EFX, §1A diff (2017 → 2018)
Added paragraphs (9341 words)
ITEM 1A. RISK FACTORS All of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. The risks described below are not the only ones facing us. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations. This Form 10-K also contains forward-looking statements and estimates that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of specific factors, including the risks and uncertainties described below. Security breaches like the 2017 cybersecurity incident and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of consumers. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Despite our substantial investment in physical and technological security measures, employee training and contractual precautions, our information technology networks and infrastructure (or those of our third-party vendors and other service providers) are potentially vulnerable to unauthorized access to data or breaches of confidential information due to criminal conduct, attacks by hackers, employee or insider malfeasance and/or human error. In 2017, we were the target of a cybersecurity attack that involved the theft of certain personally identifiable information of approximately 145.5 million U.S. consumers, approximately 19,000 Canadian consumers and approximately 860,000 U.K. consumers. In addition, we identified approximately 2.4 million U.S. consumers whose name and partial driver’s license information were stolen in the attack. While the forensic analysis of the 2017 cybersecurity incident is complete, it is possible that further analysis will identify additional consumers affected or additional types of data accessed, which could result in additional notifications and negative publicity. Following the 2017 cybersecurity incident, we began undertaking significant remediation efforts and other steps to enhance our data security infrastructure which are ongoing. In connection with these efforts, we have incurred significant costs and expect to incur additional significant costs as we continue to enhance our data security infrastructure and take further steps to prevent unauthorized access to our systems and the data we maintain. Despite these efforts, we cannot assure you that all potential causes of this incident have been identified and remediated and that similar cyber incidents will not occur in the future. Because our products and services involve the storage and transmission of personal information of consumers, we will continue to routinely be the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. As we transition to cloud-based technologies, we may be exposed to additional cyber threats as we migrate our data from our legacy systems to cloud-based solutions. Our increased dependence on third parties to store our cloud-based data systems may also subject us to further cyber threats. Insider or employee cyber and security threats are also a significant concern for all companies, including ours. In addition, the 2017 cybersecurity incident may embolden individuals or groups to target our systems. We must continuously plan, develop and monitor our information technology networks and infrastructure to identify, protect, detect, respond to and recover from the risk of unauthorized access, misuse, malware, phishing and other events that could have a security impact. If we experience additional breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure or other loss of information could subject us to significant additional litigation, regulatory fines, penalties, losses of customers or reputational damage, any of which could have a significant negative impact on our cash flows, competitive position, financial condition or results of operations. We cannot ensure that our insurance policies in the future will be adequate to cover losses from any future failures. Our $125.0 million cybersecurity insurance policy was not adequate to cover the losses we have incurred to date from the 2017 cybersecurity incident, and all future losses we incur as a result of the incident will not be covered by insurance. In addition, our insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention. The government investigations and litigation resulting from the 2017 cybersecurity incident will continue to adversely impact our business and results of operations. As a result of the 2017 cybersecurity incident, we are currently a party to a consolidated multi-district consumer class action lawsuit and a consolidated multi-district financial institution class action lawsuit, as well as a consolidated securities class action lawsuit, shareholder derivative litigation and other lawsuits and claims arising out of the 2017 cybersecurity incident seeking monetary damages or other relief. A number of U.S. federal, state, local and foreign governmental officials and agencies, including Congressional committees, the FTC, the CFPB, the SEC, the U.S. Department of Justice and state attorneys general offices in the U.S., the FCA in the U.K. and the Office of the Privacy Commissioner in Canada, continue to investigate events related to the 2017 cybersecurity incident, including how it occurred, the consequences thereof and our response thereto. While we believe it is beneficial to resolve the consolidated multi-district consumer class action and one or more of the government investigations in the U.S. through a global resolution, the complexity of achieving a multi-party resolution, especially involving multiple government agencies, makes this a difficult objective to achieve. We may not have success in achieving a global resolution or even a resolution of any of these matters individually. In addition, other lawsuits, investigations and reports related to the 2017 cybersecurity incident may be filed, commenced or issued. The claims and investigations have resulted in the incurrence of significant external and internal legal costs and expenses and reputational damage to our business and are expected to continue throughout 2019 and beyond. The resolution of these matters may result in damages, costs, fines or penalties substantially in excess of our insurance coverage, which, depending on the amount, could have a material adverse effect on our liquidity or compliance with our credit agreements. If such damages, costs, fines or penalties were great enough that we could not pay them through funds generated from operating activities and/or cause a default under our revolving credit facility, we may be forced to renegotiate or obtain a waiver under our revolving credit facility and/or seek additional debt or equity financing. Such renegotiation or financing may not be available on acceptable terms, or at all. In these circumstances, if we were unable to obtain sufficient financing, we may not be able to meet our obligations as they come due. The outcome of such claims and investigations could also adversely affect or cause us to change how we operate our business. Various governmental agencies investigating the 2017 cybersecurity incident are seeking to impose injunctive relief, consent decrees, and civil penalties, which could, among other things, impact our ability to collect and use consumer information, materially increase our data security costs, reduce available resources to invest in technology and innovation and/or otherwise require us to alter how we operate our business, and put us at a competitive disadvantage. Any legislative or regulatory changes adopted in reaction to the 2017 cybersecurity incident or other companies’ data breaches could require us to make modifications to the operation of our business that could have an adverse effect and/or increase or accelerate our compliance costs. Furthermore, these matters necessitate significant attention by management, which may divert the focus of management from the operation of our business resulting in an adverse impact on our results of operations. The 2017 cybersecurity incident and the adverse publicity that followed have had a negative impact on our reputation and our relationships with our customers, and we cannot assure that it will not have a long-term effect on our relationships with our customers, our revenue and our business. Our reputation with consumers and other stakeholders and our customer relationships were damaged following the 2017 cybersecurity incident, resulting in a negative impact on our revenue. Despite our progress made toward repairing our reputation and business relationships, if we are unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business. Additionally, following the 2017 cybersecurity incident, certain of our International Organization for Standardization (“ISO”) certifications, which specify requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system, were suspended. Additionally, certain of our payment card industry certifications were suspended. These certifications, including the ISO 27001 certification, are critical to our business, because certain of our current and potential customers and the contracts governing certain customer relationships, as well as certain of our data suppliers, require us to maintain them as a requirement of doing business. In 2018, significant focus was placed on remediation activities in order to obtain ISO and payment card industry re-certifications. We have reacquired three independent ISO/IEC 27001:2013 certifications (representing our Corporate, U.K. and Canada environments) and two of our payment card industry certifications (U.K. and Canada). In addition, we expect to obtain the USIS and GCS payment card industry re-certification in 2019. If we fail to maintain or regain these certifications, customers may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue. The failure to realize the anticipated benefits of our technology transformation strategy could adversely impact our business and financial results. We expect our technology transformation strategy, including our transition to cloud-based technologies, will significantly increase our efficiency and productivity, the functionality of our products and services, as well as decrease the cost of our systems infrastructure, all of which we expect will drive growth and have a positive effect on our business, competitive position and results of operations. This initiative is a major undertaking as we replace many of our previous operating systems with cloud-based systems. This complex, multifaceted and extensive initiative will be expensive and may cause material unanticipated problems and expenses. If our new systems do not operate as expected, we may have to incur significant additional costs to modify them. Moreover, we may experience issues of customer migration, as many of our customers may choose not to utilize our products and services during and after our transition to cloud-based technologies. We cannot assure you that our technology transformation strategy will be beneficial to the extent, or within the timeframes, expected, or that the estimated efficiency, cost savings and other improvements will be realized as anticipated or at all. Market acceptance of cloud-based offerings is affected by a variety of factors, including information security, reliability, performance, the sufficiency of technological infrastructure to support our products and services in certain geographies, customer concerns with entrusting a third party to store and manage its data as well as the customer’s ability to access this data once a contract has expired, and consumer concerns regarding data privacy and the enactment of laws or regulations that restrict our ability to provide such services to customers. If we are unable to correctly respond to these issues, we may experience business disruptions, damage to our reputation, negative publicity, diminished customer relationships and other adverse effects on our business. Even if the anticipated benefits and savings are substantially realized, there may be consequences, internal control issues or business impacts that were not expected. Our transition and migration to cloud-based technologies may increase our risk of liability and cause us to incur significant technical, legal or other costs. Our technology transformation strategy places a significant strain on our management, operational, financial and other limited resources. As part of our technology transformation strategy, we are transitioning and migrating our data systems from traditional data centers to cloud-based platforms. This initiative will place significant strain on our management, personnel, operations, systems, technical performance and financial resources and internal financial control and reporting function. In addition, many of our existing personnel do not have experience with native cloud-based technologies and, as a result, we have and will continue to hire personnel with such experience. This effort will be time consuming and costly. Our technology transformation strategy requires management time and resources to educate employees and implement new ways of conducting business. The dedication of resources to our technology transformation strategy and cloud-based technologies limits the resources we have available to devote to other initiatives or growth opportunities, or to invest in the maintenance of our existing internal systems. We cannot guarantee that our strategy is the right one or that investments in alternative technologies or other initiatives would not be a better use of our limited resources. Additionally, as a result of our migration efforts in connection with our technology transformation strategy, we may experience a loss of continuity, loss of accumulated knowledge or loss of efficiency during transitional periods. Reorganization and transition can require a significant amount of management and other employees’ time and focus, which may divert attention from operating activities and growing our business. If we fail to achieve some or all of the expected benefits of these activities, it could have a material adverse effect on our competitive position, business, financial condition, results of operations and cash flows. Our transition to cloud-based technologies could expose us to operational disruptions. We rely on the efficient and uninterrupted operation of complex information technology systems and networks, some of which are managed internally within the Company and some of which are outsourced to third parties. As part of our technology transformation strategy, we are upgrading the information technology systems used to operate our business and replacing them with cloud-based solutions. This transition will require substantial changes to our software and network infrastructure, which could lead to system interruptions, affect our data systems and further expose us to operational disruptions, and cause us to lose customers, all of which could have a material adverse effect on our results of operations. Upon implementation of the new cloud-based solutions, much of our information technology systems will consist of outsourced, cloud-based infrastructure, platform and software-as-a-service solutions not under our direct management or control. Any disruption to either the outsourced systems or the communication links between us and the outsourced supplier could negatively affect our ability to operate our data systems and could impair our ability to provide services to our customers. We may incur additional costs to remedy the damages caused by these disruptions. The loss of access to credit, employment, financial and other data from external sources could harm our ability to provide our products and services. We rely extensively upon data from external sources to maintain our proprietary and non-proprietary databases, including data received from customers, strategic partners and various government and public record sources. This data includes the widespread and voluntary contribution of credit data from most lenders in the U.S and many other markets as well as the contribution of data under proprietary contractual agreements, such as employers’ contribution of employment and income data to The Work Number®, financial institutions’ contribution of individual financial data to IXI, and telecommunications, cable and utility companies’ contribution of payment and fraud data to the National Cable, Telecommunications and Utility Exchange. For a variety of reasons, including concerns of data furnishers arising out of the 2017 cybersecurity incident, legislatively or judicially imposed restrictions on use, additional security breaches or competitive reasons, our data sources could withdraw, delay receipt of or increase the cost of their data provided to us. Where we currently have exclusive use of data, the providers of the data sources could elect to make the information available to competitors. We also compete with several of our third-party data suppliers. If a substantial number of data sources or certain key data sources were to withdraw or be unable to provide their data, if we were to lose access to data due to government regulation, if we lose exclusive right to the use of data, or if the collection, disclosure or use of data becomes uneconomical, our ability to provide products and services to our clients could have a significant negative impact, which could result in decreased revenue, net income and earnings per share and reputational loss. There can be no assurance that we would be able to obtain data from alternative sources if our current sources become unavailable. Negative changes in general economic conditions, including interest rates, unemployment rates, income, home prices, investment values and consumer confidence, could adversely affect us. Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions, including the demand and availability of affordable credit and capital, the level and volatility of interest rates, inflation, employment levels, consumer confidence and housing demand, both inside and outside the U.S. Business customers use our credit information and related analytical services and data to process applications for new credit cards, automobile loans, home and equity loans and other consumer loans, and to manage their existing credit relationships. Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity, which can be impacted by changes in interest rates. Bank and other lenders’ willingness to extend credit are adversely affected by elevated consumer delinquency and loan losses in a weak economy. Consumer demand for credit (i.e., rates of spending and levels of indebtedness) also tends to grow more slowly or decline during periods of economic contraction or slow economic growth. For example, in 2018, our revenue was negatively impacted in the U.S. by the weak mortgage market; in Argentina by the substantial weakening of the economy and local currency; in Australia by weak real estate and mortgage markets and overall weakness in consumer credit markets. Our customer base suffers when financial markets experience volatility, illiquidity and disruption and the potential for increased and continuing disruptions going forward presents considerable risks to our business and revenue. High or rising rates of unemployment and interest, declines in income, home prices or investment values, lower consumer confidence and reduced access to credit adversely affect demand for many of our products and services, and consequently our revenue and results of operations, as consumers may postpone or reduce their spending and use of credit, and lenders may reduce the amount of credit offered or available. Our markets are highly competitive and new product introductions and pricing strategies being offered by our competitors could decrease our sales and market share or require us to enhance our products and services or reduce our prices in a manner that reduces our operating margins. We operate in a number of geographic, product and service markets that are highly competitive. Competitors may develop products and services that are superior to or that achieve greater market acceptance than our products and services. The size of our competitors varies across market segments, as do the resources we have allocated to the segments we target. Therefore, some of our competitors may have significantly greater financial, technical, marketing or other resources than we do in one or more of our market segments, or overall. As a result, our competitors may be in a position to respond more quickly than we can to new or emerging technologies and changes in customer requirements, or may devote greater resources than we can to the development, enhancement, promotion, sale and support of products and services, or some of our customers may develop products of their own that replace the products they currently purchase from us, which would result in lower revenue. In addition, many of our competitors have extensive consumer relationships, including relationships with our current and potential customers. Moreover, new competitors or alliances among our competitors may emerge and potentially reduce our market share, revenue or margins. We also sell our information to competing firms, and buy information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U.S. mortgage market. Changes in prices between competitors for this information and/or changes in the design or sale of tri-bureau versus single bureau product offerings may affect our revenue or profitability. Some of our competitors may choose to sell products that compete with ours at lower prices by accepting lower margins and profitability, or may be able to sell products competitive to ours at lower prices, individually or as a part of integrated suites, given proprietary ownership of data, technological superiority or economies of scale. Price reductions by our competitors could negatively impact our margins and results of operations and could also harm our ability to obtain new customers on favorable terms. Historically, certain of our key products have experienced declines in per unit pricing due to competitive factors and customer demand. Since a significant portion of our operating expenses is relatively fixed in nature due to sales, information technology and development and other costs, if we were unable to respond quickly enough to changes in competition or customer demand, we could experience further reductions in our operating margins. Our relationships with key long-term customers may be materially diminished or terminated. We have long-standing relationships with a number of our customers, many of whom could unilaterally terminate their relationship with us or materially reduce the amount of business they conduct with us at any time. Many of our material customer agreements can be terminated by the customer for convenience on advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors. We also provide our services to business partners who may combine them with their own or other branded services to be offered as a bundle to consumers, governmental agencies and businesses in support of fraud or credit protection, credit monitoring, identity authentication, insurance or credit underwriting, and collections. Some of these partners are the largest providers of credit information or identity protection services to the consumer market. Market competition, business requirements, financial condition and consolidation through mergers or acquisitions, could adversely affect our ability to continue or expand our relationships with our customers and business partners. There is no guarantee that we will be able to retain or renew existing agreements, maintain relationships with any of our customers or business partners on acceptable terms or at all, or collect amounts owed to us from insolvent customers or business partners. The loss of one or more of our major customers or business partners could adversely affect our business, financial condition and results of operations. If we do not introduce successful new products, services and analytical capabilities in a timely manner, or if the market does not adopt our new services, our competitiveness and operating results will suffer. We generally sell our products in industries that are characterized by rapid technological changes, frequent new product and service introductions and changing industry standards. In addition, certain of the markets in which we operate are seasonal and cyclical. Without the timely introduction of new products, services and enhancements, our products and services will become technologically or commercially obsolete over time, in which case our revenue and operating results would suffer. The success of our new products and services will depend on several factors, including our ability to properly identify customer needs; innovate and develop new technologies, services and applications; successfully commercialize new technologies in a timely manner; produce and deliver our products in sufficient volumes on time; differentiate our offerings from competitor offerings; price our products competitively; anticipate our competitors’ development of new products, services or technological innovations; and control product quality in our product development process. Our resources have to be committed to any new products and services before knowing whether the market will adopt the new offerings. In addition, our management is and will continue to be intensely focused on enhancing our security measures and responding to consumer and customer concerns relating to the 2017 cybersecurity incident and may not be able to devote sufficient time or resources to new product development, which could cause us to be less competitive as compared to our peers, lose out on new revenue opportunities and have an adverse effect on our growth and our business. The demand for some of our products and services may be negatively impacted to the extent the availability of free or less expensive consumer information increases. Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, particularly through the internet, and this trend is expected to continue. In addition, governmental agencies in particular have increased the amount of information to which they provide free public access and these or other sources of free or relatively inexpensive consumer information from competitors or other commercial sources may reduce demand for our services, particularly in our USIS and Global Consumer Solutions business units. Recently, there also has been an increase in companies offering free or low-cost direct-to-consumer credit services (such as credit scores, reports and monitoring) as part of alternative business models that use such services as a means to introduce consumers to other products and services. To the extent that our customers choose not to obtain services from us and instead rely on information obtained at no cost or relatively inexpensively from these other sources, our business, financial condition and results of operations may be adversely affected. Due to the 2017 cybersecurity incident and our provision of free services to consumers in connection therewith, we ceased the advertisement and sale of new products in our direct-to-consumer business from September 2017 through October 2018, which resulted in a significant decline in revenue in that business. Furthermore, in late January 2018, we began offering a new credit lock service, Lock & Alert™, that is free for life and is aimed at empowering U.S. consumers to control access to their Equifax credit file directly and quickly from their smartphone or computer. Additionally, effective September 2018, federal law allows consumers to place freezes on their credit files at all credit bureaus including Equifax. If a significant number of consumers lock or freeze their file, our population of data is reduced which could affect our product offerings and value to our customers in our other businesses. If our systems do not meet customer requirements for response time or high availability, or we experience system constraints or failures, or our customers do not modify and/or upgrade their systems to accept new releases of our products and services, our services to our customers could be delayed or interrupted, which could result in lost revenues or customers, lower margins, or other harm to our business and reputation. We depend on reliable, stable, efficient and uninterrupted operation of our technology network, systems, and data centers to provide service to our customers. Many of the services and systems upon which we rely have been outsourced to third parties. In addition, many of our revenue streams are dependent on links to third party telecommunications providers. These systems and operations, and the personnel that support, service and operate these systems, could be exposed to interruption, damage or destruction from power loss, telecommunication failures, computer viruses, denial-of-service attacks, employee or insider malfeasance, human error, fire, natural disasters, war, terrorist acts or civil unrest. We may not have sufficient disaster recovery or redundant operations in place to cover a loss or failure of systems or telecommunications links in a timely manner. In addition, as part of our technology transformation, we continue to be intensely focused on enhancing our data security infrastructure and effecting our technology transformation strategy and implementation of those enhancements could result in service interruptions. Our customers expect high system availability and response time performance, as well as a very high degree of system resilience. Any significant system interruption or series of minor interruptions could result in the loss of customers and/or lost revenues, lower margins or other significant harm to our business or reputation. We and our customers are subject to various current laws and governmental regulations, and could be affected by new laws or regulations, including as a result of the 2017 cybersecurity incident, compliance with which may cause us to incur significant expenses and change our business practices, and if we fail to maintain satisfactory compliance with certain regulations, we could be subject to civil or criminal penalties. We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy, data and financial protection. See “Item 1. Business-Governmental Regulation” in this Form 10-K for a summary of the U.S. and foreign consumer and data protection laws and regulations to which we are subject. These regulations are complex, change frequently, have tended to become more stringent over time, and are subject to administrative interpretation and judicial construction in ways that could harm our business. Examples of such new laws and regulations include recent amendments to the FCRA requiring the provision of free credit freezes to consumers, new cybersecurity and other requirements promulgated by the New York Department of Financial Services and the passage of the California Consumer Protection Act. Furthermore, we expect there to be an increased focus on laws and regulations related to our business because of the great public concern in the U.S. with regard to the operation of credit reporting agencies, as well as the collection, use, accuracy, correction and sharing of personal information, which was in part heightened by the 2017 cybersecurity incident. There are a number of legislative proposals pending before the U.S. Congress, various state legislative bodies and foreign governments concerning data protection that could affect us and the President of the United States could act by Executive Order. In addition, a growing number of legislative and regulatory bodies have adopted consumer notification and other requirements in the event that consumer information is accessed by unauthorized persons and additional regulations regarding the use, access, accuracy and security of such data are possible. In the U.S., state laws provide for disparate notification regimes, all of which we are subject to. Further, any perception that our practices or products are an invasion of privacy, whether or not consistent with current or future regulations and industry practices, may subject us to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability. We devote substantial compliance, legal and operational business resources to facilitate compliance with applicable regulations and requirements. In the future, we may be subject to significant additional expense to ensure continued compliance with applicable laws and regulations and to investigate, defend or remedy actual or alleged violations. Additionally, we cooperate with CFPB supervisory examinations and respond to other state, federal and foreign government examinations of or inquiries of our business practices. Any failure by us to comply with, or remedy any violations of, applicable laws and regulations could result in the curtailment of certain of our operations, the imposition of fines and penalties, liability to private plaintiffs as a result of individual or class action litigation, restrictions on our ability to carry on or expand our operations and reputational harm. It is difficult to predict the impact on our business if we were subject to allegations of having violated existing laws. For example, in Europe, the GDPR, which includes extensive regulations for certain security incidents, could result in fines of up to four percent of annual worldwide “turnover” (a measure similar to revenues in the U.S.). In addition, because many of our products are regulated or sold to customers in various industries, we must comply with additional regulations in marketing our products. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on customers’ adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. We cannot predict the ultimate impact on our business of new or proposed CFPB, FCA or other rules, supervisory examinations or government investigations or enforcement actions. The following legal and regulatory developments also could have a substantial negative impact on our business, financial condition or results of operations: • amendment, enactment or interpretation of laws and regulations that restrict the access and use of personal information and reduce the availability or effectiveness of our solutions or the supply of data available to customers; • changes in cultural and consumer attitudes in favor of further restrictions on information collection and sharing, which may lead to regulations that prevent full utilization of our solutions; • failure of data suppliers or customers to comply with laws or regulations, where mutual compliance is required; • failure of our solutions to comply with current laws and regulations; and • failure of our solutions to adapt to changes in the regulatory environment in an efficient, cost effective manner. These laws and regulations (as well as actions that may be taken by legislatures and regulatory bodies in other countries) and the consequences of any violation could limit our ability to pursue business opportunities we might otherwise consider engaging in, impose additional costs on us, result in significant loss of revenue, result in significant restitution and fines, impact the value of assets we hold, or otherwise adversely affect our business. See “Item 1. Business-Governmental Regulation” and “Item 3. Legal Proceedings” in this Form 10-K. Regulatory oversight of our contractual relationships with certain of our customers may adversely affect our business. The federal banking agencies, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the CFPB, as well as many state banking agencies have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider’s business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain “critical activities.” In light of this guidance, our existing or potential bank and financial services customers subject to this guidance may continue to revise their third-party risk management policies and processes and the terms on which they do business with us, which may adversely affect our relationship with such customers. In 2018, we entered into a consent order with certain state banking regulators in response to their multi-state review of our information security program. This consent order obligates us to, among other things, make certain changes to our corporate governance and information security practices. If we are unable or otherwise fail to comply with this consent order, our ability to do business with financial institutions in those states could be impaired. It is possible that the consent order or other actions resulting from examinations by federal or state banking regulators could lead to adverse changes in our customer relationships. Economic, political and other risks associated with international sales and operations could adversely affect our results of operations. Sales outside the U.S. comprised 29% of our total revenue in 2018. As a result, our business is subject to various risks associated with doing business internationally. In addition, many of our employees, suppliers, job functions and facilities are located outside the U.S. Accordingly, our future results could be harmed by a variety of factors including: • changes in specific country or region political, economic or other conditions; • trade protection measures; • data privacy and consumer protection regulations; • difficulty in staffing and managing widespread operations; • differing labor, intellectual property protection and technology standards and regulations; • business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions; • difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner; • implementation of exchange controls; • geopolitical instability, including terrorism and war; • foreign currency changes; • increased travel, infrastructure, legal and compliance costs of multiple international locations; • foreign laws and regulatory requirements; • terrorist activity, natural disasters and other catastrophic events; • restrictions on the import and export of technologies; • difficulties in enforcing contracts and collecting accounts receivable; • longer payment cycles; • failure to meet quality standards for outsourced work; • unfavorable tax rules; • the presence and acceptance of varying level of business corruption in international markets; and • varying business practices in foreign countries We earn revenue, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar, including among others the British pound, the Australian dollar, the Canadian dollar, the Argentine peso, the Chilean peso, the Euro, the New Zealand dollar, the Costa Rican colon, the Singapore dollar, the Brazilian real, the Russian ruble and the Indian rupee. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenue, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, increases or decreases in the value of the U.S. dollar against major currencies will affect our operating revenues, operating income and the value of balance sheet items denominated in foreign currencies. In 2018, a general weakening of foreign currencies in countries where we have operations against the U.S. dollar had a negative impact on our results as reported in U.S. dollars. See “Segment Financial Results-International-Asia Pacific,” “-Europe,” “-Latin America,” and “-Canada” and “Effects of Inflation and Changes in Foreign Currency Exchange Rates” in the “Item 7. Management’s Discussion and Analysis” in this Form 10-K. Because of the geographic diversity of our operations, weaknesses in some currencies might be offset by strengths in others over time. We generally do not mitigate the risks associated with fluctuating exchange rates, although we may from time to time through forward contracts or other derivative instruments hedge a portion of our translational foreign currency exposure or exchange rate risks associated with material transactions which are denominated in a foreign currency. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Accordingly, fluctuations in foreign currency exchange rates, particularly the strengthening of the U.S. dollar against major currencies, may materially affect our consolidated financial results. Compliance with applicable U.S. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, labor laws and anti-competition relations increases the cost of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors or agents could nevertheless occur. We are regularly involved in claims, suits, government investigations, supervisory examinations and other proceedings that may result in adverse outcomes. In addition to what we are currently experiencing due to the 2017 cybersecurity incident, we are regularly involved in claims, suits, government investigations, supervisory examinations and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits. Such claims, suits, government investigations and proceedings are inherently uncertain and their results cannot be predicted with certainty. Regardless of their outcome, such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties or sanctions, as well as judgments, consent decrees or orders preventing us from offering certain features, functionalities, products or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results, and financial condition. The FCRA contains an attorney fee shifting provision to provide an incentive for consumers to bring individual and class action lawsuits against a CRA for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of the FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years. We rely, in part, on acquisitions, joint ventures and other alliances to grow our business and expand our geographic reach. The acquisition, integration or divestiture of businesses by us may not produce the expected financial, operating results or IT and data security profile we expect. In addition, if we are unable to make acquisitions or successfully develop and maintain joint ventures and other alliances, our growth may be adversely impacted. Historically, we have relied, in part, on acquisitions, joint ventures and other alliances to grow our business. Any acquisitions we do complete may not be on favorable terms, and the expected benefits, synergies and growth from these initiatives may not materialize as planned. We may have difficulty assimilating new businesses and their products, services, technologies, IT systems and personnel into our operations. IT and data security profiles of acquired companies may not meet our technological standards and may take longer to integrate and remediate than planned. This may result in significantly greater transaction costs for future acquisitions than we have experienced historically, or it could mean that we will not pursue certain acquisitions where the costs of integration and remediation are too significant. We may also have difficulty integrating and operating businesses in countries and geographies where we do not currently have a significant presence, and acquisitions of businesses having a significant presence outside of the U.S. will increase our exposure to risks of conducting operations in international markets. These difficulties could disrupt our ongoing business, distract our management and workforce, increase our expenses and adversely affect our operating results and financial condition. Despite our past experience, opportunities to grow our business through acquisitions, joint ventures and other alliances may not be available to us in the future. In addition, our focus on our technology transformation strategy, our migration to cloud-based technologies and potential fines, penalties and other costs as a result of the 2017 cybersecurity incident may limit our ability to identify and complete acquisitions as we will have less time and resources to devote to identifying suitable acquisition candidates and our technological criteria and standards for acquisition candidates may increase. Dependence on outsourcing certain portions of our operations may adversely affect our ability to bring products to market and damage our reputation. Dependence on outsourced information technology and other administrative functions may impair our ability to operate effectively. As part of our efforts to streamline operations and to reduce operating costs, we have outsourced various components of our application development, information technology, operational support and administrative functions and will continue to evaluate additional outsourcing. Although we have implemented service level agreements and have established monitoring controls, if our outsourcing vendors fail to perform their obligations in a timely manner or at satisfactory quality levels including with respect to data and system security, or increase prices for their services to unreasonable levels, our ability to bring products to market and support our customers and our reputation could suffer. Any failure to perform on the part of these third-party providers could impair our ability to operate effectively and could result in lower future revenue, unrealized efficiencies and adversely impact our results of operations and our financial condition. Much of our outsourcing takes place in developing countries and, as a result, may be subject to geopolitical uncertainty. Changes in income tax laws can significantly impact our net income. Federal and state governments in the U.S. as well as a number of other governments around the world are currently facing significant fiscal pressures and have considered or may consider changes to their tax laws for revenue raising or economic competitiveness reasons. Changes to tax laws can have immediate impacts, either favorable or unfavorable, on our results of operations and cash flows, and may impact our competitive position versus certain competitors who are domiciled in other jurisdictions and subject to different tax laws. In December 2017, the U.S. enacted the Tax Cuts and Jobs Act of 2017 which significantly impacted our U.S. and global tax expense and net income and our earnings per share in 2018. The IRS issued clarification notices and the U.S. Treasury issued Proposed Regulation which also provided clarity to the Tax Act. However, the IRS could issue additional clarification and additional changes could be made to the final issuance of the Regulations. If our government contracts are terminated, if we are suspended from government work, or if our ability to compete for new contracts is adversely affected, our business could suffer. We derive a portion of our revenue from direct and indirect sales to U.S., state, local and foreign governments and their respective agencies. Such contracts are subject to various procurement laws and regulations, and contract provisions relating to their formation, administration and performance. Failure to comply with these laws, regulations or provisions in our government contracts could result in the imposition of various civil and criminal penalties, termination of contracts, forfeiture of profits, suspension of payments or suspension of future government contracting. Following the 2017 cybersecurity incident, our government contracts received enhanced scrutiny and negative media attention that resulted in the suspension of one of our contracts. If we are unable to repair the reputational damage caused by the 2017 cybersecurity incident and ensure the security of the data we maintain, our ability to maintain our existing and acquire new government contracts may be substantially impacted. Also, the government programs to which we provide services, or which are the bases of compliance services we provide non-governmental clients, including, in particular, the employer requirements under the Affordable Care Act, may be terminated or substantially altered by the government and our services would no longer be needed. If our government contracts are terminated, if we are suspended from government work, if the services we provide are no longer needed due to government program change or termination, or if our ability to compete for new contracts is adversely affected, our business could suffer. Third parties may claim that we are infringing on their intellectual property and we could suffer significant litigation or licensing expenses or be prevented from selling products or services. There has been substantial litigation in the U.S. regarding intellectual property rights in the information technology industry. From time to time, third parties may claim that one or more of our products or services infringe their intellectual property rights. We analyze and take action in response to such claims on a case by case basis. Any dispute or litigation regarding patents or other intellectual property could be costly and time-consuming due to the complexity of our technology and the uncertainty of intellectual property litigation, could divert our management and key personnel from our business operations and we may not prevail. A claim of intellectual property infringement could force us to enter into a costly or restrictive license agreement, which might not be available under acceptable terms or at all, or could subject us to significant damages or to an injunction against development and sale of certain of our products or services. Our intellectual property portfolio may not be useful in asserting a counterclaim, or negotiating a license, in response to a claim of intellectual property infringement. In certain of our businesses we rely on third-party intellectual property licenses and we cannot ensure that these licenses will be available to us in the future on favorable terms or at all. Although our policy is to obtain licenses or other rights where necessary, we cannot provide assurance that we have obtained all required licenses or rights. Third parties may misappropriate or infringe on our intellectual property and we may suffer competitive injury or expend significant resources enforcing our rights. Our success increasingly depends on our proprietary technology. We rely on various intellectual property rights, including patents, copyrights, database rights, trademarks and trade secrets, as well as contract restrictions, confidentiality provisions and licensing arrangements, to establish our proprietary rights. The extent to which such rights can be protected varies in different jurisdictions. If we do not enforce our intellectual property rights successfully our competitive position may suffer which could harm our operating results. Our pending patent and trademark applications may not be allowed or competitors may challenge the validity or scope of our intellectual property rights. In addition, our patents, copyrights, trademarks and other intellectual property rights may not provide us a significant competitive advantage. We may need to devote significant resources, including cybersecurity resources, to monitoring our intellectual property rights and we may or may not be able to detect misappropriation or infringement by third parties. Our competitive position may be harmed if we cannot detect misappropriation or infringement and enforce our intellectual property rights quickly or at all. In some circumstances, enforcement may not be available to us because a third party has a dominant intellectual property position or for other business reasons. In addition, competitors might avoid infringement by designing around our intellectual property rights or by developing non-infringing competing technologies. Intellectual property rights and our ability to enforce them may be unavailable or limited in some countries which could make it easier for competitors to capture market share and could result in lost revenue. The U.K.’s impending departure from the EU could adversely affect us. The outcome of the 2016 referendum on the U.K.’s membership in the EU approving the exit of the U.K. from the EU (referred to as “Brexit”) could cause disruptions to and create uncertainty surrounding our business, including affecting our relationships with our existing and future customers, suppliers and employees, which could have an adverse effect on our business, financial results and operations. The effects of any Brexit will depend on its terms. In addition, developments regarding Brexit may also create global economic uncertainty, which may cause our clients to closely monitor their costs and reduce their spending on our solutions and services. A downgrade to our credit ratings would increase our cost of borrowing under our credit facility and adversely affect our ability to access the capital markets. We are party to a $1.10 billion five-year unsecured revolving credit facility with a group of financial institutions that matures in September 2023 (the “Revolver”). The Revolver replaced the Company’s previous $900 million unsecured revolving credit facility that was scheduled to mature in November 2020. The cost of borrowing under the Revolver and our ability and the terms under which we may access the credit markets are affected by credit ratings assigned to our indebtedness by the major credit rating agencies. These ratings are premised on our performance under assorted financial metrics, such as leverage and interest coverage ratios and other measures of financial strength, business and financial risk, industry conditions, transparency with rating agencies and timeliness of financial reporting. Our current ratings have served to lower our borrowing costs and facilitate access to a variety of lenders. However, there can be no assurance that our credit ratings or outlook will not be lowered in the future in response to adverse changes in these metrics caused by our operating results or by actions that we take that reduce our profitability or that require us to incur additional indebtedness for items such as substantial cash acquisitions, significant increases in costs and capital spending in security and IT systems, significant costs related to settlements of litigation or regulatory requirements, or by returning excess cash to shareholders through dividends or under our share repurchase program. A downgrade of our credit ratings would increase our cost of borrowing under the Revolver, negatively affect our ability to access the capital markets on advantageous terms, or at all, negatively affect the trading price of our securities and have a significant negative impact on our business, financial condition and results of operations. We may not be able to borrow under our revolving credit facility and Receivables Facility. We are party to a $225.0 million, two-year receivables funding facility (the “Receivables Facility”) as well as the Revolver. Our Revolver and Receivables Facility have representations, covenants, financial covenants and events of default which may limit our ability to borrow under such debt obligations. Any breach of a representation or failure to comply with any covenant or financial covenant or the occurrence of any event of default under the Revolver or the Receivables Facility could result in a prohibition of further borrowings under the Revolver and Receivables Facility or acceleration of any obligations outstanding thereunder. Any event of default under the Revolver or Receivables Facility could result in a cross default under our other outstanding debt obligations. Changes in interest rates could adversely affect our cost of capital and net income. Rising interest rates, credit market dislocations and decisions and actions by credit rating agencies can affect the availability and cost of our funding and adversely affect our net income. Our business will suffer if we are not able to retain and hire key personnel. Our future success, including our ability to implement our technology transformation strategy, depends partly on the continued service of our key development, sales, marketing, executive and administrative personnel. Additionally, increased retention risk exists in certain key areas of our operations, such as IT and security, which require specialized skills, such as maintenance of certain legacy computer systems, data security experts and analytical modelers. If we fail to retain and hire a sufficient number of these personnel, we will not be able to maintain or expand our business. As part of our technology transformation strategy, we have hired a significant number of new employees and contract employees. Hiring, training, motivating, retaining and managing employees with the skills required is time-consuming and expensive. If we are not able to hire sufficient employees to support our technology transformation, or to train, motivate, retain and manage the employees we do hire, it could have a material adverse effect on our business operations or financial results. We believe our pay levels are competitive within the regions in which we operate. However, there is also intense competition for certain highly technical specialties in geographic areas where we continue to recruit, and it may become more difficult to retain our key employees. Our retirement and post-retirement pension plans are subject to financial market risks that could adversely affect our future results of operations and cash flows. We have significant retirement and post-retirement pension plan assets and obligations. The performance of the financial markets and interest rates impact our plan expenses and funding obligations. Significant decreases in market interest rates, decreases in the fair value of plan assets and investment losses on plan assets will increase our funding obligations, and adversely impact our results of operations and cash flows. We are subject to a variety of other general risks and uncertainties inherent in doing business. In addition to the specific factors discussed above, we are subject to risks that are inherent to doing business. These include growth rates, general economic and political conditions, customer satisfaction with the quality of our services, costs of obtaining insurance, changes in unemployment rates, and other events that can impact revenue and the cost of doing business. ITEM 1B.
Removed paragraphs (8325 words)
ITEM 1A. RISK FACTORS All of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. The risks described below are not the only ones facing us. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations. This Form 10-K also contains forward-looking statements and estimates that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of specific factors, including the risks and uncertainties described below. Security breaches like the cybersecurity incident announced in September 2017 and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of consumers. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Despite our substantial investment in physical and technological security measures, employee training and contractual precautions, our information technology networks and infrastructure (or those of our third-party vendors and other service providers) are vulnerable to unauthorized access to data or breaches of confidential information due to criminal conduct, attacks by hackers, employee or insider malfeasance and/or human error. In 2017, we were the target of a cybersecurity attack that involved the theft of certain personally identifiable information of U.S., Canadian and U.K. consumers. As a result of an ongoing analysis of data stolen in the 2017 cybersecurity incident, the Company recently announced that it was able to identify approximately 2.4 million U.S. consumers whose name and partial driver's license information were stolen, but who were not in the affected population of approximately 145.5 million consumers previously identified by the Company in 2017. The Company is in the process of notifying these additional consumers. It is possible that further analysis will identify additional consumers affected or additional types of data accessed, which could result in additional notifications and negative publicity. Following the cybersecurity incident, we began undertaking significant remediation efforts and other steps to enhance our data security infrastructure. In connection with these efforts, we have incurred significant costs and expect to incur additional significant costs as we take further steps to prevent unauthorized access to our systems and the data we maintain. The actions we have taken are based on our investigation of the causes of the cybersecurity incident, but there will be additional changes needed to prevent a similar incident. We cannot assure that all potential causes of the incident have been identified and remediated and will not occur again. Because our products and services involve the storage and transmission of personal information of consumers, we will continue to routinely be the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. Insider or employee cyber and security threats are also a significant concern for all companies, including ours. In addition, the 2017 cybersecurity incident may embolden individuals or groups to target our systems. We must continuously monitor and develop our information technology networks and infrastructure to prevent, detect, address and mitigate the risk of unauthorized access, misuse, computer viruses and other events that could have a security impact. If we experience additional breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure or other loss of information could subject us to significant additional litigation, regulatory fines, penalties, losses of customers or reputational damage, any of which could have a significant negative impact on our cash flows, competitive position, financial condition or results of operations. We expect our insurance coverage will not be adequate to compensate us for all losses that may occur due to the 2017 cybersecurity incident and we cannot ensure that our insurance policies in the future will be adequate to cover losses from any future failures. In addition, our third-party insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention. The government investigations and litigation resulting from the 2017 cybersecurity incident will continue to adversely impact our business and results of operations. As a result of the 2017 cybersecurity incident, we are currently a party to a consolidated multi-district consumer class action lawsuit and a consolidated multi-district financial institution class action lawsuit, as well as securities class action lawsuits, shareholder derivative litigation and other lawsuits and claims allegedly arising out of the cybersecurity incident seeking monetary damages or other relief. A number of U.S. federal, state, local and foreign governmental officials and agencies, including Congressional committees, the FTC, the CFPB, the SEC, the U.S. Department of Justice and state attorneys general offices in the U.S., the FCA in the U.K. and the Office of the Privacy Commissioner in Canada, continue to investigate events related to the 2017 cybersecurity incident, including how it occurred, the consequences thereof and our response thereto. Additional lawsuits, investigations and reports related to the 2017 cybersecurity incident may be filed, commenced or issued. The claims and investigations have resulted in the incurrence of significant external and internal legal costs and expenses and reputational damage to our business and are expected to continue throughout 2018 and beyond. The resolution of these matters may result in damages, costs, fines or penalties substantially in excess of our insurance coverage, which, depending on the amount, could have a material adverse effect on our liquidity or compliance with our credit agreements. If such damages, costs, fines or penalties were great enough that we could not pay them through funds generated from operating activities and/or cause a default under our revolving credit facility, we may be forced to renegotiate or obtain a waiver under our revolving credit facility and/or seek additional debt or equity financing. Such renegotiation or financing may not be available on acceptable terms, or at all. In these circumstances, if we were unable to obtain sufficient financing, we may not be able to meet our obligations as they come due. The outcome of such claims and investigations could also adversely affect or cause us to change how we operate our business. The governmental agencies investigating the cybersecurity incident may seek to impose injunctive relief, consent decrees, or other civil or criminal penalties, which could, among other things, impact our ability to collect and use consumer information, materially increase our data security costs and/or otherwise require us to alter how we operate our business. Any legislative or regulatory changes adopted in reaction to the cybersecurity incident or other companies’ data breaches could require us to make modifications to the operation of our business that could have an adverse effect and/or increase or accelerate our compliance costs. Furthermore, these matters necessitate significant attention by management, which may divert the focus of management from the operation of our business resulting in an adverse impact on our results of operations. The cybersecurity incident and the adverse publicity that followed have had a negative impact on our reputation, and we cannot assure it will not have a long-term effect on our relationships with our customers, our revenue and our business. Our revenue growth in 2017 as compared to 2016 was negatively impacted by the cybersecurity incident. Certain of our customers have determined to defer or cancel new contracts or projects and others could consider such actions unless and until we can provide assurances regarding our ability to prevent unauthorized access to our systems and the data we maintain. Many of our customers are requiring security audits of our systems and any negative results of such audits may cause further losses of customers. In addition, some of our current and potential customers and the contracts governing certain customer relationships, as well as certain of our data suppliers, require us to maintain International Organization for Standardization (“ISO”) certifications, such as ISO 27001 certification, that specify requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. Due to the 2017 cybersecurity incident, certain of our ISO certifications have been suspended and we will be required to take additional remediation steps to retain such certifications, which efforts may not be successful. Additionally, certain of our payment card industry certifications have been suspended which could result in fines and loss of access to data if we are not able to complete the necessary remediation steps to retain these certifications, which would adversely affect our ability to offer certain products to customers. If we are unable to demonstrate the security of our systems and the data we maintain and rebuild the trust of our customers, consumers and data suppliers, and if further negative publicity continues, we could experience a substantial negative impact on our business. The loss of access to credit, employment, financial and other data from external sources could harm our ability to provide our products and services. We rely extensively upon data from external sources to maintain our proprietary and non-proprietary databases, including data received from customers, strategic partners and various government and public record sources. This data includes the widespread and voluntary contribution of credit data from most lenders in the U.S and many other markets as well as the contribution of data under proprietary contractual agreements, such as employers’ contribution of employment and income data to The Work Number, financial institutions’ contribution of individual financial data to IXI, and telecommunications, cable and utility companies’ contribution of payment and fraud data to the National Cable, Telecommunications and Utility Exchange. For a variety of reasons, including concerns of data furnishers arising out of the 2017 cybersecurity incident, legislatively or judicially imposed restrictions on use, additional security breaches or competitive reasons, our data sources could withdraw, delay receipt of or increase the cost of their data provided to us. Where we currently have exclusive use of data, the providers of the data sources could elect to make the information available to competitors. We also compete with several of our third-party data suppliers. If a substantial number of data sources or certain key data sources were to withdraw or be unable to provide their data, if we were to lose access to data due to government regulation, if we lose exclusive right to the use of data, or if the collection, disclosure or use of data becomes uneconomical, our ability to provide products and services to our clients could have a significant negative impact, which could result in decreased revenue, net income and earnings per share and reputational loss. There can be no assurance that we would be able to obtain data from alternative sources if our current sources become unavailable. Negative changes in general economic conditions, including interest rates, unemployment rates, income, home prices, investment values and consumer confidence, could adversely affect us. Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions, including the demand and availability of affordable credit and capital, the level and volatility of interest rates, inflation, employment levels, consumer confidence and housing demand, both inside and outside the U.S. Business customers use our credit information and related analytical services and data to process applications for new credit cards, automobile loans, home and equity loans and other consumer loans, and to manage their existing credit relationships. Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity. Bank and other lenders’ willingness to extend credit is adversely affected by elevated consumer delinquency and loan losses in a weak economy. Consumer demand for credit (i.e., rates of spending and levels of indebtedness) also tends to grow more slowly or decline during periods of economic contraction or slow economic growth. Our customer base suffers when financial markets experience volatility, illiquidity and disruption, which has occurred in the past and which could reoccur, and the potential for increased and continuing disruptions going forward presents considerable risks to our business and revenue. High or rising rates of unemployment and interest, declines in income, home prices or investment values, lower consumer confidence and reduced access to credit adversely affect demand for our products and services, and consequently our revenue and results of operations, as consumers may postpone or reduce their spending and use of credit, and lenders may reduce the amount of credit offered or available. Our markets are highly competitive and new product introductions and pricing strategies being offered by our competitors could decrease our sales and market share or require us to enhance our products and services or reduce our prices in a manner that reduces our operating margins. We operate in a number of geographic, product and service markets that are highly competitive. Competitors may develop products and services that are superior to or that achieve greater market acceptance than our products and services. The size of our competitors varies across market segments, as do the resources we have allocated to the segments we target. Therefore, some of our competitors may have significantly greater financial, technical, marketing or other resources than we do in one or more of our market segments, or overall. As a result, our competitors may be in a position to respond more quickly than we can to new or emerging technologies and changes in customer requirements, or may devote greater resources than we can to the development, enhancement, promotion, sale and support of products and services, or some of our customers may develop products of their own that replace the products they currently purchase from us, which would result in lower revenue. In addition, many of our competitors have extensive consumer relationships, including relationships with our current and potential customers. Moreover, new competitors or alliances among our competitors may emerge and potentially reduce our market share, revenue or margins. We also sell our information to competing firms, and buy information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U.S. mortgage market. Changes in prices between competitors for this information and/or changes in the design or sale of tri-bureau versus single bureau product offerings may affect our revenue or profitability. Some of our competitors may choose to sell products that compete with ours at lower prices by accepting lower margins and profitability, or may be able to sell products competitive to ours at lower prices, individually or as a part of integrated suites, given proprietary ownership of data, technological superiority or economies of scale. Price reductions by our competitors could negatively impact our margins and results of operations and could also harm our ability to obtain new customers on favorable terms. Historically, certain of our key products have experienced declines in per unit pricing due to competitive factors and customer demand. Since a significant portion of our operating expenses is relatively fixed in nature due to sales, information technology and development and other costs, if we were unable to respond quickly enough to changes in competition or customer demand, we could experience further reductions in our operating margins. Our relationships with key long-term customers may be materially diminished or terminated We have long-standing relationships with a number of our customers, many of whom could unilaterally terminate their relationship with us or materially reduce the amount of business they conduct with us at any time. Many of our material customer agreements can be terminated by the customer for convenience on advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors. We also provide our services to business partners who may combine them with their own or other branded services to be offered as a bundle to consumers, governmental agencies and businesses in support of fraud or credit protection, credit monitoring, identity authentication, insurance or credit underwriting, and collections. Some of these partners are the largest providers of credit information or identity protection services to the consumer market. Market competition, business requirements, financial condition and consolidation through mergers or acquisitions, could adversely affect our ability to continue or expand our relationships with our customers and business partners. There is no guarantee that we will be able to retain or renew existing agreements, maintain relationships with any of our customers or business partners on acceptable terms or at all, or collect amounts owed to us from insolvent customers or business partners. The loss of one or more of our major customers or business partners could adversely affect our business, financial condition and results of operations. If we do not introduce successful new products, services and analytical capabilities in a timely manner, or if the market does not adopt our new services, our competitiveness and operating results will suffer. We generally sell our products in industries that are characterized by rapid technological changes, frequent new product and service introductions and changing industry standards. In addition, certain of the markets in which we operate are seasonal and cyclical. Without the timely introduction of new products, services and enhancements, our products and services will become technologically or commercially obsolete over time, in which case our revenue and operating results would suffer. The success of our new products and services will depend on several factors, including our ability to properly identify customer needs; innovate and develop new technologies, services and applications; successfully commercialize new technologies in a timely manner; produce and deliver our products in sufficient volumes on time; differentiate our offerings from competitor offerings; price our products competitively; anticipate our competitors’ development of new products, services or technological innovations; and control product quality in our product development process. Our resources have to be committed to any new products and services before knowing whether the market will adopt the new offerings. In addition, our management is and will continue to be intensely focused on enhancing our security measures and responding to consumer and customer concerns relating to the 2017 cybersecurity incident and may not be able to devote sufficient time to new product development, which could cause us to be less competitive as compared to our peers, lose out on new revenue opportunities and have an adverse effect on our growth and our business. The demand for some of our products and services may be negatively impacted to the extent the availability of free or less expensive consumer information increases. Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, particularly through the internet, and this trend is expected to continue. In addition, governmental agencies in particular have increased the amount of information to which they provide free public access and these or other sources of free or relatively inexpensive consumer information from competitors or other commercial sources may reduce demand for our services, particularly in our USIS and Global Consumer Solutions business units. Recently, there also has been an increase in companies offering free or low-cost direct to consumer credit services (such as credit scores, reports and monitoring) as part of alternative business models that use such services as a means to introduce consumers to other products and services. To the extent that our customers choose not to obtain services from us and instead rely on information obtained at no cost or relatively inexpensively from these other sources, our business, financial condition and results of operations may be adversely affected. Due to the 2017 cybersecurity incident and our provision of free services to consumers in connection therewith, we ceased the advertisement and sale of new products in our direct to consumer business, which resulted in a significant decline in revenue in that business. Furthermore, in late January 2018, we began offering a new credit lock service, Lock & AlertTM, that is free for life and is aimed at empowering consumers to control access to their Equifax credit file directly and quickly from their smartphone or computer. We expect services like our Lock & AlertTM to continue to increase, thereby eliminating the market for many consumer direct products and services. As a result of these factors, we expect that revenue from our direct to consumer business will continue to decline. Additionally, if a significant number of consumers lock or freeze their file, our population of data is reduced which could affect our product offerings and value to our customers in our other businesses. If we experience system constraints or failures, or our customers do not modify and/or upgrade their systems to accept new releases of our products and services, our services to our customers could be delayed or interrupted, which could result in lost revenues or customers, lower margins, or other harm to our business and reputation. We depend on reliable, stable, efficient and uninterrupted operation of our technology network, systems, and data centers to provide service to our customers. Many of the services and systems upon which we rely have been outsourced to third parties. In addition, many of our revenue streams are dependent on links to third party telecommunications providers. These systems and operations, and the personnel that support, service and operate these systems, could be exposed to interruption, damage or destruction from power loss, telecommunication failures, computer viruses, denial-of-service attacks, employee or insider malfeasance, human error, fire, natural disasters, war, terrorist acts or civil unrest. We may not have sufficient disaster recovery or redundant operations in place to cover a loss or failure of systems or telecommunications links in a timely manner. In addition, we will continue to be intensely focused on enhancing our data security infrastructure and implementation of those enhancements could result in service interruptions. Any significant delay or interruption could result in lost revenues or customers, lower margins, or other significant harm to our business or reputation. We and our customers are subject to various current laws and governmental regulations, and could be affected by new laws or regulations, including as a result of the 2017 cybersecurity incident, compliance with which may cause us to incur significant expenses and change our business practices, and if we fail to maintain satisfactory compliance with certain regulations, we could be subject to civil or criminal penalties. We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy, data and financial protection. See Item 1. Business - "Governmental Regulation" in this Form 10-K for a summary of the U.S. and foreign consumer and data protection laws and regulations to which we are subject. These regulations are complex, change frequently, have tended to become more stringent over time, and are subject to administrative interpretation and judicial construction in ways that could harm our business. Furthermore, we expect there to be an increased focus on laws and regulations related to our business because of the great public concern in the U.S. with regard to the operation of credit reporting agencies, as well as the collection, use, accuracy, correction and sharing of personal information, which was heightened by the 2017 cybersecurity incident. For example, there are a number of legislative proposals pending before the U.S. Congress, various state legislative bodies and foreign governments concerning data protection due to our 2017 cybersecurity incident and other high-profile breaches that could affect us and the President of the United States could act by Executive Order. In addition, a growing number of legislative and regulatory bodies have adopted consumer notification and other requirements in the event that consumer information is accessed by unauthorized persons and additional regulations regarding the use, access, accuracy and security of such data are possible. In the U.S., state laws provide for disparate notification regimes, all of which we are subject to. Further, any perception that our practices or products are an invasion of privacy, whether or not consistent with current or future regulations and industry practices, may subject us to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability. We devote substantial compliance, legal and operational business resources to facilitate compliance with applicable regulations and requirements. In the future, we may be subject to significant additional expense to ensure continued compliance with applicable laws and regulations and to investigate, defend or remedy actual or alleged violations. Additionally, we cooperate with CFPB supervisory examinations and respond to other state, federal and foreign government investigations of our business practices. Any failure by us to comply with, or remedy any violations of, applicable laws and regulations could result in the curtailment of certain of our operations, the imposition of fines and penalties, liability to private plaintiffs as a result of individual or class action litigation, restrictions on our ability to carry on or expand our operations, and reputational harm. In addition, because many of our products are regulated or sold to customers in various industries, we must comply with additional regulations in marketing our products. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on customers' adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. We cannot predict the ultimate impact on our business of new or proposed CFPB, FCA or other rules, supervisory examinations or government investigations or enforcement actions. The following legal and regulatory developments also could have a substantial negative impact on our business, financial condition or results of operations: • amendment, enactment or interpretation of laws and regulations that restrict the access and use of personal information and reduce the availability or effectiveness of our solutions or the supply of data available to customers; • changes in cultural and consumer attitudes in favor of further restrictions on information collection and sharing, which may lead to regulations that prevent full utilization of our solutions; • failure of data suppliers or customers to comply with laws or regulations, where mutual compliance is required; • failure of our solutions to comply with current laws and regulations; and • failure of our solutions to adapt to changes in the regulatory environment in an efficient, cost effective manner. For example, Ecuador passed a law in December 2017 that, if implemented, would effectively prohibit us from operating as a credit bureau within Ecuador unless we are selected to operate under contract to serve the public authority that the new law tasks with providing such services. These laws and regulations (as well as actions that may be taken by legislatures and regulatory bodies in other countries) and the consequences of any violation could limit our ability to pursue business opportunities we might otherwise consider engaging in, impose additional costs on us, result in significant loss of revenue, result in significant restitution and fines, impact the value of assets we hold, or otherwise adversely affect our business. See “Item 1. Business - Governmental Regulation” and “Item 3. Legal Proceedings” in this Form 10-K. Regulatory oversight of our contractual relationships with certain of our customers may adversely affect our business. The federal banking agencies, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the CFPB, as well as many state banking agencies have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider’s business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain “critical activities.” In light of this guidance, our existing or potential bank and financial services customers subject to this guidance may continue to revise their third-party risk management policies and processes and the terms on which they do business with us, which may adversely affect our relationship with such customers. In response to the 2017 cybersecurity incident, we also have been contacted by state banking regulators seeking to examine our practices as a third-party service provider to the entities that they regulate. It is possible that these or similar examinations by federal or state banking regulators could lead to adverse changes in our customer relationships. Economic, political and other risks associated with international sales and operations could adversely affect our results of operations. Sales outside the U.S. comprised 29% of our operating revenue in 2017. As a result, our business is subject to various risks associated with doing business internationally. In addition, many of our employees, suppliers, job functions and facilities are located outside the U.S. Accordingly, our future results could be harmed by a variety of factors including: • changes in specific country or region political, economic or other conditions; • trade protection measures; • data privacy and consumer protection regulations; • difficulty in staffing and managing widespread operations; • differing labor, intellectual property protection and technology standards and regulations; • business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions; • difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner; • implementation of exchange controls; • geopolitical instability, including terrorism and war; • foreign currency changes; • increased travel, infrastructure, legal and compliance costs of multiple international locations; • foreign laws and regulatory requirements; • terrorist activity, natural disasters and other catastrophic events; • restrictions on the import and export of technologies; • difficulties in enforcing contracts and collecting accounts receivable; • longer payment cycles; • failure to meet quality standards for outsourced work; • unfavorable tax rules; • the presence and acceptance of varying level of business corruption in international markets; and • varying business practices in foreign countries We earn revenue, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar, including among others the British pound, the Australian dollar, the Canadian dollar, the Argentine peso, the Chilean peso, the Euro, the New Zealand dollar, the Costa Rican colon, the Singapore dollar, the Brazilian real, the Russian ruble and the Indian rupee. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenue, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, increases or decreases in the value of the U.S. dollar against major currencies will affect our operating revenues, operating income and the value of balance sheet items denominated in foreign currencies. In 2017, a general weakening of foreign currencies in countries where we have operations against the U.S. dollar had a negative impact on our results as reported in U.S. dollars. See “Segment Financial Results - International - Asia Pacific,” “ - Europe,” “ -Latin America,” and “- Canada” and “Effects of Inflation and Changes in Foreign Currency Exchange Rates” in the Management’s Discussion and Analysis section of this Form 10-K. Because of the geographic diversity of our operations, weaknesses in some currencies might be offset by strengths in others over time. We generally do not mitigate the risks associated with fluctuating exchange rates, although we may from time to time through forward contracts or other derivative instruments hedge a portion of our translational foreign currency exposure or exchange rate risks associated with material transactions which are denominated in a foreign currency. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Accordingly, fluctuations in foreign currency exchange rates, particularly the strengthening of the U.S. dollar against major currencies, may materially affect our consolidated financial results. We also have a cost method investment in a credit information company in Brazil valued in Brazilian reais. Economic and competition risks within Brazil, and the company’s ability to successfully implement its strategic and operating plans, have had an adverse financial impact on the value of our investment and could result in an additional impairment of the investment. Compliance with applicable U.S. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, labor laws and anti-competition relations increases the cost of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors or agents could nevertheless occur. We are regularly involved in claims, suits, government investigations, supervisory examinations and other proceedings that may result in adverse outcomes. In addition to what we are currently experiencing due to the 2017 cybersecurity incident, we are regularly involved in claims, suits, government investigations, supervisory examinations and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits. Such claims, suits, government investigations and proceedings are inherently uncertain and their results cannot be predicted with certainty. Regardless of their outcome, such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties, or sanctions, as well as judgments, consent decrees, or orders preventing us from offering certain features, functionalities, products, or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results, and financial condition. The FCRA contains an attorney fee shifting provision to provide an incentive for consumers to bring individual and class action lawsuits against a CRA for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years. We rely, in part, on acquisitions, joint ventures and other alliances to grow our business and expand our geographic reach. The acquisition, integration or divestiture of businesses by us may not produce the expected financial, operating results or IT and data security profile we expect. In addition, if we are unable to make acquisitions or successfully develop and maintain joint ventures and other alliances, our growth may be adversely impacted. Historically, we have relied, in part, on acquisitions, joint ventures and other alliances to grow our business. Over the past several years, we have acquired many smaller businesses in the U.S. and across the world. Furthermore, during 2016, we acquired Veda, the leading provider of credit information and analysis in Australia and New Zealand, for cash consideration plus debt assumed of approximately $1.9 billion. In January 2014, we acquired TDX, a debt placement service and debt management platform company in the United Kingdom for approximately $323 million. Acquisitions may not be completed on favorable terms, and the expected benefits, synergies and growth from these initiatives may not materialize as planned. We may have difficulty assimilating new businesses and their products, services, technologies, IT systems and personnel into our operations. IT and data security profiles of acquired companies may not meet the Equifax standard and may take longer to integrate and remediate than planned. This may result in significantly greater transaction costs for future acquisitions than we have experienced historically, or it could mean that we will not pursue certain acquisitions where the costs of integration and remediation are too significant. We may also have difficulty integrating and operating businesses in countries and geographies where we do not currently have a significant presence, and acquisitions of businesses having a significant presence outside of the U.S. will increase our exposure to risks of conducting operations in international markets. Similarly, any divestitures will be accompanied by risks commonly encountered in the sale of businesses. These difficulties could disrupt our ongoing business, distract our management and workforce, increase our expenses and adversely affect our operating results and financial condition. Despite our past experience, opportunities to grow our business through acquisitions, joint ventures and other alliances may not be available to us in the future. In addition, as a result of the 2017 cybersecurity incident and the resources and management attention required in connection therewith, there may be more limited resources available for acquisitions and management’s attention is likely to be diverted away from sourcing and developing potential acquisition and joint venture opportunities, resulting in decreased growth. Dependence on outsourcing certain portions of our operations may adversely affect our ability to bring products to market and damage our reputation. Dependence on outsourced information technology and other administrative functions may impair our ability to operate effectively. As part of our efforts to streamline operations and to reduce operating costs, we have outsourced various components of our application development, information technology, operational support and administrative functions and will continue to evaluate additional outsourcing. Although we have implemented service level agreements and have established monitoring controls, if our outsourcing vendors fail to perform their obligations in a timely manner or at satisfactory quality levels including with respect to data and system security, or increase prices for their services to unreasonable levels, our ability to bring products to market and support our customers, and our reputation could suffer. Any failure to perform on the part of these third-party providers could impair our ability to operate effectively and could result in lower future revenue, unrealized efficiencies and adversely impact our results of operations and our financial condition. Much of our outsourcing takes place in developing countries and, as a result, may be subject to geopolitical uncertainty. Changes in income tax laws can significantly impact our net income. Federal and state governments in the U.S. as well as a number of other governments around the world are currently facing significant fiscal pressures and have considered or may consider changes to their tax laws for revenue raising or economic competitiveness reasons. Changes to tax laws can have immediate impacts, either favorable or unfavorable, on our results of operations and cash flows, and may impact our competitive position versus certain competitors who are domiciled in other jurisdictions and subject to different tax laws. In December 2017, the U.S. enacted the Tax Cuts and Jobs Act of 2017 which will significantly impact our U.S. and global tax expense. The application of many provisions in the Tax Cuts and Jobs Act of 2017 are uncertain at this time. The impact on Equifax will not be fully known until further guidance is provided by the U.S. Treasury. If our government contracts are terminated, if we are suspended from government work, or if our ability to compete for new contracts is adversely affected, our business could suffer. We derive a portion of our revenue from direct and indirect sales to U.S., state, local and foreign governments and their respective agencies. Such contracts are subject to various procurement laws and regulations, and contract provisions relating to their formation, administration and performance. Failure to comply with these laws, regulations or provisions in our government contracts could result in the imposition of various civil and criminal penalties, termination of contracts, forfeiture of profits, suspension of payments, or suspension of future government contracting. Following the 2017 cybersecurity incident, our government contracts received enhanced scrutiny and negative media attention that resulted in the suspension of one of our contracts. If we are unable to repair the reputational damage cause by the 2017 cybersecurity incident and ensure the security of the data we maintain, our ability to maintain our existing and acquire new government contracts may be substantially impacted. Also, the government programs to which we provide services, or which are the basis of compliance services we provide non-governmental clients, including, in particular, the employer requirements under the Affordable Care Act, may be terminated or substantially altered by the government and our services would no longer be needed. If our government contracts are terminated, if we are suspended from government work, if the services we provide are no longer needed due to government program change or termination, or if our ability to compete for new contracts is adversely affected, our business could suffer. Third parties may claim that we are infringing on their intellectual property and we could suffer significant litigation or licensing expenses or be prevented from selling products or services. There has been substantial litigation in the U.S. regarding intellectual property rights in the information technology industry. From time to time, third parties may claim that one or more of our products or services infringe their intellectual property rights. We analyze and take action in response to such claims on a case by case basis. Any dispute or litigation regarding patents or other intellectual property could be costly and time-consuming due to the complexity of our technology and the uncertainty of intellectual property litigation, could divert our management and key personnel from our business operations and we may not prevail. A claim of intellectual property infringement could force us to enter into a costly or restrictive license agreement, which might not be available under acceptable terms or at all, or could subject us to significant damages or to an injunction against development and sale of certain of our products or services. Our intellectual property portfolio may not be useful in asserting a counterclaim, or negotiating a license, in response to a claim of intellectual property infringement. In certain of our businesses we rely on third-party intellectual property licenses and we cannot ensure that these licenses will be available to us in the future on favorable terms or at all. Although our policy is to obtain licenses or other rights where necessary, we cannot provide assurance that we have obtained all required licenses or rights. Third parties may misappropriate or infringe on our intellectual property and we may suffer competitive injury or expend significant resources enforcing our rights. Our success increasingly depends on our proprietary technology. We rely on various intellectual property rights, including patents, copyrights, database rights, trademarks and trade secrets, as well as contract restrictions, confidentiality provisions and licensing arrangements, to establish our proprietary rights. The extent to which such rights can be protected varies in different jurisdictions. If we do not enforce our intellectual property rights successfully our competitive position may suffer which could harm our operating results. Our pending patent and trademark applications may not be allowed or competitors may challenge the validity or scope of our intellectual property rights. In addition, our patents, copyrights, trademarks and other intellectual property rights may not provide us a significant competitive advantage. We may need to devote significant resources, including cybersecurity resources, to monitoring our intellectual property rights and we may or may not be able to detect misappropriation or infringement by third parties. Our competitive position may be harmed if we cannot detect misappropriation or infringement and enforce our intellectual property rights quickly or at all. In some circumstances, enforcement may not be available to us because a third party has a dominant intellectual property position or for other business reasons. In addition, competitors might avoid infringement by designing around our intellectual property rights or by developing non-infringing competing technologies. Intellectual property rights and our ability to enforce them may be unavailable or limited in some countries which could make it easier for competitors to capture market share and could result in lost revenue. The U.K’s impending departure from the EU could adversely affect us. The referendum on the U.K.’s membership in the EU (referred to as “Brexit”) approving the exit of the U.K. from the EU could cause disruptions to and create uncertainty surrounding our business, including affecting our relationships with our existing and future customers, suppliers and employees, which could have an adverse effect on our business, financial results and operations. While the referendum was non-binding, the U.K. parliament has voted in favor of allowing the government to commence negotiations to determine the future terms of the U.K.’s relationship with the EU, including the terms of trade between the U.K. and the EU and other nations. The effects of Brexit will depend on any agreements the U.K. makes to retain access to EU markets either during a transitional period or more permanently. In addition, developments regarding Brexit may also create global economic uncertainty, which may cause our clients to closely monitor their costs and reduce their spending on our solutions and services. A downgrade to our credit ratings would increase our cost of borrowing under our credit facility and adversely affect our ability to access the capital markets. We are party to a $900.0 million unsecured, revolving credit facility that matures in November 2020 and an $800.0 million term loan facility that matures in November 2018 (collectively, the “Senior Credit Facilities”). The cost of borrowing under the Senior Credit Facilities and our ability and the terms under which we may access the credit markets are affected by credit ratings assigned to our indebtedness by the major credit rating agencies. These ratings are premised on our performance under assorted financial metrics, such as leverage and interest coverage ratios and other measures of financial strength, business and financial risk, industry conditions, transparency with rating agencies and timeliness of financial reporting. Our current ratings have served to lower our borrowing costs and facilitate access to a variety of lenders. However, there can be no assurance that our credit ratings or outlook will not be lowered in the future in response to adverse changes in these metrics caused by our operating results or by actions that we take that reduce our profitability or that require us to incur additional indebtedness for items such as substantial cash acquisitions, significant increases in costs and capital spending in security and IT systems, significant costs related to settlements of litigation or regulatory requirements, or by returning excess cash to shareholders through dividends or under our share repurchase program. A downgrade of our credit ratings would increase our cost of borrowing under the Senior Credit Facilities, negatively affect our ability to access the capital markets on advantageous terms, or at all, negatively affect the trading price of our securities and have a significant negative impact on our business, financial condition and results of operations. We may not be able to borrow under our revolving credit facility and Receivables Facility. We are party to a $225.0 million, 2-year receivables funding facility ("the "Receivables Facility") as well as the Senior Credit Facilities. Our revolving credit facility and Receivables Facility have representations, covenants, financial covenants and events of default which may limit our ability to borrow under such debt obligations. Any breach of a representation or failure to comply with any covenant or financial covenant or the occurrence of any event of default under the Senior Credit Facilities or the Receivables Facility could result in a prohibition of further borrowings under the revolving credit facility and Receivables Facility or acceleration of any obligations outstanding thereunder. Any event of default under the Senior Credit Facilities or Receivables Facility could result in a cross default under our other outstanding debt obligations. Changes in interest rates could adversely affect our cost of capital and net income. Rising interest rates, credit market dislocations and decisions and actions by credit rating agencies can affect the availability and cost of our funding and adversely affect our net income. Our business will suffer if we are not able to retain and hire key personnel. Our future success depends partly on the continued service of our key development, sales, marketing, executive and administrative personnel. Additionally, increased retention risk exists in certain key areas of our operations, such as IT and security, which require specialized skills, such as maintenance of certain legacy computer systems, data security experts and analytical modelers. If we fail to retain and hire a sufficient number of these personnel, we will not be able to maintain or expand our business. Further, as a result of the cybersecurity incident we may suffer increased attrition. We believe our pay levels are competitive within the regions in which we operate. However, there is also intense competition for certain highly technical specialties in geographic areas where we continue to recruit, and it may become more difficult to retain our key employees. Our retirement and post-retirement pension plans are subject to financial market risks that could adversely affect our future results of operations and cash flows. We have significant retirement and post retirement pension plan assets and obligations. The performance of the financial markets and interest rates impact our plan expenses and funding obligations. Significant decreases in market interest rates, decreases in the fair value of plan assets and investment losses on plan assets will increase our funding obligations, and adversely impact our results of operations and cash flows. We are subject to a variety of other general risks and uncertainties inherent in doing business. In addition to the specific factors discussed above, we are subject to risks that are inherent to doing business. These include growth rates, general economic and political conditions, customer satisfaction with the quality of our services, costs of obtaining insurance, changes in unemployment rates, and other events that can impact revenue and the cost of doing business. ITEM 1B.
Current §1A text (2018)
Show full section (9366 words)
ITEM 1A. RISK FACTORS All of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. The risks described below are not the only ones facing us. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations. This Form 10-K also contains forward-looking statements and estimates that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of specific factors, including the risks and uncertainties described below. Security breaches like the 2017 cybersecurity incident and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of consumers. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Despite our substantial investment in physical and technological security measures, employee training and contractual precautions, our information technology networks and infrastructure (or those of our third-party vendors and other service providers) are potentially vulnerable to unauthorized access to data or breaches of confidential information due to criminal conduct, attacks by hackers, employee or insider malfeasance and/or human error. In 2017, we were the target of a cybersecurity attack that involved the theft of certain personally identifiable information of approximately 145.5 million U.S. consumers, approximately 19,000 Canadian consumers and approximately 860,000 U.K. consumers. In addition, we identified approximately 2.4 million U.S. consumers whose name and partial driver’s license information were stolen in the attack. While the forensic analysis of the 2017 cybersecurity incident is complete, it is possible that further analysis will identify additional consumers affected or additional types of data accessed, which could result in additional notifications and negative publicity. Following the 2017 cybersecurity incident, we began undertaking significant remediation efforts and other steps to enhance our data security infrastructure which are ongoing. In connection with these efforts, we have incurred significant costs and expect to incur additional significant costs as we continue to enhance our data security infrastructure and take further steps to prevent unauthorized access to our systems and the data we maintain. Despite these efforts, we cannot assure you that all potential causes of this incident have been identified and remediated and that similar cyber incidents will not occur in the future. Because our products and services involve the storage and transmission of personal information of consumers, we will continue to routinely be the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. As we transition to cloud-based technologies, we may be exposed to additional cyber threats as we migrate our data from our legacy systems to cloud-based solutions. Our increased dependence on third parties to store our cloud-based data systems may also subject us to further cyber threats. Insider or employee cyber and security threats are also a significant concern for all companies, including ours. In addition, the 2017 cybersecurity incident may embolden individuals or groups to target our systems. We must continuously plan, develop and monitor our information technology networks and infrastructure to identify, protect, detect, respond to and recover from the risk of unauthorized access, misuse, malware, phishing and other events that could have a security impact. If we experience additional breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure or other loss of information could subject us to significant additional litigation, regulatory fines, penalties, losses of customers or reputational damage, any of which could have a significant negative impact on our cash flows, competitive position, financial condition or results of operations. We cannot ensure that our insurance policies in the future will be adequate to cover losses from any future failures. Our $125.0 million cybersecurity insurance policy was not adequate to cover the losses we have incurred to date from the 2017 cybersecurity incident, and all future losses we incur as a result of the incident will not be covered by insurance. In addition, our insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention. The government investigations and litigation resulting from the 2017 cybersecurity incident will continue to adversely impact our business and results of operations. As a result of the 2017 cybersecurity incident, we are currently a party to a consolidated multi-district consumer class action lawsuit and a consolidated multi-district financial institution class action lawsuit, as well as a consolidated securities class action lawsuit, shareholder derivative litigation and other lawsuits and claims arising out of the 2017 cybersecurity incident seeking monetary damages or other relief. A number of U.S. federal, state, local and foreign governmental officials and agencies, including Congressional committees, the FTC, the CFPB, the SEC, the U.S. Department of Justice and state attorneys general offices in the U.S., the FCA in the U.K. and the Office of the Privacy Commissioner in Canada, continue to investigate events related to the 2017 cybersecurity incident, including how it occurred, the consequences thereof and our response thereto. While we believe it is beneficial to resolve the consolidated multi-district consumer class action and one or more of the government investigations in the U.S. through a global resolution, the complexity of achieving a multi-party resolution, especially involving multiple government agencies, makes this a difficult objective to achieve. We may not have success in achieving a global resolution or even a resolution of any of these matters individually. In addition, other lawsuits, investigations and reports related to the 2017 cybersecurity incident may be filed, commenced or issued. The claims and investigations have resulted in the incurrence of significant external and internal legal costs and expenses and reputational damage to our business and are expected to continue throughout 2019 and beyond. The resolution of these matters may result in damages, costs, fines or penalties substantially in excess of our insurance coverage, which, depending on the amount, could have a material adverse effect on our liquidity or compliance with our credit agreements. If such damages, costs, fines or penalties were great enough that we could not pay them through funds generated from operating activities and/or cause a default under our revolving credit facility, we may be forced to renegotiate or obtain a waiver under our revolving credit facility and/or seek additional debt or equity financing. Such renegotiation or financing may not be available on acceptable terms, or at all. In these circumstances, if we were unable to obtain sufficient financing, we may not be able to meet our obligations as they come due. The outcome of such claims and investigations could also adversely affect or cause us to change how we operate our business. Various governmental agencies investigating the 2017 cybersecurity incident are seeking to impose injunctive relief, consent decrees, and civil penalties, which could, among other things, impact our ability to collect and use consumer information, materially increase our data security costs, reduce available resources to invest in technology and innovation and/or otherwise require us to alter how we operate our business, and put us at a competitive disadvantage. Any legislative or regulatory changes adopted in reaction to the 2017 cybersecurity incident or other companies’ data breaches could require us to make modifications to the operation of our business that could have an adverse effect and/or increase or accelerate our compliance costs. Furthermore, these matters necessitate significant attention by management, which may divert the focus of management from the operation of our business resulting in an adverse impact on our results of operations. The 2017 cybersecurity incident and the adverse publicity that followed have had a negative impact on our reputation and our relationships with our customers, and we cannot assure that it will not have a long-term effect on our relationships with our customers, our revenue and our business. Our reputation with consumers and other stakeholders and our customer relationships were damaged following the 2017 cybersecurity incident, resulting in a negative impact on our revenue. Despite our progress made toward repairing our reputation and business relationships, if we are unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business. Additionally, following the 2017 cybersecurity incident, certain of our International Organization for Standardization (“ISO”) certifications, which specify requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system, were suspended. Additionally, certain of our payment card industry certifications were suspended. These certifications, including the ISO 27001 certification, are critical to our business, because certain of our current and potential customers and the contracts governing certain customer relationships, as well as certain of our data suppliers, require us to maintain them as a requirement of doing business. In 2018, significant focus was placed on remediation activities in order to obtain ISO and payment card industry re-certifications. We have reacquired three independent ISO/IEC 27001:2013 certifications (representing our Corporate, U.K. and Canada environments) and two of our payment card industry certifications (U.K. and Canada). In addition, we expect to obtain the USIS and GCS payment card industry re-certification in 2019. If we fail to maintain or regain these certifications, customers may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue. The failure to realize the anticipated benefits of our technology transformation strategy could adversely impact our business and financial results. We expect our technology transformation strategy, including our transition to cloud-based technologies, will significantly increase our efficiency and productivity, the functionality of our products and services, as well as decrease the cost of our systems infrastructure, all of which we expect will drive growth and have a positive effect on our business, competitive position and results of operations. This initiative is a major undertaking as we replace many of our previous operating systems with cloud-based systems. This complex, multifaceted and extensive initiative will be expensive and may cause material unanticipated problems and expenses. If our new systems do not operate as expected, we may have to incur significant additional costs to modify them. Moreover, we may experience issues of customer migration, as many of our customers may choose not to utilize our products and services during and after our transition to cloud-based technologies. We cannot assure you that our technology transformation strategy will be beneficial to the extent, or within the timeframes, expected, or that the estimated efficiency, cost savings and other improvements will be realized as anticipated or at all. Market acceptance of cloud-based offerings is affected by a variety of factors, including information security, reliability, performance, the sufficiency of technological infrastructure to support our products and services in certain geographies, customer concerns with entrusting a third party to store and manage its data as well as the customer’s ability to access this data once a contract has expired, and consumer concerns regarding data privacy and the enactment of laws or regulations that restrict our ability to provide such services to customers. If we are unable to correctly respond to these issues, we may experience business disruptions, damage to our reputation, negative publicity, diminished customer relationships and other adverse effects on our business. Even if the anticipated benefits and savings are substantially realized, there may be consequences, internal control issues or business impacts that were not expected. Our transition and migration to cloud-based technologies may increase our risk of liability and cause us to incur significant technical, legal or other costs. Our technology transformation strategy places a significant strain on our management, operational, financial and other limited resources. As part of our technology transformation strategy, we are transitioning and migrating our data systems from traditional data centers to cloud-based platforms. This initiative will place significant strain on our management, personnel, operations, systems, technical performance and financial resources and internal financial control and reporting function. In addition, many of our existing personnel do not have experience with native cloud-based technologies and, as a result, we have and will continue to hire personnel with such experience. This effort will be time consuming and costly. Our technology transformation strategy requires management time and resources to educate employees and implement new ways of conducting business. The dedication of resources to our technology transformation strategy and cloud-based technologies limits the resources we have available to devote to other initiatives or growth opportunities, or to invest in the maintenance of our existing internal systems. We cannot guarantee that our strategy is the right one or that investments in alternative technologies or other initiatives would not be a better use of our limited resources. Additionally, as a result of our migration efforts in connection with our technology transformation strategy, we may experience a loss of continuity, loss of accumulated knowledge or loss of efficiency during transitional periods. Reorganization and transition can require a significant amount of management and other employees’ time and focus, which may divert attention from operating activities and growing our business. If we fail to achieve some or all of the expected benefits of these activities, it could have a material adverse effect on our competitive position, business, financial condition, results of operations and cash flows. Our transition to cloud-based technologies could expose us to operational disruptions. We rely on the efficient and uninterrupted operation of complex information technology systems and networks, some of which are managed internally within the Company and some of which are outsourced to third parties. As part of our technology transformation strategy, we are upgrading the information technology systems used to operate our business and replacing them with cloud-based solutions. This transition will require substantial changes to our software and network infrastructure, which could lead to system interruptions, affect our data systems and further expose us to operational disruptions, and cause us to lose customers, all of which could have a material adverse effect on our results of operations. Upon implementation of the new cloud-based solutions, much of our information technology systems will consist of outsourced, cloud-based infrastructure, platform and software-as-a-service solutions not under our direct management or control. Any disruption to either the outsourced systems or the communication links between us and the outsourced supplier could negatively affect our ability to operate our data systems and could impair our ability to provide services to our customers. We may incur additional costs to remedy the damages caused by these disruptions. The loss of access to credit, employment, financial and other data from external sources could harm our ability to provide our products and services. We rely extensively upon data from external sources to maintain our proprietary and non-proprietary databases, including data received from customers, strategic partners and various government and public record sources. This data includes the widespread and voluntary contribution of credit data from most lenders in the U.S and many other markets as well as the contribution of data under proprietary contractual agreements, such as employers’ contribution of employment and income data to The Work Number®, financial institutions’ contribution of individual financial data to IXI, and telecommunications, cable and utility companies’ contribution of payment and fraud data to the National Cable, Telecommunications and Utility Exchange. For a variety of reasons, including concerns of data furnishers arising out of the 2017 cybersecurity incident, legislatively or judicially imposed restrictions on use, additional security breaches or competitive reasons, our data sources could withdraw, delay receipt of or increase the cost of their data provided to us. Where we currently have exclusive use of data, the providers of the data sources could elect to make the information available to competitors. We also compete with several of our third-party data suppliers. If a substantial number of data sources or certain key data sources were to withdraw or be unable to provide their data, if we were to lose access to data due to government regulation, if we lose exclusive right to the use of data, or if the collection, disclosure or use of data becomes uneconomical, our ability to provide products and services to our clients could have a significant negative impact, which could result in decreased revenue, net income and earnings per share and reputational loss. There can be no assurance that we would be able to obtain data from alternative sources if our current sources become unavailable. Negative changes in general economic conditions, including interest rates, unemployment rates, income, home prices, investment values and consumer confidence, could adversely affect us. Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions, including the demand and availability of affordable credit and capital, the level and volatility of interest rates, inflation, employment levels, consumer confidence and housing demand, both inside and outside the U.S. Business customers use our credit information and related analytical services and data to process applications for new credit cards, automobile loans, home and equity loans and other consumer loans, and to manage their existing credit relationships. Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity, which can be impacted by changes in interest rates. Bank and other lenders’ willingness to extend credit are adversely affected by elevated consumer delinquency and loan losses in a weak economy. Consumer demand for credit (i.e., rates of spending and levels of indebtedness) also tends to grow more slowly or decline during periods of economic contraction or slow economic growth. For example, in 2018, our revenue was negatively impacted in the U.S. by the weak mortgage market; in Argentina by the substantial weakening of the economy and local currency; in Australia by weak real estate and mortgage markets and overall weakness in consumer credit markets. Our customer base suffers when financial markets experience volatility, illiquidity and disruption and the potential for increased and continuing disruptions going forward presents considerable risks to our business and revenue. High or rising rates of unemployment and interest, declines in income, home prices or investment values, lower consumer confidence and reduced access to credit adversely affect demand for many of our products and services, and consequently our revenue and results of operations, as consumers may postpone or reduce their spending and use of credit, and lenders may reduce the amount of credit offered or available. Our markets are highly competitive and new product introductions and pricing strategies being offered by our competitors could decrease our sales and market share or require us to enhance our products and services or reduce our prices in a manner that reduces our operating margins. We operate in a number of geographic, product and service markets that are highly competitive. Competitors may develop products and services that are superior to or that achieve greater market acceptance than our products and services. The size of our competitors varies across market segments, as do the resources we have allocated to the segments we target. Therefore, some of our competitors may have significantly greater financial, technical, marketing or other resources than we do in one or more of our market segments, or overall. As a result, our competitors may be in a position to respond more quickly than we can to new or emerging technologies and changes in customer requirements, or may devote greater resources than we can to the development, enhancement, promotion, sale and support of products and services, or some of our customers may develop products of their own that replace the products they currently purchase from us, which would result in lower revenue. In addition, many of our competitors have extensive consumer relationships, including relationships with our current and potential customers. Moreover, new competitors or alliances among our competitors may emerge and potentially reduce our market share, revenue or margins. We also sell our information to competing firms, and buy information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U.S. mortgage market. Changes in prices between competitors for this information and/or changes in the design or sale of tri-bureau versus single bureau product offerings may affect our revenue or profitability. Some of our competitors may choose to sell products that compete with ours at lower prices by accepting lower margins and profitability, or may be able to sell products competitive to ours at lower prices, individually or as a part of integrated suites, given proprietary ownership of data, technological superiority or economies of scale. Price reductions by our competitors could negatively impact our margins and results of operations and could also harm our ability to obtain new customers on favorable terms. Historically, certain of our key products have experienced declines in per unit pricing due to competitive factors and customer demand. Since a significant portion of our operating expenses is relatively fixed in nature due to sales, information technology and development and other costs, if we were unable to respond quickly enough to changes in competition or customer demand, we could experience further reductions in our operating margins. Our relationships with key long-term customers may be materially diminished or terminated. We have long-standing relationships with a number of our customers, many of whom could unilaterally terminate their relationship with us or materially reduce the amount of business they conduct with us at any time. Many of our material customer agreements can be terminated by the customer for convenience on advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors. We also provide our services to business partners who may combine them with their own or other branded services to be offered as a bundle to consumers, governmental agencies and businesses in support of fraud or credit protection, credit monitoring, identity authentication, insurance or credit underwriting, and collections. Some of these partners are the largest providers of credit information or identity protection services to the consumer market. Market competition, business requirements, financial condition and consolidation through mergers or acquisitions, could adversely affect our ability to continue or expand our relationships with our customers and business partners. There is no guarantee that we will be able to retain or renew existing agreements, maintain relationships with any of our customers or business partners on acceptable terms or at all, or collect amounts owed to us from insolvent customers or business partners. The loss of one or more of our major customers or business partners could adversely affect our business, financial condition and results of operations. If we do not introduce successful new products, services and analytical capabilities in a timely manner, or if the market does not adopt our new services, our competitiveness and operating results will suffer. We generally sell our products in industries that are characterized by rapid technological changes, frequent new product and service introductions and changing industry standards. In addition, certain of the markets in which we operate are seasonal and cyclical. Without the timely introduction of new products, services and enhancements, our products and services will become technologically or commercially obsolete over time, in which case our revenue and operating results would suffer. The success of our new products and services will depend on several factors, including our ability to properly identify customer needs; innovate and develop new technologies, services and applications; successfully commercialize new technologies in a timely manner; produce and deliver our products in sufficient volumes on time; differentiate our offerings from competitor offerings; price our products competitively; anticipate our competitors’ development of new products, services or technological innovations; and control product quality in our product development process. Our resources have to be committed to any new products and services before knowing whether the market will adopt the new offerings. In addition, our management is and will continue to be intensely focused on enhancing our security measures and responding to consumer and customer concerns relating to the 2017 cybersecurity incident and may not be able to devote sufficient time or resources to new product development, which could cause us to be less competitive as compared to our peers, lose out on new revenue opportunities and have an adverse effect on our growth and our business. The demand for some of our products and services may be negatively impacted to the extent the availability of free or less expensive consumer information increases. Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, particularly through the internet, and this trend is expected to continue. In addition, governmental agencies in particular have increased the amount of information to which they provide free public access and these or other sources of free or relatively inexpensive consumer information from competitors or other commercial sources may reduce demand for our services, particularly in our USIS and Global Consumer Solutions business units. Recently, there also has been an increase in companies offering free or low-cost direct-to-consumer credit services (such as credit scores, reports and monitoring) as part of alternative business models that use such services as a means to introduce consumers to other products and services. To the extent that our customers choose not to obtain services from us and instead rely on information obtained at no cost or relatively inexpensively from these other sources, our business, financial condition and results of operations may be adversely affected. Due to the 2017 cybersecurity incident and our provision of free services to consumers in connection therewith, we ceased the advertisement and sale of new products in our direct-to-consumer business from September 2017 through October 2018, which resulted in a significant decline in revenue in that business. Furthermore, in late January 2018, we began offering a new credit lock service, Lock & Alert™, that is free for life and is aimed at empowering U.S. consumers to control access to their Equifax credit file directly and quickly from their smartphone or computer. Additionally, effective September 2018, federal law allows consumers to place freezes on their credit files at all credit bureaus including Equifax. If a significant number of consumers lock or freeze their file, our population of data is reduced which could affect our product offerings and value to our customers in our other businesses. If our systems do not meet customer requirements for response time or high availability, or we experience system constraints or failures, or our customers do not modify and/or upgrade their systems to accept new releases of our products and services, our services to our customers could be delayed or interrupted, which could result in lost revenues or customers, lower margins, or other harm to our business and reputation. We depend on reliable, stable, efficient and uninterrupted operation of our technology network, systems, and data centers to provide service to our customers. Many of the services and systems upon which we rely have been outsourced to third parties. In addition, many of our revenue streams are dependent on links to third party telecommunications providers. These systems and operations, and the personnel that support, service and operate these systems, could be exposed to interruption, damage or destruction from power loss, telecommunication failures, computer viruses, denial-of-service attacks, employee or insider malfeasance, human error, fire, natural disasters, war, terrorist acts or civil unrest. We may not have sufficient disaster recovery or redundant operations in place to cover a loss or failure of systems or telecommunications links in a timely manner. In addition, as part of our technology transformation, we continue to be intensely focused on enhancing our data security infrastructure and effecting our technology transformation strategy and implementation of those enhancements could result in service interruptions. Our customers expect high system availability and response time performance, as well as a very high degree of system resilience. Any significant system interruption or series of minor interruptions could result in the loss of customers and/or lost revenues, lower margins or other significant harm to our business or reputation. We and our customers are subject to various current laws and governmental regulations, and could be affected by new laws or regulations, including as a result of the 2017 cybersecurity incident, compliance with which may cause us to incur significant expenses and change our business practices, and if we fail to maintain satisfactory compliance with certain regulations, we could be subject to civil or criminal penalties. We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy, data and financial protection. See “Item 1. Business-Governmental Regulation” in this Form 10-K for a summary of the U.S. and foreign consumer and data protection laws and regulations to which we are subject. These regulations are complex, change frequently, have tended to become more stringent over time, and are subject to administrative interpretation and judicial construction in ways that could harm our business. Examples of such new laws and regulations include recent amendments to the FCRA requiring the provision of free credit freezes to consumers, new cybersecurity and other requirements promulgated by the New York Department of Financial Services and the passage of the California Consumer Protection Act. Furthermore, we expect there to be an increased focus on laws and regulations related to our business because of the great public concern in the U.S. with regard to the operation of credit reporting agencies, as well as the collection, use, accuracy, correction and sharing of personal information, which was in part heightened by the 2017 cybersecurity incident. There are a number of legislative proposals pending before the U.S. Congress, various state legislative bodies and foreign governments concerning data protection that could affect us and the President of the United States could act by Executive Order. In addition, a growing number of legislative and regulatory bodies have adopted consumer notification and other requirements in the event that consumer information is accessed by unauthorized persons and additional regulations regarding the use, access, accuracy and security of such data are possible. In the U.S., state laws provide for disparate notification regimes, all of which we are subject to. Further, any perception that our practices or products are an invasion of privacy, whether or not consistent with current or future regulations and industry practices, may subject us to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability. We devote substantial compliance, legal and operational business resources to facilitate compliance with applicable regulations and requirements. In the future, we may be subject to significant additional expense to ensure continued compliance with applicable laws and regulations and to investigate, defend or remedy actual or alleged violations. Additionally, we cooperate with CFPB supervisory examinations and respond to other state, federal and foreign government examinations of or inquiries of our business practices. Any failure by us to comply with, or remedy any violations of, applicable laws and regulations could result in the curtailment of certain of our operations, the imposition of fines and penalties, liability to private plaintiffs as a result of individual or class action litigation, restrictions on our ability to carry on or expand our operations and reputational harm. It is difficult to predict the impact on our business if we were subject to allegations of having violated existing laws. For example, in Europe, the GDPR, which includes extensive regulations for certain security incidents, could result in fines of up to four percent of annual worldwide “turnover” (a measure similar to revenues in the U.S.). In addition, because many of our products are regulated or sold to customers in various industries, we must comply with additional regulations in marketing our products. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on customers’ adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. We cannot predict the ultimate impact on our business of new or proposed CFPB, FCA or other rules, supervisory examinations or government investigations or enforcement actions. The following legal and regulatory developments also could have a substantial negative impact on our business, financial condition or results of operations: • amendment, enactment or interpretation of laws and regulations that restrict the access and use of personal information and reduce the availability or effectiveness of our solutions or the supply of data available to customers; • changes in cultural and consumer attitudes in favor of further restrictions on information collection and sharing, which may lead to regulations that prevent full utilization of our solutions; • failure of data suppliers or customers to comply with laws or regulations, where mutual compliance is required; • failure of our solutions to comply with current laws and regulations; and • failure of our solutions to adapt to changes in the regulatory environment in an efficient, cost effective manner. These laws and regulations (as well as actions that may be taken by legislatures and regulatory bodies in other countries) and the consequences of any violation could limit our ability to pursue business opportunities we might otherwise consider engaging in, impose additional costs on us, result in significant loss of revenue, result in significant restitution and fines, impact the value of assets we hold, or otherwise adversely affect our business. See “Item 1. Business-Governmental Regulation” and “Item 3. Legal Proceedings” in this Form 10-K. Regulatory oversight of our contractual relationships with certain of our customers may adversely affect our business. The federal banking agencies, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the CFPB, as well as many state banking agencies have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider’s business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain “critical activities.” In light of this guidance, our existing or potential bank and financial services customers subject to this guidance may continue to revise their third-party risk management policies and processes and the terms on which they do business with us, which may adversely affect our relationship with such customers. In 2018, we entered into a consent order with certain state banking regulators in response to their multi-state review of our information security program. This consent order obligates us to, among other things, make certain changes to our corporate governance and information security practices. If we are unable or otherwise fail to comply with this consent order, our ability to do business with financial institutions in those states could be impaired. It is possible that the consent order or other actions resulting from examinations by federal or state banking regulators could lead to adverse changes in our customer relationships. Economic, political and other risks associated with international sales and operations could adversely affect our results of operations. Sales outside the U.S. comprised 29% of our total revenue in 2018. As a result, our business is subject to various risks associated with doing business internationally. In addition, many of our employees, suppliers, job functions and facilities are located outside the U.S. Accordingly, our future results could be harmed by a variety of factors including: • changes in specific country or region political, economic or other conditions; • trade protection measures; • data privacy and consumer protection regulations; • difficulty in staffing and managing widespread operations; • differing labor, intellectual property protection and technology standards and regulations; • business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions; • difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner; • implementation of exchange controls; • geopolitical instability, including terrorism and war; • foreign currency changes; • increased travel, infrastructure, legal and compliance costs of multiple international locations; • foreign laws and regulatory requirements; • terrorist activity, natural disasters and other catastrophic events; • restrictions on the import and export of technologies; • difficulties in enforcing contracts and collecting accounts receivable; • longer payment cycles; • failure to meet quality standards for outsourced work; • unfavorable tax rules; • the presence and acceptance of varying level of business corruption in international markets; and • varying business practices in foreign countries We earn revenue, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar, including among others the British pound, the Australian dollar, the Canadian dollar, the Argentine peso, the Chilean peso, the Euro, the New Zealand dollar, the Costa Rican colon, the Singapore dollar, the Brazilian real, the Russian ruble and the Indian rupee. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenue, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, increases or decreases in the value of the U.S. dollar against major currencies will affect our operating revenues, operating income and the value of balance sheet items denominated in foreign currencies. In 2018, a general weakening of foreign currencies in countries where we have operations against the U.S. dollar had a negative impact on our results as reported in U.S. dollars. See “Segment Financial Results-International-Asia Pacific,” “-Europe,” “-Latin America,” and “-Canada” and “Effects of Inflation and Changes in Foreign Currency Exchange Rates” in the “Item 7. Management’s Discussion and Analysis” in this Form 10-K. Because of the geographic diversity of our operations, weaknesses in some currencies might be offset by strengths in others over time. We generally do not mitigate the risks associated with fluctuating exchange rates, although we may from time to time through forward contracts or other derivative instruments hedge a portion of our translational foreign currency exposure or exchange rate risks associated with material transactions which are denominated in a foreign currency. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Accordingly, fluctuations in foreign currency exchange rates, particularly the strengthening of the U.S. dollar against major currencies, may materially affect our consolidated financial results. Compliance with applicable U.S. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, labor laws and anti-competition relations increases the cost of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors or agents could nevertheless occur. We are regularly involved in claims, suits, government investigations, supervisory examinations and other proceedings that may result in adverse outcomes. In addition to what we are currently experiencing due to the 2017 cybersecurity incident, we are regularly involved in claims, suits, government investigations, supervisory examinations and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits. Such claims, suits, government investigations and proceedings are inherently uncertain and their results cannot be predicted with certainty. Regardless of their outcome, such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties or sanctions, as well as judgments, consent decrees or orders preventing us from offering certain features, functionalities, products or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results, and financial condition. The FCRA contains an attorney fee shifting provision to provide an incentive for consumers to bring individual and class action lawsuits against a CRA for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of the FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years. We rely, in part, on acquisitions, joint ventures and other alliances to grow our business and expand our geographic reach. The acquisition, integration or divestiture of businesses by us may not produce the expected financial, operating results or IT and data security profile we expect. In addition, if we are unable to make acquisitions or successfully develop and maintain joint ventures and other alliances, our growth may be adversely impacted. Historically, we have relied, in part, on acquisitions, joint ventures and other alliances to grow our business. Any acquisitions we do complete may not be on favorable terms, and the expected benefits, synergies and growth from these initiatives may not materialize as planned. We may have difficulty assimilating new businesses and their products, services, technologies, IT systems and personnel into our operations. IT and data security profiles of acquired companies may not meet our technological standards and may take longer to integrate and remediate than planned. This may result in significantly greater transaction costs for future acquisitions than we have experienced historically, or it could mean that we will not pursue certain acquisitions where the costs of integration and remediation are too significant. We may also have difficulty integrating and operating businesses in countries and geographies where we do not currently have a significant presence, and acquisitions of businesses having a significant presence outside of the U.S. will increase our exposure to risks of conducting operations in international markets. These difficulties could disrupt our ongoing business, distract our management and workforce, increase our expenses and adversely affect our operating results and financial condition. Despite our past experience, opportunities to grow our business through acquisitions, joint ventures and other alliances may not be available to us in the future. In addition, our focus on our technology transformation strategy, our migration to cloud-based technologies and potential fines, penalties and other costs as a result of the 2017 cybersecurity incident may limit our ability to identify and complete acquisitions as we will have less time and resources to devote to identifying suitable acquisition candidates and our technological criteria and standards for acquisition candidates may increase. Dependence on outsourcing certain portions of our operations may adversely affect our ability to bring products to market and damage our reputation. Dependence on outsourced information technology and other administrative functions may impair our ability to operate effectively. As part of our efforts to streamline operations and to reduce operating costs, we have outsourced various components of our application development, information technology, operational support and administrative functions and will continue to evaluate additional outsourcing. Although we have implemented service level agreements and have established monitoring controls, if our outsourcing vendors fail to perform their obligations in a timely manner or at satisfactory quality levels including with respect to data and system security, or increase prices for their services to unreasonable levels, our ability to bring products to market and support our customers and our reputation could suffer. Any failure to perform on the part of these third-party providers could impair our ability to operate effectively and could result in lower future revenue, unrealized efficiencies and adversely impact our results of operations and our financial condition. Much of our outsourcing takes place in developing countries and, as a result, may be subject to geopolitical uncertainty. Changes in income tax laws can significantly impact our net income. Federal and state governments in the U.S. as well as a number of other governments around the world are currently facing significant fiscal pressures and have considered or may consider changes to their tax laws for revenue raising or economic competitiveness reasons. Changes to tax laws can have immediate impacts, either favorable or unfavorable, on our results of operations and cash flows, and may impact our competitive position versus certain competitors who are domiciled in other jurisdictions and subject to different tax laws. In December 2017, the U.S. enacted the Tax Cuts and Jobs Act of 2017 which significantly impacted our U.S. and global tax expense and net income and our earnings per share in 2018. The IRS issued clarification notices and the U.S. Treasury issued Proposed Regulation which also provided clarity to the Tax Act. However, the IRS could issue additional clarification and additional changes could be made to the final issuance of the Regulations. If our government contracts are terminated, if we are suspended from government work, or if our ability to compete for new contracts is adversely affected, our business could suffer. We derive a portion of our revenue from direct and indirect sales to U.S., state, local and foreign governments and their respective agencies. Such contracts are subject to various procurement laws and regulations, and contract provisions relating to their formation, administration and performance. Failure to comply with these laws, regulations or provisions in our government contracts could result in the imposition of various civil and criminal penalties, termination of contracts, forfeiture of profits, suspension of payments or suspension of future government contracting. Following the 2017 cybersecurity incident, our government contracts received enhanced scrutiny and negative media attention that resulted in the suspension of one of our contracts. If we are unable to repair the reputational damage caused by the 2017 cybersecurity incident and ensure the security of the data we maintain, our ability to maintain our existing and acquire new government contracts may be substantially impacted. Also, the government programs to which we provide services, or which are the bases of compliance services we provide non-governmental clients, including, in particular, the employer requirements under the Affordable Care Act, may be terminated or substantially altered by the government and our services would no longer be needed. If our government contracts are terminated, if we are suspended from government work, if the services we provide are no longer needed due to government program change or termination, or if our ability to compete for new contracts is adversely affected, our business could suffer. Third parties may claim that we are infringing on their intellectual property and we could suffer significant litigation or licensing expenses or be prevented from selling products or services. There has been substantial litigation in the U.S. regarding intellectual property rights in the information technology industry. From time to time, third parties may claim that one or more of our products or services infringe their intellectual property rights. We analyze and take action in response to such claims on a case by case basis. Any dispute or litigation regarding patents or other intellectual property could be costly and time-consuming due to the complexity of our technology and the uncertainty of intellectual property litigation, could divert our management and key personnel from our business operations and we may not prevail. A claim of intellectual property infringement could force us to enter into a costly or restrictive license agreement, which might not be available under acceptable terms or at all, or could subject us to significant damages or to an injunction against development and sale of certain of our products or services. Our intellectual property portfolio may not be useful in asserting a counterclaim, or negotiating a license, in response to a claim of intellectual property infringement. In certain of our businesses we rely on third-party intellectual property licenses and we cannot ensure that these licenses will be available to us in the future on favorable terms or at all. Although our policy is to obtain licenses or other rights where necessary, we cannot provide assurance that we have obtained all required licenses or rights. Third parties may misappropriate or infringe on our intellectual property and we may suffer competitive injury or expend significant resources enforcing our rights. Our success increasingly depends on our proprietary technology. We rely on various intellectual property rights, including patents, copyrights, database rights, trademarks and trade secrets, as well as contract restrictions, confidentiality provisions and licensing arrangements, to establish our proprietary rights. The extent to which such rights can be protected varies in different jurisdictions. If we do not enforce our intellectual property rights successfully our competitive position may suffer which could harm our operating results. Our pending patent and trademark applications may not be allowed or competitors may challenge the validity or scope of our intellectual property rights. In addition, our patents, copyrights, trademarks and other intellectual property rights may not provide us a significant competitive advantage. We may need to devote significant resources, including cybersecurity resources, to monitoring our intellectual property rights and we may or may not be able to detect misappropriation or infringement by third parties. Our competitive position may be harmed if we cannot detect misappropriation or infringement and enforce our intellectual property rights quickly or at all. In some circumstances, enforcement may not be available to us because a third party has a dominant intellectual property position or for other business reasons. In addition, competitors might avoid infringement by designing around our intellectual property rights or by developing non-infringing competing technologies. Intellectual property rights and our ability to enforce them may be unavailable or limited in some countries which could make it easier for competitors to capture market share and could result in lost revenue. The U.K.’s impending departure from the EU could adversely affect us. The outcome of the 2016 referendum on the U.K.’s membership in the EU approving the exit of the U.K. from the EU (referred to as “Brexit”) could cause disruptions to and create uncertainty surrounding our business, including affecting our relationships with our existing and future customers, suppliers and employees, which could have an adverse effect on our business, financial results and operations. The effects of any Brexit will depend on its terms. In addition, developments regarding Brexit may also create global economic uncertainty, which may cause our clients to closely monitor their costs and reduce their spending on our solutions and services. A downgrade to our credit ratings would increase our cost of borrowing under our credit facility and adversely affect our ability to access the capital markets. We are party to a $1.10 billion five-year unsecured revolving credit facility with a group of financial institutions that matures in September 2023 (the “Revolver”). The Revolver replaced the Company’s previous $900 million unsecured revolving credit facility that was scheduled to mature in November 2020. The cost of borrowing under the Revolver and our ability and the terms under which we may access the credit markets are affected by credit ratings assigned to our indebtedness by the major credit rating agencies. These ratings are premised on our performance under assorted financial metrics, such as leverage and interest coverage ratios and other measures of financial strength, business and financial risk, industry conditions, transparency with rating agencies and timeliness of financial reporting. Our current ratings have served to lower our borrowing costs and facilitate access to a variety of lenders. However, there can be no assurance that our credit ratings or outlook will not be lowered in the future in response to adverse changes in these metrics caused by our operating results or by actions that we take that reduce our profitability or that require us to incur additional indebtedness for items such as substantial cash acquisitions, significant increases in costs and capital spending in security and IT systems, significant costs related to settlements of litigation or regulatory requirements, or by returning excess cash to shareholders through dividends or under our share repurchase program. A downgrade of our credit ratings would increase our cost of borrowing under the Revolver, negatively affect our ability to access the capital markets on advantageous terms, or at all, negatively affect the trading price of our securities and have a significant negative impact on our business, financial condition and results of operations. We may not be able to borrow under our revolving credit facility and Receivables Facility. We are party to a $225.0 million, two-year receivables funding facility (the “Receivables Facility”) as well as the Revolver. Our Revolver and Receivables Facility have representations, covenants, financial covenants and events of default which may limit our ability to borrow under such debt obligations. Any breach of a representation or failure to comply with any covenant or financial covenant or the occurrence of any event of default under the Revolver or the Receivables Facility could result in a prohibition of further borrowings under the Revolver and Receivables Facility or acceleration of any obligations outstanding thereunder. Any event of default under the Revolver or Receivables Facility could result in a cross default under our other outstanding debt obligations. Changes in interest rates could adversely affect our cost of capital and net income. Rising interest rates, credit market dislocations and decisions and actions by credit rating agencies can affect the availability and cost of our funding and adversely affect our net income. Our business will suffer if we are not able to retain and hire key personnel. Our future success, including our ability to implement our technology transformation strategy, depends partly on the continued service of our key development, sales, marketing, executive and administrative personnel. Additionally, increased retention risk exists in certain key areas of our operations, such as IT and security, which require specialized skills, such as maintenance of certain legacy computer systems, data security experts and analytical modelers. If we fail to retain and hire a sufficient number of these personnel, we will not be able to maintain or expand our business. As part of our technology transformation strategy, we have hired a significant number of new employees and contract employees. Hiring, training, motivating, retaining and managing employees with the skills required is time-consuming and expensive. If we are not able to hire sufficient employees to support our technology transformation, or to train, motivate, retain and manage the employees we do hire, it could have a material adverse effect on our business operations or financial results. We believe our pay levels are competitive within the regions in which we operate. However, there is also intense competition for certain highly technical specialties in geographic areas where we continue to recruit, and it may become more difficult to retain our key employees. Our retirement and post-retirement pension plans are subject to financial market risks that could adversely affect our future results of operations and cash flows. We have significant retirement and post-retirement pension plan assets and obligations. The performance of the financial markets and interest rates impact our plan expenses and funding obligations. Significant decreases in market interest rates, decreases in the fair value of plan assets and investment losses on plan assets will increase our funding obligations, and adversely impact our results of operations and cash flows. We are subject to a variety of other general risks and uncertainties inherent in doing business. In addition to the specific factors discussed above, we are subject to risks that are inherent to doing business. These include growth rates, general economic and political conditions, customer satisfaction with the quality of our services, costs of obtaining insurance, changes in unemployment rates, and other events that can impact revenue and the cost of doing business. ITEM 1B.