Information security and privacy are very important to TJX. We have many protocols in place that are designed to help protect the security of our customers’ personal information. The Privacy statements on our retail brand websites describe our practices pertaining to the personal information we collect about our customers.

For many years, we have maintained an Information Management Program, led by our Chief Risk and Compliance Officer (CRO). This program is overseen by TJX’s Information Management Steering Committee, which meets regularly and includes a number of senior leaders, including the Data Protection Officer, Chief Information Security Officer (CISO), and Director of Internal Audit. This Committee is responsible for developing and overseeing strategies to help TJX’s Information Management Program enhance the overall privacy, information security, and records management posture of TJX. Our CCO and CISO regularly report to the Audit Committee of our Board of Directors.

Our Information Management Program incorporates several components, including:

Privacy: Our privacy statements address the types of personal information we collect from customers, how we may use that information, with whom we share that information, how we protect that information, and how individuals can exercise their rights with regard to personal information. We don’t generate revenue by selling personal information.

Information Security: While the cybersecurity threat landscape is constantly evolving, we utilize a variety of strategies and techniques designed to reduce the risk of unauthorized access to the personal information we collect from customers. This approach includes encrypting certain types of personal information and controlling access to TJX facility systems, among other threat- and risk-based safeguards.

Records Management: Our records management program consists of policies, guidelines, and practices designed to promote both the retention of company records to meet legal and business requirements and the timely deletion of records and other documents, with particular emphasis on minimizing the retention of personal information where appropriate.

In addition to these components, we perform selected audits and make training available to appropriate TJX Associates.

Audits: Our Internal Audit team performs audits that address compliance with TJX information security policies and, along with other teams, reviews certain third-party service providers with respect to their security practices concerning personal information.

Associate Training: Privacy and Information Security training is made available to appropriate TJX Associates and is tailored to their job functions. This training is often supplemented with other education, communications, and an internal Information Management website, all designed to help our Associates understand our expectations in this important area.