The Company’s business is subject to a variety of U.S. and international laws, rules, policies and other obligations regarding data protection. The Company is subject to federal, state and international laws relating to the collection, use, retention, security and transfer of
various types of personal information. In many cases, these laws apply not only to third-party transactions, but also restrict
transfers of personal information among the Company and its international subsidiaries. Several jurisdictions have passed laws
in this area, and additional jurisdictions are considering imposing additional restrictions or have laws that are pending. These
laws continue to develop and may be inconsistent from jurisdiction to jurisdiction. Complying with emerging and changing
requirements causes the Company to incur substantial costs and has required and may in the future require the Company to
change its business practices. Noncompliance could result in significant penalties or legal liability.
The Company makes statements about its use and disclosure of personal information through its privacy policy, information
provided on its website, press statements and other privacy notices provided to customers. Any failure by the Company to
comply with these public statements or with other federal, state or international privacy or data protection laws and regulations
could result in inquiries or proceedings against the Company by governmental entities or others. In addition to reputational
impacts, penalties could include ongoing audit requirements and significant legal liability.
In addition to the risks generally relating to the collection, use, retention, security and transfer of personal information, the
Company is also subject to specific obligations relating to information considered sensitive under applicable laws, such as health
data, financial data and biometric data. Health data and financial data are subject to additional privacy, security and breach
notification requirements, and the Company is subject to audit by governmental authorities regarding the Company’s compliance
with these obligations. If the Company fails to adequately comply with these rules and requirements, or if health data or financial
data is handled in a manner not permitted by law or under the Company’s agreements with healthcare or financial institutions,
the Company can be subject to litigation or government investigations, and can be liable for associated investigatory expenses,
and can also incur significant fees or fines.
Payment card data is also subject to additional requirements. Under payment card rules and obligations, if cardholder
information is potentially compromised, the Company can be liable for associated investigatory expenses and can also incur
significant fees or fines if the Company fails to follow payment card industry data security standards. The Company could also
experience a significant increase in payment card transaction costs or lose the ability to process payment cards if it fails to follow
payment card industry data security standards, which could materially adversely affect the Company’s business, reputation,
results of operations and financial condition.