Similar actions are either in place or under way in the United States. There are a broad variety of data protection laws that are applicable to our activities, and a wide range of enforcement agencies at both the state and federal levels that can review companies for privacy and data security concerns based on general consumer protection laws. The Federal Trade Commission and state Attorneys General are aggressive in reviewing privacy and data security protections for consumers. New laws also are being considered at both the state and federal levels. For example, the California Consumer Privacy Act, or CCPA—which went into effect on January 1, 2020—is creating similar risks and obligations as those created by GDPR, though the CCPA does currently exempt certain information collected as part of a clinical trial subject to the Federal Policy for the Protection of Human Subjects, known as the Common Rule. The CCPA also has been amended through a recent referendum in California that creates additional obligations beginning in 2023. At least two other states have adopted, and many other states are considering, similar legislation. A broad range of legislative measures also have been introduced at the federal level. Accordingly, failure to comply with federal and state laws (both those currently in effect and future legislation) regarding privacy and security of personal information could expose us to fines and penalties under such laws. There also is the threat of consumer class actions related to these laws and the overall protection of personal data. Even if we are not determined to have violated these laws, government investigations into these issues typically require the expenditure of significant resources and generate negative publicity, which could harm our reputation and our business.
Given the breadth and depth of changes in data protection obligations, preparing for and complying with these requirements is rigorous and time intensive and requires significant resources and a review of our technologies, systems and practices, as well as those of any third-party collaborators, service providers, contractors or consultants that process or transfer personal data collected in applicable jurisdictions. These changes in laws or regulations associated with the enhanced protection of certain types of sensitive data, such as healthcare data or other personal information from our clinical trials, could require us to change our business practices and put in place additional compliance mechanisms, may interrupt or delay our development, regulatory and commercialization activities and increase our cost of doing business, and could lead to government enforcement actions, private litigation and significant fines and penalties against us and could have a material adverse effect on our business, financial condition or results of operations.
Our internal information technology systems, or those of our vendors, collaborators, contractors, consultants, or other third parties may fail or suffer security breaches, which could result in a material disruption of our product development programs, compromise sensitive information related to our business or prevent us from accessing critical information, trigger contractual and legal obligations, potentially exposing us to liability, reputational harm or otherwise adversely affecting our business and financial results.
We are dependent upon information technology systems, infrastructure and data to operate our business. In the ordinary course of business, we collect, store and transmit large amounts of confidential information, including personal information and information relating to intellectual property, on internal and external information systems and through the information systems of our vendors, collaborators, contractors, consultants, or other third parties. It is critical that we, our vendors, collaborators, contractors, consultants, or other third parties, do so in a secure manner to maintain the availability, security, confidentiality, privacy and integrity of such confidential information.
Despite the implementation of security measures, our internal information technology systems and those of third parties are vulnerable to damage from computer viruses, malware, computer hackers, malicious code, employee error, theft or misuse, denial-of-service attacks, sophisticated nation-state supported actors, unauthorized access, natural disasters, terrorism, war and telecommunication and electrical failures. Such systems are also vulnerable to service interruptions or to security breaches from inadvertent or intentional actions by our employees, our collaborators, contractors, consultants, vendors, and other third parties, or from cyberattacks by malicious third parties over the Internet or through other mechanisms. Cyberattacks are increasing in their frequency, sophistication and intensity, and have become increasingly difficult to detect. Cyberattacks could include the deployment of harmful malware, ransomware, denial-of-service attacks, unauthorized access to or deletion of files, social engineering and other means to affect service reliability and threaten the confidentiality, integrity and availability of information. Cyberattacks also could include phishing attempts or e-mail fraud to cause payments or information to be transmitted to an unintended recipient. We may not be able to anticipate all types of security threats, and we may not be able to implement preventive measures effective against all such security threats. The techniques used by cyber criminals change frequently, may not be recognized until launched, and can originate from a wide variety of sources, including outside groups such as external service providers, organized crime affiliates, terrorist organizations or hostile foreign governments or agencies. We cannot guarantee that the measures we have taken to date, and actions we may take in the future, will be sufficient to prevent any future breaches.