Pharmaceutical and medical device companies have faced lawsuits and investigations pertaining to violations of health care "fraud and abuse" laws, such as the federal False Claims Act, the federal Anti-Kickback Statute ("AKS") and other state and federal laws and regulations. The AKS prohibits, among other things, knowingly and willfully offering, paying, soliciting or receiving remuneration to induce or in return for purchasing, leasing, ordering or arranging for the purchase, lease or order of any health care item or service reimbursable under federally financed health care programs. This statute has been interpreted to apply to arrangements between pharmaceutical or medical device manufacturers, on the one hand, and prescribers, purchasers, formulary managers and other health care related professionals, on the other hand. More generally, the federal False Claims Act, among other things, prohibits any person from knowingly presenting, or causing to be presented, a false claim for payment to the federal government. Pharmaceutical and medical device companies have been prosecuted or faced civil liability under these laws for a variety of alleged promotional and marketing activities, including engaging in off-label promotion that caused claims to be submitted for non-covered off-label uses. If we are in violation of any of these requirements or any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, this could have a significant impact on our business, including the imposition of significant criminal and civil fines and penalties, exclusion from federal health care programs or other sanctions, including consent orders or corporate integrity agreements.
In addition, the HHS Office of Inspector General recommends, and an increasing number of states require, that pharmaceutical companies have comprehensive compliance programs. Moreover, the Physician Payment Sunshine Act enacted in 2010 imposes reporting and disclosure requirements on device and drug manufacturers for any "transfer of value" made or distributed to prescribers and other health care providers. Failure to submit this required information may result in significant civil monetary penalties. While we have developed corporate compliance programs based on what we believe to be current best practices, we cannot provide assurance that we or our employees or agents are or will be in compliance with all applicable federal, state or foreign regulations and laws. If we are in violation of any of these requirements or any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business, including the imposition of significant criminal and civil fines and penalties, exclusion from federal health care programs or other sanctions, including consent orders or corporate integrity agreements.
The U.S. FCPA, the Canadian Corruption of Foreign Public Officials Act and similar worldwide anti-bribery laws generally prohibit companies and their intermediaries from making improper payments to officials for the purpose of obtaining or retaining business. Our policies mandate compliance with these anti-bribery laws. We operate in many parts of the world that have experienced governmental corruption and in certain circumstances, strict compliance with anti-bribery laws may conflict with local customs and practices or may require us to interact with doctors and hospitals, some of which may be state controlled, in a manner that is different than in the U.S. and Canada. We cannot provide assurance that our internal control policies and procedures will protect us from reckless or criminal acts committed by our employees, consultants, distributors, third party contractors or agents. Violations of these laws, or allegations of such violations, could disrupt our business and result in criminal or civil penalties or remedial measures, any of which could have a material adverse effect on our business, financial condition, cash flows and results of operations and could cause the market value of our common shares and/or debt securities to decline.
We are also subject to various state, federal and international laws and regulations governing the collection, transmission, dissemination, use, privacy, confidentiality, security, retention, availability, integrity and other processing of health-related and other sensitive and personal information, including HIPAA. Many states in which we operate have laws that protect the privacy and security of sensitive and personal information, including health-related information. Certain state laws may be more stringent or broader in scope, or offer greater individual rights, with respect to sensitive and personal information than federal, international or other state laws, and such laws may differ from each other, which may complicate compliance efforts. For example, the California Consumer Privacy Act of 2018 ("CCPA") imposes stringent data privacy and security requirements and obligations with respect to the personal information of California residents and provides for civil penalties for violations, as well as a private right of action for certain data breaches that result in the loss of personal data, which may increase the likelihood of, and risks associated with, data breach litigation. The effects on our business of the CCPA and other similar state laws are potentially significant. State laws are changing rapidly and there is discussion in Congress of a new federal data protection and privacy law to which we may be subject. For instance, the California Privacy Rights Act ("CPRA"), which was passed in November 2020 and took effect on January 1, 2023, maintains the core framework of the CCPA, while also making a number of substantive changes. Additionally, some statutory requirements, both in the United States and abroad, include obligations for companies to notify individuals of security breaches involving particular personal information, which could result from breaches experienced by us or our service providers. For example, laws in all 50 U.S. states require businesses to provide notice to customers whose personal data has been disclosed as a result of a data breach. The laws are not consistent, and compliance in the event of a widespread data breach is difficult and may be costly. Moreover, states have been frequently amending existing laws, requiring attention to changing regulatory requirements. We are also subject to various state and federal rules and laws governing cybersecurity risks and incidents, including an SEC rule relating to disclosure of material cybersecurity incidents and risks and state laws regarding notification of data breaches. Since these data security regimes are evolving, uncertain and complex, especially for a global business such as ours, we will need to update or enhance our compliance measures from time to time, and these updates or enhancements will require further implementation costs. Any failure, or perceived failure, by us to comply with current and future regulatory or customer-driven privacy, data protection, and information security requirements, or to prevent or mitigate security breaches, cyberattacks, or improper access to, use of, or disclosure of data, or any security issues or cyberattacks affecting our business, could result in significant liability, costs (including the costs of mitigation and recovery), a material loss of revenue resulting from the adverse impact on our reputation and brand, loss of proprietary information and data, disruption to our business and relationships, and diminished ability to retain or attract customers and business partners. Such events may result in governmental enforcement actions and prosecutions, private litigation, fines and penalties or adverse publicity, and could cause customers and business partners to lose trust in us, which could have an adverse effect on our reputation and business.
Internationally, laws and regulations in many jurisdictions apply broadly to the collection, transmission, dissemination, use, privacy, confidentiality, security, retention, availability, integrity and other processing of health-related and other sensitive and personal information. For example, the EU's GDPR and the UK's General Data Protection Regulation ("UK GDPR"), together with national legislation, regulations and guidelines of the EU member states and the UK governing the processing of personal data, impose strict obligations and restrictions on the ability to collect, analyze, store, transfer and otherwise process personal data, including health data from clinical trials and adverse event reporting. The GDPR authorizes fines for certain violations of up to 4% of global annual revenue or €20 million (or GBP 17.5 million under the UK GDPR), whichever is greater. European data protection authorities may interpret the GDPR and national laws differently and impose additional requirements, which contributes to the complexity of processing personal data in or from the EEA or the UK. Guidance on implementation and compliance practices is often updated or otherwise revised. These laws impose stringent operational requirements on data controllers, including, for example, transparent and expanded disclosure to data subjects about how their personal data is collected and processed, rights for data subjects to access, delete or object to the processing of their data, mandatory notification of data breaches to supervisory authorities (and, in certain cases, to affected individuals), limitations on retention of information and significant documentary requirements to demonstrate compliance through policies, procedures, training and audits.
The GDPR also provides that EU member states may introduce further conditions, including limitations, and make their own laws and regulations further limiting the processing of "special categories of personal data," including personal data related to health, biometric data used for unique identification purposes and genetic information, which could limit our ability to collect, use and share EU data and could cause our compliance costs to increase, ultimately harming our business and financial condition.
The withdrawal of the UK from the European Union ("Brexit") also has created uncertainty with regard to the regulation of data protection in the UK. Since January 1, 2021, when the transitional period following Brexit expired, we have been required to comply with the GDPR as well as the UK GDPR (combining the GDPR and the UK's Data Protection Act 2018), which exposes us to two parallel regimes, each of which authorizes similar fines and may subject us to increased compliance risk based on differing, and potentially inconsistent or conflicting, interpretation and enforcement by regulators and authorities (particularly if the laws are amended in the future in divergent ways). With respect to transfers of personal data from the EEA, on June 28, 2021, the European Commission issued an adequacy decision in respect of the UK's data protection framework, enabling data transfers from EU member states to the UK to continue without requiring organizations to put in place contractual or other measures in order to lawfully transfer personal data between the territories. The adequacy decision contains a sunset clause under which it expires four years after entry into force unless renewed, and the European Commission may also unilaterally revoke it at any point; if either occurs, it could lead to additional costs and increase our overall risk exposure.
In the EU, we are also subject to the new European Union Artificial Intelligence Act (the "EU AI Act"), which regulates the development and deployment of AI systems. The EU AI Act applies to both public and private actors inside and outside of the EU as long as the AI system is placed on the EU market or its use has an impact on people located in the EU. In the context of the European Strategy for Data, we may also be subject to the European Union's Data Act, a new regulation intended to make data more accessible and usable, encouraging data-driven innovation and increasing data availability in the area of connected devices.
In addition, in China, the Personal Information Protection Law (the "PIPL") came into effect in November 2021. The PIPL is the first national-level law comprehensively regulating issues in relation to personal information protection. The PIPL provides for very specific administrative requirements and security controls when transferring personal data outside the People's Republic of China. These transfer requirements came into effect on March 1, 2023.
We are also subject to Canada's federal Personal Information Protection and Electronic Documents Act and substantially similar equivalents at the provincial level with respect to the collection, use and disclosure of personal information in Canada. Such federal and provincial legislation imposes data privacy and security obligations on our processing of personal information of Canadian residents. The federal, Quebec and Alberta legislation includes mandatory data breach notification requirements. Canada's Anti-Spam Legislation ("CASL") also applies to the extent that we send commercial electronic messages to electronic addresses in Canada. CASL contains prescriptive consent, form, content and unsubscribe mechanism requirements. Penalties for non-compliance with CASL are up to CAD $10 million per violation. These laws and regulations may be interpreted and applied differently over time and from jurisdiction to jurisdiction, and it is possible they will be interpreted and applied in ways that will materially and adversely affect our business. The regulatory framework for data privacy, data security and data transfers worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. Complying with all of these laws and regulations involves costs to our business, and failure to comply with these laws and regulations can result in the imposition of significant civil and criminal penalties, as well as litigation, all of which could have a material adverse effect on our business, financial condition, cash flows and results of operations and could cause the market value of our common shares and/or debt securities to decline. For more information regarding applicable data privacy and security laws and regulations, see Item 1. "Business - Government Regulations" of this Form 10-K.
We are also subject to U.S. federal laws regarding reporting and payment obligations with respect to our participation in federal health care programs, including Medicare and Medicaid. Because our processes for calculating applicable government prices and the judgments involved in making these calculations involve subjective decisions and complex methodologies, these calculations are subject to risk of errors and differing interpretations. In addition, they are subject to review and challenge by the applicable governmental agencies, and it is possible that such reviews could result in changes that could have material adverse legal, regulatory, or economic consequences.
As of February 12, 2025, the new Trump administration has signed over 60 executive orders on a range of issues, including with respect to diversity, equity, inclusion and accessibility programs, policies and related issues, tariffs and other trade protection measures, environmental and energy-related matters, regulation of artificial intelligence and review of existing legislation and regulations (such as the FCPA and IRA). Additional executive orders are anticipated. In addition, these executive orders may inform future legislative reform. We are in the process of monitoring and assessing these executive orders and what, if any, impact they will have on our business and operations, but such impact could have a material adverse effect on our business, financial condition, cash flows and results of operations and could cause the market value of our common shares and/or debt securities to decline.