complexity to compliance in the U.S. market, and could increase our compliance costs and adversely affect our business. Multiple other states and the federal government are considering enacting similar legislation, demonstrating a strong trend towards more stringent state privacy, data protection and data security legislation in the U.S., as well as enhanced scrutiny on international data flows, which could increase our potential liability and adversely affect our business. Other states have passed or amended existing state privacy laws to impose enhanced privacy and cybersecurity obligations for consumer health data, such as the Washington My Health My Data Act and Nevada’s Consumer Health Data Privacy Law. For instance, Washington State's “My Health My Data Act” regulates “consumer health data,” which is defined as “personal information that is linked or reasonably linkable to a consumer and that identifies a consumer’s past, present, or future physical or mental health.” Additional states may enact laws regulating consumer health data, which may impact our operations.
The Federal Trade Commission (FTC) has authority under Section 5 of the FTC Act to regulate unfair or deceptive practices, and has used this authority to initiate enforcement actions against companies that implement inadequate controls around privacy and information security in violation of their externally facing policies. The FTC has recently brought several cases alleging violations of Section 5 of the FTC Act with respect to health information, and has proposed rulemaking on privacy and data security.
Lawmakers and regulatory bodies at the federal level have been considering more detailed regulation regarding these subjects and the privacy and security of personal information. For example, the FTC has been active with respect to enforcement of its Health Breach Notification Rule and in scrutinizing the use and disclosure of sensitive personal information. The FTC finalized changes to the Health Breach Notification Rule in May 2024. Additionally, in 2021, the HHS' Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking which proposed a number of changes to the HIPAA Privacy Rule, and in 2025, the OCR issued a Notice of Proposed Rulemaking which proposed a number of changes to the HIPAA Security Rule.
Compliance with applicable U.S. and foreign privacy, data protection, and data security laws and regulations may result in government investigations or cause us to incur substantial costs or require us to change our business practices and compliance procedures in a manner adverse to our business. Moreover, complying with these various laws could require us to take on more onerous obligations in our contracts, restrict our ability to collect, use and disclose data, or in some cases, impact our ability to operate in certain jurisdictions. Failure to comply with U.S. and foreign privacy, data protection, and data security laws and regulations could result in government investigations or enforcement actions (which could include civil or criminal penalties), private litigation, claims, or public statements against us and/or adverse publicity, and could negatively affect our operating results and business. Claims that we have violated individuals’ privacy rights, failed to comply with privacy, data protection, and data security laws, or breached our contractual obligations, even if we are not found liable, could be expensive and time consuming to defend, could result in adverse publicity, and could have a material adverse effect on our business, reputation, financial performance, and operations. Furthermore, the costs of compliance with, and other burdens imposed by, the laws, regulations and policies that are applicable to the business of our customers may limit the adoption and use of, and reduce the overall demand for, our products and services.
If our security measures are compromised, or our information technology systems or those of our vendors and other relevant third parties fail or suffer security breaches, loss or leakage of data, or other disruptions, this could result in a material disruption of our services, compromise sensitive information related to our business, harm our reputation, trigger our breach notification obligations, prevent us from accessing critical information, and expose us to liability or other adverse effects to our business.
In the ordinary course of our business, we may collect, process, and store proprietary, confidential, and sensitive information, including personal information (including health information), intellectual property, trade secrets, and proprietary business information owned or controlled by ourselves or other parties. It is critical that we do so in a secure manner to maintain the confidentiality, integrity, and availability of such information. We face several risks relating to protecting this critical information, including loss of access, inappropriate use or disclosure, inappropriate modification, and the risk of our being unable to adequately monitor, audit and modify our controls over our critical information. This risk extends to the third party service providers who handle elements of our operations.
We, our partners, our CROs, our CMOs, and other business vendors on which we rely depend on information technology and telecommunication systems for significant elements of our operations, including, for example, systems handling human resources, financial reporting and controls, regulatory compliance and other infrastructure operations. Notwithstanding the implementation of security measures, given the size and complexity of our information technology systems and those of our third party vendors and other contractors and consultants, and the increasing amounts of proprietary, confidential and sensitive information that they maintain, such information technology systems have been subject to and remain vulnerable to breakdown, service interruptions, system malfunction, natural disasters, terrorism, war and telecommunication and electrical failures, as well as security breaches from inadvertent or intentional actions by our personnel, third party vendors, contractors, consultants, business partners, and/or other third parties, or from cyber-attacks by malicious third parties (including the deployment of