| Commitments and Contingencies | 9. Commitments and Contingencies Leases We have operating leases for corporate offices, subleased offices and certain equipment and furniture. As of June 30, 2021, we did not have any operating leases that had not yet commenced. The components of lease expense were as follows: Three months ended June 30, Six months ended June 30, (dollars in thousands) 2021 2020 2021 2020 Operating lease cost (1) $ 2,372 $ 6,281 $ 5,213 $ 12,592 Variable lease cost 699 1,113 1,398 2,371 Sublease income (366) (940) (826) (1,853) Net lease cost $ 2,705 $ 6,454 $ 5,785 $ 13,110 (1) Includes short-term lease costs, which were immaterial. Other commitments The term loans under the 2020 Credit Facility require periodic principal payments. The balance of the term loans and any amounts drawn on the revolving credit loans are due upon maturity of the 2020 Credit Facility in October 2025. The Real Estate Loans also require periodic principal payments and the balance of the Real Estate Loans are due upon maturity in April 2038. We have contractual obligations for third-party technology used in our solutions and for other services we purchase as part of our normal operations. In certain cases, these arrangements require a minimum annual purchase commitment by us. As of June 30, 2021, the remaining aggregate minimum purchase commitment under these arrangements was approximately $45.0 million through 2024. Solution and service indemnifications In the ordinary course of business, we provide certain indemnifications of varying scope to customers against claims of intellectual property infringement made by third parties arising from the use of our solutions or services. If we determine that it is probable that a loss has been incurred related to solution or service indemnifications, any such loss that could be reasonably estimated would be recognized. We have not identified any losses and, accordingly, we have not recorded a liability related to these indemnifications. Legal proceedings We are subject to legal proceedings and claims that arise in the ordinary course of business, as well as certain other non-ordinary course proceedings, claims and inquiries, as described below. We make a provision for a loss contingency when it is both probable that a material liability has been incurred and the amount of the loss can be reasonably estimated. If only a range of estimated losses can be determined, we accrue an amount within the range that, in our judgment, reflects the most likely outcome; if none of the estimates within that range is a better estimate than any other amount, we accrue the low end of the range. For proceedings in which an unfavorable outcome is reasonably possible but not probable and an estimate of the loss or range of losses arising from the proceeding can be made, we disclose such an estimate, if material. If such a loss or range of losses is not reasonably estimable, we disclose that fact. We review any such loss contingency provisions at least quarterly and adjust them to reflect the impacts of negotiations, settlements, rulings, advice of legal counsel and other information and events pertaining to a particular case. We recognize insurance recoveries, if any, when they are probable of receipt. All associated costs due to third-party service providers and consultants, including legal fees, are expensed as incurred. Legal proceedings are inherently unpredictable. However, we believe that we have valid defenses with respect to the legal matters pending or threatened against us and intend to defend ourselves vigorously against all claims asserted. It is possible that our consolidated financial position, results of operations or cash flows could be materially negatively affected in any particular period by an unfavorable resolution of one or more of such legal proceedings. Security incident As previously disclosed, we are subject to risks and uncertainties as a result of a ransomware attack against us in May 2020 in which a cybercriminal removed a copy of a subset of data from our self-hosted environment (the "Security Incident"). Based on the nature of the Security Incident, our research and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Our investigation into the Security Incident by our cybersecurity team and third-party forensic advisors remains ongoing. As a result of the Security Incident, we are currently subject to certain legal proceedings, claims, inquiries and investigations, as discussed below, and could be the subject of additional legal proceedings, claims, inquires and investigations in the future that might result in adverse judgments, settlements, fines, penalties, or other resolution. To limit our exposure to losses related to claims against us, including data breaches such as the Security Incident, we maintain $50 million of insurance above a $250 thousand deductible payable by us. As noted below, this coverage has reduced our fina ncial exposure related to the Security Incident, and we will continue to seek recoveries under these insurance policies. Based on our review of expenses incurred to date, and upon consideration of the number of matters outstanding (as described below), w e believe it is probable that total losses related to the Security Incident will ultimately exceed the limits of our insurance coverage. However, we are currently unable to determine when that will be the case nor are we able to determine the approximate amount or range of any such excess. In the three and six months ended June 30, 2021, we recorded $11.7 million and $24.4 million, respectively, of expenses related to the Security Incident and offsetting probable insurance recoveries of $11.2 million and $23.9 million, respectively. As of June 30, 2021, we have recorded cumulative expenses related to the Security Incident of $34.2 million and cumulative probable insurance recoveries of $33.3 million. Due to the time required to submit and process such insurance claims, we have not yet received all of the accrued insurance recoveries. Of the insurance recoveries recorded, $10.0 million had been paid as of June 30, 2021. Recorded expenses consisted primarily of payments to third-party service providers and consultants, including legal fees. We present expenses and insurance recoveries related to the Security Incident in general and administrative expense on our condensed consolidated statements of comprehensive income and as operating activities on our condensed consolidated statements of cash flows. We expect to continue to experience significant expenses related to our response to the Security Incident, resolution of legal proceedings, claims, inquiries and investigations discussed below, and our efforts to further enhance our security measures, and those expenses may be material. Based on our analysis of the factors described above, we have not recorded a liability related to the Security Incident as of June 30, 2021 because we are unable at this time to reasonably estimate the possible loss or range of loss. Customer claims. To date, we have received approximately 260 specific requests for reimbursement of expenses ("Customer Reimbursement Requests") and approximately 400 reservations of the right to seek expense recovery in the future from customers or their attorneys in the U.S., U.K. and Canada related to the Security Incident (none of which have as yet been filed in court and only one of which is in arbitration). Of the Customer Reimbursement Requests received to date, approximately 160 have been fully resolved and closed. Customer claims generally seek reimbursement of their costs and expenses associated with notifying their own customers of the Security Incident and taking steps to assure that personal information has not been compromised as a result of the Security Incident. Our review of customer claims includes analyzing individual customer contracts into which we have entered, the specific claims made and applicable law. Customer constituent class actions. Presently, we are a defendant in 29 putative consumer class action cases [27 in U.S. federal courts (some of which have been consolidated under multi district litigation to a single federal court) and 2 in Canadian courts] alleging harm from the Security Incident. The plaintiffs in these cases, who purport to represent various classes of individual constituents of our customers, generally claim to have been harmed by alleged actions and/or omissions by us in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys’ fees, and other related relief. Lawsuits that are putative class actions require a plaintiff to satisfy a number of procedural requirements before proceeding to trial. These requirements include, among others, demonstration to a court that the law proscribes in some manner our activities, the making of factual allegations sufficient to suggest that our activities exceeded the limits of the law and a determination by the court—known as class certification—that the law permits a group of individuals to pursue the case together as a class. If these procedural requirements are not met, the lawsuit cannot proceed as a class action and the plaintiff may lose the financial incentive to proceed with the case. Frequently, a court’s determination as to these procedural requirements is subject to appeal to a higher court. As a result of these uncertainties, we may be unable to determine the probability of loss until, or after, a court has finally determined that a plaintiff has satisfied the applicable class action procedural requirements. Furthermore, for putative class actions, it is often not possible to estimate the possible loss or a range of loss amounts, even where we have determined that a loss is reasonably possible. Generally, class actions involve a large number of people and raise complex legal and factual issues that result in uncertainty as to their outcome and, ultimately, making it difficult for us to estimate the amount of damages that a plaintiff might successfully prove. This analysis is further complicated by the fact that the plaintiffs lack contractual privity with us. Governmental inquiries and investigations. To date, we have received a consolidated, multi-state Civil Investigative Demand issued on behalf of 47 state Attorneys General and the District of Columbia and separate Civil Investigative Demands from the offices of the Illinois Attorney General and the California Attorney General relating to the Security Incident. In addition, we have received communications, inquires and requests from the U.S. Federal Trade Commission, the SEC, the U.S. Department of Health and Human Services, the Information Commissioner’s Office in the United Kingdom under the U.K. Data Protection Act 2018, the Office of the Australian Information Commissioner, the Office of the Privacy Commissioner of Canada and the Spanish Data Protection Agency. We are cooperating with these offices and responding to their inquiries, which include various requests for documents, policies, narratives and communications, as well as requests to interview or depose various Company-related personnel. As noted above, each of these separate governmental inquiries and investigations could result in adverse judgements, settlements, fines, penalties, or other resolution, the amount, scope and timing of which we are currently unable to predict, but could be material. |
