around privacy and information security in violation of their externally facing policies. The FTC has recently brought several cases alleging violations of Section 5 of the FTC Act with respect to health information, and has proposed rulemaking on privacy and data security.
Lawmakers and regulatory bodies at the federal level have been considering more detailed regulation regarding these subjects and the privacy and security of personal information. For example, the FTC has been active with respect to enforcement of its Health Breach Notification Rule and in scrutinizing the use and disclosure of sensitive personal information. The FTC finalized changes to the Health Breach Notification in May 2024. Additionally, in 2021, the HHS' Office for Civil Rights (OCR) has issued a Notice of Proposed Rulemaking, which proposed a number of changes to the HIPAA Privacy Rule, and in 2025, the OCR issued a Notice of Proposed Rulemaking which proposed a number of changes to HIPAA Security Rule.
Compliance with applicable U.S. and foreign privacy, data protection, and data security laws and regulations may result in government investigations or cause us to incur substantial costs or require us to change our business practices and compliance procedures in a manner adverse to our business. Moreover, complying with these various laws could require us to take on more onerous obligations in our contracts, restrict our ability to collect, use and disclose data, or in some cases, impact our ability to operate in certain jurisdictions. Failure to comply with U.S. and foreign privacy, data protection, and data security laws and regulations could result in government investigations or enforcement actions (which could include civil or criminal penalties), private litigation, claims, or public statements against us and/or adverse publicity and could negatively affect our operating results and business. Claims that we have violated individuals’ privacy rights, failed to comply with privacy, data protection, and data security laws, or breached our contractual obligations, even if we are not found liable, could be expensive and time consuming to defend, could result in adverse publicity and could have a material adverse effect on our business, reputation, financial performance and business, and operations. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations and policies that are applicable to the business of our customers may limit the adoption and use of, and reduce the overall demand for, our products and services.
If our security measures are compromised, or our information technology systems or those of our vendors, and other relevant third parties fail or suffer security breaches, loss or leakage of data, and other disruptions, this could result in a material disruption of our services, compromise sensitive information related to our business, harm our reputation, trigger our breach notification obligations, prevent us from accessing critical information, and expose us to liability or other adverse effects to our business.
In the ordinary course of our business, we may collect, process, and store proprietary, confidential, and sensitive information, including personal information (including health information), intellectual property, trade secrets, and proprietary business information owned or controlled by ourselves or other parties. It is critical that we do so in a secure manner to maintain the confidentiality, integrity, and availability of such information. We face several risks relative to protecting this critical information, including loss of access risk, inappropriate use or disclosure, inappropriate modification, and the risk of our being unable to adequately monitor, audit and modify our controls over our critical information. This risk extends to the third party service providers who handle elements of our operations.
We, our partners, our CROs, our CMOs, and other business vendors on which we rely depend on information technology and telecommunication systems for significant elements of our operations, including, for example, systems handling human resources, financial reporting and controls, regulatory compliance and other infrastructure operations. Notwithstanding the implementation of security measures, given the size and complexity of our information technology systems and those of our third party vendors and other contractors and consultants, and the increasing amounts of proprietary, confidential and sensitive information that they maintain, such information technology systems have been subject to and remain vulnerable to breakdown, service interruptions, system malfunction, natural disasters, terrorism, war and telecommunication and electrical failures, as well as security breaches from inadvertent or intentional actions by our personnel, third party vendors, contractors, consultants, business partners, and/or other third parties, or from cyber-attacks by malicious third parties (including the deployment of harmful malware, ransomware, denial-of-service attacks, social engineering, and other means to affect service reliability and threaten the confidentiality, integrity, and availability of information), which may compromise our system infrastructure, or that of our third party vendors and other contractors and consultants, or lead to data leakage. The risk of a security breach or disruption, particularly through accidental actions or omissions by trusted insiders, cyber-attacks or cyber intrusions, including by computer hackers, viruses, foreign governments, and cyber terrorists, has generally increased as the number, intensity, and sophistication of attempted attacks and intrusions from around the world have increased. Additionally, the increased usage of computers operated on home networks due to the shelter-in-place or similar restrictions related to the COVID-19 pandemic may make our systems more susceptible to security breaches. For example, in March 2021, MSK provided notice that MSK was one of many customers impacted by a data breach at Accellion, Inc., which provides a document-sharing system. MSK subsequently notified us that certain documents related to one of our discontinued programs were subject to the breach, which compromise we deemed immaterial. Although we take measures to protect sensitive data from unauthorized access, use or disclosure, we and our third party service providers frequently defend against and respond to cyber-attacks, and our information