| • | | limit who may call stockholder meetings; |
| • | | authorize our board of directors to issue preferred stock without stockholder approval, which could be used to institute a stockholder rights plan, or so-called “poison pill,” that would work to dilute the stock ownership of a potential hostile acquirer, effectively preventing acquisitions that have not been approved by our board of directors; and |
| • | | require the approval of the holders of at least 75% of the votes that all our stockholders would be entitled to cast to amend or repeal certain provisions of our charter or bylaws. |
Moreover, because we are incorporated in Delaware, we are governed by the provisions of Section 203 of the Delaware General Corporation Law, which prohibits a person who owns in excess of 15% of our outstanding voting stock from merging or combining with us for a period of three years after the date of the transaction in which the person acquired in excess of 15% of our outstanding voting stock, unless the merger or combination is approved in a prescribed manner.
Risks Related to Cybersecurity, Data Protection and Privacy
Security breaches and other disruptions could compromise our information and expose us to liability, which would cause our business and reputation to suffer.
In the ordinary course of our business, we store sensitive data, including intellectual property, proprietary business information and personally identifiable information, in our data centers and on our networks. The secure processing, maintenance and transmission of this information is critical to our operations and business strategy. Attacks upon information technology systems are increasing in their frequency, levels of persistence, sophistication and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. As a result of the
COVID-19
pandemic, we may also face increased cybersecurity risks due to our reliance on internet technology and the number of our employees who are working remotely, which may create additional opportunities for cybercriminals to exploit vulnerabilities. Furthermore, because the techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Despite our security measures, our information technology and infrastructure may be vulnerable to attacks by hackers or breached due to employee error, malfeasance, or other disruptions. Any such breach could compromise our networks and the information stored there could be accessed, publicly disclosed, lost or stolen. Any such access, disclosure or other loss of information could result in significant costs to address and remediate the incident, lead to legal claims or proceedings, disrupt our operations, and damage our reputation.
We maintain cyber risk insurance, but this insurance may not be sufficient to cover all of our losses from any future breaches of our systems.
Our collection, control, processing, sharing, disclosure and otherwise use of personal data could give rise to liabilities as a result of governmental regulation, conflicting legal requirements, and evolving laws concerning data privacy in the EU and EEA.
The global data protection landscape is rapidly evolving, and we are or may become subject to numerous state, federal and foreign laws, requirements and regulations governing the collection, use, disclosure, retention, and security of personal data, such as information that we may collect in connection with clinical trials in the U.S. and abroad. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business. This evolution may create uncertainty in our business, affect our ability to operate in certain jurisdictions or to collect, store, transfer use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. The cost of compliance with these laws, regulations and standards is high and is likely to increase in the future. Any failure or perceived failure by us to comply with federal, state or foreign laws or regulation, our internal policies and procedures or our contracts governing our processing of personal information could result in negative publicity, government investigations and enforcement actions, claims by third parties and damage to our reputation, any of which could have a material adverse effect on our operations, financial performance and business.
As our operations and business grow, we may become subject to or affected by new or additional data protection laws and regulations and face increased scrutiny or attention from regulatory authorities. In the U.S., HIPAA imposes, among other things, certain standards relating to the privacy, security, transmission and breach reporting of individually identifiable health information. Certain states have also adopted comparable privacy and security laws and regulations, some of which may be more stringent than HIPAA. Such laws and regulations will be subject to interpretation by various courts and other governmental authorities, thus creating potentially complex compliance issues for us and our future customers and strategic partners. In addition, the CCPA went into effect on January 1, 2020. The CCPA creates individual privacy rights for California consumers and increases the privacy and security obligations of entities handling certain personal information. The CCPA provides for civil penalties for violations, as well as a private right of action for data breaches that is expected to increase data breach litigation. The CCPA may increase our compliance costs and potential liability, and many similar laws have been proposed at the federal level and in other states. Further, the CPRA recently passed in California. The CPRA will impose additional data protection obligations on covered businesses, including additional consumer rights processes, limitations on data uses, new audit requirements for higher risk data, and opt outs for certain uses of sensitive data. It will also create a new California data protection agency authorized to issue substantive regulations and could result in increased privacy and information security enforcement. The majority of the provisions will go into effect on January 1, 2023, and additional compliance investment and potential business process changes may be required. In the event that we are subject to or affected by HIPAA, the CCPA, the CPRA or other domestic privacy and data protection laws, any liability from failure to comply with the requirements of these laws could adversely affect our financial condition.
52