not always possible to identify and deter this type of misconduct, and the precautions we take to detect and prevent this activity may not be effective in controlling unknown or unmanaged risks or losses or in protecting us from governmental investigations or other actions or lawsuits stemming from a failure to be in compliance with such laws or regulations. Moreover, it is possible for a whistleblower to pursue a False Claims Act case against us even if the government considers the claim unmeritorious and declines to intervene, which could require us to incur costs defending against such a claim. Further, due to the risk that a judgment in a False Claims Act case could result in exclusion from federal health programs or debarment from government contracts, whistleblower cases often result in large settlements. If any such actions are instituted against us, and we are not successful in defending ourselves or asserting our rights, those actions could have a significant impact on our business, financial condition, and results of operations, including the imposition of significant fines or other sanctions.
Our operations, including our use of hazardous materials, chemicals, bacteria, and viruses, require us to comply with regulatory requirements and expose us to significant potential liabilities.
Our operations involve the use of hazardous materials, including chemicals, and may produce dangerous waste products. Accordingly, we, along with the third parties that conduct clinical trials and manufacture our products and product candidates on our behalf, are subject to federal, state, local and foreign laws and regulations that govern the use, manufacture, distribution, storage, handling, exposure, disposal and recordkeeping with respect to these materials. We are also subject to a variety of environmental and occupational health and safety laws. Compliance with current or future laws and regulations can require significant costs and we could be subject to substantial fines and penalties in the event of noncompliance. In addition, the risk of contamination or injury from these materials cannot be completely eliminated. In such event, we could be held liable for substantial civil damages or costs associated with the cleanup of hazardous materials.
Our failure to comply with data protection laws and regulations could lead to government enforcement actions and significant penalties against us, and adversely impact our operating results.
EU Member States, Switzerland and other countries have adopted data protection laws and regulations, which impose significant compliance obligations. For example, European Union, or EU, member states and other foreign jurisdictions, including Switzerland, have adopted data protection laws and regulations which impose significant compliance obligations. Moreover, the collection and use of personal health data in the EU is now governed under the EU General Data Protection Regulation, or the GDPR, effective in May 2018. The GDPR, which is wide-ranging in scope, imposed several requirements relating to the consent of the individuals to whom the personal data relates, the information provided to the individuals, the security and confidentiality of the personal data, data breach notification and the use of third-party processors in connection with the processing of personal data. The GDPR also imposes strict rules on the transfer of personal data out of the EU to the U.S., provides an enforcement authority and imposes large penalties for noncompliance, including the potential for fines of up to €20 million or 4% of the annual global revenues of the noncompliant company, whichever is greater. The GDPR requirements apply not only to third-party transactions, but also to transfers of information between us and our subsidiaries, including employee information. The GDPR increases our responsibility and liability in relation to personal data that we process, including in clinical trials, and we may be required to put in place additional mechanisms to ensure compliance with the GDPR, which could divert management’s attention and increase our cost of doing business. In addition, new regulation or legislative actions regarding data privacy and security (together with applicable industry standards) may increase our costs of doing business. However, despite our ongoing efforts, we may not be successful either due to various factors within our control, such as limited financial or human resources, or other factors outside our control. It is also possible that local data protection authorities may have different interpretations of the GDPR, leading to potential inconsistencies amongst various EU member states. Any failure or alleged failure (including as a result of deficiencies in our policies, procedures, or measures relating to privacy, data security, marketing, or communications) by us to comply with laws, regulations, policies, legal or contractual obligations, industry standards, or regulatory guidance relating to privacy or data security, may result in governmental investigations and enforcement actions, litigation, fines and penalties or adverse publicity. In addition, we expect that there will continue to be new proposed laws, regulations and industry standards relating to privacy and data protection in the United States, the EU and other jurisdictions, such as the California Consumer Privacy Act of 2018, which has been characterized as the first "GDPR-like" privacy statute to be enacted in the United States. Additionally, California voters approved another privacy law, the California Privacy Rights Act (the CPRA), in the November 2020 election. Effective starting on January 1, 2023, the CPRA significantly modified the CCPA, including by expanding consumers' rights with respect to certain sensitive personal information. There are many other state-based data privacy and security laws and regulations that may impact our business, including Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, and the Texas Data Privacy and Security Act that became effective in 2024 as well as several laws that are and will be effective in 2025. We cannot determine the impact such future laws, regulations and standards may have on our business.
If we experience a significant disruption in our information technology systems or breaches of data security, including due to a cybersecurity incident, our business could be adversely affected.
We rely on information technology systems to keep financial records, capture laboratory data, maintain clinical trial data and corporate records, communicate with staff and external parties and operate other critical functions. Our information technology systems