intellectual property and proprietary business information owned or controlled by ourselves or our strategic partners. We manage and maintain our applications and data by utilizing a combination of on-site systems, managed data center systems and cloud-based data center systems. These applications and data encompass a wide variety of business-critical information, including research and development information, commercial information and business and financial information. We face four primary risks relative to protecting this critical information: loss of access risk, inappropriate disclosure risk, inappropriate modification risk and the risk of being unable to adequately monitor our controls over the first three risks.
Although we take measures designed to protect sensitive information from unauthorized access or disclosure, our information technology and infrastructure, and those that our CROs and our other third-party service providers may utilize, may be vulnerable to attacks by hackers or viruses or breached, interrupted or compromised due to inadvertent or intentional actions by our employees, contractors, business partners, and/or other third parties, or from cyber-attacks by malicious third parties (including supply chain cyber-attacks or the deployment of harmful malware, ransomware, denial-of-service attacks, social engineering and other means to affect service reliability and threaten the confidentiality, integrity and availability of information). Any such breach, incident, or interruption could compromise systems and networks used in our business and lead to the loss, destruction, alteration, prevention of access to, disclosure, or dissemination of, or damage or unauthorized access to, our data (including trade secrets or other confidential information, intellectual property, proprietary business information, and personal information) or data that is processed or maintained on our behalf, or other assets, which could result in financial, legal, business and reputational harm to us. Any such event could result in legal claims, demands and litigation or governmental investigations or other proceedings, liability under laws that protect the privacy of personal information, such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), and regulatory penalties and other liabilities. Although we have implemented security measures and a formal enterprise security program designed to prevent unauthorized access to sensitive data, there is no guarantee that we or our third-party service providers can protect our systems or networks or other systems or networks used in our business from security breaches, incidents, or compromises.
Any loss, destruction, alteration, prevention of access to, disclosure, or dissemination of, or damage or unauthorized access to, our data or other data that is processed or maintained on our behalf could also disrupt our operations (including our ability to conduct our analyses, pay providers, conduct research and development activities, collect, process and prepare company financial information, provide information about any future products, and manage the administrative aspects of our business) and damage our reputation, any of which could adversely affect our business.
HIPAA, as amended by the Health Information Technology for Economic and Clinical Health Act (“HITECH”), and its implementing regulations, impose certain requirements relating to the privacy, security, transmission and breach reporting of individually identifiable health information upon entities subject to the law, such as health plans, healthcare clearinghouses and healthcare providers and their respective business associates and subcontractors that perform services for them that involve individually identifiable health information. Mandatory penalties for HIPAA violations can be significant, and criminal and monetary penalties, as well as injunctive relief, may be imposed for HIPAA violations. Although most drug manufacturers are not directly subject to HIPAA, prosecutors are increasingly using HIPAA-related theories of liability against drug manufacturers and their agents and we also could be subject to criminal penalties if we knowingly obtain individually identifiable health information from a HIPAA-covered entity in a manner that is not authorized or permitted by HIPAA.
Furthermore, in the event of a breach as defined by HIPAA, HIPAA regulations impose specific reporting requirements to regulators, individuals impacted by the breach and, in some cases, the media. Issuing such notifications can be costly, time and resource intensive, and can generate significant negative publicity. Breaches of HIPAA may also constitute contractual violations that could lead to contractual damages or terminations. In addition to HIPAA, other applicable data privacy and security obligations, including U.S. state data breach notification laws, may require us to notify relevant stakeholders of any security breaches or incidents that result in the unauthorized disclosure or dissemination of personal information. Such disclosures are costly, and the disclosures or the failure to comply with such requirements could lead to adverse impacts.