For example, the California Consumer Privacy Act (“CCPA”), which went into effect on January 1, 2020, requires, among other things, covered companies to provide new disclosures to California consumers and afford such consumers new abilities to opt-out of certain sales of personal information. Similar legislation has been proposed or adopted in other states. Aspects of the CCPA and these other state laws and regulations, as well as their enforcement, remain unclear, and we may be required to modify our practices in an effort to comply with them. Additionally, a new privacy law, the California Privacy Rights Act (“CPRA”), recently was certified by the California Secretary of State to appear on the ballot for the November 3, 2020 election. If this initiative is approved by California voters, the CPRA would significantly modify the CCPA, potentially resulting in further uncertainty and requiring us to incur additional costs and expenses.
Our business, including our ability to operate and to expand internationally, could be adversely affected if legislation or regulations are adopted, interpreted, or implemented in a manner that is inconsistent with our current business practices and that require changes to these practices, the design of our websites, mobile applications, solutions, features, or our privacy policies. In particular, the success of our business has been, and we expect will continue to be, driven by our ability to responsibly gather and use data from data subjects. Therefore, our business could be harmed by any significant change to applicable laws, regulations, or industry standards or practices regarding the storage, use, or disclosure of data our customers or providers share with us, or regarding the manner in which the express or implied consent of customers or providers for such collection, analysis, and disclosure is obtained. Such changes may require us to modify our platform, possibly in a material manner, and may limit our ability to develop new offerings, functionality, or features.
Security breaches, loss of data, and other disruptions could compromise sensitive information related to our business or customers, or prevent us from accessing critical information and expose us to liability, which could adversely affect our business and our reputation.
In the ordinary course of our business, we collect, store, use and disclose sensitive data, including health information and other types of PII. We also process and store, and use additional third parties to process and store, confidential and proprietary information such as intellectual property and other proprietary business information, including that of our customers, providers, and partners. Our customer information is encrypted but not always de-identified. We manage and maintain our platform and data utilizing a combination of managed data center systems and cloud-based computing center systems.
We are highly dependent on information technology networks and systems, including the internet, to securely process, transmit, and store this critical information. Security breaches of this infrastructure, including physical or electronic break-ins, computer viruses, attacks by hackers and similar breaches, and employee or contractor error, negligence or malfeasance, can create system disruptions, shutdowns, or unauthorized disclosure or modifications of information, causing sensitive, confidential or proprietary information to be accessed or acquired without authorization, or to become publicly available. We utilize third-party service providers for important aspects of the collection, storage, transmission, and verification of customer information and other confidential, and sensitive information, and therefore rely on third parties to manage functions that have material cybersecurity risks. Because of the nature of the sensitive, confidential, and proprietary information that we and our service providers collect, store, transmit, and otherwise process, the security of our technology platform and other aspects of our services, including those provided or facilitated by our third-party service providers, are important to our operations and business strategy. We take certain administrative, physical, and technological safeguards to address these risks, such as requiring outsourcing subcontractors who handle customer, user, and patient information for us to enter into agreements that contractually obligate those subcontractors to use reasonable efforts to safeguard sensitive, confidential, and proprietary information. Measures taken to protect our systems, those of our third-party service providers, or sensitive, confidential, and proprietary information that we or our third-party service providers process or maintain, may not adequately protect us from the risks associated with the collection, storage, and transmission of such information. Although we take steps to help protect sensitive, confidential, and proprietary information from unauthorized access or disclosure, our information technology and infrastructure may be vulnerable to attacks by hackers or viruses, failures or breaches due to third-party action, employee negligence or error, malfeasance, or other disruptions.
A security breach or privacy violation that leads to disclosure or unauthorized use or modification of, or that prevents access to or otherwise impacts the confidentiality, security, or integrity of, sensitive, confidential, or proprietary information we or our third-party service providers maintain or otherwise process, could harm our reputation, compel us to comply with breach notification laws, and cause us to incur significant costs for remediation, fines, penalties, notification to individuals and governmental authorities, implementation of measures intended to repair or replace systems or technology, and to prevent future occurrences, potential increases in insurance premiums, and forensic security audits or investigations. As a result, a security breach or privacy violation could result in increased costs or loss of revenue. If we are unable to prevent such security breaches or privacy violations or implement satisfactory remedial measures, or if it is perceived that we have been unable to do so, our operations could be disrupted, we may be unable to provide access to our platform, and could suffer a loss of customers or providers or a decrease in the use of our platform, and we may suffer loss of reputation, adverse impacts on customer, provider, and partner confidence, financial loss, governmental investigations or other actions, regulatory or contractual penalties, and other claims and liability. In addition, security breaches and other inappropriate access to, or acquisition or processing of, information can be difficult to detect, and any delay in identifying such incidents or in providing any notification of such incidents may lead to increased harm.
30