Cybersecurity & Privacy

Monitoring & Mitigating Risks

SASB: CG-MR-230a.1

As a global retailer, we are mindful of the ongoing risks to our IT systems and operations from various sources and have implemented processes to monitor and mitigate these risks.

We maintain an Information Management Program that is overseen by TJX’s Information Management Steering Committee (“IMSC”), which is a cross-functional group of senior leaders from areas such as IT, Cybersecurity, Risk and Compliance, Privacy, Legal, and Internal Audit. The IMSC meets regularly and is responsible for developing and updating policies to support TJX’s Information Management Program and enhance the overall privacy, cybersecurity, and records management posture of TJX.

Our Information Management Program incorporates several components, including:

Privacy

Our privacy statements address the types of personal information we collect from customers, how we may use that information, with whom we may share that information, how we protect that information, and how individuals can exercise their rights with regard to personal information. We don’t generate revenue by selling personal information. The privacy statements on our retail brand websites describe our practices pertaining to the personal information we collect about our customers.

Cybersecurity

Our cybersecurity program is designed to identify, assess, and manage material risks from cybersecurity threats, and cybersecurity risk is integrated into our broader enterprise risk management program. Our cybersecurity program is overseen by our Chief Information Security Officer (CISO), who reports to our Chief Information Officer. Our CISO is informed about and monitors the prevention, detection, and mitigation of cybersecurity threats through his management of, and participation in, TJX’s cybersecurity risk management and strategy program.

We use a variety of strategies and techniques designed to identify cybersecurity risks and reduce the risk of unauthorized access to our organization’s confidential information (including customer, vendor, and Associate data) and critical business systems. This approach includes various assessment activities, encryption of certain types of information, and certain controls governing access to TJX facilities and systems, among other threat- and risk-based safeguards. The scope and level of our risk-based initiatives in these areas varies across functions and across the business.

Our Security Operations Center provides threat detection and incident response capabilities. We also have an incident response plan which describes roles and responsibilities for internal stakeholders in responding to and escalating potential cybersecurity incidents. We periodically test this plan through tabletop exercises with relevant stakeholders across various functions of our business, including members of senior management.

Records Management

Our records management program consists of policies, guidelines, and practices designed to promote both the retention of company records to meet legal and business requirements and the timely deletion of records and other documents, with particular emphasis on minimizing the retention of personal information where appropriate.

In addition to these components, we perform selected audits and make training available to appropriate TJX Associates.

Audits

Our Internal Audit team performs audits that address compliance with TJX cybersecurity policies and, along with other teams, reviews certain third-party service providers with respect to their security practices.

Associate Training

Privacy and cybersecurity training is made available to appropriate TJX Associates and is tailored to their job functions. This training is supplemented with an internal Information Management website, educational materials, and Associate engagement efforts, all designed to help our Associates understand our expectations in this important area.

Updated October 2024