Accordingly, our efforts to protect and enforce our intellectual property rights around the world may be
inadequate to obtain a significant commercial advantage from the intellectual property that we develop or license, and we may be at heightened risk of losing our proprietary intellectual property rights around the world, including outside of such
countries, to the extent such theft or intrusion destroy the proprietary nature of our intellectual property.
Our contracts may not contain limitations
of liability, and even where they do, there can be no assurance that limitations of liability in our contracts are sufficient to protect us from liabilities, damages, or claims related to our data privacy and security obligations. We cannot be sure
that our insurance coverage will be adequate or sufficient to protect us from or to mitigate liabilities arising out of our data privacy and security practices, that such coverage will continue to be available on commercially reasonable terms or at
all, or that such coverage will pay future claims.
We are subject to stringent and evolving U.S. and foreign laws, regulations, rules, contractual
obligations, policies and other obligations related to data privacy and security. Our actual or perceived failure to comply with such obligations could lead to regulatory investigations or actions; litigation (including class claims) and mass
arbitration demands; fines and penalties; disruptions of our business operations; reputational harm; loss of revenue or profits; and other adverse business consequences.
In the ordinary course of business, we collect, receive, store, process, generate, use, transfer, disclose, make accessible, protect, secure, dispose of,
transmit and share (collectively, processing) personal information and other sensitive information, including proprietary and confidential business data, trade secrets, intellectual property, data we collect about trial participants in connection
with clinical trials and sensitive third-party data. Our data processing activities subject us to numerous data privacy and security obligations, such as various laws, regulations, guidance, industry standards, external and internal privacy and
security policies, contractual requirements and other obligations relating to data privacy and security.
In the United States, federal, state and local
governments have enacted numerous data privacy and security laws, including data breach notification laws, personal information privacy laws, consumer protection laws (e.g., Section 5 of the Federal Trade Commission Act) and other similar laws.
For example, the federal Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act (collectively, HIPAA), imposes specific requirements relating to the privacy,
security and transmission of individually identifiable health information, such as information we may obtain from research institutions from which we obtain clinical trial data. Depending on the facts and circumstances, we could be subject to
significant penalties if we violate HIPAA. The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, (collectively, CCPA) requires covered businesses that process the personal information of California
residents to, among other things: (i) provide certain disclosures to California residents regarding the business’s collection, use, and disclosure of their personal information; (ii) receive and respond to requests from California
residents to access, delete, and correct their personal information, or to opt out of certain disclosures of their personal information; and (iii) enter into specific contractual provisions with service providers that process California
resident personal information on the business’s behalf. Other states have also passed comprehensive privacy laws, and similar laws are being considered in several other states, as well as at the federal and local levels. While these laws, like
the CCPA, may also exempt some data processed in the context of clinical trials, these developments further complicate compliance efforts, and increase legal risk and compliance costs for us, and the third parties upon whom we rely.
Outside the United States, an increasing number of laws, regulations and industry standards govern data privacy and security. For example, the European
Union’s General Data Protection Regulation (EU GDPR), the United Kingdom’s GDPR (UK GDPR), Brazil’s General Data Protection Law (Lei Geral de Proteção de Dados Pessoais (LGPD)) (Law No. 13,709/2018) and China’s
Personal Information Protection Law (PIPL) impose strict requirements for processing personal data. For example, under the GDPR, companies may face temporary or definitive bans on data processing and other corrective actions; fines of up to
20.0 million Euros under the EU GDPR, 17.5 million pounds sterling under the UK GDPR or, in each case, 4% of the annual global revenue of a non-compliant undertaking, whichever is greater; or private
litigation related to processing of personal data brought by classes of data subjects or consumer protection organizations authorized at law to represent their interests.
In the ordinary course of business, we may transfer personal data from Europe and other jurisdictions to the United States or other countries. Europe and
other jurisdictions have enacted laws requiring data to be localized or limiting the transfer of personal data to other countries. In particular, the European Economic Area (EEA) and the United Kingdom (UK) have significantly restricted the transfer
of personal data to the United States and other countries whose privacy laws it generally believes are inadequate. Other jurisdictions may adopt similarly stringent interpretations of their data localization and cross-border data transfer laws.
51
