Data Privacy and Security

LS&Co. is deeply committed to the relationship and trust we have with consumers, and we take our data protection and privacy responsibilities seriously. Our privacy program is based on a documented global privacy framework with implementation led by our Chief Privacy Officer, under the direction of our Executive Vice President and General Counsel. The Chief Privacy Officer works in partnership with other leaders, including our Chief Information Security Officer. The global breadth of our privacy program is supported by a network of privacy champions embedded in the business.

As of July 2022, more than 150 countries have enacted at least one unique privacy and/or data protection law. By basing the core elements of our program on the Fair Information Processing Principles, LS&Co. can more easily respond and adjust to rapid legislative changes around the world. We monitor changing legal requirements and engage numerous external resources and experts to help us appropriately respond to data protection laws and regulations in the jurisdictions where we operate.

Data Protection

Our commitment to data protection has visibility at the most senior levels of the organization and forms part of the unique LS&Co. culture. Regular data privacy and data security updates are given by our Chief Privacy Officer and Chief Information Security Officer to the executive leadership team, the LS&Co. Enterprise Risk Committee and the Audit Committee. We provide mandatory annual information security training for all employees, applicable data privacy training, along with supplementary training on topics such as phishing and social media risk.

LS&Co.’s Privacy Policy (available on all our websites) describes how we use consumers’ personal information collected when consumers interact with us in our stores, through customer service, on our retail websites, through our mobile app or on our corporate website (levistrauss.com). The LS&Co. Privacy Policy describes in detail the types of information we collect and, in line with the Fair Information Practice Principles, how we limit information collection to that which is reasonable and necessary to achieve the intended purpose for collection. This includes, as examples, information for processing consumer orders, advertising and marketing, improving consumer experience and offering our loyalty program. If there is a need to use personal information for purposes beyond the scope of that previously disclosed to consumers, we provide additional notice or seek consumer consent where required by applicable laws.

LS&Co. does not sell consumer personal information to third parties for their independent business use. We allow individuals the opportunity to participate in how their personal information is used and offer ways for them to exercise choices, including how to change or correct personal information and how to opt out of or unsubscribe from marketing emails and mailings. We provide consumers with opportunities to join our RedTab™ member program and subscribe to communications, and they are free to opt out at any time.

A process is in place to update the LS&Co. consumer Privacy Policy annually. We also maintain an Employee Privacy Notice that details how LS&Co. processes the personal information of its employee base, and a Candidate Privacy Notice that provides information about LS&Co.’s privacy practices for job applicants. The privacy program is managed through a series of internal documented policies and procedures that reflect the organization’s commitment to and respect for individuals’ personal information.

Data Security

We apply and leverage a variety of approaches to protect company, employee, applicant and consumer data from risk, including risks of unauthorized disclosure, loss or misuse. These approaches include vendor security assessments; privacy impact assessments; legislative monitoring; cyber threat assessments; reviewing industry threat analysis; and benchmarking. LS&Co. maintains standard data processing agreements and security templates for use in our contract processes that are developed in line with our data use, privacy and security requirements. Technical security solutions, including but not limited to identity and access management, infrastructure, platform and endpoints solutions are deployed across the technology infrastructure to address identified cyber risks and protect against theft of sensitive data and/or information.

LS&Co. continuously monitors for privacy and security incidents, which include incidents of unauthorized use or access to personal information or other confidential information under our control. When an incident is detected or reported, a response team engages to contain, investigate, and respond, including assessing any applicable data breach notification and reporting obligations. Further, internal risk assessments are completed on an annual schedule. Additional risk analysis may be performed to address any potential threat scenario. External risk assessments are performed for certain third parties where the relationship meets the criteria of an assessment.

Proactive identification of cyber risks, along with significant investments in technology and vendor relationships, help address key risk areas and allow focus on risk quantification and reporting. This approach positions us to identify potential threats and invest in tools and resources to mitigate them. We will continue conducting annual reviews of our cybersecurity policies, which reflect our intentions and standards and provide us with guidance for protecting data security.

Our cyber awareness program aims to educate all employees of LS&Co. on current cyber threats and solicits their participation in the collective defense of the company’s assets. The scope includes employees and contractors. We treat our employees as front-line defenders and support them in building the skills and habits to protect LS&Co.’s information assets through frequent, targeted and short trainings on topics such as phishing and data protection.

We actively participate in the data privacy and security initiatives of multiple industry associations and organizations, such as the International Association of Privacy Professionals, the Retail Industry Leaders Association (RILA), the National Retail Federation (NRF) and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC). Together, these consortiums help LS&Co. in its commitment to meet applicable legal requirements and to protect data and systems.

LS&Co. continues to invest strategically in information security, with investments across operational capacity as well as innovative technology, process and/or service capabilities. These critical investments support our focus on business and technology transformation, as well as support the handling of consumer personally identifiable information.

Intellectual Property Management

Our Chief Counsel, Global Intellectual Property, Brands and Marketing for LS&Co., and other specialists on our Legal team oversee our intellectual property. This includes all LS&Co.-owned property, whether publicly available on the LS&Co. family of websites or other public domains; our trademarks and patents; and proprietary and confidential information we use internally. We have a network of brand protection specialists who seek out counterfeit production sources and distribution channels, working to stop counterfeits from reaching the market.

The LS&Co. Terms and Conditions of Use apply to all online visitors of our websites; our supplier contracts stipulate the intellectual property protection requirements for LS&Co. vendors; and the Worldwide Code of Business Conduct specifies the intellectual property expectations of our employees to protect LS&Co.’s digital, financial and physical assets, intellectual property and confidential information.