Commitments and Contingencies | 11. Commitments and Contingencies Leases We have operating leases for corporate offices, subleased offices and certain equipment and furniture. As of December 31, 2023, we did not have any operating leases that had not yet commenced. The following table summarizes the components of our lease expense: Year ended (dollars in thousands) 2023 2022 2021 Operating lease cost (1) $ 8,812 $ 9,501 $ 9,636 Variable lease cost 1,431 1,670 2,478 Sublease income (3,356) (2,763) (1,516) Net lease cost $ 6,887 $ 8,408 $ 10,598 (1) Includes short-term lease costs, which were immaterial. During the year ended December 31, 2023, we recorded noncash impairment charges of $5.6 million against certain operating lease ROU assets. These impairment charges resulted primarily from our entry into a sublease in July 2023 for a portion of our Washington, DC office location, which we previously closed in February 2023 to align with our remote-first workforce strategy and are reflected in general and administrative expense on the statements of comprehensive income. During the year ended December 31, 2022, we recorded noncash impairment charges of $1.0 million against certain operating lease ROU assets resulting primarily from our decision to cease using a portion of our leased office space. These charges are reflected in general and administrative expense on the statements of comprehensive income. In October 2021, we made the decision to permanently close our fixed office locations (with the exception of our global headquarters facility in Charleston, South Carolina), effective in December 2021. This change was intended to align our real estate footprint with our transition to a remote-first workforce. We enter into arrangements for smaller more flexible workspaces where ne cessary. As a result, during the twelve months ended December 31, 2021, we reduced the estimated useful lives of our operating lease ROU assets for certain of our office locations we expected to exit. We recorded $5.3 million in incremental operating lease costs during 2021 related to this change in accounting estimate. For these same office locations, we also reduced the estimated useful lives of certain facilities-related fixed assets, which resulted in incremental depreciation expense of $1.7 million during 2021 (see Note 7 to these consolidated financial statements). During the twelve months ended December 31, 2021, we also recorded $3.6 million in impairments of op erating lease ROU assets associated with certain leased office spaces we have ceased using as a result of our adjusted workforce strategy. These impairment charges are reflected in general and administrative expense. Maturities of our operating lease liabilities as of December 31, 2023 were as follows: Years ending December 31, Operating leases 2024 $ 8,662 2025 7,703 2026 6,107 2027 6,207 2028 6,101 Thereafter 20,689 Total lease payments 55,469 Less: Amount representing interest 8,683 Present value of future payments $ 46,786 Our ROU assets and lease liabilities are included in the following line items in our consolidated balance sheet: (dollars in thousands) December 31, December 31, Operating leases Operating lease ROU assets $ 36,927 $ 45,899 Accrued expenses and other current liabilities $ 6,701 $ 7,723 Operating lease liabilities, net of current portion 40,085 44,918 Total operating lease liabilities $ 46,786 $ 52,641 The weighted average remaining lease terms and discount rates were as follows: (dollars in thousands) December 31, December 31, December 31, Operating leases Weighted average remaining lease term (years) 7.7 8.5 8.9 Weighted average discount rate 4.70 % 4.63 % 4.68 % Supplemental cash flow information related to leases was as follows: Year ended (dollars in thousands) 2023 2022 2021 Cash paid for amounts included in the measurement of lease liabilities: Operating cash flows from operating leases (1) $ 10,983 $ 11,439 $ 11,338 Right-of-use assets obtained in exchange for lease obligations (non-cash): Operating leases 2,765 — 5,358 Other commitments The term loans under the 2020 Credit Facility require periodic principal payments. The balance of the term loans and any amounts drawn on the revolving credit loans are due upon maturity of the 2020 Credit Facility in October 2025. The Real Estate Loans also require periodic principal payments and the balance of the Real Estate Loans are due upon maturity in April 2038. We have contractual obligations for third-party technology used in our solutions and for other services we purchase as part of our normal operations. In certain cases, these arrangements require a minimum annual purchase commitment by us. As of December 31, 2023, the remaining aggregate minimum purchase commitment under these arrangements was approximately $257.6 million through 2027. Solution and service indemnifications In the ordinary course of business, we provide certain indemnifications of varying scope to customers against claims of intellectual property infringement made by third parties arising from the use of our solutions or services. We have not identified any losses that might be covered by these indemnifications Legal proceedings We are subject to legal proceedings and claims that arise in the ordinary course of business, as well as certain other non-ordinary course proceedings, claims and investigations, as described below. We record an accrual for a loss contingency when it is both probable that a material liability has been incurred and the amount of the loss can be reasonably estimated. If only a range of estimated losses can be determined, we accrue an amount within the range that, in our judgment, reflects the most likely outcome; if none of the estimates within that range is a better estimate than any other amount, we accrue the low end of the range. For proceedings in which an unfavorable outcome is reasonably possible but not probable and an estimate of the loss or range of losses arising from the proceeding can be made, we disclose such an estimate, if material. If such a loss or range of losses is not reasonably estimable, we disclose that fact. We review any such loss contingency accruals at least quarterly and adjust them to reflect the impacts of negotiations, settlements, rulings, advice of legal counsel and other information and events pertaining to a particular case. We recognize insurance recoveries, if any, when they are probable of receipt. All associated costs due to third-party service providers and consultants, including legal fees, are expensed as incurred. Legal proceedings are inherently unpredictable. However, we believe that we have valid defenses with respect to the legal matters pending or threatened against us and intend to defend ourselves vigorously against all claims asserted. It is possible that our consolidated financial position, results of operations or cash flows could be materially negatively affected in any particular period by an unfavorable resolution of one or more of such legal proceedings. Security incident As previously disclosed, we are subject to risks and uncertainties as a result of a ransomware attack against us in May 2020 in which a cybercriminal removed a copy of a subset of data from our self-hosted environment (the "Security Incident"). Based on the nature of the Security Incident, our research and third party (including law enforcement) investigation, we do not believe that any data went beyond the cybercriminal, has been misused, or has been disseminated or otherwise made available publicly. Our investigation into the Security Incident remains ongoing. As a result of the Security Incident, we are currently subject to certain legal proceedings, claims and investigations, as discussed below, and could be the subject of additional legal proceedings, claims, inquiries and investigations in the future that might result in adverse judgments, settlements, fines, penalties or other resolution. To limit our exposure to losses related to claims against us, including data breaches such as the Security Incident, we maintain $50 million of insurance abo ve a $250 thousand deductible payable by us. As noted below, this coverage reduced our financial exposure related to the Security Incident in prior years. We recorded expenses and offsetting probable insurance recoveries related to the Security Incident as follows: Years ended December 31, (dollars in thousands) 2023 2022 2021 Gross expense $ 53,426 $ 57,614 $ 40,561 Offsetting probable insurance recoveries — (1,891) (38,745) Net expense $ 53,426 $ 55,723 $ 1,816 The following summarizes our cumulative expenses, insurance recoveries recognized and insurance recoveries paid as of: (dollars in thousands) December 31, December 31, December 31, 2021 Cumulative gross expense $ 161,431 $ 108,005 $ 50,391 Cumulative offsetting insurance recoveries recognized (50,000) (50,000) (48,109) Cumulative net expense $ 111,431 $ 58,005 $ 2,282 Cumulative offsetting insurance recoveries paid $ (50,000) $ (50,000) $ (29,968) Recorded expenses have consisted primarily of payments to third-party service providers and consultants, including legal fees, settlement of the previously disclosed SEC and multi-state Attorneys General investigations (discussed below), settlements of customer claims and accruals for certain loss contingencies. Not included in the expenses discussed above were costs associated with enhancements to our cybersecurity program. We present expenses and insurance recoveries related to the Security Incident in general and administrative expense on our consolidated statements of comprehensive (loss) income and as operating activities on our consolidated statements of cash flows. Total costs related to the Security Incident exceeded the limit of our insurance coverage during the first quarter of 2022. We expect to continue to experience significant expenses related to our response to the Security Incident, resolution of legal proceedings, claims and investigations, including those discussed below, and our efforts to further enhance our cybersecurity measures. For full year 2023, we incurred net pre-tax expense of $53.4 million related to the Security Incident, which included $22.4 million for ongoing legal fees. It also includes settlements and additional accruals for loss contingencies of $31.0 million. Also, for full year 2023, we had net cash outlays of $78.0 million related to the Security Incident, which included ongoing legal fees, the $3.0 million civil penalty paid during the first quarter of 2023 related to the SEC settlement and the $49.5 million civil penalty paid during the fourth quarter of 2023 related to the multi-state Attorneys General settlement (discussed below). In line with our policy, legal fees are expensed as incurred. For full year 2024, we currently expect net pre-tax expense of approximately $5.0 million to $10.0 million and net cash outlays of approximately $8.0 million to $13.0 million for ongoing legal fees related to the Security Incident. As of December 31, 2023, we have recorded approximately $1.5 million in aggregate liabilities for loss contingencies based primarily on recent negotiations with certain customers related to the Security Incident that we believe we can reasonably estimate in accordance with our loss contingency procedures described above. Our liabilities for loss contingencies are recorded in accrued expenses and other current liabilities on our consolidated balance sheets. It is reasonably possible that our estimated or actual losses may change in the near term for those matters and be materially in excess of the amounts accrued, but we are unable at this time to reasonably estimate the possible additional loss. There are other Security Incident-related matters, including customer claims, customer constituent class actions and governmental investigations, for which we have not recorded a liability for a loss contingency as of December 31, 2023 because we are unable at this time to reasonably estimate the possible loss or range of loss. Each of these matters could, separately or in the aggregate, result in an adverse judgement, settlement, fine, penalty or other resolution, the amount, scope and timing of which we are currently unable to predict, but could have a material adverse impact on our results of operations, cash flows or financial condition. Customer claims. To date, we have received approximately 260 specific requests for reimbursement of expenses, approximately 214 (or 82%) of which have been fully resolved and closed and approximately 39 (or 15%) are inactive and are considered by us to have been abandoned by the customers. We have also received approximately 400 reservations of the right to seek expense recovery in the future from customers or their attorneys in the U.S., U.K. and Canada related to the Security Incident, none of which resulted in claims submitted to us and are considered by us to have been abandoned by the customers. We have also received notices of proposed claims on behalf of a number of U.K. data subjects, which we are reviewing. In addition, insurance companies representing various customers’ interests through subrogation claims have contacted us, and certain insurance companies have filed subrogation claims in court, of which 3 cases remain active and unresolved. Customer and insurer subrogation claims generally seek reimbursement of their costs and expenses associated with notifying their own customers of the Security Incident and taking steps to assure that personal information has not been compromised as a result of the Security Incident. Our review of customer and subrogation claims includes analyzing individual customer contracts into which we have entered, the specific claims made and applicable law. Customer constituent class actions . Presently, we are a defendant in putative consumer class action cases in U.S. federal courts (most of which have been consolidated under multi district litigation to a single federal court) and in Canadian courts alleging harm from the Security Incident. The plaintiffs in these cases, who purport to represent various classes of individual constituents of our customers, generally claim to have been harmed by alleged actions and/or omissions by us in connection with the Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys’ fees and other related relief. Lawsuits that are putative class actions require a plaintiff to satisfy a number of procedural requirements before proceeding to trial. These requirements include, among others, demonstration to a court that the law proscribes in some manner our activities, the making of factual allegations sufficient to suggest that our activities exceeded the limits of the law and a determination by the court—known as class certification—that the law permits a group of individuals to pursue the case together as a class. If these procedural requirements are not met, the lawsuit cannot proceed as a class action and the plaintiff may lose the financial incentive to proceed with the case. We are currently engaged in court proceedings to determine whether this will proceed as a class action. Frequently, a court’s determination as to these procedural requirements is subject to appeal to a higher court. As a result of these uncertainties, we may be unable to determine the probability of loss until, or after, a court has finally determined that a plaintiff has satisfied the applicable class action procedural requirements. Furthermore, for putative class actions, it is often not possible to reasonably estimate the possible loss or a range of loss amounts, even where we have determined that a loss is reasonably possible. Generally, class actions involve a large number of people and raise complex legal and factual issues that result in uncertainty as to their outcome and, ultimately, making it difficult for us to estimate the amount of damages that a plaintiff might successfully prove. This analysis is further complicated by the fact that the plaintiffs lack contractual privity with us. Governmental investigations. We have received a Civil Investigative Demand from the office of the California Attorney General relating to the Security Incident and are in discussions with the Attorney General about potential resolution of issues arising from this investigation. Although we are hopeful that we can resolve this matter on acceptable terms, there is no assurance that we will be able to do so on terms acceptable to us and the State of California. We also are subject to the following pending governmental actions: • an investigation by the U.S. Federal Trade Commission (the "FTC"), as further described below; and • an investigation by the U.S. Department of Health and Human Services. We also responded to inquiries from the Office of the Australian Information Commissioner in September 2020 and the Office of the Privacy Commissioner of Canada in October 2020. As previously disclosed, on February 1, 2024, the FTC announced its approval of an Agreement Containing Consent Order (the “Proposed Order”) evidencing its settlement with the Company in connection with the Security Incident. Pursuant to its rules, the FTC placed the Proposed Order and related draft complaint on the public record for a period of 30 days for the receipt of public comments after which the FTC will consider any comments received from interested persons prior to determining whether and in what form to finalize the Proposed Order. The 30-day comment period is scheduled to expire on March 14, 2024. As part of the FTC’s proposed order, the Company has not been fined and is not otherwise required to make any payment. Furthermore, the Company has agreed to the FTC’s proposed order without admitting or denying any of the FTC’s allegations, except as expressly stated otherwise in the Proposed Order. If finalized, the settlement described in the Proposed Order will fully resolve the FTC investigation. Although we believe the Proposed Order will be finalized in substantially its current form, there can be no assurances as to whether that will occur or its timing. Under the terms of the Proposed Order, we have agreed (i) to not misrepresent (a) the extent to which we maintain, use, delete or disclose certain customer information, (b) the extent to which we protect the privacy, security, availability, confidentiality or integrity of such information or (c) the extent of any security incident or unauthorized disclosure, misuse, loss, theft, alteration, destruction or other compromise of such information, and (ii) to delete certain data, adopt and make public certain record retention limits, establish, implement and maintain a specified information security program, obtain regular independent assessments of the mandated information security program, provide to the FTC specified certifications regarding our compliance with the Proposed Order, provide to the FTC reports of any future security incidents and create and maintain specified recordkeeping. For more information, see the form of Proposed Order that was furnished as Exhibit 99.2 to the Company’s Current Report on Form 8-K filed with the SEC on February 2, 2024. As previously disclosed, on October 5, 2023, we entered into separate, substantially similar Administrative Orders with each of 49 state Attorneys General and the District of Columbia relating to the previously announced 2020 Security Incident in which a cyber-criminal removed a copy of a subset of data from our self-housed environment. This settlement fully resolves the previously disclosed multi-state Civil Investigative Demand and the separate Civil Investigative Demand from the Office of the Indiana Attorney General relating to the Security Incident (the “Multi-state Investigation”), which is further described in the substantially similar Administrative Orders filed in each of the 49 states and the District of Columbia. Under the terms of the Administrative Orders, we have agreed: (i) to comply with state consumer protection laws, data breach notification laws, and the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”); (ii) not to make misleading misrepresentations to our customers or the individuals whose data is stored by us concerning (a) the extent to which we protect the privacy, security, confidentiality, or integrity of certain data, (b) the likelihood that data impacted by a security incident may be subject to unauthorized access, disclosure, or other misuse, or (c) the data breach notification requirements; and (iii) to implement and improve certain cybersecurity programs and tools. As part of the Administrative Orders, we also agreed to pay, and have paid, a total of $49.5 million to the 49 states and District of Columbia. We entered into the Administrative Orders without admitting fault or liability in connection with the matters subject to the Multi-state Investigation. The form of Administrative Order was furnished as Exhibit 99.2 to our Current Report on Form 8-K filed with the SEC on October 5, 2023. As previously disclosed, on March 9, 2023, we reached a settlement with the SEC in connection with the Security Incident. This settlement fully resolves the previously disclosed SEC investigation of the Security Incident and is further described in an SEC cease-and-desist order (the “SEC Order”). Under the terms of the SEC Order, we have agreed to cease-and-desist from committing or causing any violations or any future violations of Sections 17(a)(2) and (3) of the Securities Act of 1933, as amended (the “Securities Act”), and Section 13(a) of the Securities Exchange Act of 1934, as amended (the “Exchange Act”), and Rules 12b-20, 13a-13 and 13a-15(a) thereunder. No other violations of the securities laws are alleged in the SEC Order. As part of the SEC Order, we also agreed to pay, and have paid, a civil penalty in the amount of $3.0 million. We consented to the entry of the SEC Order without admitting or denying the findings of the SEC Order, other than with respect to the SEC’s jurisdiction over the Company and the subject matter of the SEC Order. The SEC Order describing the settlement was furnished as Exhibit 99.1 and the SEC’s press release announcing this resolution was furnished as Exhibit 99.2 to our Current Report on Form 8-K filed with the SEC on March 9, 2023. On September 28, 2021, the Information Commissioner’s Office in the United Kingdom under the U.K. Data Protection Act 2018 (the "ICO") notified us that it has closed its investigation of the Security Incident. Based on its investigation and having considered our actions before, during and after the Security Incident, the ICO issued our European subsidiary a reprimand in accordance with Article 58(2)(b) of the U.K. General Data Protection Regulation ("U.K. GDPR") due to our non-compliance, in the ICO's view, with the requirements set out in Article 32 of the U.K. GDPR regarding the processing of personal data. The ICO did not impose a penalty related to the Security Incident, nor did it impose any requirements for further action by us. On September 24, 2021, we received notice from the Spanish Data Protection Authority that it has concluded its investigation of the Security Incident, pursuant to which our European subsidiary paid a penalty of €60,000 in relation to the alleged late notification of two Spanish data controllers regarding the Security Incident. On January 15, 2021, we were notified by the Data Protection Commission of Ireland that it has concluded its investigation of the Security Incident without taking any action against us. We continue to cooperate with all ongoing investigations, which include various requests for documents, policies, narratives and communications, as well as requests to interview or depose various Company-related personnel. As noted above, each of these separate governmental investigations could result in adverse judgments, settlements, fines, penalties or other resolution, the amount, scope and timing of which we are currently unable to predict, but could have a material adverse impact on our results of operations, cash flows or financial condition. |