We are subject to securities class action litigation, which is expensive, can divert management attention, and, if resolved unfavorably, could expose us to significant liabilities.
We are subject to securities litigation, which is described further in Part II of this Annual Report in “Notes to Consolidated Financial Statements, Note 12. Commitments and Contingencies and incorporated by reference in Part I, Item 3—Legal Proceedings. We have recently reached a negotiated agreement in principle to settle one of these actions, the putative shareholder class action, which is subject to the preliminary and final approval of the court. If the settlement is not approved, this action and any additional litigation could result in substantial costs and a diversion of management’s resources and attention. In addition, any adverse determination could expose us to significant liabilities, which could have a material adverse effect on our business, financial condition, and results of operations.
Failure to protect our information technology infrastructure against cyber-based attacks, network security breaches, service interruptions, or data corruption could significantly disrupt our operations and adversely affect our business and operating results.
We rely on information technology, telephone networks and systems, including the internet, to process and transmit sensitive electronic information and to manage or support a variety of business processes and activities. We use enterprise information technology systems to record, process, and summarize financial information and results of operations for internal reporting purposes and to comply with regulatory, financial reporting, legal, and tax requirements. Despite the implementation of security measures, our information technology systems, and those of our third-party contractors and consultants, are vulnerable to a cyber-attack, malicious intrusion, breakdown, destruction, loss of data privacy or other significant disruption. Any such successful attacks could result in the theft of intellectual property or other misappropriation of assets, or otherwise compromise our confidential or proprietary information and disrupt our operations. Cyber-attacks are becoming more sophisticated and frequent, and our systems could be the target of malware and other cyber-attacks. We have invested in our systems and the protection of our data to reduce the risk of an intrusion or interruption, and we monitor our systems on an ongoing basis for any current or potential threats. Nonetheless, our computer systems are subject to penetration and our data protection measures may not prevent unauthorized access. We can give no assurances that these measures and efforts will prevent interruptions or breakdowns. If we are unable to detect or prevent a security breach or cyber-attack or other disruption from occurring, then we could incur losses or damage to our data, or inappropriate disclosure of our confidential information or that of others; and we could sustain damage to our reputation, suffer disruptions to our research and development and incur increased operating costs including increased cybersecurity and other insurance premiums, costs to mitigate any damage caused and protect against future damage, and be exposed to additional regulatory scrutiny or penalties and to civil litigation and possible financial liability. For instance, the loss of preclinical or clinical data could result in delays in our development and regulatory filing efforts and significantly increase our costs.
We face risks related to our collection and use of data, which could result in investigations, inquiries, litigation, fines, legislative and regulatory action and negative press about our privacy and data protection practices.
We are subject to U.S. data protection laws and regulations (i.e., laws and regulations that address privacy and data security) at both the federal and state levels. The legislative and regulatory landscape for data protection continues to evolve, and in recent years there has been an increasing focus on privacy and data security issues. Numerous federal and state laws, including state data breach notification laws, state health information privacy laws, and federal and state consumer protection laws, govern the collection, use, and disclosure of health-related and other personal information.
In addition, our business processes some personal data, including some data related to health. When conducting clinical trials, we face risks associated with collecting trial participants’ data, especially health data, in a manner consistent with applicable laws and regulations. We also face risks inherent in handling large volumes of data and in protecting the security of such data. We could be subject to attacks on our systems by outside parties or fraudulent or inappropriate behavior by our service providers or employees. Third parties may also gain access to users’ accounts using stolen or inferred credentials, computer malware, viruses, spamming, phishing attacks or other means, and may use such access to obtain users’ personal data or prevent use of their accounts. Data breaches could result in a violation of applicable U.S. and international privacy, data protection and other laws, and subject us to individual or consumer class action litigation and governmental investigations and proceedings by federal, state and local regulatory entities in the United States and