adverse effects, including inability to or interruption in our ability to operate our business and proceedings against us by governmental entities or others.
If we fail, or are perceived to have failed, to address or comply with data privacy and security obligations, we could face significant consequences. These consequences may include, but are not limited to, government enforcement actions (e.g., investigations, fines, penalties, audits, inspections, and similar); litigation (including class-related claims); additional reporting requirements and/or oversight; payment of damages; bans on processing personal data; and orders to destroy or not use personal data.
Any of these events could have a material adverse effect on our reputation, business, or financial condition, including but not limited to: loss of customers; interruptions in our business operations (including, as relevant, clinical trials); inability to process personal data or to operate in certain jurisdictions; limited ability to develop or commercialize our products; expenditure of time and resources to defend any claim or inquiry; adverse publicity; revision or restructuring of our operations; or loss of revenue or profits; and other adverse business consequences.
If our information technology systems or sensitive information, or those of third parties upon which we rely, are or were compromised, we could experience adverse consequences resulting from such compromise, including, but not limited to, regulatory investigations or actions, litigation, fines and penalties, disruptions of our business operations, reputational harm, loss of revenue or profits, and other adverse consequences.
In the ordinary course of our business, we and the third parties upon which we rely may process proprietary, confidential, and sensitive data, including personal data (such as health-related data), intellectual property, and trade secrets (collectively, sensitive information). We may rely upon third-party service providers and technologies to operate critical business systems to process sensitive information in a variety of contexts, including, without limitation, third-party providers of cloud-based infrastructure, encryption and authentication technology, employee email, and other functions. Our ability to monitor these third parties’ information security practices is limited, and these third parties may not have adequate information security measures in place. If our third-party service providers experience a security incident or other interruption, we could experience adverse consequences. While we may be entitled to damages if our third-party service providers fail to satisfy their privacy or security-related obligations to us, any award may be insufficient to cover our damages, or we may be unable to recover such award.
Cyberattacks, malicious internet-based activity, and online and offline fraud threaten the confidentiality, integrity, and availability of our sensitive information and information technology systems, and those of the third parties upon which we rely. These threats are prevalent and continue to increase. These threats come from a variety of sources, including traditional computer “hackers,” threat actors, “hacktivists,” organized criminal threat actors, personnel (such as through theft or misuse), sophisticated nation states, and nation-state-supported actors. Some actors now engage and are expected to continue to engage in cyber-attacks, including, without limitation, nation-state actors for geopolitical reasons and in conjunction with military conflicts and defense activities. During times of war and other major conflicts, we and the third parties upon which we rely may be vulnerable to a heightened risk of these attacks, including cyber-attacks that could materially disrupt our systems and operations, supply chain, and ability to produce, sell and distribute our products. We and the third parties upon which we rely may be subject to a variety of evolving threats, including, but not limited to, social-engineering attacks (including through phishing attacks), malicious code (such as viruses and worms), malware (including as a result of advanced persistent threat intrusions), denial-of-service attacks (such as credential stuffing), credential harvesting, personnel misconduct or error, ransomware attacks, supply-chain attacks, software bugs, server malfunctions, software or hardware failures, loss of data or other information technology assets, adware, telecommunications failures, earthquakes, fires, flood and other similar threats.
Severe ransomware attacks, including by organized criminal threat actors, nation-states, and nation-state-supported actors, are becoming increasingly prevalent and severe and can lead to significant interruptions in our