In the ordinary course of business, we collect, use, transmit, store, share and otherwise process member, customer and employee data, including credit and debit card numbers, bank account information, dates of birth, location information and other highly sensitive information, including PII, in IT systems that we maintain, with third-party service providers with whom we contract to provide services, and in connection with the SH.APP. Some of this data is sensitive and could be an attractive target for criminal attack by malicious third parties with a wide range of expertise and motives (including financial gain), including organized criminal groups, hackers, disgruntled current or former employees, and others. In particular, the increasing sophistication and resources of cyber criminals and other non-state threat actors and increased actions by nation-state actors make keeping up with new threats difficult and could result in a breach of security. The integrity, protection and security of such member, customer and employee data is critical to us.
Despite the security measures we and our third-party service providers have in place to protect confidential information and PII and to comply with applicable laws, rules, regulations, industry standards and contractual obligations relating to data privacy, protection and security, our facilities and systems and those of our third-party service providers, as well as the SH.APP, may be vulnerable to security or data breaches, acts of cyber terrorism or sabotage, vandalism or theft, computer viruses, misplaced, corrupted or lost data, programming or human errors or other similar events. Furthermore, the size and complexity of our IT systems and those of our third-party service providers make such systems potentially vulnerable to security or data breaches and other security incidents from inadvertent or intentional actions by our employees or third-party service providers or from attacks by malicious third parties. Because such attacks are increasing in sophistication and change frequently in nature, we and our third-party service providers may be unable to anticipate these attacks or implement adequate preventative measures, and any compromise of our systems, or those of our third-party vendors, may not be discovered, mitigated or remediated promptly or effectively.
Additionally, the collection, maintenance, use, disclosure, storage, transmission, disposal and other processing of PII by our businesses are regulated at the federal, state, local, provincial and international levels as well as by certain industry groups, such as the Payment Card Industry organization and the National Automated Clearing House Association, and we cannot guarantee that we have been and will be in compliance with all such applicable laws, rules, regulations and standards. The regulatory framework for data privacy and security worldwide is continuously evolving and developing and, as a result, interpretation and implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future. The occurrence of unanticipated events and the development of evolving technologies often rapidly drive the adoption of legislation or regulation affecting the use, collection or other processing of data. New laws, amendments to or reinterpretations of existing laws, regulations, standards and other obligations may require us to change our business operations with respect to how we use, collect, store, transfer or otherwise process certain types of PII, implement new processes, and incur additional costs to comply with those laws and our members’ exercise of their rights thereunder.
Foreign data protection, privacy, consumer protection and other laws and regulations are often more restrictive than those in the United States. In particular, the EEA (comprised of the EU member states and Iceland, Liechtenstein and Norway) and the UK, have traditionally taken broader views as to types of data that are subject to privacy and data protection. The EU has adopted the GDPR, which went into effect in May 2018 and contains numerous requirements and changes from previously existing EU law, including more robust obligations on data processors and heavier documentation requirements for data protection compliance programs. The GDPR requires data controllers to implement more stringent operational requirements for processors and controllers of personal data, including, for example, transparent and expanded disclosure to data subjects (in a concise, intelligible and easily accessible form) about how their personal information is to be used, imposes limitations on retention of information, introduces mandatory data breach notification requirements, and sets higher standards for data controllers to demonstrate that they have obtained valid consent for certain data processing activities. The GDPR also imposes strict rules on the transfer of personal data to countries outside the EEA, including the US. In 2016, the EU and US agreed to a transfer framework for data transferred from the EEA to the US, called the Privacy Shield, but the Privacy Shield was invalidated in July 2020 by the Court of Justice of the EU (‘CJEU’) in its Schrems II ruling. We continue to evaluate the impact of the Schrems II decision and are considering whether any additional steps need to be taken to continue to comply with applicable regulations in light of Schrems II. 
The standard contractual clauses issued by the European Commission for the transfer of personal data, a potential alternative to the Privacy Shield, may be similarly invalidated by the CJEU, and it remains to be seen whether additional means for lawful data transfers will become available. Fines for noncompliance with the GDPR are significant and can be up to the greater of €20 million or 4% of annual global turnover. We may also be liable should any individual who has suffered financial or non-financial damage arising out of our violation of the GDPR exercise their right to receive compensation against us. The GDPR also provides that EU member states may introduce further conditions, including limitations, and make their own laws and regulations further limiting the processing of ‘special categories of personal data,’ including personal data related to health, biometric data used for unique identification purposes and genetic information. The EU has also proposed the draft ePrivacy Regulation, which will replace both the ePrivacy Directive and all the national laws implementing this directive. The ePrivacy Regulation, as proposed, would impose strict opt-in marketing rules, change rules about cookies, web beacons and related technologies, and significantly increase penalties for violations. Such regulations could limit our ability to collect, use and share EU data, could cause our compliance costs to increase and could increase our potential liability, ultimately having an adverse impact on our business and harming our business and financial condition.