ACCO Brands is committed to securely protecting the data of its employees, customers, consumers, and others. Our Cybersecurity, Privacy, and Risk Management teams collectively work to promote security and privacy throughout the organization. ACCO Brands’ approach to data security and privacy is based on fundamental principles of security, accountability, fairness, transparency and individual rights.
ACCO Brands’ Threat Vulnerability Management Program proactively identifies vulnerabilities and exploits on a monthly cadence. A remediation process is in place that holds system owners accountable. Remediation timing is based on risk level, potential impact and service-level agreements.
Data security is controlled through least-privilege access, which is based on the end user’s job responsibilities. Manager approval is required prior to granting any access requests. Quarterly access reviews are performed on mission-critical and financial reporting systems.
In the event a cyber incident occurs, ACCO Brands has a defined Incident Response Program that includes:
In addition to the Threat Vulnerability Management Program, ACCO Brands has established a Cybersecurity Strategy which was developed utilizing the results of its Cybersecurity Risk Assessment and Cybersecurity Maturity Assessment. The objective of the strategy is to continually improve the People, Process and Technology of ACCO Brands and effectively manage its cybersecurity risks. The strategy is being implemented pursuant to a five-year roadmap that concentrates on cybersecurity risk reduction and maturity improvements. ACCO Brands’ Cybersecurity Risk Assessment is refreshed annually and its Cybersecurity Maturity Assessment is refreshed every two years. Risks and gaps identified through these periodic assessments are reviewed, and based on their impact on the organization, the Cybersecurity Strategy and the roadmap may be enhanced or modified.
ACCO Brands promotes data security through its Cybersecurity Awareness Program, which includes role-based training that is conducted twice a year. The program includes newsletters that are communicated monthly and leverages initiatives related to Data Privacy Day and Cybersecurity Month to send a consistent message regarding the importance of protecting ACCO Brands’ data, information and reputation, as well as methods to do so.
ACCO Brands understands its responsibility to promote data security and privacy throughout the organization. To that end, we have self-certified to both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, allowing our U.S.-based affiliates to receive data from the U.K., European Union and Switzerland. ACCO Brands is also a corporate member of the International Association of Privacy Professionals (IAPP), the world’s largest and most comprehensive global information privacy community.
The ACCO Brands Privacy Program includes maintaining a data inventory documenting how it uses personal data, as well as data protection impact assessments for processes that could potentially pose heightened privacy risks to individuals. ACCO Brands also conducts periodic privacy awareness training for all relevant employees, with targeted training for specific groups such as Marketing and Human Resources. The program also regularly reviews and updates its privacy notices to provide individuals with transparency regarding how the company collects and uses their data.
Finally, the program maintains specific portals dedicated to facilitating data subject rights requests and answering any privacy queries from individuals. These portals are designed to remove access barriers, while also ensuring proper verification, so that users can easily exercise their privacy rights.