network and we are dependent on the performance and continued cooperation of the other airlines party to those agreements. No assurances can be given as to any benefits that we may derive from such arrangements or any other arrangements that may ultimately be implemented, or whether or not regulators will, or if granted continue to, approve or impose material conditions on our business activities.
Additional mergers and other forms of industry consolidation, including antitrust immunity grants, may take place and may not involve us as a participant. Depending on which carriers combine and which assets, if any, are sold or otherwise transferred to other carriers in connection with any such combinations, our competitive position relative to the post-combination carriers or other carriers that acquire such assets could be harmed. In addition, as carriers combine through traditional mergers or antitrust immunity grants, their route networks will grow, and that growth will result in greater overlap with our network, which in turn could result in lower overall market share and revenues for us. Such consolidation is not limited to the U.S., but could include further consolidation among international carriers in Europe and elsewhere.
Additionally, our AAdvantage loyalty program, which is an important element of our sales and marketing programs, faces significant and increasing competition from the loyalty programs offered by other travel companies, as well as from similar loyalty benefits offered by banks and other financial services companies. Competition among loyalty programs is intense regarding the rewards, fees, required usage, and other terms and conditions of these programs. These competitive factors affect our ability to attract and retain customers, increase usage of our loyalty program and maximize the revenue generated by our loyalty program.
Evolving data security and privacy requirements could increase our costs, and any significant data security incident could disrupt our operations, harm our reputation, expose us to legal risks and otherwise materially adversely affect our business, results of operations and financial condition.
Our business requires the secure processing and storage of sensitive information relating to our customers, employees, business partners and others. However, like any global enterprise operating in today’s digital business environment, we are subject to threats to the security of our networks and data, including threats potentially involving criminal hackers, hacktivists, state-sponsored actors, corporate espionage, employee malfeasance, and human or technological error. These threats continue to increase as the frequency, intensity and sophistication of attempted attacks and intrusions increase around the world. We have been the target of cybersecurity attacks in the past and expect that we will continue to be in the future.
Furthermore, in response to these threats there has been heightened legislative and regulatory focus on data privacy and cybersecurity in the U.S., the European Union (“EU”) and elsewhere, particularly with respect to critical infrastructure providers, including those in the transportation sector. As a result, we must comply with a growing and fast-evolving set of legal requirements in this area, including substantive cybersecurity standards as well as requirements for notifying regulators and affected individuals in the event of a data security incident. This regulatory environment is increasingly challenging and may present material obligations and risks to our business, including significantly expanded compliance burdens, costs and enforcement risks. For example, in May 2018, the EU’s new General Data Protection Regulation, commonly referred to as GDPR, came into effect, which imposes a host of new data privacy and security requirements, imposing significant costs on us and carrying substantial penalties for non-compliance.
In addition, many of our commercial partners, including credit card companies, have imposed data security standards that we must meet. In particular, we are required by the Payment Card Industry Security Standards Council, founded by the credit card companies, to comply with their highest level of data security standards. While we continue our efforts to meet these standards, new and revised standards may be imposed that may be difficult for us to meet and could increase our costs.
A significant cybersecurity incident could result in a range of potentially material negative consequences for us, including unauthorized access to, disclosure, modification, misuse, loss or destruction of company systems or