MIME 2017 Annual Report

We must continually monitor and develop our information technology networks and infrastructure to prevent, detect, address and mitigate the risk of unauthorized access and expend significant resources to respond to threats to security. However, despite our efforts, we may fail to identify these new and complex methods of attack, or fail to invest sufficient resources in security measures. In addition, as we increase our customer base and our brand becomes more widely known and recognized, we may become more of a target for malicious third parties. Any breach of our security measures as a result of third-party action, employee negligence and/or error, malfeasance, defects or otherwise that compromises the confidentiality, integrity or availability of our data or our customers’ data could result in:

• severe harm to our reputation or brand, or materially and adversely affect the overall market perception of the security and reliability of our services;

• individual customer and/or class action lawsuits, which could result in financial judgments against us and which would cause us to incur legal fees and costs;

• legal or regulatory enforcement action, which could result in fines and/or penalties and which would cause us to incur legal fees and costs; and/or

• additional costs associated with responding to the interruption or security breach, such as investigative and remediation costs, the costs of providing individuals and/or data owners with notice of the breach, legal fees, the costs of any additional fraud detection activities, or the costs of prolonged system disruptions or shutdowns.

Any of these events could materially adversely impact our business and results of operations.
Data privacy concerns, evolving regulations of cloud computing, cross-border data transfer restrictions and other domestic or foreign laws and regulations may limit the use and adoption of, or require modification of, our products and services, which could limit our ability to attract new customers or support existing customers, thus reducing our revenues, harming our operating results and adversely affecting our business. Laws and regulations related to the provision of services on the Internet are increasing, as federal, state and foreign governments continue to adopt new laws and regulations addressing data privacy and the collection, processing, storage and use of personal information. For example, in the United States, these include laws and regulations promulgated under the authority of the Federal Trade Commission, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, the Gramm-Leach-Bliley Act of 1999, or Gramm-Leach-Bliley, and state breach notification laws, as well as regulator enforcement positions and expectations reflected in federal and state regulatory actions, settlements, consent decrees and guidance documents. Internationally, virtually every jurisdiction in which we operate has established its own data security and privacy legal frameworks with which we, or our customers, must comply, including the Data Protection Directive 95/46/EC, or the Directive, established in the European Union, or EU, and local EU Member State legislation implementing the Directive, such as the Data Protection Act in the United Kingdom. Most recently, the EU adopted the EU General Data Protection Regulation, or GDPR, which became effective on May 25, 2018 and replaced the Directive.
The GDPR applies to any company established in the EU as well as to those outside the EU if they collect and use personal data in connection with the offering of goods or services to individuals in the EU or the monitoring of their behavior. The GDPR enhances data protection obligations for processors and controllers of personal data, including, for example, expanded disclosures about how personal information is to be used, limitations on retention of information, mandatory data breach notification requirements and onerous new obligations on service providers. Under the GDPR, fines of up to 20,000,000 Euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be imposed. Given the breadth and depth of changes in data protection obligations, complying with its requirements has caused us to expend significant resources, and such expenditures are likely to continue into the near future as we respond to new interpretations and enforcement actions that may follow the effective date of the regulation and as we continue to negotiate data processing agreements with our customers and business partners. To facilitate and legitimize the transfer of both customer and personnel data from the European Union to the United States, in the past we have relied on the EU-U.S. Safe Harbor Framework, which required U.S.-based companies to provide assurance that they were adhering to relevant European standards for data protection. On October 6, 2015, the Court of Justice of the European Union invalidated the EU-U.S. Safe Harbor Framework. On February 2, 2016, the U.S. and EU announced agreement on a new framework for transatlantic data flows entitled the EU-U.S. Privacy Shield, and we self-certified under the EU-U.S. Privacy Shield framework in March 2018.
However, the Privacy Shield continues to be subject to legal challenges and, as a result, there is some uncertainty regarding its future validity and our ability to rely on it for EU-to-U.S. data transfers. If the Privacy Shield is ultimately invalidated, we will be required to identify and implement alternative solutions to ensure that we are in compliance with European data transfer requirements. If we fail to comply fully with European privacy laws, EU data protection authorities might impose upon us a number of different sanctions, including fines and restrictions on transfers.
