a strong sense of organizational fairness for our team members, we have a strict non- retaliation policy, and we investigate all good faith concerns fairly, objectively and expeditiously. To drive quality and consistency in our internal investigations, we created an Investigators’ Toolkit that includes training, templates, resources and an Escalations and Internal Investigations Policy. APPROACH TO CYBER SECURITY AND DATA PRIVACY We believe that the integrity of our technological infrastructure and our ability to mitigate threats to systems that power our operations and from vulnerabilities of third parties with whom we do business is a source of significant value to our business. As part of our strategic transformation, we continue to enhance enterprise-wide cyber security and data management practices. We evaluate the maturity and ongoing enhancements of our work using the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1. Our security operations function provides 24/7 monitoring across all information assets, which include our privately hosted data centers, cloud-hosted services, all internet- facing resources, distribution centers and all corporate-hosted desktops and laptops. We take a cross-banner approach to identify vulnerabilities in information systems that pose a data security risk that leverages both technological tools and operational procedures. We also comprehensively train our team members at least annually using a variety of methods to increase security awareness enterprise wide. In addition, we highly value the data and privacy of our team members, customers, our business and those with whom we do business. We adhere to fair information principles and address data privacy risks through the leadership of a cross-functional Data Privacy team comprising leaders in information security, information technology and legal/compliance. We continually improve our data privacy management in support of our business initiatives and seek to embed privacy into the design of our systems and business processes.

The Audit Committee of our Board oversees and regularly receives updates regarding cyber security and data privacy matters. THIRD PARTIES We expect those with whom we do business to adhere to our standards for responsible and ethical business practices. While historically our Code of Ethics and Business Conduct and Human Rights Policy have applied to third parties, in 2021, we created a Supplier Code of Conduct that sets out the expectations we have for our suppliers in many areas, including human rights, bribery and corruption, conflicts of interest, information security, trade compliance and reporting concerns. We maintain programs designed to identify, evaluate and address potential human rights and environmental issues with our Direct Import suppliers. We maintain policies that govern our selection of third parties with whom we do business to help us assess the alignment of those parties to our standards for ethical and compliant behavior and help us mitigate the risks of working with third parties. In addition to screening processes to new international and private label suppliers, we conduct regular audits of existing suppliers to identify and evaluate environmental practices, labor practices, working conditions and records on human rights matters.







Made with FlippingBook - professional solution for displaying marketing and sales documents online