business operations, result in data compromise, or both. Nation-state actors have in the past carried out, and may in
the future carry out, cyber-attacks to achieve their aims and goals, which may include espionage, monetary gain,
disruption, and destruction. To achieve their objectives, nation-state actors and other cyber criminals have used and
may continue to use numerous attack vectors and methods, including use of stolen passwords, social engineering,
phishing, smishing, vishing, identity spoofing, ransomware or other disruptive and destructive malware, supply chain
compromises, and man-in-the-middle and denial of service attacks. The methods used to obtain unauthorized
access, disable or degrade service, or sabotage systems are constantly changing and evolving, increasing in
frequency and sophistication, and may be difficult to anticipate or detect for long periods of time.
To protect against unauthorized access to or use of data, prevent data loss, preserve data integrity, and protect our
own access to systems, we have implemented and regularly review and update systems, processes, and
procedures; third-party assessments and testing; and annual associate training and other specific training initiatives.
However, the ever-evolving threats mean that we and our third-party service providers and business partners must
continually evaluate and adapt our respective systems and processes and overall security environment, as well as
those of companies we acquire. There is no guarantee that the measures we take will be adequate to safeguard
against all threats, including vulnerabilities, data security breaches, system compromises or misuses of data. As we
saw in connection with the data breach we experienced in 2014, any significant compromise or breach of our data
security, whether external or internal, or misuse of customer, associate, job applicant, business partner, or Company
data, could result in significant costs, including costs to investigate and remediate, as well as lost sales, fines,
lawsuits, regulatory investigations, and damage to our reputation. Furthermore, because the techniques used to
obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may not
immediately produce signs of anomalous activity or compromise, we may be unable to anticipate these techniques
or to implement adequate preventative measures. Additionally, as occurred in the case of the data breach we
experienced in 2014, we or our third-party service providers may not discover any security breach, vulnerability or
compromise of information for a significant period of time after the occurrence of a security incident.
In addition, data governance failures can adversely affect our reputation and business. Our business depends on
our customers’, associates’, job applicants’ and business partners’ willingness to entrust us with their personal
information. Events that adversely affect that trust, including inadequate disclosure to our customers, associates,
job applicants, or business partners of our uses of their information or failing to keep our information technology
systems and our customers’, associates’, job applicants’ and business partners’ personal information secure from
significant attack, theft, damage, loss or unauthorized disclosure or access, whether as a result of our action or
inaction (including human error or malfeasance) or that of our service providers or other third parties, could
adversely affect our brand and harm our reputation. Further, the regulatory environment related to data privacy and
cybersecurity is constantly changing, with new and increasingly rigorous requirements applicable to our business.
The implementation of these requirements has also become more complex. Maintaining our compliance with
evolving requirements, including state privacy laws, requires significant effort and cost, requires changes to our
business practices, and may limit our ability to collect and use certain data to support the customer experience. In
addition, failure to comply with applicable requirements could subject us to fines, sanctions, governmental
investigations, lawsuits or reputational damage. Additionally, our cyber insurance coverage may not be adequate for
liabilities or costs actually incurred, and we cannot be certain that insurance will continue to be available to us on
economically reasonable terms, or at all, or that any insurer will not deny coverage of a future claim.
We are subject to payment-related risks that could increase our operating costs, expose us to fraud or theft,
subject us to potential liability, and potentially disrupt our business.
We accept payments using a variety of methods, including credit and debit cards, our private label credit cards,
cash, checks, PayPal, installment loan programs, trade credit, and gift cards, and we may offer new payment
options over time. Acceptance of these payment options subjects us to rules, regulations, contractual obligations
and compliance requirements, including payment network rules and operating guidelines, data security standards
and certification requirements, and rules governing electronic funds transfers. These requirements may change over
time or be reinterpreted, making compliance more difficult, costly, or uncertain. For certain payment methods,
including credit and debit cards, we pay interchange and other fees, which may increase over time and raise our
operating costs. We rely on third parties to provide payment processing services, including the processing of credit
cards, debit cards, and other forms of electronic payment. If these companies become unable to provide these
services to us, or if their systems are compromised, it could potentially disrupt our business. The payment methods
that we offer, and the selling channels in which we operate, also subject us to potential fraud and theft by threat
actors, who are becoming increasingly more sophisticated, seeking to obtain unauthorized access to or exploit
weaknesses that may exist in our sales, payments and payment processing systems. If we fail to comply with
applicable rules or requirements for the payment methods we accept, or if payment-related data is compromised
Fiscal 2022 Form 10-K