We maintain and process, and our third-party vendors, collaborators, contractors and consultants maintain and process on our behalf, a large quantity of sensitive information, including confidential business, personal and patient health information in connection with our clinical studies and our employees, and we are subject to data privacy and protection laws and regulations that apply to the collection, transmission, storage and use of personally identifying information, which, among other things, impose certain requirements relating to the privacy, security and transmission of personal information. Failure by us or our third-party vendors, collaborators, contractors and consultants to comply with any of these laws and regulations could result in notification obligations or enforcement actions against us, which could result in fines, imprisonment of company officials and public censure, claims for damages by affected individuals, damage to our reputation and loss of goodwill, any of which could have a material adverse effect on our business, financial condition, results of operations or prospects. These laws, rules and regulations evolve frequently and their scope may continually change, through new legislation, amendments to existing legislation and changes in enforcement, and they may be inconsistent from one jurisdiction to another. The interpretation and application of consumer, health-related and data protection laws, especially with respect to genetic samples and data, in the United States, the EU and elsewhere, are often uncertain, contradictory and in flux. As a result, implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future.
In the United States, numerous federal and state laws and regulations, including federal health information privacy laws, state data breach notification laws, state health information privacy laws and federal and state consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act), that govern the collection, use, disclosure and protection of health-related and other personal information could apply to our operations or the operations of our collaborators.
Domestic laws in this area are complex and developing rapidly. Many state legislatures have adopted legislation relating to privacy, data security and data breaches. Laws in all 50 states require businesses to provide notice to individuals whose personally identifiable information has been disclosed as a result of a data breach. These laws are not consistent with one another, and compliance in the event of a widespread data breach is costly. States also frequently amend existing laws, requiring attention to changing regulatory requirements. For example, California enacted the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020. The CCPA, among other things, requires new disclosures to California consumers and affords such consumers new rights to access and delete their personal information, to opt out of certain sales of personal information and to receive detailed information about how their personal information is used. The CCPA provides for civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation, as well as a private right of action for certain data breaches that is expected to increase the frequency of data breach litigation. The CCPA has already been amended multiple times, and it is unclear how it will be further modified or interpreted. Interpretations of the CCPA may continue to evolve with regulatory guidance, and the CCPA continues to be amended, including through a ballot initiative adopted by voters in November 2020, known as the California Privacy Rights Act, or CPRA. The CPRA imposes additional data protection obligations on companies doing business in California, including additional consumer rights, such as rights regarding certain uses of sensitive personal information. It also creates a new California data protection agency, the California Privacy Protection Agency, specifically tasked with enforcing the law, which is likely to result in increased regulatory scrutiny of California businesses in the areas of data protection and security.
The effects of this legislation are potentially far-reaching and may require us to modify our data processing practices and policies and incur substantial compliance-related costs and expenses. The CCPA and other changes in state and federal laws or regulations relating to privacy, data protection and information security, particularly any new or modified laws or regulations that require enhanced protection of certain types of data or impose new obligations with regard to data retention, transfer or disclosure, could increase the cost of providing our offerings, require significant changes to our operations or even prevent us from providing certain offerings in jurisdictions in which we currently operate or may operate in the future.
Because of the breadth of these data protection laws and the narrowness of their exceptions and safe harbors, it is possible that our business or data protection policies could be subject to challenge under one or more of such laws. The scope and enforcement of each of these laws is uncertain and subject to rapid change in the current environment of heightened regulatory focus on data privacy and security issues. Although we endeavor to comply with our published policies and documentation and ensure their compliance with current laws, rules and regulations, we may at times fail to do so or be alleged to have failed to do so. The publication of our privacy policy and other documentation that provide promises and assurances about privacy and security can subject us to potential state and federal action in the United States if they are found to be deceptive, unfair, or misrepresentative of our actual practices. Any failure by us or other parties with whom we do business to comply with this documentation or with federal, state, local or international regulations could result in proceedings against us by governmental entities, private parties or others. In many jurisdictions, enforcement actions and consequences for noncompliance are rising.
If our operations are found to be in violation of any of the data protection laws described above or any other laws that apply to us, we may be subject to penalties, including, but not limited to, criminal, civil and administrative penalties, damages, fines, disgorgement, individual imprisonment, possible exclusion from participation in government healthcare programs, injunctions, private qui tam actions brought by individual whistleblowers in the name of the government, class action litigation and the curtailment or restructuring of our operations, as well as additional reporting obligations and oversight if we become subject to a corrective action plan or other agreement to resolve allegations of non-compliance with these laws, any of which could adversely affect our ability to operate our business and our results of operations.
In addition, numerous state and federal laws and regulations govern the collection, dissemination, use, privacy, confidentiality, security, availability, integrity and other processing of PHI and PII. These laws and regulations include HIPAA. HIPAA establishes a set of national privacy and security standards for the protection of protected health information (as defined in HIPAA, PHI) by health plans, healthcare clearinghouses and certain healthcare providers, referred to as covered entities (CEs), and the business associates (BAs) with whom such covered entities contract for services. We are a CE under HIPAA with regard to our observational studies and clinical trials, and we are a BA under HIPAA for certain other business activities, for which we execute BA agreements with our clients.
HIPAA requires CEs and BAs, such as us, to develop and maintain policies governing the protection, use and disclosure of PHI, including the adoption of administrative, physical and technical safeguards to protect electronic PHI, and imposes notification requirements in the event of a breach of unsecured PHI.
HIPAA imposes mandatory penalties for certain violations. Penalties for violations of HIPAA and its implementing regulations, as adjusted annually for inflation, start at $119 per violation and are subject to a cap of $1,785,651 for violations of the same standard in a single calendar year. However, a single breach incident can result in violations of multiple standards. HIPAA also authorizes state attorneys general to file suit on behalf of their residents, and courts may award damages, costs and attorneys' fees related to violations of HIPAA in such cases. While HIPAA does not create a private right of action allowing individuals to sue us in civil court for violations of HIPAA, its standards have been used as the basis for the duty of care in state civil suits, such as those for negligence or recklessness in the misuse or breach of PHI.
In addition, HIPAA, as amended by the HITECH Act, mandates that the Secretary of HHS conduct periodic compliance audits of HIPAA CEs and BAs. With regard to BAs, those audits assess the business associate's compliance with the HIPAA Privacy and Security Standards. Audits are conducted on a random basis, and HHS also investigates entities that report a breach affecting 500 or more individuals. Undergoing an audit or investigation can be costly, can result in fines or onerous obligations, and can damage a BA's reputation.
In addition to HIPAA, numerous other federal, state and foreign laws and regulations protect the confidentiality, privacy, availability, integrity and security of PHI and other types of PII. Some of these laws and regulations may be preempted by HIPAA with respect to PHI, or may exclude PHI from their scope but impose obligations with regard to PII that is not PHI, and in some cases they can impose additional obligations with regard to PHI. These laws and regulations are often uncertain, contradictory and subject to changing or differing interpretations, and we expect new laws, rules and regulations regarding privacy, data protection and information security to be proposed and enacted in the future. HHS is also proposing amendments to the HIPAA Privacy Rule to modernize certain data sharing provisions and enhance patient access to their information. This complex, dynamic legal landscape regarding privacy, data protection and information security creates significant compliance issues for us and our clients and potentially exposes us to additional expense, adverse publicity and liability. While we have implemented data privacy and security measures in an effort to comply with applicable laws and regulations relating to privacy and data protection, some PHI and other PII or confidential information is transmitted to us by third parties who may not implement adequate security and privacy measures, and it is possible that laws, rules and regulations relating to privacy, data protection or information security may be interpreted and applied in a manner that is inconsistent with our practices or those of the third parties who transmit PHI and other PII or confidential information to us. If we or these third parties are found to have violated such laws, rules or regulations, it could result in government-imposed fines, orders requiring that we or these third parties change our or their practices, or criminal charges, any of which could adversely affect our business.
Complying with these various laws and regulations could cause us to incur substantial costs or require us to change our business practices, systems and compliance procedures in a manner adverse to our business.
We may eventually operate in a number of countries outside of the United States whose laws, including data privacy laws, may in some cases be more stringent than the requirements in the United States. For example, EU and UK data privacy laws have specific requirements relating to cross-border transfers of personal data to certain jurisdictions, including the United States, have strict requirements relating to personal data collection, use and sharing, impose more stringent requirements on organizations' privacy programs and provide stronger individual rights. Moreover, we may also become subject to evolving international privacy and data security regulations, which could increase our compliance costs and, if our compliance programs are not implemented correctly, result in penalties.
Certain of our processing activities are subject to the EU General Data Protection Regulation and the UK General Data Protection Regulation (collectively, the "GDPR"), including those involving pseudonymised / key-coded data, as the GDPR applies extra-territorially. The GDPR imposes strict requirements on controllers and processors processing personal data, including, for example, requirements to: (i) identify a legal basis for the processing of personal data, (ii) provide robust disclosures to individuals, (iii) respond to requests from individuals to exercise their data subject rights, (iv) notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, (v) limit the collection and retention of personal data, (vi) impose specific contractual obligations on processors engaged to process personal data on the instructions of the controller, and (vii) apply enhanced protections to health data and other special categories of personal data.
The EU GDPR also provides that EU Member States may make their own further laws and regulations limiting the processing of personal data, including genetic, biometric or health data, which could limit our ability to use and share such personal data and cause our costs to increase and harm our financial condition.
Failure to comply with the requirements of the GDPR may result in fines of up to €20 million (£17.5 million in the case of the UK GDPR) or up to 4% of the total worldwide annual turnover of our preceding fiscal year, whichever is higher, and other administrative penalties. GDPR compliance may require us to put in place additional mechanisms, which may result in compliance costs and other substantial expenditures. This may be onerous and adversely affect our business, financial condition, results of operations and the profitability of our platform of diagnostic tests. Failure to comply with the GDPR and other countries' privacy or data security-related laws, rules or regulations could result in material penalties imposed by regulators, affect our compliance with contracts entered into with our collaborators and other third-party payers, and have an adverse effect on our business and financial condition. Currently, the GDPR is only applicable to us as a processor, but as we continue to expand into the European market, the GDPR will have direct applicability to us as a controller.
The GDPR also prohibits the transfer of personal data from the EEA/UK to a country outside of the EEA/UK (e.g., the United States) unless the transfer is made to a country deemed to have adequate data privacy laws by the European Commission (or the UK Government in the case of the UK GDPR) or another data transfer mechanism has been put in place. Until recently, one such data transfer mechanism was the EU-US Privacy Shield. However, in July 2020 the Court of Justice of the European Union (CJEU) declared the Privacy Shield to be invalid. Following an executive order on trans-Atlantic data flows issued by President Biden in October 2022, the European Commission in December 2022 announced that it had initiated the process of drafting a new adequacy decision based on a modified data transfer framework, the EU-U.S. Data Privacy Framework, that would replace the Privacy Shield, and it adopted that adequacy decision in July 2023. Although the new adequacy decision may have the effect of making data transfers to the United States easier, it is widely expected that the updated transfer framework and the adequacy decision will also be challenged before the CJEU. In its July 2020 decision the CJEU also upheld the validity of standard contractual clauses (SCCs) as a legal mechanism to transfer personal data, but companies relying on SCCs must carry out a transfer impact assessment, which, among other things, assesses the laws governing access to personal data in the recipient country and considers whether supplementary measures providing privacy protections beyond those provided under the SCCs need to be implemented to ensure a level of data protection essentially equivalent to that afforded in the EEA. In turn, the findings of the CJEU have significant implications for cross-border data flows and may lead to increased transaction, compliance and technological costs to support international data transfers.
Organizations operating in Canada and covered by the Personal Information Protection and Electronic Documents Act (PIPEDA), or equivalent Canadian provincial laws, must obtain an individual's consent when they collect, use or disclose that individual's personal information. Individuals have the right to access and challenge the accuracy of their personal information held by an organization, and personal information may only be used for the purposes for which it was collected. If an organization intends to use personal information for another purpose, it must again obtain that individual's consent.
We regularly monitor, defend against and respond to attacks on our networks and other information security incidents. Despite our information security efforts, our facilities, systems and data, as well as those of our third-party service providers, may be vulnerable to privacy and information security incidents such as data breaches, viruses or other malicious code, coordinated attacks, data loss, phishing attacks, ransomware, denial of service attacks, or other security or IT incidents caused by threat actors, technological vulnerabilities or human error. If we, or any of our vendors that support our IT or have access to our data, including any third-party vendors that collect, process and store personal data on our behalf, fail to comply with laws requiring the protection of personal information, or fail to safeguard and defend personal information or other critical data assets or IT systems, we may be subject to regulatory enforcement and fines as well as private civil actions. We may be required to expend significant resources in the response to, containment and mitigation of cybersecurity incidents, as well as in defending against claims that our information security was unreasonable or otherwise violated applicable laws or contractual obligations.