vendors. In addition, our eCommerce operations depend upon the secure transmission of confidential information over public
networks, including information permitting cashless payments.
Cyber threats are rapidly evolving and those threats and the means for obtaining access to information in digital and other
storage media are becoming increasingly sophisticated and frequent. Attacks against information systems and devices, whether
our own or those of our third-party service providers, create risk of cybersecurity incidents, including ransomware, malware,
phishing incidents. We expect to continue to experience such attempted attacks in the future. Cyberattacks and threat actors can
be sponsored by particular countries or sophisticated criminal organizations or be the work of hackers with a wide range of
motives and expertise. We and the businesses with which we interact have experienced and continue to experience threats to
data and systems, including by perpetrators of random or targeted malicious cyberattacks, computer viruses, phishing incidents,
worms, bot attacks, ransomware or other destructive or disruptive software and attempts to misappropriate customer
information, including credit card and payment information, and cause system failures and disruptions. Mitigation and
remediation recommendations continue to evolve, and addressing vulnerabilities is a priority for us. The increased use of
remote work infrastructure due to the COVID-19 pandemic has also increased the possible attack surfaces. Some of our systems
and third-party service providers' systems have experienced security incidents or breaches and although they did not have a
material adverse effect on our operating results, there can be no assurance of a similar result in the future.
Associate error or malfeasance, faulty password management, social engineering or other vulnerabilities and irregularities may
also result in a defeat of our or our third-party service providers' security measures and a compromise or breach of our or their
information systems. Moreover, hardware, software or applications we use may have inherent vulnerabilities or defects of
design, manufacture or operations or could be inadvertently or intentionally implemented or used in a manner that could
compromise information security.
Any compromise of our data security systems or of those of businesses with which we interact, which results in confidential
information being accessed, obtained, damaged, disclosed, destroyed, modified, lost or used by unauthorized persons could
harm our reputation and expose us to regulatory actions (including, with respect to health information, liability under the Health
Insurance Portability and Accountability Act of 1996, or "HIPAA"), customer attrition, remediation expenses, and claims from
customers, members, associates, vendors, financial institutions, payment card networks and other persons, any of which could
materially and adversely affect our business operations, financial position and results of operations. Because the techniques
used to obtain unauthorized access, disable or degrade service, or sabotage systems change frequently and may not immediately
produce signs of a compromise, we may be unable to anticipate these techniques or to implement adequate preventative
measures and we or our third-party service providers may not discover any security event, breach, vulnerability or compromise
of information for a significant period of time after the security incident occurs. To the extent that any cyberattack, ransomware
or incursion in our or one of our third-party service provider's information systems results in the loss, damage, misappropriation
or other compromise of information, we may be materially adversely affected by claims from customers, financial institutions,
regulatory authorities, payment card networks and others.
Our compliance programs, information technology, and enterprise risk management efforts cannot eliminate all systemic risk.
Disruptions in our systems caused by security incidents, breaches or cyberattacks – including attacks on those parties we do
business with (such as strategic partners, suppliers, banks, or utility companies) – could harm our ability to conduct our
operations, which may have a material effect on us, may result in losses that could have a material adverse effect on our
financial position or results of operations, or may have a cascading effect that adversely impacts our partners, third-party
service providers, customers, financial services firms, and other third parties that we interact with on a regular basis.
In addition, such security-related events could be widely publicized and could materially adversely affect our reputation with
our customers, members, associates, vendors and shareholders, could harm our competitive position particularly with respect to
our eCommerce operations, and could result in a material reduction in our net sales in our eCommerce operations, as well as in
our stores thereby materially adversely affecting our operations, net sales, results of operations, financial position, cash flows
and liquidity. Such events could also result in the release to the public of confidential information about our operations and
financial position and performance and could result in litigation or other legal actions against us or the imposition of penalties,
fines, fees or liabilities, which may not be covered by our insurance policies. Moreover, a security compromise or ransomware
event could require us to devote significant management resources to address the problems created by the issue and to expend
significant additional resources to upgrade further the security measures we employ to guard personal and confidential
information against cyberattacks and other attempts to access or otherwise compromise such information and could result in a
disruption of our operations, particularly our digital operations.
We accept payments using a variety of methods, including cash, checks, credit and debit cards, and our private label credit
cards and gift cards, and we may offer new payment options over time, which may have information security risk implications.
As a retailer accepting debit and credit cards for payment, we are subject to various industry data protection standards and
protocols, such as payment network security operating guidelines and the Payment Card Industry Data Security Standard. We
cannot be certain that the security measures we maintain to protect all of our information technology systems are able to
prevent, contain or detect cyberattacks, cyberterrorism, security incidents, breaches, or other compromises from known
malware or ransomware or other threats that may be developed in the future. In certain circumstances, our contracts with
20