Risks Related to Cybersecurity, Data Protection and Privacy
Security breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer.
In the ordinary course of our business, we store sensitive data, including intellectual property, proprietary business information and personally identifiable information, in our data centers and on our networks. The secure processing, maintenance and transmission of this information is critical to our operations and business strategy. Our information technology systems and those of our third-party service providers, strategic partners and other contractors or consultants are vulnerable to attack and damage or interruption from computer viruses and malware (e.g. ransomware), malicious code, natural disasters, terrorism, war, telecommunication and electrical failures, hacking, cyberattacks, phishing attacks and other social engineering schemes, employee theft or misuse, human error (e.g., social engineering, phishing), fraud, denial or degradation of service attacks, sophisticated nation-state and nation-state-supported actors or unauthorized access or use by persons inside our organization, or persons with access to systems inside our organization. Attacks upon information technology systems are increasing in their frequency, levels of persistence, sophistication and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. As a result of the COVID-19 pandemic and the current conflict between Russia and Ukraine, we may also face increased cybersecurity risks due to our reliance on internet technology and the number of our employees who are working remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities. Furthermore, because the techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Despite our security measures, our information technology and infrastructure may be vulnerable to attacks by hackers or breached due to employee error, malfeasance, or other disruptions. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence.
We and certain of our service providers are from time to time subject to cyberattacks and security incidents. While we do not believe that we have experienced any significant system failure, accident or security breach to date, any such breach could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen. Any such access, disclosure or other loss of information could result in significant costs to address and remediate the incident, lead to legal claims or proceedings, disrupt our operations, and damage our reputation.
We maintain cyber risk insurance, but this insurance may not be sufficient to cover all of our losses from any future breaches of our systems.
Our collection, control, processing, sharing, disclosure and other use of personal data could give rise to liabilities as a result of governmental regulation, conflicting legal requirements, and evolving laws concerning data privacy in the EU and EEA.
The global data protection landscape is rapidly evolving, and we are or may become subject to numerous state, federal and foreign laws, requirements and regulations governing the collection, use, disclosure, retention, and security of personal data, such as information that we may collect in connection with clinical trials in the U.S. and abroad. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business. This evolution may create uncertainty in our business, affect our ability to operate in certain jurisdictions or to collect, store, transfer, use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulation, our internal policies and procedures or our contracts governing our processing of personal information could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our operations, financial performance and business.
As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. In the U.S., HIPAA imposes, among other things, certain standards relating to the privacy, security, transmission and breach reporting of individually identifiable health information. Certain states have also adopted comparable privacy and security laws and regulations, some of which may be more stringent than HIPAA. Such laws and regulations will be subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us and our future customers and strategic partners. In addition, the CCPA went into effect on January 1, 2020. The CCPA creates individual privacy rights for California consumers and increases the privacy and security obligations of entities handling certain personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. The CCPA may increase our compliance costs and potential liability, and many similar laws have been proposed at the federal level and in other states. Further, the CPRA recently passed in California. The CPRA will impose additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It will also create a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The majority of the provisions will go into effect on January 1, 2023, and additional compliance investment and potential business process changes may be required. 
Similar laws have passed in Virginia and Colorado and have been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States. The enactment of such laws could have potentially conflicting requirements that would make compliance challenging. In the event that we are subject to or affected by HIPAA, the CCPA, the CPRA or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition.