SASB: CG-MR-230a.1
G | Published: February 28, 2022

Our Aspiration

We seek to build and maintain the trust of customers, associates and communities with respect to our use of technology and data, in line with our values of service, excellence, integrity, and respect for the individual.

Relevance to Our Business & Society

Walmart seeks to become the most trusted retailer. As our customer proposition has evolved beyond stores and clubs to become a more digital, omni-channel offering that blends online and in-store experiences, our approach to data and technology has become central to building trust.

Today, almost every aspect of Walmart’s business relies on the use of technology and data, including business sensitive and proprietary data as well as personal data from our customers. Our customers trust us to use their data to help provide them with relevant and exciting products, services, shopping experiences and innovative ways to help them save money and live better. As governments move to regulate companies’ conduct in the digital space, Walmart believes that our commitment to ethical use of data and technology helps build customer trust in our brand and products and helps mitigate the risks of improper data and technology practices.

Walmart’s Approach

While technology will continue to change how we operate, it doesn’t change our values. Walmart’s digital trust commitments provide a foundation for the company to earn and maintain customer trust in an omni-channel, data- and technology-driven world.

We put these commitments into practice through four key areas of focus:

    • Promoting Fairness. Through the guidance of Walmart’s Digital Citizenship team, shaping decisions regarding new technologies, services and data use to align with Walmart’s Digital Trust Commitments.
    • Protecting Privacy. Maintaining policies and controls regarding the use and sharing of customer and associate information to build trust and protect confidentiality while providing excellent customer services and experiences.
    • Data, Records and Information Management. Supporting data and technology uses through policies and procedures, associate training, and monitoring and assessment.
    • Cybersecurity and Information Security. Protecting our information and digital infrastructure from cyber intrusions through adherence to industry standards, incident reporting policies and escalation practices, vulnerability testing, and continuous improvement.

    Key Strategies & Progress

    Promoting Fairness

    Walmart’s Digital Citizenship team helps the company achieve our digital trust commitments as the company develops and implements new technologies, new services and new ways to capture and use data. The team includes business, compliance and legal associates with expertise in digital values, emerging technology, privacy, data, records, information management and cybersecurity. The team partners closely with Walmart’s business teams, including Operations, Marketing and Technology (for example, Data Strategy and Insights, and the Information Security teams).

    For example, the Digital Citizenship team has developed frameworks to evaluate artificial intelligence and machine learning models, to mitigate bias and promote fair outcomes in the development and implementation of these tools at Walmart. Walmart has also partnered with leading employers and institutions as a member of the Data & Trust Alliance, a not-for-profit consortium, to adopt an algorithmic bias toolkit that offers a first-of-a-kind approach for evaluating how vendors detect, mitigate, and monitor algorithmic bias in workforce decisions.

    Our teams work to operationalize Walmart’s Digital Trust Commitments to improve the customer and associate experience. In service of that objective, we aspire to:

    • Design Globally and Deploy Locally: Technology should be developed to be used in as many places as possible, recognizing the need for increased controls, or non-use, in some markets. The technology should be flexible and scalable.  
    • Design for Customer Usability and Choice: Technology usage should be clear and accessible to our customers. We will build and deploy technology in a way that prioritizes customer and associate choice. 
    • Decrease Bias and Increase Transparency: Technology should be designed, evaluated and tested to reduce bias, both implicit and actual. Systems should be auditable and open. The outcomes produced by the technology should be fair. 

    Protecting Privacy

    Governance

    The Audit Committee of Walmart’s Board of Directors oversees risks related to data privacy as part of its information security and cybersecurity oversight responsibilities. Walmart’s Digital Citizenship team helps to oversee Walmart’s compliance with our privacy policies and applicable laws. Our associates and service providers are required to commit to managing personal information appropriately and in accordance with Walmart’s policies and applicable laws.

    Through Walmart’s privacy policies, we aim to provide customers, associates and other stakeholders with clear, prominent and easily accessible information on how we collect, use, share and protect personal information. We regularly update our policies to cover the use of new technologies and services. Our policies explain how and why we collect personal information; how personal information is used and protected; and when and with whom information is shared.

    Examples of our privacy policies include:

    • Walmart Privacy Policy. We collect data to enhance our customers’ experience, protect the security of our business, help prevent fraud, conduct business analyses and to fulfill our legal obligations. Our privacy policy also explains how we collect, share and protect customers’ personal information. 
    • Walmart Associate Information Privacy Policy. This policy explains how we collect and use personal information from our associates and outlines the steps we take to keep it safe. We expect associates and business partners that handle associate information to take reasonable measures to maintain the confidentiality of all associate information and to do so in accordance with our policies and the law.  
    • Walmart Supplier Privacy Policy. We use reasonable security measures to protect suppliers’ personal information. These measures may include physical and technical security access controls or other safeguards, information security technologies and policies, procedures to help ensure the appropriate disposal of information, and training programs. We have a team of associates who are responsible for helping to protect the security of personal information.  

    We have a number of other U.S.-focused privacy policies relevant to different privacy-related issues we face as a business; please see the Additional Resources section below for a full list. Walmart’s international markets also have privacy notices that are specific to those markets’ businesses.

    Privacy Practices

    Walmart tracks emerging data privacy laws and implements compliance programs across the global enterprise. In recent years, Walmart and its international affiliates have created programs to comply with various state privacy laws in the United States and other data privacy laws in countries where we operate. Walmart’s Digital Citizenship Team, in partnership with our technology and business partners, has dedicated professionals who focus on compliance with laws that enable our customers to request information under the various data subject access request laws that exist today and that may be passed in the coming years. We have designed our processes and systems to be as resilient as possible so that they can accommodate upcoming state laws and meet the expectations of our customers and regulators about data transparency.

    In addition, our Digital Values team includes professionals who manage governance for our websites and mobile apps. This team helps guide decisions and implement policies regarding sharing data with third parties, online tracking technologies, and the use of data in advertising and marketing efforts. The team helps business partners understand the rapidly changing technology landscape and implications for Walmart initiatives.

    Stakeholders can contact Walmart about privacy inquiries or concerns by visiting our Store and Corporate Feedback page and selecting “Company Feedback and Questions” from the menu, or by writing to the Walmart Privacy Office.

    Engaging with Stakeholders on Privacy

    Walmart works with policymakers to enhance consumer privacy in the physical, digital, and omni-channel world. We strongly support bipartisan efforts toward a national privacy law that would protect the rights of all consumers in the U.S. and preempt a patchwork of state laws, which may be inconsistent and confusing for our customers.

    Data, Records & Information Management

    To earn and maintain the trust of our customers, associates and business partners, Walmart focuses on effective and efficient management of our data and information assets through our global Data, Records and Information Management teams, practices and policies. Our policies, standards and processes are designed to ensure data is secure and accurate and that Walmart’s management of the data complies with U.S. and other market-specific regulatory requirements.

    Policies and Standards

    Data policies include information regarding:

    • Global Records Management: Defines how we manage, retain, and dispose of records created or used throughout our business.
    • Global Data Governance: Defines and describes the role of good data governance as part of our evolving, data-driven business.
    • Data Roles and Responsibilities: This policy defines the roles and responsibilities of those within Walmart who create and handle data, providing clarity of purpose.
    • Data Classification: This policy allows our business to accurately classify data, which is foundational to Walmart’s proper handling, securing, use and sharing of data and information. It defines which Walmart data is Highly Sensitive, Sensitive and Non-Sensitive, with guidance around required controls and restrictions for each. For example, highly sensitive data, PCI data, and HIPAA data cannot be stored in certain locations and there are robust controls around how it is transferred.
    • Data Sharing: This policy helps our business understand the proper controls required when data is shared within our business as well as with external stakeholders, including giving guidance to the systems and processes required to enable sharing.
    • Data Products: Our data products policy provides guidance for business units creating internal or commercial products based on Walmart data, including how to register these products, restrictions on data types that can be included, and corporate approval mechanisms for any data products.

    In addition, Digital Citizenship maintains and implements Walmart’s global data incident response policies for reporting and addressing any actual or suspected data incidents in a timely and lawful manner. The policies are supported by data breach notification and regulatory reporting guidelines and standards.

    Information Management Practices

    Information management practices include the following:

    • Controls and Monitoring: Ongoing monitoring of data and privacy controls to keep our systems and processes evergreen; establishing data owners and stewards within business units to drive accountability in the use and access of data; and creation of a Know Your Data process to increase visibility into data being shared internally and externally.
    • Risk Assessment: Walmart utilizes the Enterprise Privacy Risk Assessment process to identify and manage privacy implications related to the use of personal information in new and existing applications. This review helps ensure the management of personal information is responsible and compliant with our standards and policies.
    • Training: We also have mandatory trainings for our associates to understand the policies relevant for their functions and business units, and we engage business leaders to implement the policies through functional business processes, practices and tools. Associates failing to comply with these policies are subject to potential disciplinary action, up to and including termination.

    Cybersecurity and Information Security

    Governance

    Walmart’s Chief Information Security Officer (CISO) is responsible for cybersecurity and information security within the company. The Audit Committee of Walmart’s Board of Directors oversees risks associated with cybersecurity and information security for the company and meets with the CISO at least annually to discuss the status of cybersecurity efforts. Audit Committee materials are provided to the full Walmart Inc. Board of Directors.

    Walmart’s Enterprise Risk Management process incorporates cybersecurity risk, with the CISO responsible for management. The CISO makes regular reports to Walmart’s executive leadership team, Disclosure Committee, and SOX Committee on the status of our cybersecurity programs.

    Walmart’s Information Security department (InfoSec) supports the CISO and seeks to ensure the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability. InfoSec’s goal is to keep Walmart secure by helping associates understand and follow Walmart directives, ensuring the company is complying with regulatory and industry requirements and following best practices, and reporting and responding to suspicious activity.

    Walmart’s information security program is based on the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity. The program includes policies and standards to keep information secure. The Information Security Program Management policy is the foundation of Walmart’s information security program. The policy applies everywhere Walmart data is stored or processed—within Walmart and outside it—and speaks to the security requirements for assessments, account, and device security; personnel security; and awareness and training. Additional policies cover the key elements of the NIST framework. These policies include escalation processes that associates can follow should they notice something suspicious; associates are required to report known or suspected violations of the policies. Policy violations may result in disciplinary action up to and including termination or legal action.

    Vendors that have access to Walmart information are required to manage such information in accordance with laws and appropriate privacy and security standards. Standards are applied on a per-contract basis and include requirements to have an information security program and report to Walmart any incidents in which Walmart information or systems are compromised.

    Processes & Procedures

    In addition to effective policy and oversight, we promote a secure environment through risk management, training and communication, and incident management.

    • Risk Management: We annually assess our cybersecurity programs against third-party requirements including NIST-CSF, PCI, HIPAA and SOX. Our most recent external assessment occurred in FY2022 when external auditors reviewed our information technology infrastructure and our information security management systems. Internally, Walmart tests multiple aspects of cybersecurity such as incident response and disaster recovery on a frequent basis. Our vulnerability testing program includes (1) testing in our software development life cycle, (2) penetration testing, (3) our dedicated red team and (4) vulnerability scanning. Walmart uses several methodologies, including tabletop exercises and incident response testing and vulnerability analyses that simulate attacks. At least semi-annually, we test technical recovery and incident response procedures.
    • Training & Communication: Our vision is to foster continuous learning and increase defense-in-depth on a global scale. We do this by seeking to ensure that all Walmart associates, strategic partners, and vendors with access to the corporate network are appropriately trained with respect to risk, roles, policies, standards, and behaviors. We maintain a strong security posture by fostering a security-aware culture and embedding information security into relevant aspects of our business with global, data-driven, simplified, and accessible content such as learning modules, phishing exercises, gamified security awareness, tech talks, and awareness campaigns on relevant topics.
    • Incident Management: We and the businesses with which we interact have experienced and continue to experience threats to data and systems. We have established procedures for responding to incidents around the globe, including when and how to engage with internal management, stakeholders and law enforcement. Severe incidents are escalated to the highest levels of Walmart’s management. Any security breaches or incidents having a material adverse effect on our operating results will be reported as appropriate or required.

    Cybersecurity Industry Engagement

    Walmart is committed to sharing its expertise to strengthen the information security community at large. We have made significant contributions to various open-source information-security projects and malware information-sharing forums; have strong, active partnerships to share intelligence/cyber security risk across retail and other business verticals; and are an active sponsor and participant in the National College Cyber Defense Competition (NCCDC) to help develop the next generation of cybersecurity experts.

    Challenges

    • Walmart is subject to a broad number of industry data protection standards and protocols. Walmart also has compliance obligations associated with new privacy laws enacted to protect and regulate the collection, use, retention, disclosure and transfer of personal information. There are inconsistent and sometimes competing laws and regulations, particularly regarding consumer privacy; laws and regulations are constantly emerging and developing.
    • Our compliance programs, information technology, and enterprise risk management efforts cannot eliminate all systemic risk.
    • The size of Walmart's business, our geographic reach, the number of consumer transactions we make, and the nature of information we collect to operate our business make us a target for bad actors. The increased use of remote work infrastructure due to the COVID-19 pandemic has also expanded the possible attack surfaces. And the techniques used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may not immediately produce signs of a compromise. Walmart's systems, information and infrastructure are regularly threatened by cyber threats and cyber-attacks, as discussed in more detail in Walmart's most recent annual report on Form 10-K.
    • The success of Walmart's digital citizenship and cybersecurity programs depends on the performance of a variety of third-party service providers.
