Significance

Importance To Berry Global and our Stakeholders

Data security is paramount to protect intellectual property and private data as well as comply with privacy regulations. By developing a robust approach to data security, we reduce security risks and help ensure business and stakeholder information is handled securely. Data security also helps safeguard our research and development efforts to ensure our innovations remain confidential.

Our Customers: Customers expect us to keep their data private, secure, and protected from breaches.

Our Investors: A robust approach to data security is critical to mitigating risk and maximizing long-term shareholder value. By taking effective data security measures, we reduce the likelihood of costly data breaches or regulatory fines and safeguard our company's financial stability and reputation.

Our Approach

Physical and electronic assets, such as computers, hardware, and software, are required to facilitate our operations, so it's imperative that assets are safeguarded diligently. Something as simple as an employee clicking on an incorrect link can jeopardize sensitive company information, damage our reputation, and erode our competitive edge. Through a robust approach to employee training and awareness, incident management, and technological solutions, we work to mitigate potential risks of cybersecurity incidents.

We have a responsibility to uphold the highest standards of excellence when it comes to protecting personal information. Within their roles, many of our employees encounter personal data from suppliers, team members, and customers. We approach these scenarios by employing procedures designed to collect only necessary information, employing secure storage methods, sharing collected information only in compliance with legal requirements on a need-to-know basis, and maintaining an internal record retention policy providing for proper disposal of records when they cease to hold business or legal relevance. The Chief Information Security Officer briefs the Board of Directors Audit Committee on security matters quarterly and the entire Board of Directors on an as-needed basis.

Key Metrics 

The below metrics are based on Berry's fiscal years unless otherwise noted. 

Data Security and Transparency
  2023
Compliance Training¹ (Full Time Employees) Courses Completed Completion % Completion Hours
Cybersecurity Awareness Training 11,826 99.7% 10,145
   2021 2022
 2023
Information Security Breaches
  Total Dollar ($) Amount
Expenses from Information Security Breach Penalties & Settlements $0
 $0  $0

¹Our Compliance courses are completed on a calendar year basis. 

Key Strategies

Cybersecurity 

Infographic to show Cybersecuirty Awareness and Training courses completed at BerryGlobal cybersecurity threats and targeted attacks are an evolving risk to our data, infrastructure, and overall operations. Through our Cybersecurity Program, we have implemented a wide array of tools and practices designed to maintain the security and availability of our resources. To further mitigate our cybersecurity risk, we have information security risk insurance in place across our business.


Icon to illustrate TechnologyTechnology

Industry-leading solutions to protect our systems with 24/7/365 monitoring by experienced security professionals.


Icon to illustrate Cybersecurity AssessmentCybersecurity Assessment

Targeted security assessments and penetration tests conducted throughout the year by internal and external entities.

Continuous vulnerability scanning of our digital environments with industry-leading vulnerability management solutions


Icon to illustrate Training and AwarenessTraining and Awareness

Regular meetings with information technology and security employees from around the world to discuss emerging threats and concerns

Annual and periodic security awareness training for employees

Supplemental training and testing for key employees in high-risk job functions 


Icon to illustrate Incident ManagementIncident Management

Defined Global Incident Response Plan designed to enable compliance with reporting standards and provide robust response to global cybersecurity events

Incidents are reviewed by the Global IT Leadership Team and appropriate members of Senior Management

We undergo annual 3rd-party cyber security audit and penetration tests. These are performed in alignment with information security standards, but we have not yet pursued certification to these standards. We also conduct an annual (Sarbanes-Oxley) SOX audit of financial controls, including access to accounts and data. Our business continuity and contingency plans for our primary ERP and related critical APPs are tested bi-annually to ensure our procedures remain robust. In addition, our other ERPs maintain backups that are tested annually. 


Data Privacy and Protection 

Berry recognizes and respects the importance of data privacy and protection. In the European Union an individual’s data privacy is an established fundamental human right. Frameworks such as the EU’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA), Brazil’s General Personal Data Protection Law (LGPD), and many others have shaped how we interact with an individual’s data across our businesses and operating locations. It is important we not only meet these existing requirements, but anticipate and are prepared for new regional laws and the continuous evolution of current legislation.

We also firmly believe in the principles that apply to handling data with the care it deserves – whether for our team members, customers, suppliers or other potential partners. We are committed to only collect necessary data, to store the information with care, to share only where legally permitted and on a need-to-know basis, and to dispose of records in accordance with our internal records retention policy. This commitment demonstrates to our team members and business partners that we can be trusted with the information they provide to us. We set clear standards regarding our approach to data privacy in our Privacy Policies and provide additional guidance in our Global Code of Business Ethics. To further strengthen our approach, we are committed to continually developing and/or improving our data privacy processes and practices. This includes ongoing training for our employees and regular technology reviews.

Lastly, if any stakeholder believes their data is not handled appropriately, they can report their concern to our Ethics Helpline, which is supported by our Non-Retaliation Policy. This policy also covers external stakeholders, such as customers and suppliers.

Disclosures

Contribution to the Sustainable Development Goals (SDGs) 


SDG 8: Decent Work and Economic GrowthSDG 8: Decent Work and Economic Growth

By protecting employee and customer data, we build trust and stability in our operations, contributing to a positive work environment and reinforcing efficient business practices.

SDG 9: Industry, Innovation, and InfrastructureSDG 9: Industry, Innovation, and Infrastructure

Implementing robust data security measures and technologies helps us deliver resilient and sustainable infrastructure within our operations, which is crucial for responsible economic growth and development.

SDG 16: Peace, Justice, and Strong Institutions SDG 16: Peace, Justice, and Strong Institutions 

Through data security and privacy measures, we handle personal and sensitive information ethically and legally, reducing the potential for conflicts and disputes related to data breaches.

GRI and SASB Alignment 

GRI 418(3-3) Customer Privacy
GRI 418-1 Substantiated Complaints Concerning Breaches of Customer Privacy and Losses of Customer Data

Last updated: December 19th 2023