| Commitments and Contingencies | 13. Commitments and Contingencies Litigation On September 10, 2019, ZapFraud, Inc. (ZapFraud), filed a complaint in the U.S. District Court for the District of Delaware against the Company’s wholly owned subsidiaries, Mimecast North America, Inc., Mimecast Services Limited and Mimecast UK Limited. The complaint alleges that certain elements of the Company’s email security technology infringe a patent held by ZapFraud. ZapFraud seeks an award for damages in an unspecified amount, attorney’s fees and injunctive relief. On November 22, 2019, the Company filed a Motion to Dismiss for Failure to State a Claim. On April 24, 2020, ZapFraud amended its complaint by alleging that the Company’s email security technology infringes an additional patent that was recently issued to ZapFraud. On May 22, 2020, the Company filed a revised Motion to Dismiss for Failure to State a Claim that responds to ZapFraud’s amended complaint. On September 18, 2020, the court held a hearing on the motion and on November 20, 2020 the magistrate judge issued a recommendation that the court grant the Company’s motion. On December 11, 2020, ZapFraud filed objections to the magistrate judge’s recommendation and the Company responded to those objections on January 4, 2021. On March 25, 2021, the court adopted the recommendation of the magistrate judge, and granted the Company’s motion to dismiss. There are no pending motions and no appeal has been filed. Regardless of the outcome, litigation can have an adverse impact on the Company because of defense and potential settlement costs, diversion of management resources and other factors. From time to time, the Company may be involved in legal proceedings and subject to claims in the ordinary course of business. Although the results of these proceedings and claims cannot be predicted with certainty, the Company does not believe the ultimate cost to resolve these matters would individually, or taken together, have a material adverse effect on the Company’s business, operating results, cash flows or financial condition. Regardless of the outcome, such proceedings can have an adverse impact on the Company because of defense and settlement costs, diversion of resources and other factors, and there can be no assurances that favorable outcomes will be obtained. Except as described above, the Company was not subject to any material legal proceedings during the three months ended June 30, 2021 and 2020 , and, to the best of its knowledge, except as described above, no material legal proceedings are currently pending or threatened. Indemnification In the ordinary course of business, the Company provides indemnifications of varying scope and terms to customers, business partners, vendors, lessors, directors, officers, employees, and other parties with respect to certain matters. Indemnification may include losses from intellectual property infringement claims made by third parties, the Company’s breach of certain agreements, and other liabilities relating to or arising from the Company’s acts or omissions. These indemnification provisions may survive termination of the underlying agreement and the maximum potential amount of future indemnification payments may not be subject to a cap. It is not possible to determine the maximum potential loss under these indemnification provisions due to the Company’s limited history of prior indemnification claims and the unique facts and circumstances involved in each particular indemnification. Based on historical experience and information known as of June 30, 2021 and March 31, 2021, the Company has not incurred any costs for the above indemnities. In certain circumstances, the Company warrants that its services will perform in all material respects in accordance with its standard published specification documentation in effect at the time of delivery of the services to the customer for the term of the agreement. To date, the Company has not incurred significant expense under its warranties and, as a result, the Company believes the estimated fair value of these agreements is immaterial. Security Incident In January 2021, the Company became aware of a security incident later determined to be conducted by the same sophisticated threat actor responsible for the SolarWinds supply chain attack. The Company immediately launched an internal forensic investigation. The investigation was supported by leading third-party forensics and cyber incident response experts at Mandiant, a division of FireEye, Inc., and in coordination with law enforcement to aid their investigation into this threat actor. During the investigation, the Company learned that the threat actor used the SolarWinds supply-chain compromise to gain access to part of its production grid environment. Using this entry point, the threat actor accessed certain Mimecast-issued certificates and related customer server connection information. The threat actor also accessed a subset of email addresses and other contact information, as well as encrypted and/or hashed and salted credentials. In addition, the threat actor accessed and downloaded a limited number of the Company’s source code repositories, but the Company found no evidence of any modifications to its source code nor does it believe there was any impact on its products. As the investigation progressed, the Company issued a series of advisories to affected customers, including recommended precautionary steps to mitigate risk and, in some cases, to address regulatory requirements. The forensic investigation was completed in March 2021 and the Company has eliminated the threat actor’s access to its environment. The Company has taken a number of actions to prevent future access to its environment and will continue to monitor for threats and take precautionary steps as needed. The Company is subject to risk and significant uncertainties as a result of this security incident, including those described in Part II, Item 1A, “Risk Factors” in this Quarterly Report on Form 10-Q. While the investigation is complete, there can be no assurance as to what the overall impact of these events will be. These types of events often have cascading impacts that unfold over time and may result in a loss of revenue, a diminution of the Company’s business prospects and incremental costs, including costs associated with litigation or investigations by regulatory authorities, any of which may adversely impact the Company’s financial results. The Company has incurred and expects to incur significant costs related to the security incident. For the year ended March 31, 2021, the Company recorded $0.8 million of pre-tax expenses related to the security incident, net of anticipated insurance recoveries. For the three months ended June 30, 2021, expenses related to the security incident were not material. Expenses include costs of the forensic investigation, remediation costs, and legal and other professional services. It is also expected that the Company will continue to incur costs related to its response, remediation, and investigatory efforts relating to this security incident. While the Company has cyber insurance coverage, the amount of such insurance may be insufficient to compensate for any expenses or losses that may result from the security incident or the insurance carrier may refuse to reimburse the Company for certain costs under the terms of the policy. The full scope of the costs and related impacts of the security incident, including the availability of insurance to offset some of these costs, cannot be estimated at this time. |
