industry groups may propose new and different self-regulatory standards that may apply to us. Because the interpretation and application of privacy and data protection laws are uncertain, it is possible that these laws and other actual or alleged legal obligations, such as contractual or self-regulatory obligations, may be interpreted and applied in a manner that is inconsistent with our existing data management practices or the features of our platform or in a manner inconsistent across the various jurisdictions in which we operate. If so, in addition to the possibility of fines, lawsuits, and other claims, we could be required to fundamentally change our business activities and practices or modify our platform, which could have an adverse effect on our business. Any inability to adequately address privacy concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations, and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales, and adversely affect our business, results of operations, and financial condition.
Additionally, we publish privacy policies and other documentation regarding our collection, processing, use, and disclosure of personal information. Although we endeavor to comply with our published policies and other documentation, we may at times fail to do so or may be perceived to have failed to do so. Moreover, despite our efforts, we may not be successful in achieving compliance if our employees, contractors, service providers, or vendors fail to comply with our published policies and documentation. Such failures can subject us to potential foreign, federal, state, and local action if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Claims that we have violated individuals’ privacy rights or failed to comply with data protection laws or applicable privacy notices, even if we are not found liable, could be expensive and time-consuming to defend and could result in adverse publicity that could harm our business.
If the security of the personal information that we (or our vendors) collect, store, or process is compromised or is otherwise accessed without authorization, or if we fail to comply with our commitments and assurances regarding the privacy and security of such information, our reputation may be harmed and we may be exposed to liability and loss of business.
We collect and maintain data about individuals and customers, including personally identifiable information, as well as other confidential or proprietary information. We may use third-party service providers and sub-processors to help us deliver services to our customers. These vendors may store or process personal information on our behalf.
Cyberattacks and other malicious internet-based activity continue to increase. In addition to traditional computer “hackers,” malicious code (such as viruses and worms), employee theft or misuse, and denial-of-service attacks, sophisticated nation-state and nation-state supported actors now engage in attacks (including advanced persistent threat intrusions). We cannot guarantee that our or our vendors’ security measures will be sufficient to protect against unauthorized access to or other compromise of personal information and our confidential or proprietary information. Due to the COVID-19 pandemic, our employees are temporarily working remotely, which may pose additional data security risks. The techniques used to sabotage or to obtain unauthorized access to our or our vendors’ platforms, systems, networks and/or physical facilities in which data is stored or through which data is transmitted change frequently, and we or our vendors may be unable to implement adequate preventative measures or stop security breaches while they are occurring. The recovery systems, security protocols, network protection mechanisms, and other security measures that we have integrated into our platform, systems, networks, and physical facilities and any such measures implemented by our vendors, which are designed to protect against, detect, and minimize security breaches, may not be adequate to prevent or detect service interruption, system failure, or data loss. Our platform, systems, networks, and physical facilities, and those of our vendors, in the past have been, and in the future could be, breached and personal information has been and could be otherwise compromised. Third parties could attempt to fraudulently induce our employees or our customers to disclose information or user names and/or passwords, or otherwise compromise the security of our platform, networks, systems, and/or physical facilities. Third parties have exploited in the past, and could exploit in the future, vulnerabilities in, or could obtain unauthorized access to, platforms, systems, networks, and/or physical facilities utilized by our vendors.
We are required to comply with laws, rules, regulations and other obligations that require us to maintain the security of personal information. We may have contractual and other legal obligations to notify relevant stakeholders of security breaches. We operate in an industry that is prone to cyber-attacks. We have previously
38