
Effective Date: July 23, 2015 Approved by: Policy Committee Policy #: IT04 Page 1 of 5

BLOOMIN’ BRANDS, INC. DATA SECURITY CLASSIFICATION POLICY

I. PURPOSE & SCOPE

This Data Security Classification Policy (“Policy”) applies to all digital and physical Data and information (“Data”) within the Company Environment of Bloomin’ Brands, Inc. (“Company”, which includes all affiliates). This Policy applies to all people and entities that have any form of access to or that use, store or transmit any Data either owned by the Company or that is part of the Company Environment. A method for classifying Data is essential in order to determine appropriate safeguards or controls based upon the relative business risk, value or sensitivity of the Data. The protection of Data will be determined based upon the classification both initially assigned to and throughout the lifecycle of such Data.

II. DEFINITIONS

• Company Environment – Encompasses all Company devices, network(s), transmissions/communications, computer systems, resources, information, physical locations, and premises as well as Data which is licensed to, owned or leased by Company.

• Data Custodian(s) – person responsible for the encryption environment, its database structure and security.

• Data Owner – person responsible for classification and control of Data, including– use, storage, transmission, classification, and access.

• Device(s) – Any electronic hardware owned or leased by Company or approved for use of Company Data (consistent with the IT Hardware-Mobile Devices Policy (Policy #SC02)).

• Duty of Care – Adherence to a standard of reasonable care while performing any acts that could foreseeably harm Company or others.

• Encrypt(ion)(ed) – conversion of Data into a form (called ciphertext) that cannot be easily understood by unauthorized people.

• Least Privilege – Refers to a user having only those privileges that are actually required to efficiently perform his or her job.

• Need to Know – Refers to Data being disclosed only to those people who have a legitimate Company business need for the Data.


• PCI (Payment Card Industry Information) – Primary Account Number, in combination with one or more of the following:
  § Track II Data (restricted Data can never be stored);
  § CVV (restricted Data can only be used in authorization and never stored);
  § Account Holder Name;
  § Account Holder Signature;
  § PIN; or
  § Expiration date.

The above is not the exclusive definition of PCI, as additional information can constitute PCI.

• PHI (Personal Health Information) – individually identifiable health information, identifiable demographic and other information relating to the past, present, or future physical or mental health or condition of an individual, or the provision or payment of health care to an individual that is created or received by a health care provider, health plan, employer, or health care clearinghouse. Examples include:
  § Medical record number, account number, health plan beneficiary number, or Social Security Number;
  § Patient demographic Data (e.g., address, date of birth, date of death, sex, email / web address);
  § Dates of service (e.g., date of admission, discharge);
  § Telephone or fax number; or
  § Medical records, reports, test results, appointment dates.

The above is not the exclusive definition of PHI, as additional information can constitute PHI.

• PII (Personally Identifiable Information) – any information concerning a natural person that can be used to identify such natural person in combination with any of the following data elements:
  § Social Security Number;
  § Tax Payer ID;
  § Birth Date;
  § Employee Number;
  § Passport number;
  § State or Federal identification numbers;
  § Military identification numbers;
  § Financial Account information, credit or debit card information, in combination with any required security code, access code or password that would permit access to an individual’s financial account;
  § Driver License Numbers or non-driver identification card number; or
  § PHI.

The above is not the exclusive definition of PII, as additional information can constitute PII.

• Strong Encryption – encryption produced by a cryptosystem and industry-proven cryptographic algorithms which are highly resistant to cryptanalysis and other attacks.

III. POLICY

A. Classifications

All Company Data is to be classified by the Data Owner of the Data (and should be marked whenever possible) according to the below guidelines based on the designated classification. By default, all Data not (or not yet) classified as Confidential, Corporate or Public (see classification table below) shall be treated as Confidential until properly classified. Company has identified 3 levels of Data classification as outlined below:

Classification: Confidential (Highest, Most Sensitive)
Brief Description: Critically volatile and sensitive Data, which always requires the highest security protection. Access to such Data is limited and very strictly defined and controlled. Unauthorized disclosure of such Data usually will result in severe detriment to the Company, its affiliates, employees or its customers.
Examples*: Any Data governed by legal or local, state or Federal regulatory requirement. Any PII, PHI or PCI. Trade secrets (e.g., recipes), strategic business plans and future concept designs. Consult with Legal when in doubt as to the classification of Data ([email protected]).

Classification: Corporate (Moderate Level of Sensitivity)
Brief Description: Internal Data, which is usually intended for Company use only and requires a heightened level of security. Access to such Data should be limited, and unauthorized access to the Data could negatively impact the Company, its affiliates, employees or its customers.
Examples*: Data pertaining to daily business operations, intellectual property or internal emails, phone directory, internal communications, internal business practices and methods, non-public financial reports, performance indicators, customer or supplier lists, pricing, judicial/legal affairs.

Classification: Public (Low or No Level of Sensitivity)
Brief Description: Non-volatile and insensitive Data, which can be disclosed publicly. Anonymous access to such Data is allowed, and disseminating the Data to the public will not result in negative impact to the Company, employees or its customers.
Examples*: All Data currently residing in the public domain. SEC report filings and filed financial documents for purposes of reporting, published restaurant menus, public relations releases, Data posted on public websites.

*EXAMPLES ARE NOT INCLUSIVE AND OTHER DATA SETS MAY BE UNDEFINED


B. Data Handling Guidelines

All users of Company Data are required to comply with the following requirements for handling Company Data:

Protection Requirements
• Confidential: Protection of Data is required by law.
• Corporate: Protection of Data is at the discretion of the Data Owner.
• Public: Protection of Data is at the discretion of the Data Owner.

Risk
• Confidential: High
• Corporate: Medium
• Public: Low or None

Data Access and Control
Confidential:
• Collected and stored only if required for a legitimate business purpose.
• Access shall follow the Least Privilege principle.
• Access to Data must be logged by the Data Custodian when such method is available.
Corporate:
• Collected and stored only if required for legitimate business purposes.
• Access shall follow the Least Privilege principle.
• Access to Data must be logged when such method is available.
Public:
• No access restrictions. Data may be made available publicly.

Transmission
Confidential:
• Data must be transmitted using Strong Encryption when reasonably feasible and at a minimum as required by local, state, Federal legislation or other required compliance mandate (e.g., PCI-DSS, HIPAA).
• Data must be shared or disseminated using the Need to Know principle.
Corporate:
• Data must be shared or disseminated using the Need to Know principle.
• Data must be transmitted via an Encrypted method.
Public:
• No protection is required for Data.

Storage
• All Data, when deemed appropriate by the Data Custodian, must be marked with the appropriate classification for identification and stored in a manner consistent with its classification.
• The distribution of all Data shall be controlled based on its classification.
• Confidential Data and Corporate Data shall be stored in an appropriately secured location.
• Only Data Owners can approve movement of Data from its secured storage location and the appropriate use, transmission and application of such Data.
• When legal or compliance requirements warrant the movement of physical Confidential Data or Corporate Data (printed copies, backup tapes etc.) outside of the Company Environment, such physical Data must be sent only by secure courier or other delivery method that can be tracked.

Audit Controls
• Access to all available audits must follow the Least Privilege and Need to Know principles.
• Access to audit logs shall be logged and audit trails retained no less than one (1) year from the latest entry.
• Audit logs and trails are to be stored in a secure manner, with backups that have built-in redundancy.


Data Security
• All Data generated within the Company Environment is the property of Company.
• Devices containing Company Data must include passwords and shall be controlled by the Device owner with a high level of due care.
• All employees will be held responsible to notify Information Security in the event that a Device containing Company Data is lost (e.g., mobiles, laptops etc.) per the IT Hardware-Mobile Devices Policy (Policy #SC02).
• Company Data shall be handled with a high level of due care.

C. Violation of Policy

Violation of this Policy may subject a user to disciplinary action under appropriate Company disciplinary procedures.

In the event that a system or process is suspected not to be in compliance with this Policy, Company employees and Company guests have a duty to inform Information Security by emailing [email protected].