We are subject to evolving global laws and regulations relating to privacy, data protection and information security, which may require us to incur substantial compliance costs, and any failure or perceived failure by us to comply with such laws and regulations may harm our business and operations.
In the ordinary course of business, we process personal data and other sensitive information, including our proprietary and confidential business data, trade secrets, intellectual property, data about trial participants collected in connection with clinical trials, and other sensitive data. Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and security policies, contracts, and other obligations that govern the processing of personal data by us and on our behalf.
In the United States, federal, state, and local governments have enacted numerous data privacy and security laws, including data breach notification laws, personal data privacy laws, and consumer protection laws. For example, the U.S. federal Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH”), imposes specific requirements relating to the privacy, security, and transmission of individually identifiable health information. At the state level, the California Consumer Privacy Act of 2018 (“CCPA”), as amended and supplemented by the California Privacy Rights Act, imposes obligations on businesses to which it applies. The CCPA allows for statutory fines for noncompliance. Although the CCPA exempts some data processed in the context of clinical trials, the CCPA, to the extent applicable to our business and operations, may increase compliance costs and potential liability with respect to other personal information we may maintain about California residents. Other states have also enacted data privacy laws, including sector-specific laws such as Washington’s My Health, My Data Act, and numerous general privacy laws that share similarities with the CCPA. Additional data privacy and security laws have been proposed at the federal, state, and local levels in recent years, which could further complicate compliance efforts.
Outside the U.S., the European Union’s General Data Protection Regulation (“EU GDPR”) and the United Kingdom’s General Data Protection Regulation impose strict requirements for processing the personal data of individuals. For example, under the EU GDPR, government regulators may impose temporary or definitive bans on data processing, as well as fines of up to 20 million euros or 4% of annual global revenue, whichever is greater. Further, individuals may initiate litigation related to our processing of their personal data. Certain other foreign jurisdictions have enacted laws and regulations relating to privacy, data protection, and information security, as well as certain data localization laws and cross-border personal data transfer laws, that could make it more difficult to transfer information across jurisdictions, such as transferring or receiving personal data that originates in the EU. For example, in Canada, where we are headquartered, federal and provincial legislation imposes strict requirements for the processing of personal data of individuals, with substantial penalties for noncompliance.
Although we endeavor to comply with all applicable data privacy and security obligations, these obligations are quickly changing in an increasingly stringent fashion, creating some uncertainty as to how to comply, and potentially requiring us to modify our policies and practices, which may be costly and may divert the attention of management and technical personnel. Further, we may at times fail, or be perceived to have failed, to comply with laws, regulations or other actual or asserted obligations relating to privacy, data protection or information security, and could face significant consequences. These consequences may include, but are not limited to, government enforcement actions, investigations and other proceedings; private claims, demands, and litigation; additional reporting requirements and/or oversight; bans on processing personal data; orders to destroy or not use personal data; imprisonment of company officials; and fines, penalties, and other liabilities. Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: interruptions or stoppages in our business operations, including our clinical trials; inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; or revision or restructuring of our operations.
Our business and operations could suffer in the event of an actual or perceived information security incident such as a cybersecurity breach, system failure, or other compromise of our systems or those of a third-party or other contractor or vendor.
We rely on both internal information technology systems and networks, and those of third parties and their vendors and contractors, to transmit, store and otherwise process information in connection with our business activities. We are increasingly dependent upon our technology systems to operate our business, and our ability to effectively manage our business depends on the security, reliability and adequacy of our and our third-party or other contractors’ or vendors’ technology systems and data. Any cyberattack, including phishing or other forms of social engineering, business email compromise, ransomware or other malware, or any security breach, security incident, or other destruction, loss, or unauthorized use, modification, or other processing of data maintained or otherwise processed by us or on our behalf could result in a loss of intellectual property or misappropriation of trade secrets, disruptions to our business and operations, subject us to increased costs and require us to expend time and resources to address the matter, may subject us to claims, demands, and proceedings by private parties, regulatory investigations and other proceedings, and fines, penalties, and other liability, and have a material adverse effect on our business. In addition, the loss, alteration or other damage to or other unavailability of pre-clinical data or clinical trial data from completed or ongoing clinical trials for our product candidates could result in delays in our development and regulatory approval efforts and significantly increase our costs to recover or reproduce the data. Any cyberattack, security breach or incident, or other destruction, loss or unauthorized processing of data maintained or otherwise processed by us or on our behalf, or the perception that any such matter has occurred, could result in actual or alleged violations of applicable U.S. and international privacy, data protection, information security and other laws and regulations, harm to our reputation, and subject us to claims, demands and litigation by private parties and governmental investigations and other proceedings by federal, state and local regulatory entities in the U.S. and by international regulatory entities, resulting in exposure to material civil and/or criminal proceedings and liability. In addition, we may incur significant additional expense to implement further measures and policies relating to privacy, data protection and information security, whether in response to an actual or perceived security breach or incident or otherwise.
To date, although we have faced cyberattacks and suffered information security incidents, we have not experienced any material impact to our business, financial position or operations resulting from cyberattacks or other information security incidents of which we are aware; however, because of frequently changing attack techniques, along with the increased volume and sophistication of such attacks, our business, financial position or operations could be adversely impacted in the future. Moreover, the prevalent use of mobile devices that access confidential information, widespread use of cloud-based applications with remote data centers, and the ability to work remotely all increase the risk of security breaches and incidents. These risks may be heightened due to the increasing number of our and our vendors’ and contractors’ personnel working remotely. Further, geopolitical events such as wars and conflicts may increase the cybersecurity threats we and the third parties we work with face. As cyber threats continue to evolve, we may be required to expend significant additional resources to continue to modify or enhance our protective measures or to investigate and remediate information security vulnerabilities. While we have implemented security measures, our computer systems and the external systems and services used by our third-party contract manufacturers and CROs and their vendors and contractors remain potentially vulnerable to these events, and there can be no assurance that we will be successful in preventing cyberattacks or successfully mitigating their effects. Our liability insurance may not be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related incidents, and we cannot be sure that such coverage will continue to be available on acceptable terms or at all. In addition, regulators are considering new cybersecurity laws and regulations. These proposed laws and regulations may impact the manner in which we operate and require us to incur increasing costs.