SASB: CG-MR-230a.1, CG-EC-220a.2
G | Published: March 17, 2023
We seek to build and maintain the trust of customers, associates and communities with respect to our use of technology and data, in line with our values of service, excellence, integrity, and respect for the individual.
Relevance to Our Business & Society
Walmart seeks to make trust a competitive advantage. As our customer proposition has evolved beyond stores and clubs to become a more digital, omni-channel offering that blends online and in-store experiences, our approach to data and technology has become central to building trust.
Today, almost every aspect of Walmart’s business relies on the use of technology and data, including business-sensitive and proprietary data as well as personal data from our customers. Our customers trust us to use their data to help provide them with relevant and exciting products, services, shopping experiences, and innovative ways to help them save money and live better. Walmart believes that our commitment to the ethical use of data and responsible use of technology helps build customer trust in our brand and products and mitigate the risks of improper data and technology practices, as well as maintain alignment with governments’ movements to regulate companies’ conduct in the digital space.
While technology will continue to change how we operate, it does not change our values.
Walmart’s Digital Trust Commitments provide a foundation for the company to earn and maintain customer trust in an omni-channel, data- and technology-driven world.
Walmart’s Digital Trust Commitments
Our use of technology and data will be in service of people.
We strive for excellence in our technology, making it simple, convenient and secure.
We will use data responsibly and transparently and always with integrity.
Our data practices and technology will treat people fairly, with dignity and respect.
We put these commitments into practice through four areas of focus:
- Promoting fairness. Through the guidance of Walmart’s Digital Citizenship team, shaping decisions regarding new technologies, services, and data use to align with Walmart’s Digital Trust Commitments.
- Protecting privacy. Maintaining policies and controls regarding the use and sharing of customer and associate information to build trust and protect confidentiality while providing excellent customer services and experiences.
- Data, records, and information management. Supporting safe and appropriate data and technology use through policies and procedures, associate training, and monitoring and assessment.
- Cybersecurity and information security. Protecting our information and digital infrastructure from cyber intrusions through adherence to industry standards, incident reporting policies and escalation practices, vulnerability testing, and continuous improvement.
Key Strategies & Progress
Promoting Fairness | Protecting Privacy | Data, Records, & Information Management | Cybersecurity
Walmart’s Digital Citizenship team helps the company live up to our Digital Trust Commitments as the company develops and implements emerging technologies, new services, and innovative ways to use data. The team includes business, compliance and legal associates with expertise in digital values, emerging technology, privacy, data, records, information management, and cybersecurity. The team partners closely with Walmart’s business teams, including Global People, Operations, Marketing, and Technology to support new business initiatives and help operationalize our Digital Trust Commitments.
Our teams work to improve the customer and associate experience through our Digital Trust Commitments. In service of that objective, we aspire to:
- Design globally and deploy locally: Technology should be developed to be usable in as many places as possible, recognizing the need for increased controls, or non-use, in some markets. The technology should be flexible and scalable.
- Design for customer usability and choice: Technology usage should be clear and accessible to our customers. We aim to build and deploy technology in a way that emphasizes customer and associate choice.
- Decrease bias and increase transparency: Technology should be designed, evaluated and tested to reduce bias, both implicit and actual. Systems should be auditable and open. The outcomes produced by the technology should be fair.
For example, the Digital Citizenship team has developed frameworks to evaluate artificial intelligence and machine learning models in order to mitigate bias and promote fair outcomes in the development and implementation of these tools at Walmart.
We also endeavor to shape the field with respect to digital trust, including by:
- Partnering with leading employers and institutions as a member of the not-for-profit Data & Trust Alliance to develop an algorithmic bias toolkit that helps companies’ HR teams evaluate how vendors detect, mitigate, and monitor algorithmic bias in workforce decisions.
- Participating in the World Economic Forum’s Digital Trust Initiative Steering Committee and Working Group, culminating in WEF’s release of a framework for companies to commit to earning digital trust through security and reliability; accountability and oversight; and inclusive, ethical, and responsible use of technology.
The Audit Committee of Walmart’s Board of Directors oversees risks related to data privacy as part of its information security and cybersecurity oversight responsibilities.
Walmart’s Digital Citizenship team helps to oversee Walmart’s compliance with our privacy policies and applicable laws and required notices. Our associates and service providers are required to commit to managing personal information appropriately and in accordance with Walmart’s policies and applicable laws.
Privacy by Design
Walmart aims to build trust with our customers and stakeholders by considering their privacy throughout the design process. Walmart’s Global Privacy by Design Policy is constructed to ensure privacy controls are incorporated in the design, development, procurement, or modification of technology, business processes, or projects that involve the processing of personal information. The policy is based on adherence to the principles of Privacy by Design, including:
- Proactive and preventative: Privacy controls and practices should be considered from the outset rather than after development.
- Privacy by default: We seek to respect privacy and protection by default, through methods including transparency in the collection of personal information, only processing the personal information necessary to achieve our business purpose, and using and retaining data in line with law and policy.
- Design assessment: Our teams conduct privacy risk assessments and privacy impact assessments as part of the design or redesign of technology, processes, and projects to determine risks, legal requirements, and mitigation measures.
- Balancing interests: We strive to accommodate both the privacy of individuals and Walmart’s legitimate business objectives so we can better serve our customers now and in the future.
- Security: End-to-end security considerations that support privacy protections will be assessed and addressed prior to implementation.
Communicating Privacy Information
Through Walmart’s privacy notices, we aim to build trust through transparency. Our privacy notices disclose to customers, associates and other stakeholders clear, prominent and easily accessible information on what personal information we collect, how and why we collect it, how we use and protect it, how long we keep it, when and with whom we share it, and what privacy rights our stakeholders may have. We regularly review our notices and update them where appropriate to cover new regulations, technologies, and services.
Examples of our privacy notices in the United States include:
- Walmart Privacy Notice. This notice tells customers about the information we collect in stores and online in order to provide them with products and services and to run our business. In addition to telling customers how we collect, use, share, and protect their personal information, we also outline what choices customers have about how their personal information is used for advertising and marketing purposes.
- Walmart Associate Information Privacy Notice. This notice informs current and former associates about the personal information we collect and use for purposes of the employment relationship and to fulfill our obligations as an employer.
- Walmart Supplier Privacy Notice. This notice informs our suppliers about the information we collect, use, and share as part of managing our business relationship with them.
We have a number of other U.S.-focused privacy notices relevant to our specialized operations such as Health & Wellness and Financial Services; please see our Privacy and Security page and the Additional Resources section below for a more comprehensive list. Walmart’s international markets also have privacy notices that are specific to those markets’ businesses.
Stakeholders can contact Walmart with privacy inquiries or concerns by visiting our Store and Corporate Feedback page and selecting “Company Feedback and Questions” from the menu or writing to the Walmart Privacy Office.
Walmart teams track emerging privacy laws in the United States and other countries where we operate and implement programs across the global enterprise to comply with those laws, anticipate future developments, and meet stakeholder expectations. For example, in FY2023 Walmart’s Digital Citizenship and Regulatory Change Management teams launched a set of January 2023 updates to our privacy notices related to the implementation of the California Privacy Rights Act and the Virginia Consumer Data Protection Act, and are preparing for the implementation of new or revised privacy laws and regulations in Colorado, Connecticut, and Utah.
In addition, our Digital Values team includes professionals who manage governance for our websites and mobile apps. This team helps guide decisions and implement policies regarding the sharing of data with third parties, online tracking technologies, and the use of data in advertising and marketing efforts. The team helps business partners understand the rapidly changing technology landscape and implications for Walmart initiatives.
Engaging with Stakeholders on Privacy
Walmart works with policymakers to enhance consumer privacy in the omni-channel world. We strongly support bipartisan efforts toward a national privacy law that protects the rights of all consumers in the U.S. In the absence of a preemptive federal law, Walmart supports state laws that give consumers greater control over their data and that provide companies with clear expectations and reasonable compliance standards.
Read more: Engagement in Public Policy
Data, Records, & Information Management
Our data governance policies, standards and processes are designed to ensure data and information are secure and accurate, that Walmart’s management of the data complies with U.S. and other market-specific regulatory requirements, and that we earn and maintain the trust of our customers, associates, and business partners.
Policies and Standards
Walmart’s data governance policies include:
- Global Records Management: Defines how we manage, retain, and dispose of records created or used throughout our business.
- Global Data Governance Policies: A set of policies that address roles and responsibilities, data classification, data sharing, and data products designed to ensure Walmart understands the data it has and how that data is handled, shared, and classified.
- Artificial Intelligence, Machine Learning, and Automated Decisioning Policy: Provides guidance for the company in the design, implementation, and review of automated decisioning solutions, models, and technology.
In addition, Digital Citizenship maintains and implements Walmart’s global data incident response policies for reporting and addressing any actual or suspected data incidents in a timely and lawful manner. The policies are supported by data breach notification and regulatory reporting guidelines and standards.
Information Management Practices
Information management practices include:
Controls and monitoring: Ongoing monitoring of data and privacy controls to confirm their effectiveness and to help identify opportunities to keep our systems and processes evergreen; establishing data owners and stewards within business units to drive accountability in the use and access of data; and creation of a Know Your Data process to increase visibility into data being shared internally and externally. Walmart utilizes the Enterprise Privacy Risk Assessment process to identify and manage privacy implications related to the use of personal information in new and existing applications. This review helps ensure the management of personal information is responsible and compliant with our standards and policies.
Risk assessment: We conduct a periodic risk assessment for the purposes of risk-spotting, risk-based monitoring, and to ensure the highest-ranked risks are addressed with appropriate controls.
Training: We also have required trainings for our associates to understand the policies relevant to their functions and business units, and we engage business leaders to implement the policies through functional business processes, practices, and tools. Associates failing to comply with these policies are subject to potential disciplinary action, up to and including termination.
Walmart’s Chief Information Security Officer (CISO) is responsible for cybersecurity and information security within the company. The Audit Committee of Walmart’s Board of Directors oversees cybersecurity and information security for the company and meets with the CISO at least annually to discuss the status of cybersecurity efforts. Audit Committee materials are provided to the full Walmart Inc. Board of Directors.
Walmart’s Enterprise Risk Management process incorporates cybersecurity risk, with the CISO responsible for management. The CISO makes regular reports to Walmart’s executive leadership team and Disclosure Committee on the status of our cybersecurity programs.
Walmart’s Information Security department (InfoSec) supports the CISO and seeks to ensure the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. InfoSec’s goal is to keep Walmart secure by taking a proactive approach; it helps associates understand and follow Walmart directives, ensures the company is complying with regulatory and industry requirements and following best practices, and reports and responds to suspicious activity.
Walmart’s information security program is based on the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity (NIST-CSF). The program includes policies and standards to keep information secure. The Information Security Program Management policy is the foundation of Walmart’s information security program. The policy applies everywhere Walmart data is stored or processed, within Walmart and outside it, and speaks to the security requirements for assessments; account and device security; personnel security; and awareness and training. Additional policies cover the key elements of the NIST-CSF framework. These policies include escalation processes that associates can follow should they notice something suspicious; associates are required to report known or suspected violations of the policies. Policy violations may result in disciplinary action up to and including termination or legal action.
Vendors that have access to Walmart information are required to manage such information in accordance with laws and appropriate privacy and security standards. Standards are applied on a per-contract basis and include requirements to have an information security program and report to Walmart any incidents in which Walmart’s confidential information or systems are compromised.
Processes & Procedures
In addition to effective policy and oversight, we promote a secure environment through risk management, training and communication, and incident management.
Risk management: We annually assess our cybersecurity programs against third-party requirements including NIST-CSF, PCI, HIPAA and the Sarbanes-Oxley Act (SOX). Our most recent external assessment occurred in FY2023 when external auditors reviewed our information technology infrastructure and our information security management systems. Walmart tests multiple aspects of cybersecurity regularly, including semi-annual testing of our technical recovery and incident response procedures. Our vulnerability testing program includes (1) testing in our software development life cycle, (2) penetration testing, (3) our dedicated red team, and (4) vulnerability scanning. Walmart uses several methodologies, including tabletop exercises and incident response testing and vulnerability analyses that simulate attacks. Some of our systems and third-party service providers' systems have experienced security incidents or breaches[1] and these cybersecurity attempts and incidents have informed Walmart’s approach to its cyber governance, policies and procedures, or technologies.
Cybersecurity at Scale
Always on the Job
As part of protecting Walmart’s customers, members, associates and business operations, our cybersecurity programs work 24/7/365.
From analyzing alerts and ingests to scanning for security vulnerabilities or blocking bots, our security experts take a proactive approach.
Alerts analyzed annually
Intelligence reports ingested annually
Assets continually scanned for vulnerabilities
Lines of code scanned for security risks in 2022
Bots blocked on our websites in 2022
Training and communication: Our vision is to foster continuous learning and increase defense-in-depth on a global scale. We do this by seeking to ensure that all Walmart associates, strategic partners, and vendors with access to the corporate network are appropriately trained with respect to risk, roles, policies, standards, and behaviors. In FY2023, more than 1.4 million U.S. associates completed training covering digital citizenship and information security. We maintain a strong security posture by fostering a security-aware culture and embedding information security into relevant aspects of our business with global, data-driven, simplified, and accessible content including learning modules, phishing exercises, gamified security awareness, tech talks, and awareness campaigns.
Gamification Cybersecurity Training
Virtual Escape Rooms
Our escape rooms use creative methods to integrate cybersecurity concepts with everyday situations.
During these immersive virtual experiences, associates must find their way through various threats and avoid security violations to “escape the room.” We have multiple versions focusing on real-life cyber threat tactics.
"Born Secure" Escape Room
The “Born Secure” Escape Room focuses on:
- Physical Security
- Social Engineering
- Security Habits
- Passwords vs Passphrases
- Real World Threats
- Incident Response
Incident management: We and the businesses with which we interact have experienced and continue to experience threats to data and systems. We have established procedures for responding to incidents around the globe, including when and how to engage with internal management, stakeholders, and law enforcement. Severe incidents are escalated to the highest levels of Walmart’s management. Any security breaches or incidents having a material adverse effect on our operating results will be reported as appropriate or required.
Helping Customers Stay Safe in the Digital World
As our digital world expands, Walmart aims to share knowledge with our customers to help keep them secure online. We publish a customer-facing Cybersecurity Hygiene page that describes steps that customers can take to keep their private information private and reduce cybersecurity risk. Customers can learn more about topics including phishing, social media safety, and password best practices.
Cybersecurity Industry Engagement
Walmart is committed to sharing its expertise to strengthen the information security community at large and to help develop the next generation of cyber professionals. We have made significant contributions to various open-source information-security projects and malware information-sharing forums, and we have built strong partnerships to share intelligence about cybersecurity risk across retail and other business verticals.
We also seek to grow and support the talent pool in the cybersecurity industry, through participation and sponsorship in programs including BEYA STEM Conference, Women of Color (WoC) STEM Conference, and Women in Cyber Security (WiCyS), in addition to the National College Cyber Defense Competition (NCCDC) and RSA Security Scholars program, which helps develop the next generation of cybersecurity experts.
- Walmart is subject to a broad number of industry data protection standards and protocols. Walmart also has compliance obligations associated with new privacy laws enacted to protect and regulate the collection, use, retention, disclosure and transfer of personal information. There are constantly emerging, sometimes inconsistent and competing laws and regulations, particularly regarding consumer privacy.
- Our compliance programs, information technology, and enterprise risk management efforts cannot eliminate all systemic risks.
- The size of Walmart's business, our geographic reach, the number of consumer transactions we make, and the nature of the information we collect to operate our business make us a target for bad actors. The increased use of remote work infrastructure over the past several years has also expanded the possible attack surfaces, and the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may not immediately produce signs of a compromise. Walmart's systems, information and infrastructure are regularly threatened by cyber threats and cyber-attacks, as discussed in more detail in Walmart's most recent annual report on Form 10-K.
- Walmart's Digital Citizenship and Cybersecurity programs include the use of a variety of third-party service providers. Although we have policies and programs in place to help ensure these service providers safely and effectively manage data and information related to Walmart, we do not have the same level of visibility or control on those external systems as we do in our internal systems.
- Walmart Privacy and Security
- Walmart Privacy Notice
- Walmart Associate Information Privacy Notice
- Walmart Supplier Privacy Notice
- Walmart Applicant Privacy Notice
- Walmart Visitor Privacy Notice
- Walmart Marketplace Seller Privacy Notice
- Walmart Anti-Corruption Due Diligence Privacy Notice
- Walmart Insurance Services Privacy Notice
- Health & Wellness Privacy Notice
- Financial Services Privacy Notice
- Responsible Disclosure Policy
1. As stated in Walmart’s annual report on Form 10-K, although there has not been a material impact to date [from those security incidents or breaches], there can be no assurance of a similar result in the future.