interruption from service interruptions, system malfunction, accidents by our employees or third party service providers, natural disasters, terrorism, war, global pandemics, and telecommunication and electrical failures, as well as security breaches from inadvertent or intentional actions by our employees, third-party CROs, CMOs, vendors, contractors, consultants, business partners and/or other third parties, or from cyber-attacks or supply chain attacks by malicious third parties (including the deployment of harmful malware, ransomware, denial-of-service attacks, social engineering and other means to affect service reliability and threaten the confidentiality, integrity and availability of information), which may compromise our system infrastructure, or that of our third-party CROs, CMOs, vendors and other contractors and consultants, or lead to data leakage. The risk of a security breach or disruption, particularly through cyber-attacks or cyber intrusion, including by computer hackers, foreign governments, and cyber terrorists, has generally increased as the number, intensity, and sophistication of attempted attacks and intrusions from around the world have increased. The COVID-19 pandemic is generally increasing the attack surface available for exploitation, as more companies and individuals work online and remotely, and as such, the risk of a cybersecurity incident occurring, and our investment in risk mitigations against such an incident, are increasing. For example, there has been an increase in phishing and spam email attacks as well as social engineering attempts from “hackers” hoping to use the COVID-19 pandemic to their advantage. We may not be able to anticipate all types of security threats, nor implement preventive measures effective against all such security threats. The techniques used by cyber criminals change frequently, may not be recognized until launched and can originate from a wide variety of sources, including outside groups such as external service providers, organized crime affiliates, terrorist organizations, or hostile foreign governments or agencies. Any breach, loss or compromise of clinical trial participant personal data may also subject us to civil fines and penalties, including under HIPAA, and other relevant state and federal privacy laws in the United States. If the information technology systems of our third-party CROs, CMOs, vendors and other contractors and consultants become subject to disruptions or security breaches, we may have insufficient recourse against such third parties and we may have to expend significant resources to mitigate the impact of such an event, and to develop and implement protections to prevent future events of this nature from occurring.
While we have not experienced any such system failure, accident or security breach to date, we cannot assure you that our data protection efforts and our investment in information technology will prevent significant breakdowns, data leakages, breaches in our systems, or those of our third-party CROs, CMOs, vendors and other contractors and consultants, or other cyber incidents that could have a material adverse effect upon our reputation, business, operations, or financial condition. For example, if such an event were to occur and cause interruptions in our operations, or those of our third-party CROs, CMOs, vendors and other contractors and consultants, it could result in a material disruption of our programs and the development of our product candidates could be delayed. In addition, the loss of clinical trial data for our product candidates could result in delays in our marketing approval efforts and significantly increase our costs to recover or reproduce the data. Furthermore, significant disruptions of our internal information technology systems or those of our third-party CROs, CMOs, vendors and other contractors and consultants, or security breaches could result in the loss, misappropriation and/or unauthorized access, use, or disclosure of, or the prevention of access to, confidential information (including trade secrets or other intellectual property, proprietary business information, and sensitive personal information), which could result in financial, legal, business and reputational harm to us.
A security breach may cause us to breach customer contracts. Our agreements with certain customers may require us to use industry-standard or reasonable measures to safeguard sensitive personal information or confidential information. A security breach could lead to claims by our customers, their end users, or other relevant stakeholders that we have failed to comply with such legal or contractual obligations. As a result, we could be subject to legal action or our customers could end their relationships with us. There can be no assurance that the limitations of liability in our contracts would be enforceable or adequate or would otherwise protect us from liabilities or damages.
In addition, litigation resulting from security breaches may adversely affect our business. Unauthorized access to our platform, systems, networks, or physical facilities could result in litigation with our customers, our customers’ end users, or other relevant stakeholders. These proceedings could force us to spend money in defense or settlement, divert management’s time and attention, increase our costs of doing business, or adversely affect our reputation. We could be required to fundamentally change our business activities and practices or modify our solutions and/or platform capabilities in response to such litigation, which could have an adverse effect on our business. If a security breach were to occur and the confidentiality, integrity or availability of our data or the data of our partners, our customers or our customers’ end users was disrupted, we could incur significant liability, or our platform, systems or networks may be perceived as less desirable, which could negatively affect our business and damage our reputation.
