The Company is subject to stringent and changing privacy laws, regulations and standards as well as policies, contracts and other obligations related to data privacy and security.
The Company collects, receives, stores, processes, uses, generates, transfers, discloses, makes accessible, protects, and shares personal information and other information (Process or Processing), including information it collects in connection with clinical trials, as necessary to operate its business, for legal and marketing purposes, and for other business-related purposes.
There are numerous federal, state, local and international laws, regulations and guidance regarding privacy, information security and Processing, the number and scope of which is changing, subject to differing applications and interpretations, and which may be inconsistent. The Company is subject, and may become subject in the future, to certain of these laws, regulations, and guidance, and it is also subject to the terms of its external and internal privacy and security policies, representations, certifications, standards, publications, frameworks, and contractual obligations to third parties related to privacy, information security and Processing.
If the Company fails, or is perceived to have failed, to address or comply with such obligations, it could:
- increase its compliance and operational costs;
- expose it to regulatory scrutiny, actions, fines and penalties;
- result in reputational harm; interrupt or stop its clinical trials;
- result in litigation and liability; result in an inability to process personal data or to operate in certain jurisdictions; or
- harm its business operations or financial results or otherwise result in a material harm to its business.
Additionally, given that these obligations impose complex and burdensome obligations and that there is substantial uncertainty over the interpretation and application of these obligations, the Company may be required to incur material costs, divert management attention, and change its business operations, including its clinical trials, in an effort to comply, which could materially adversely affect its business, results of operations and financial condition.
The California Consumer Privacy Act of 2018 (CCPA) is an example of the increasingly stringent data protection legislation in the United States. The CCPA gives California residents expanded rights to access and require deletion of their personal information, opt out of certain personal information sharing, and receive detailed information about how their personal information is used. The CCPA created civil penalties for violations, as well as a private right of action for data breaches and statutory damages ranging from $100 to $750 per violation, which is expected to increase data breach class action litigation and result in significant exposure to costly legal judgements and settlements. Although there are limited exemptions for clinical trial data under the CCPA, the CCPA and other similar laws could impact the Company's business activities depending on how they are interpreted.
The Company's business operations will be adversely affected if its security measures, or those maintained on its behalf, are compromised, limited or fail.
In the ordinary course of its business, the Company handles and processes proprietary, confidential and sensitive information, including personal data, intellectual property, trade secrets, and proprietary business information owned or controlled by us or other third parties, or collectively. The Company may use and share such sensitive information with service providers and other third parties. If the Company, its service providers, partners, or other relevant third parties have experienced, or in the future experience, any security incident or incidents that result in any data loss; deletion or destruction; unauthorized access to; loss, unauthorized acquisition, disclosure, or exposure of, confidential and sensitive information, it may adversely affect SeaStar Medical's business, results of operations and financial condition, including the diversion of funds to address the breach, and interruptions, delays, or outages in its operations and development programs.
Cyberattacks, malicious internet-based activity and online and offline fraud are prevalent and continue to increase, including the possibility that the ongoing conflict between Russia and Ukraine could result in cyberattacks or cybersecurity incidents that may have a direct or indirect impact on our operations. In addition to threats from traditional computer hackers, threat actors, software bugs, malicious code (such as viruses and worms), employee theft or misuse, denial-of-service attacks (such as credential stuffing) and ransomware attacks, sophisticated nation-state and nation-state supported actors now engage in attacks (including advanced persistent threat intrusions). The Company may also be the subject of phishing attacks, viruses, malware installation, server malfunction, software or hardware failures, loss of data or other computer assets, or other similar issues, any of which could have a material and adverse effect on its business, results of operations and financial condition.