Moreover, we maintain offices in the European Union (“EU”) (Ireland) and we have customers in the EU and the United Kingdom (“UK”). Accordingly, we are subject to the General Data Protection Regulation (EU) 2016/679 (the “GDPR”), and related member state implementing legislation, and to the UK’s Data Protection Act 2018 (collectively, “European Data Protection Law”). European Data Protection Law places obligations on controllers and processors of personal data, while establishing rights for individuals with respect to their personal data. European Data Protection Law is also explicitly extraterritorial in its application, and could affect our business activities in jurisdictions outside the EU and the UK. Additionally, European Data Protection Law imposes strict rules on the transfer of personal data outside of the EU to countries that do not ensure an adequate level of protection, like the United States. These transfers are prohibited unless an appropriate safeguard specified by the GDPR is implemented, such as the Standard Contractual Clauses (SCCs) or binding corporate rules. The Court of Justice of the European Union (the “CJEU”) recently deemed that these transfers need to be analyzed on a
basis to ensure EU standards of data protection are met in the jurisdiction where the data importer is based. European regulators have issued recent guidance following the CJEU case that imposes significant new diligence requirements on transferring data outside the EU. Complying with this guidance is and will continue to be expensive and time consuming and may ultimately prevent us from transferring personal data outside the EU, which would cause significant business disruption. The GDPR imposes sanctions for violations up to the greater of €20 million and 4% of worldwide gross annual revenue, enables individuals to claim damages for violations and introduces the right for non-profit organizations to bring claims on behalf of data subjects.
The regulatory framework governing the collection, processing, storage, use and sharing of personal information is rapidly evolving and is likely to continue to be subject to uncertainty and varying interpretations. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our services and platform capabilities. We cannot yet fully determine the impact these or future laws, rules, regulations and industry standards may have on our business or operations. Additionally, our customers may be subject to differing privacy laws, rules and legislation, which may mean that they require us to be bound by varying contractual requirements applicable to certain other jurisdictions. Adherence to such contractual requirements may impact our collection, use, processing, storage, sharing and disclosure of personal information and may mean we become bound by, or voluntarily comply with, self-regulatory or other industry standards relating to these matters that may further change as laws, rules and regulations evolve. We have incurred, and may continue to incur, significant expenses to comply with evolving mandatory privacy and security standards and protocols imposed by law, regulation, industry standards, shifting merchant and customer expectations, or contractual obligations, and we may not be able to respond quickly or effectively to regulatory, legislative and other developments. These changes may in turn impair our ability to offer our existing or planned features, products and services and/or increase our cost of doing business.
We publicly post documentation regarding our privacy practices. Although we endeavor to comply with our published policies and documentation, we may at times fail to do so or be alleged to have failed to do so. Any failure or perceived failure by us to comply with our privacy policies or any applicable privacy, security or data protection, information security or consumer-protection related laws, regulations, orders or industry standards could expose us to costly litigation, significant awards, fines or judgments, civil and/or criminal penalties or negative publicity, and could materially and adversely affect our business, financial condition and results of operations. The publication of our privacy policy and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action if they are found to be deceptive, unfair, or misrepresentative of our actual practices, which could, individually or in the aggregate, materially and adversely affect our business, financial condition and results of operations.
We rely on our software and information technology systems to manage numerous aspects of our business and a disruption of these systems could adversely affect our business.
We rely on our information technology systems to manage numerous aspects of our business, including to efficiently purchase products from our suppliers, provide procurement and logistic services, ship products to our customers, receive orders from our customers, manage our accounting and financial functions, including our internal controls, and maintain our research and development data. Our information technology systems are an essential component of our business and any disruption could significantly limit our ability to manage and operate our business efficiently. A failure of our information technology systems to perform properly could disrupt our supply chain, product development and customer experience, which may lead to increased overhead costs and decreased sales and have an adverse effect on our reputation and our financial condition. In particular, our integrated software platform is an essential system that virtually all of our customers depend on for their design needs. If our integrated software platform were to fail, we could face adverse consequences to our results of operations, financial condition and business reputation. In addition, during the COVID-19 pandemic, a substantial portion of our employees have conducted work remotely, making us more dependent on potentially vulnerable communications systems and making us more vulnerable to cyberattacks.
Although we take steps and incur significant costs to secure our information technology systems, including our computer systems, intranet and internet sites, email and other telecommunications and data networks, our security measures may not be effective and our systems may be vulnerable to damage or interruption. Disruption to our information technology systems could result from power outages, computer and telecommunications failures, computer viruses, cyber-attack or other security breaches, catastrophic events such as fires, floods, earthquakes, tornadoes, hurricanes, acts of war, terrorism and usage errors by our employees.
Our reputation and financial condition could be adversely affected if, as a result of a significant cyber-event or otherwise:
• our operations are disrupted or shut down;
• our confidential, proprietary information is stolen or disclosed;
• we incur costs or are required to pay fines in connection with stolen customer, employee or other confidential information; or
• we must dedicate significant resources to system repairs or increase cyber security protection.
In addition, any unauthorized access, disclosure or other loss or unauthorized use of information or data could result in legal claims or proceedings, regulatory investigations or actions, and other types of liability under laws that protect the privacy and security of personal information, including federal, state and foreign data protection and privacy regulations, violations of which could result in significant penalties and fines. In addition, although we seek to detect and investigate all data security incidents, security breaches and other incidents of unauthorized access to our information technology systems and data can be difficult to detect and any delay in identifying such breaches or incidents may lead to increased harm and legal exposure.