Our information systems are critical to the operation of our businesses. We collect, process, maintain, retain, evaluate, utilize and distribute large amounts of personally identifiable, protected health, and financial information (including payment card information) and other confidential and sensitive data about our customers, employees, members and other constituents in the ordinary course of our businesses. Some of our information systems rely upon third party systems, including cloud service providers, to accomplish these tasks. The use and disclosure of such information is regulated at the federal, state and international levels. In some cases, such laws, rules and regulations also apply to our vendors and/or may hold us liable for any violations by our vendors. These laws, rules and regulations are subject to change (and many are rapidly evolving) and in recent years have given rise to increased enforcement activity, litigation, and other disputes. For example, certain of our vendors have experienced incidents that resulted in the unauthorized disclosure of confidential information, including personal information of our members, patients or employees, which has caused us to incur expenses including those related to responding to regulatory inquiries and/or litigation. Some of these expenses are indemnified but others are not. International laws, rules and regulations governing the use and disclosure of these types of information are generally more stringent than U.S. laws and regulations, and they vary from jurisdiction to jurisdiction. Noncompliance with applicable privacy or security laws or regulations, or any security breach, information security incident, and any other incident involving the theft, misappropriation, compromise, loss or other unauthorized disclosure of, or access to, customer, member or other constituent information, whether by us, by one of our business associates or vendors or by another third party, could require us to expend significant resources to remediate any damage, could interrupt our operations and could adversely affect our brand and reputation, membership and operating results and also could expose and/or has exposed us to mandatory disclosure requirements, adverse media attention, litigation (including class action litigation), governmental investigations and enforcement proceedings, material fines, penalties and/or remediation costs, and compensatory, special, punitive and statutory damages, consent orders, adverse actions against our licenses to do business and/or injunctive relief, any of which could adversely affect our businesses, operating results, cash flows or financial condition.
Our businesses depend on our customers', members' and other constituents' willingness to entrust us with their health related and other personal information. Events that adversely affect that trust, including inadequate disclosure to our members or customers of our uses of their information, failing to keep our information technology systems and our customers', members' and other constituents' information secure from significant attack, theft, damage, loss or unauthorized disclosure or access, whether as a result of our action or inaction (including human error) or that of our business associates, vendors or other third parties, could adversely affect our brand and reputation, membership and operating results and also could expose and/or has exposed us to mandatory disclosure to the media, litigation (including class action litigation), governmental investigations and enforcement proceedings, material fines, penalties and/or remediation costs, and compensatory, special, punitive and statutory damages, consent orders, adverse actions against our licenses to do business and/or injunctive relief, any of which could adversely affect our businesses, operating results, cash flows or financial condition. There can be no assurance that awe have or will be able to adequately prevent, detect, and/or remediate such data security incidents.