groups to target our systems or those of third parties with which we do business. In addition, our information systems are a target of cyberattacks, although the incidents that we have experienced to date have not had a material effect. If we suffer a material loss or disclosure of personal or confidential information as a result of a breach of our information technology systems, including those of our third-party service providers, we may suffer reputational, competitive and/or business harm, incur significant costs and be subject to government investigations, litigation, fines and/or damages, which could have a material adverse effect on our business, prospects, results of operations, financial condition and/or cash flows. Moreover, while we maintain cyber insurance that may help provide coverage for these types of incidents, we cannot assure you that our insurance will be adequate to cover costs and liabilities related to these incidents.
Any failure on the part of us or third parties with which we do business to maintain the security of our personal, sensitive, or confidential data, including via the penetration of our network and the misappropriation of confidential and personal information, as well as a failure to promptly remedy any security incidents events should they occur, could compromise our systems, and the information stored in our systems could be accessed, publicly disclosed, lost, stolen, or damaged. Any such circumstance could adversely affect our ability to attract and maintain clients, cause us to suffer negative publicity, and subject us to legal claims and liabilities or regulatory penalties or cause us to suffer competitive disadvantages, and thus have a material and adverse impact on us. Investigations into a data breach, including how it occurred, its consequences and our responses, by state and federal agencies could, among other adverse outcomes, lead to fines, other monetary relief and/or injunctive relief that could materially increase our data security costs, adversely impact how we operate our information systems and collect and use client information, and put us at a competitive disadvantage with other retailers. For example, as discussed below, the California Consumer Privacy Act (the “CCPA”) creates a private right of action for certain data breaches. Further, defending a suit, regardless of its merit, could be costly, divert management attention and harm our reputation. The successful assertion of one or more large claims against us could adversely affect our reputation, business, financial condition, revenues, results of operations or cash flows. Furthermore, payment card networks with payment cards impacted by a data breach may pursue claims against us, either directly or through our acquiring banks. Finally, any material disruption or slowdown of our systems or those of our third-party service providers and business partners, could have a material adverse effect on our business, financial condition, and results of operations.
Our collection, use, storage, disclosure, transfer and other processing of personal information could give rise to significant costs and liabilities, including as a result of governmental regulation, uncertain or inconsistent interpretation and enforcement of legal requirements or differing views of personal privacy rights, which may have a material adverse effect on our reputation, business, financial condition and results of operations.
As part of our normal business activities, we collect, use, store, process, and transmit personal information with respect to our clients and their families and our team members. We share some of this personal information with vendors who assist us with certain aspects of our business. A variety of federal and state laws, regulations industry self-regulatory principles, industry standards or codes of conduct, and regulatory guidance, relating to privacy, data protection, marketing and advertising, and consumer protection apply to the collection, use, retention, protection, disclosure, transfer and other processing of certain types of data. These requirements of such laws, regulations, industry self-regulatory principles, industry standards or codes of conduct, and regulatory guidance may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another or may conflict with other rules or our practices. As a result, our practices may not have complied in the past, or may not comply in the future, with all such laws, regulations, standards, requirements and obligations. Any failure, or perceived failure, by us to comply with our posted privacy policies or with any federal or state privacy or consumer protection-related laws, regulations, industry self-regulatory principles, industry standards or codes of conduct, regulatory guidance, or orders to which we may be subject or other legal obligations relating to privacy or consumer protection could adversely affect our reputation, brand and business, and may result in claims, fines, penalties, proceedings or actions against us by governmental entities, clients, suppliers or others or other liabilities or may require us to change our operations and/or cease using certain data.
34