data breach litigation. The CCPA does contain an exemption for medical information governed by the
California Confidentiality of Medical Information Act (CMIA), and for protected health information collected by a covered entity or business associate governed by the privacy, security and breach notification rule established pursuant to HIPAA and
HITECH, but the precise application and scope of this exemption as well as how it would apply to our business is not yet clear.
With laws and regulations such as HIPAA and the CCPA imposing relatively burdensome obligations, and with substantial uncertainty over the interpretation and application of these and other laws and regulations to our business, we may face challenges in addressing their
requirements and making necessary changes to our policies and practices, and may incur significant costs and expenses in an effort to do so. For example, the increased consumer control over the sharing of their personal information under the CCPA
may affect our customers' ability to share such personal information with us or may require us to delete or remove consumer information from our records or data sets, which may create considerable costs or loss of revenue for our organization.
In addition, any failure or perceived failure by us to maintain posted privacy policies which are accurate, comprehensive and fully implemented, and any
violation or perceived violation of our privacy-, data protection- or information security-related obligations to customers, users or other third parties or any of our other legal obligations relating to privacy, data protection or information
security may result in governmental investigations or enforcement actions, litigation, claims or public statements against us by consumer advocacy groups or others, and could result in significant liability, loss of relationships with key third
parties including carriers, social media networks and other data providers, or cause our consumers to lose trust in us, which could have material impacts on our revenue and operations.
We may not be able to maintain compliance with all current and potentially applicable U.S. federal and state or foreign laws and regulations relating to
privacy and cybersecurity, and actions by regulatory authorities or changes in legislation and regulation in the jurisdictions in which we operate could have a material adverse effect on our business.
We are subject to a variety of laws and regulations that involve user privacy and the collection, processing, storing, sharing, disclosing, using, transfer and
protecting of personal information and other data. These laws and regulations constantly evolve and remain subject to significant change. In addition, the application and interpretation of these laws and regulations are often uncertain. Because we
store, process and use data, some of which contain personal information, we are subject to complex and evolving federal, state and local laws and regulations regarding privacy, data protection and other matters. Many of these laws and regulations
are subject to change and uncertain interpretation. The U.S. federal and state governments and agencies may in the future enact new legislation and promulgate new regulations governing collection, use, disclosure, storage, processing, transmission
and destruction of personal information and other data. New privacy laws add additional complexity, requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs, and could impact trading
strategies and availability of previously useful data.
The New York Department of Financial Services, or NYDFS, Cybersecurity Regulation for financial
services companies, including insurance entities under NYDFS jurisdiction, requires entities to establish and maintain a cybersecurity program designed to protect private consumer data, and implement a risk assessment designed to perform core
cybersecurity functions. The regulation specifically provides for: (i) controls relating to the governance framework for a cybersecurity program; (ii) risk-based minimum standards for technology systems for data protection;
(iii) minimum standards for cyber breach responses, including notice to the NYDFS of material events; and (iv) identification and documentation of material deficiencies, remediation plans and annual certification of regulatory compliance
with the NYDFS. The Cybersecurity Regulation also requires implementation of continuous monitoring of information technology systems or periodic penetration testing and vulnerability assessments. Similarly, the Massachusetts data protection law and
the New York Stop Hacks and Improve Data Security Act, or SHIELD Act, both require companies to implement a written information security program that contains appropriate administrative, technical, and physical safeguards as defined in the
respective statute.
In October 2017, the National Association of Insurance Commissioners, or NAIC, adopted the Insurance Data Security Model Law, or the
Cybersecurity Model Law, which is intended to establish the standards for data security and for the investigation and notification of data breaches applicable to insurance licensees in states adopting such law. To date, the Cybersecurity Model Law
has been adopted by Alabama, Connecticut, Delaware, Michigan, Mississippi, New Hampshire, Ohio and South Carolina, with several other states expected to adopt in the near future. The Cybersecurity Model Law could impose significant new regulatory
burdens intended to protect the confidentiality, integrity and availability of information systems. The NAIC model law is functionally similar to the NYDFS rule.
In addition, the California legislature enacted the CCPA in September 2018, which entered into effect in January 2020, and has encouraged copycat
legislative proposals in other states across the country such as Nevada, Virginia, New Hampshire, Illinois and Nebraska. These legislative proposals may add additional complexity, variation in requirements, restrictions and potential legal risk,
require additional investment in resources to compliance programs, and could impact strategies and availability of previously useful data.
Compliance with existing and emerging privacy and cybersecurity laws and regulations could result in increased compliance costs and/or lead to changes in business practices and policies, and any failure to protect the confidentiality of client information
could adversely affect our reputation, lead to private litigation against us, and require additional investment in resources, impact strategies and availability of previously useful data, any of which could materially and adversely affect our
business, operating results and financial condition.