Cyber security breaches or other systems and information technology interruptions could result in liability, harm our reputation, impact our ability to operate, and other material adverse consequences.
We rely on computer, information, and communications technology and systems to operate. We store and process large amounts of confidential and other sensitive information concerning our employees, customers, contractors, and vendors. We also rely in part on third-party software and information technology vendors to run certain parts of our information technology systems and our business, and our ability to monitor these third parties’ information security practices is limited. These third parties may not have adequate information security measures in place. If the third parties with whom we work with experience a cyber security breach or other interruption, we could experience material adverse consequences.
In the ordinary course of business, we have been and may be in the future be targeted by malicious cyber-attacks. Cybersecurity attacks in particular are evolving, and we and the third parties with whom we work face the constant risk of cybersecurity threats, including, among other things, computer viruses, malicious code, attacks by computer hackers, organized cyber-attacks, ransomware attacks, and other electronic security breaches that could lead to disruptions in critical systems, unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, encryption, access to, release or other compromise of confidential or sensitive information. In particular, severe ransomware attacks are becoming increasingly prevalent and can lead to material adverse consequences.
While we have implemented security measures designed to protect against cyber security breaches, there can be no assurance that these measures will be effective. We take steps designed to detect, mitigate, and remediate vulnerabilities in our information systems (such as our hardware and/or software, including that of third parties with whom we work). We may not, however, detect and remediate all such vulnerabilities including on a timely basis. Further, we may experience delays in developing and deploying remedial measures and patches designed to address identified vulnerabilities. Vulnerabilities could be exploited and result in a cyber security breach or other interruption.
Any of the previously identified or similar threats could cause a cyber security breach or other interruption that could result in unauthorized, unlawful, or accidental acquisition, modification, destruction, loss, alteration, encryption, disclosure of, or access to our confidential or sensitive information or our information technology systems, or those of the third parties with whom we work. For example, we have been the target of unsuccessful phishing attempts in the past, and expect such attempts will continue in the future.
If we or the third parties with whom we work experience or are perceived to experience cybersecurity attacks or otherwise, we could experience material adverse consequences, such as suspending or stopping our operations, government enforcement actions, additional reporting requirements, litigation, and other harms, which could have a material adverse effect on our business, results of operations and financial condition, and could negatively impact our clients. Further, improper disclosure of confidential, proprietary or sensitive information of our employees, customers, contractors and vendors could harm our reputation and subject us to liability and other harms.
Data privacy risks, including evolving laws, regulations, and other obligations, may result in business interruption and increased costs and liabilities.
Laws, regulations and other obligations (including without limitation applicable guidance, industry standards, external and internal privacy and security policies and statements, and contractual requirements) relating to personal data and data privacy are constantly evolving, as federal, state, local and foreign governments adopt new measures addressing data privacy. These laws impose stringent obligations. For example, the California Consumer Privacy Act, as amended (“CCPA”), which applies to business representative and other types of personal data of California residents, provides for fines of up to $7,500 per intentional violation and allows private litigants affected by certain data breaches to recover significant statutory damages. Our privacy obligations, including applicable laws and regulations, may be interpreted or applied in a manner that is inconsistent with each other and may complicate our existing data privacy practices. Evolving compliance and operational requirements under the privacy laws of the jurisdictions in which we operate, regulations, and other obligations have become increasingly burdensome and complex. Our failure to comply (or perceived failure to comply) with these obligations could result in costly enforcement actions (including regulatory proceedings, investigations, fines, penalties, audits, and inspections), litigation (including class action claims) or mass arbitration demands, penalties and fines, require us to change our business practices or cause business interruptions, and may lead to liabilities and other harms.
