Case study: How UPS is protecting customer privacy

With a global network that includes more than 424,000 people, 100,000 vehicles, one of the world’s largest airlines and 9.8 million customers served each day, UPS holds one of the largest private databases of customer information in the world, including data related to nearly every shipping address in North America and millions more around the world.
This case study is based on the 2014 Corporate Sustainability Report by UPS published on the Global Reporting Initiative Sustainability Disclosure Database that can be found at this link. Through all case studies we aim to demonstrate that CSR/sustainability reporting done responsibly is achieved by identifying a company’s most important impacts on the environment and stakeholders and by measuring, managing and changing.
At UPS, data privacy is a key consideration whenever it develops a new service, program or strategy that involves the use of personal information. Based in part on stakeholder engagement, UPS also views its reputation for protecting customer data as a competitive advantage and one that is growing in importance, as evidenced by customer inquiries. After measuring and setting targets, UPS took action to interact with customers on UPS’s privacy practices (enabling them to make meaningful choices about how UPS uses their personal information), utilize a cross-functional Information Security Council (ISC), which during 2014 oversaw UPS’s response to a malware intrusion that had targeted retailers throughout the U.S., and raise employee awareness of privacy issues.
With this case study you will see:
- Which are the most important impacts (material issues) UPS has identified;
- How UPS proceeded with stakeholder engagement, and
- What actions were taken by UPS to protect customer privacy
What are the material issues the company has identified?
In its 2014 Corporate Sustainability Report UPS identified a range of material issues, such as labor relations, energy, emissions and fuel supply, digital and physical asset security, and management of third-party representatives. Among these, as UPS holds one of the largest private databases of customer information in the world, protecting customer privacy stands out as its top material issue.
Stakeholder engagement in accordance with the GRI Standards
The Global Reporting Initiative (GRI) defines the Principle of Stakeholder Inclusiveness when identifying material issues (or a company’s most important impacts) as follows:
Stakeholders must be consulted in the process of identifying a company’s most important impacts and their reasonable expectations and interests must be taken into account. This is an important cornerstone for CSR / sustainability reporting done responsibly.
Key stakeholder groups UPS engages with:
- Employees
- Customers
- Investors
- Community leaders
- Universities
- Public officials
- Suppliers and third-party providers
How stakeholder engagement was used to identify material issues
Materiality is a critical input into UPS’s corporate sustainability strategy because it ensures that it provides its stakeholders with the sustainability information most relevant to them. To determine this, UPS conducts a formal materiality assessment on a regular basis. This process occurred most recently in 2013 when UPS worked with BSR (formerly Business for Social Responsibility) on internal and external outreach that:
- Evaluated approximately 30 international sustainability frameworks and standards, ratings and rankings assessments and other information, either developed by or representing the interests of important stakeholder groups.
- Conducted structured interviews with representatives from five stakeholder groups in the United States, Europe, China and Brazil, with specific expertise in high-priority or emerging sustainability issues for UPS.
- Reviewed the outcomes of stakeholder engagement efforts around the world on sustainability issues. Relevant results from these engagements were shared with BSR during the formal materiality process.
- Interviewed six members of UPS’s Management Committee, which has direct responsibility for executing all company strategy. UPS also interviewed senior UPS managers around the world to better understand their points of view on issues relevant to their respective regions.
- Gathered feedback from dozens of regulators and other government agencies; communities; nongovernmental organizations (NGOs), including social and environmental activists; academics; and engaged investors.
Ultimately, UPS examined more than 50 issues, including areas of significant organizational impact, as well as broader sustainability trends that affect the company. These issues fell into broad categories, such as greenhouse gas emissions and climate change, energy and fuels, privacy and security, labor/management relations, employees, ethics and governance and other major areas of corporate sustainability.
BSR ranked each issue’s relative importance based on an assessment of the aggregate feedback from stakeholders and UPS executives and supported UPS in making final adjustments to the ranking before presenting it to members of UPS’s Sustainability Directors’ Committee. This Committee then submitted the results of the materiality process for approval to UPS’s Sustainability Steering Committee, which includes members of the Management Committee and other senior leaders of UPS.
What actions were taken by UPS to protect customer privacy?
In its 2014 Corporate Sustainability Report UPS set the following targets for protecting customer privacy, based on the company’s approach to materiality – on taking action on what matters, where it matters:
- Interacting with customers on UPS’s privacy practices
UPS informs its stakeholders about its privacy practices in the UPS Privacy Notice, available on the home page of its website. The Privacy Notice describes the personal data that UPS collects, how it uses it and with whom it shares it. UPS also provides consumers with a contact for questions about its privacy practices. UPS offers an easy-to-use Privacy Preferences Center that enables its consumers to make meaningful choices about how UPS uses their personal information. Behind the scenes, UPS is continually improving its IT systems, business operations, training and monitoring to strengthen its privacy practices. This challenge is particularly complex because the network connectivity that enables global commerce also increases the risk of theft or misuse of personal data.
- Utilizing a cross-functional Information Security Council (ISC)
Governance also is a priority for UPS. UPS utilizes a cross-functional Information Security Council (ISC), composed of more than 20 senior managers, that reports to its Management Committee and was formed more than 10 years ago. The ISC meets on a quarterly basis and has established a working committee led by UPS’s Global Privacy Officer and the head of UPS’s Information Security Group. This working team convenes representatives from UPS’s information technology, privacy, legal and security teams and business representatives on a weekly basis. An ISC steering committee comprised of senior managers also focuses on policy, standards and compliance at a quarterly meeting. During 2014, the ISC oversaw UPS’s response to a malware intrusion that had targeted retailers throughout the U.S. The malware was discovered and subsequently eradicated at approximately 1 percent of The UPS Store® franchisees’ locations. Customers who used a payment card at the affected locations during the time period in which systems were infected by the malware were offered a year of free credit monitoring. This experience helped UPS to demonstrate the effectiveness of its incident response plan.
- Raising employee awareness of privacy issues
As UPS’s privacy practices and policies continue to evolve, employee awareness is essential. A key focus during 2014 was to engage with employees on privacy issues, as well as to strengthen training programs. Activities and development included:
- Expanding mandatory training on UPS’s Information Security and Privacy Manual to include nonmanagement employees.
- An Information Security and Privacy Communications Campaign, which included articles, contests, videos and quick polls delivered through UPS’s intranet site. The campaign reached more than 110,000 UPS employees and a follow-up survey revealed that 91 percent of survey participants had seen communications about privacy.
- An International Privacy Week to further engage employees by urging them to internalize data privacy on the job, as well as in their personal lives. Activities included employee-written articles describing their personal experiences with privacy, one of which prompted more than 500 employees to share their experiences on UPS’s internal employee blog.
- A comprehensive internal audit of UPS’s U.S. Information Security and Privacy policies and procedures to measure effectiveness, which UPS planned to expand to its international operations in 2015.
Which GRI indicators/Standards have been addressed?
The GRI indicator addressed in this case is G4-PR8: Total number of substantiated complaints regarding breaches of customer privacy and losses of customer data. The updated GRI Standard is Disclosure 418-1: Substantiated complaints concerning breaches of customer privacy and losses of customer data.
References:
1) This case study is based on published information by UPS, located at the link below. For the sake of readability, we did not use brackets or ellipses. However, we made sure that the extra or missing words did not change the report’s meaning. If you would like to quote these written sources from the original, please revert to the original on the Global Reporting Initiative’s Sustainability Disclosure Database at the link:
http://database.globalreporting.org/
2) http://www.fbrh.co.uk/en/global-reporting-initiative-gri-g4-guidelines-download-page
3) https://g4.globalreporting.org/Pages/default.aspx
4) https://www.globalreporting.org/standards/gri-standards-download-center/