promising, offering, or providing, directly or indirectly, improper payments or anything else of value to recipients in the public or private sector. Rockley can be held liable for the corrupt or other illegal activities of its employees, agents, contractors, and other collaborators, even if Rockley does not explicitly authorize or have actual knowledge of such activities. Any violations of the laws and regulations described above may result in substantial civil and criminal fines and penalties, imprisonment, the loss of export or import privileges, debarment, tax reassessments, breach of contract and fraud litigation, reputational harm, and other consequences.
Failures, or perceived failures, to comply with privacy, data protection, and information security requirements in the variety of jurisdictions in which Rockley operates may adversely impact its business, and such legal requirements are evolving, uncertain, and may require improvements in, or changes to, Rockley’s policies and operations.
Rockley’s current and potential future operations and sales are subject to laws and regulations addressing privacy and the collection, use, storage, disclosure, transfer, and protection of a variety of types of data. For example, the European Commission has adopted the General Data Protection Regulation and California recently enacted the California Consumer Privacy Act of 2018, both of which provide for potentially material penalties for non-compliance. These regimes may, among other things, impose data security requirements, disclosure requirements, and restrictions on data collection, uses, and sharing that may impact Rockley’s operations and the development of its business. Rockley has limited access to collect, store, process, or share certain information collected by its products, and Rockley’s products may evolve to collect additional information. Therefore, the full impact of these privacy regimes on Rockley’s business is rapidly evolving across jurisdictions and remains uncertain at this time.
Rockley may also be affected by cyber-attacks and other means of gaining unauthorized access to its products, systems, and data. For instance, cyber criminals or insiders may target Rockley or third parties with which it has business relationships to obtain data, or in a manner that disrupts Rockley’s operations or compromises its products or the systems into which its products are integrated.
Rockley is assessing the continually evolving privacy and data security regimes and measures it believes are appropriate in response. Since these data security regimes are evolving, uncertain, and complex, especially for a global business like Rockley, Rockley may need to update or enhance its compliance measures and these updates or enhancements may require implementation costs. In addition, Rockley may not be able to monitor and react to all developments in a timely manner. The compliance measures Rockley does adopt may prove ineffective. Any failure, or perceived failure, by Rockley to comply with current and future regulatory or customer-driven privacy, data protection, and information security requirements, or to prevent or mitigate security breaches, cyber-attacks, or improper access to, use of, or disclosure of data, or any security issues or cyber-attacks affecting Rockley, could result in significant liability, costs (including the costs of mitigation and recovery), and a material loss of revenue resulting from the adverse impact on its reputation and brand, loss of proprietary information and data, disruption to its business and relationships, and diminished ability to retain or attract customers and business partners. Such events may result in governmental enforcement actions and prosecutions, private litigation, fines, and penalties or adverse publicity, and could cause customers and business partners to lose trust in Rockley, which could have an adverse effect on its reputation and business.
Further, in the event Rockley’s products, or the end products into which Rockley’s products are incorporated, involve the collection of personal medical or clinical data, Rockley would be subject to additional privacy regulations. For example, the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) regulations apply U.S. national standards for some types of electronic health information transactions and the data elements used in those transactions to ensure the integrity, security, and confidentiality of health information and standards to protect the privacy of individually identifiable health information businesses receive, maintain or transmit. The Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH Act”) expanded the scope of the privacy and security requirements under HIPAA and increased penalties for violations. In addition, the HITECH Act enacted federal breach notification rules requiring notification to affected individuals and the Department of Health and Human Services (and in some cases, relevant media outlets) whenever a breach of protected health information occurs. Rockley’s failure to maintain confidentiality of sensitive protected health information or other personal information in accordance with the applicable regulatory requirements could damage its reputation and expose Rockley to claims, fines, and penalties. Rockley’s business, operating results, and financial condition could also be negatively impacted by a violation of the HIPAA privacy or security rules or any other applicable privacy or data security law.
Many U.S. states and international jurisdictions in which Rockley operates also have laws and regulations that protect the privacy and security of confidential, protected health information, or other personal information and that provide similar or even greater protection than U.S. federal regulations. Furthermore, state data breach notification laws continue to expand the type of protected health information and other personal information they encompass, and in many cases are more burdensome than the HIPAA/HITECH breach reporting requirements.