Any failure on the part of us or third parties with which we do business to maintain the security of our personal, sensitive or confidential data, including via the penetration of our network and the misappropriation of confidential and personal information, as well as a failure to promptly remedy any security incident events should they occur, could compromise our systems, and the information stored in our systems could be accessed, publicly disclosed, lost, stolen or damaged. Any such circumstance could adversely affect our ability to attract and maintain clients, cause us to suffer negative publicity, and subject us to legal claims and liabilities or regulatory penalties or cause us to suffer competitive disadvantages, and thus have a material and adverse impact on us. Investigations into a data breach, including how it occurred, its consequences and our responses, by state and federal agencies could, among other adverse outcomes, lead to fines, other monetary relief and/or injunctive relief that could materially increase our data security costs, adversely impact how we operate our information systems and collect and use client information, and put us at a competitive disadvantage with other retailers. For example, as discussed below, the California Consumer Privacy Act (the “CCPA”) creates a private right of action for certain data breaches. Further, defending a suit, regardless of its merit, could be costly, divert management attention and harm our reputation. The successful assertion of one or more large claims against us could adversely affect our reputation, business, financial condition, revenues, results of operations or cash flows. Furthermore, payment card networks with payment cards impacted by a data breach may pursue claims against us, either directly or through our acquiring banks. Finally, any material disruption or slowdown of our systems or those of our third-party service providers and business partners, could have a material adverse effect on our business, financial condition and results of operations.
Our collection, use, storage, disclosure, transfer and other processing of personal information could give rise to significant costs and liabilities, including as a result of governmental regulation, uncertain or inconsistent interpretation and enforcement of legal requirements or differing views of personal privacy rights, which may have a material adverse effect on our reputation, business, financial condition and results of operations.
As part of our normal business activities, we collect, use, store, process and transmit personal information with respect to our clients children, families and employees. We share some of this personal information with vendors who assist us with certain aspects of our business. A variety of federal and state laws, regulations industry self-regulatory principles, industry standards or codes of conduct, and regulatory guidance, relating to privacy, data protection, marketing and advertising, and consumer protection apply to the collection, use, retention, protection, disclosure, transfer and other processing of certain types of data. These requirements of such laws, regulations, industry self-regulatory principles, industry standards or codes of conduct, and regulatory guidance may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another or may conflict with other rules or our practices. As a result, our practices may not have complied in the past, or may not comply in the future, with all such laws, regulations, standards, requirements and obligations. Any failure, or perceived failure, by us to comply with our posted privacy policies or with any federal or state privacy or consumer protection-related laws, regulations, industry self-regulatory principles, industry standards or codes of conduct, regulatory guidance, or orders to which we may be subject or other legal obligations relating to privacy or consumer protection could adversely affect our reputation, brand and business, and may result in claims, fines, penalties, proceedings or actions against us by governmental entities, clients, suppliers or others or other liabilities or may require us to change our operations and/or cease using certain data.
In addition, various federal and state legislative and regulatory bodies, or self-regulatory organizations, may expand current laws or regulations, enact new laws or regulations or issue revised rules or guidance regarding privacy, data protection, consumer protection and advertising, and as the regulatory environment related to information security, data collection and use and privacy becomes increasingly rigorous, with new and changing requirements applicable to our business. For example, the CCPA, which came into effect in 2020, increases privacy rights for California consumers and imposes obligations on companies that process their personal information. Among other things, the CCPA gives California consumers expanded rights related to their personal information, including the right to access and delete their personal information and receive detailed information about how their personal information is used and shared. The CCPA also provides California consumers the right
to opt-out of certain sales of personal information and may restrict the use of cookies and similar technologies for
36