our third-party collaborators, consultants, contractors, suppliers, or service providers were to suffer an attack or breach, for example, that resulted in the unauthorized access to or use or disclosure of personal information, including health-related information, we may have to notify individuals, collaborators, government authorities, and the media, and may be subject to investigations, civil penalties, administrative and enforcement actions, and litigation, any of which could harm our business and reputation. Likewise, we rely on our third-party CROs and other third parties to conduct clinical studies, and similar events relating to their computer systems could also have a material adverse effect on our business.
Attacks upon information technology systems are increasing in their frequency, levels of persistence, sophistication and intensity, and are being conducted by sophisticated and organized groups and individuals with a wide range of motives and expertise. Further, the COVID-19 pandemic is generally increasing the attack surface available to criminals, as more companies and individuals work online and work remotely, and as such, the risk of a cybersecurity incident potentially occurring, and our investment in risk mitigations against such an incident, is increasing. For example, there has been an increase in phishing and spam emails as well as social engineering attempts from “hackers” hoping to use the recent COVID-19 pandemic to their advantage. Because the techniques used to obtain unauthorized access to, or to sabotage, systems change frequently and often are not recognized until launched against a target, we may be unable to anticipate these techniques or implement adequate preventative measures. We may also experience security breaches that may remain undetected for an extended period. Even if identified, we may be unable to adequately investigate or remediate incidents or breaches due to attackers increasingly using tools and techniques that are designed to circumvent controls, to avoid detection, and to remove or obfuscate forensic evidence.
To the extent that any disruption or security breach were to result in a loss of, or damage to, our data or systems, or inappropriate or unauthorized access to or disclosure or use of confidential, proprietary, or other sensitive, personal information, including health-related information, we could incur liability and suffer reputational harm, and the development and commercialization of our products could be delayed. Our insurance policies may not be adequate to compensate us for the potential losses arising from such disruptions, failure, or security breach. In addition, such insurance may not be available to us in the future on economically reasonable terms, or at all. Further, our insurance may not cover all claims made against us and defending a suit, regardless of its merit, could be costly, divert management attention, and harm our reputation.
We are subject to governmental regulation and other legal obligations related to privacy, data protection and information security. Compliance with these requirements could result in additional costs and liabilities to us or inhibit our ability to collect and process data, and the failure to comply with such requirements could have a material adverse effect on our business, financial condition or results of operations.
The global data protection landscape is rapidly evolving, and we are or may become subject to numerous state, federal and foreign laws, requirements and regulations governing the collection, use, disclosure, retention, and security of personal information, such as information that we may collect in connection with clinical trials in the U.S. and abroad. Implementation standards and enforcement practices are likely to remain uncertain for the foreseeable future, and we cannot yet determine the impact future laws, regulations, standards, or perception of their requirements may have on our business. This evolution may create uncertainty in our business, affect our ability to operate in certain jurisdictions or to collect, store, transfer use and share personal information, necessitate the acceptance of more onerous obligations in our contracts, result in liability or impose additional costs on us. Compliance with these privacy and data security requirements is rigorous and time-intensive and may increase our cost of doing business, and despite those efforts, there is a risk that we may be subject to fines and penalties, litigation and reputational harm, which could materially and adversely affect our business, financial condition and results of operations.
In the United States, we and our partners may be subject to numerous federal and state laws and regulations, including state data breach notification laws, state health information privacy laws, and federal and state consumer protection laws and regulations, that govern the collection, use, disclosure, and protection of health-related and other personal information could apply to our operations or the operations of our partners. In addition, we may obtain health information from third parties (including research institutions from which we obtain clinical trial data) that are subject