EFX, §1A diff (2019 → 2020)
Added paragraphs (9298 words)
ITEM 1A. RISK FACTORS All of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. The risks described below are not the only ones facing us. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations. This Form 10-K also contains forward-looking statements and estimates that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of specific factors, including the risks and uncertainties described below. Technology and Data Security Risks Security breaches and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation. We are a global data, analytics and technology company. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of consumers, employees and strategic partners. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Because our products and services involve the storage and transmission of personal information of consumers, we will routinely be the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. Insider or employee cyber and security threats are also a significant concern for all companies, including ours. Despite our substantial investment in physical and technological security measures, employee training and contractual precautions, our information technology networks and infrastructure (or those of our third-party vendors and other service providers) are potentially vulnerable to unauthorized access to data or breaches of confidential information due to criminal conduct, attacks by hackers, employee or insider malfeasance and/or human error. The techniques used to obtain unauthorized access, disable or degrade service or sabotage systems are constantly evolving and often are not recognized until launched against a target, or even some time after. We may be unable to anticipate these techniques, implement adequate preventative measures or remediate any intrusion on a timely or effective basis even if our security measures are appropriate, reasonable, and/or comply with applicable legal requirements. Certain efforts may be state-sponsored and supported by significant financial and technological resources, making them even more sophisticated and difficult to detect. Further, we are in the process of transforming our applications and infrastructure technologies, and this transition to cloud-based technologies may expose us to additional cyber threats as we migrate our data from our legacy systems to cloud-based solutions hosted by third parties. Although we have developed systems and processes that are designed to protect our data and customer data and to prevent data loss and other security breaches, and expect to continue to expend significant additional resources to bolster these protections, these security measures cannot provide absolute security. In 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of personally identifiable information of U.S., Canadian and U.K. consumers. If we experience additional breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure or other loss of information could subject us to significant litigation, regulatory fines or penalties, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations. We cannot ensure that our insurance policies in the future will be adequate to cover losses from any future security breaches. For example, our $125.0 million cybersecurity insurance policy was not adequate to cover the losses we have incurred to date from the 2017 cybersecurity incident. Security breaches and the adverse publicity that may follow could also have a negative impact on our reputation and our relationship with our customers. For example, our reputation with consumers and other stakeholders and our customer relationships were damaged following the 2017 cybersecurity incident, resulting in a negative impact on our revenue. If we experience another material cybersecurity incident or are otherwise unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business. If we fail to achieve and maintain key industry or technical certifications, our customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue. We are required by customers and business partners to obtain various industry or technical certifications. Such certifications are critical to our business because certain of our current and potential customers and the contracts governing certain customer relationships, as well as certain of our data suppliers, require us to maintain them as a requirement of doing business. For example, as a result of the 2017 cybersecurity incident, we lost certain key certifications which caused certain customers and business partners to stop or pause doing business with us and temporarily limited our ability to win new business. We had to spend significant resources on remediation activities in order to obtain these key re-certifications. If we fail to achieve or maintain key industry or technical certifications as a result of another cybersecurity incident or for other reasons, customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue. Strategy and Market Demand Risks Our business has been and will continue to be negatively impacted by the recent COVID-19 outbreak. We face various risks related to health epidemics, pandemics and similar outbreaks, including the global outbreak of COVID-19 in 2020. The COVID-19 pandemic and the mitigation efforts by governments to attempt to control its spread have adversely impacted the global economy, leading to reduced consumer spending and lending activities and disruptions and volatility in the global capital markets. Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions. We experienced significant revenue declines in several of our markets as a result of COVID-19. We expect that the negative impacts of the COVID-19 pandemic on our operating revenue will continue until health and economic conditions improve. We continue to work with our stakeholders (including customers, employees, consumers, suppliers, business partners and local communities) to responsibly address this global pandemic. We will continue to monitor the situation and assess possible implications to our business and our stakeholders and will take appropriate actions in an effort to mitigate adverse consequences. We cannot assure you that we will be successful in any such mitigation efforts. The extent to which the coronavirus will continue to negatively impact our operations will depend on future developments which are highly uncertain and cannot be predicted with confidence, including the duration of the outbreak, new information which may emerge concerning the severity of the COVID-19 pandemic, outbreaks occurring at any of our facilities, the actions taken to control the spread of COVID-19 or treat its impact, and changes in worldwide and U.S. economic conditions. Further deteriorations in economic conditions, as a result of the COVID-19 pandemic or otherwise, could lead to a further or prolonged decline in demand for our products and services and negatively impact our business. It may also impact financial markets and corporate credit markets which could adversely impact our access to financing or the terms of any such financing. We cannot at this time predict the extent of the impact of the COVID-19 pandemic and its resulting economic impact, but it could have a material adverse effect on our business, financial position, results of operations and cash flows. To the extent the COVID-19 pandemic adversely affects our business and financial results, it may also have the effect of heightening many of the other risks described in this “Item 1A. Risk Factors” and elsewhere in this Annual Report on Form 10-K, such as our need to generate sufficient cash flows to service our indebtedness and our ability to protect our information technology networks and infrastructure from unauthorized access, misuse, malware, phishing and other events that could have a security impact as a result of our remote working environment or otherwise. The failure to realize the anticipated benefits of our technology transformation strategy could adversely impact our business and financial results. We expect our technology transformation strategy, including our transition to cloud-based technologies, will significantly increase our efficiency and productivity, the functionality of our products and services, as well as decrease the cost of our overall systems infrastructure, all of which we expect will drive growth and have a positive effect on our business, competitive position and results of operations. This initiative is a major undertaking as we replace many of our previous operating systems with cloud-based systems. This complex, multifaceted and extensive initiative is expensive and may cause material unanticipated problems and expenses. If our new systems do not operate as expected, or the data we transition to the cloud changes in a material way, we may have to incur significant additional costs to make modifications and could lose customers as a result. Moreover, we may experience issues with customer migration, as many of our customers may not migrate to cloud-based technologies on a timely basis or at all or may choose not to utilize our products and services during and after our transition to cloud-based technologies. We cannot assure you that our technology transformation strategy will be beneficial to the extent, or within the timeframes, expected, or that the estimated efficiency, cost savings and other improvements will be realized as anticipated or at all. Market acceptance of cloud-based offerings is affected by a variety of factors, including information security, reliability, performance, the sufficiency of technological infrastructure to support our products and services in certain geographies, customer and data provider concerns with entrusting a third party to store and manage its data as well as the customer’s ability to access this data once a contract has expired, and consumer concerns regarding data privacy and the enactment of laws or regulations that restrict our ability to provide such services to customers. If we are unable to correctly respond to these issues, we may experience business disruptions, damage to our reputation, negative publicity, diminished customer trust and relationships and other adverse effects on our business. Even if the anticipated benefits and savings are substantially realized, there may be consequences, internal control issues or business impacts that were not expected. Our transition and migration to cloud-based technologies may increase our risk of liability and cause us to incur significant technical, legal or other costs. The loss of access to credit, employment, financial and other data from external sources could harm our ability to provide our products and services. We rely extensively upon data from external sources to maintain our proprietary and non-proprietary databases, including data received from customers, strategic partners and various government and public record sources. This data includes the widespread and voluntary contribution of credit data from most lenders in the U.S and many other markets as well as the contribution of data under proprietary contractual agreements, such as employers’ contribution of employment and income data to The Work Number® and telecommunications, cable and utility companies’ contribution of payment and fraud data to the National Cable, Telecommunications and Utility Exchange. For a variety of reasons, including concerns of data furnishers arising out of the 2017 cybersecurity incident, legislatively or judicially imposed restrictions on use, additional security breaches or competitive reasons, our data sources could withdraw, delay receipt of or increase the cost of their data provided to us. Where we currently have exclusive use of data, the providers of the data sources could elect to make the information available to competitors. We also compete with several of our third-party data suppliers. If a substantial number of data sources or certain key data sources were to withdraw or be unable to provide their data, if we were to lose access to data due to government regulation, if we lose exclusive right to the use of data, or if the collection, disclosure or use of data becomes uneconomical, our ability to provide products and services to our clients could be adversely affected, which could result in decreased revenue, net income and earnings per share and reputational loss. There can be no assurance that we would be able to obtain data from alternative sources if our current sources become unavailable. Negative changes in general economic conditions, including interest rates, unemployment rates, income, home prices, investment values and consumer confidence, could adversely affect us. Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions, including the demand and availability of affordable credit and capital, the level and volatility of interest rates, inflation, employment levels, consumer confidence and housing demand, both inside and outside the United States. Business customers use our credit information and related analytical services and data to process applications for new credit cards, automobile loans, home and equity loans and other consumer loans, and to manage their existing credit relationships. Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity, which can be impacted by changes in interest rates. Banks’ and other lenders’ willingness to extend credit are adversely affected by elevated consumer delinquency and loan losses in a weak economy. Consumer demand for credit (i.e., rates of spending and levels of indebtedness) also tends to grow more slowly or decline during periods of economic contraction or slow economic growth. Our customer base suffers when financial markets experience volatility, illiquidity and disruption and the potential for increased and continuing disruptions going forward presents considerable risks to our business and revenue. High or rising rates of unemployment and interest, declines in income, home prices or investment values, lower consumer confidence and reduced access to credit adversely affect demand for many of our products and services, and consequently our revenue and results of operations, as consumers may postpone or reduce their spending and use of credit, and lenders may reduce the amount of credit offered or available. Our markets are highly competitive and new product introductions and pricing strategies being offered by our competitors could decrease our sales and market share or require us to enhance our products and services or reduce our prices in a manner that reduces our revenue and operating margins. We operate in a number of geographic, product and service markets that are highly competitive. Competitors may develop products and services that are superior to or that achieve greater market acceptance than our products and services. New competitors may choose to enter and compete in our markets, or existing competitors may choose to introduce new products and enter markets that we serve and that they do not currently serve. The size of our competitors varies across market segments, as do the resources we have allocated to the segments we target. Therefore, some of our competitors may have significantly greater financial, technical, marketing or other resources than we do in one or more of our market segments, or overall. As a result, our competitors may be in a position to respond more quickly than we can to new or emerging technologies and changes in customer requirements, or may devote greater resources than we can to the development, enhancement, promotion, sale and support of products and services, or some of our customers may develop products of their own that replace the products they currently purchase from us, which would result in lower revenue. In addition, many of our competitors have extensive consumer relationships, including relationships with our current and potential customers. Moreover, new competitors or alliances among our competitors may emerge and potentially reduce our market share, revenue or margins. We also sell our information to competing firms, and buy information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U.S. mortgage market. Changes in prices between competitors for this information and/or changes in the design or sale of tri-bureau versus single or dual bureau product offerings may affect our revenue or profitability. Some of our competitors may choose to sell products that compete with ours at lower prices by accepting lower margins and profitability, or may be able to sell products competitive to ours at lower prices, individually or as a part of integrated suites, given proprietary ownership of data, technological superiority or economies of scale. Price reductions by our competitors could negatively impact our revenue and operating margins and results of operations and could also harm our ability to obtain new customers on favorable terms. Historically, certain of our key products have experienced declines in per unit pricing due to competitive factors and customer demand. Since a significant portion of our operating expenses is relatively fixed in nature due to sales, information technology and development and other costs, if we were unable to respond quickly enough to changes in competition or customer demand, we could experience further reductions in our operating margins. If our relationships with key customers are materially diminished or terminated, our business could suffer. We have long-standing relationships with a number of our customers, many of whom could unilaterally terminate their relationship with us or materially reduce the amount of business they conduct with us at any time. Many of our material customer agreements can be terminated by the customer for convenience on advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors. There is no guarantee that we will be able to retain or renew existing agreements, maintain relationships with any of our customers or business partners on acceptable terms or at all, or collect amounts owed to us from insolvent customers or business partners. The loss of one or more of our major customers or business partners could adversely affect our business, financial condition and results of operations. If we do not introduce successful new products, services and analytical capabilities in a timely manner, or if the market does not adopt our new services, our competitiveness and operating results will suffer. We generally sell our products in industries that are characterized by rapid technological changes, frequent new product and service introductions and changing industry standards. In addition, certain of the markets in which we operate are seasonal and cyclical. Without the timely introduction of new products, services and enhancements, our products and services will become technologically or commercially obsolete over time, in which case our revenue and operating results would suffer. The success of our new products and services will depend on several factors, including our ability to properly identify customer needs; innovate and develop new technologies, services and applications; successfully commercialize new technologies in a timely manner; produce and deliver our products in sufficient volumes on time; differentiate our offerings from competitor offerings; price our products competitively; anticipate our competitors’ development of new products, services or technological innovations; and control product quality in our product development process. Our resources have to be committed to any new products and services before knowing whether the market will adopt the new offerings. In addition, our management is and will continue to be intensely focused on enhancing our security measures and our technology transformation and may not be able to devote as much time or resources to new product development, which could cause us to be less competitive as compared to our peers, lose out on new revenue opportunities and have an adverse effect on our growth and our business. The demand for some of our products and services may be negatively impacted to the extent the availability of free or less expensive consumer information increases. Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, particularly through the internet, and this trend is expected to continue. In addition, governmental agencies in particular have increased the amount of information to which they provide free public access and these or other sources of free or relatively inexpensive consumer information from competitors or other commercial sources may reduce demand for our services, particularly in our USIS and Global Consumer Solutions business units. Recently, there also has been an increase in companies offering free or low-cost direct-to-consumer credit services (such as credit scores, reports and monitoring) as part of alternative business models that use such services as a means to introduce consumers to other products and services. To the extent that our customers choose not to obtain services from us and instead rely on information obtained at no cost or relatively inexpensively from these other sources, our business, financial condition and results of operations may be adversely affected. We rely, in part, on acquisitions, joint ventures and other alliances to grow our business and expand our geographic reach. The acquisition, integration or divestiture of businesses by us may not produce the expected financial, operating results or IT and data security profile we expect. In addition, if we are unable to make acquisitions or successfully develop and maintain joint ventures and other alliances, our growth may be adversely impacted. Historically, we have relied, in part, on acquisitions, joint ventures and other alliances to grow our business. Any acquisitions we do complete may not be on favorable terms, may involve greater-than-expected liabilities and expenses, potential impairments of tangible and intangible assets or significant write-offs and the expected benefits, synergies and growth from these initiatives may not materialize as planned. We may have difficulty assimilating new businesses and their products, services, technologies, IT systems and personnel into our operations. IT and data security profiles of acquired companies may not meet our technological standards and may take longer to integrate and remediate than planned. This may result in significantly greater transaction, remediation and integration costs for future acquisitions than we have experienced historically, or it could mean that we will not pursue certain acquisitions where the costs of integration and remediation are too significant. We may also have difficulty integrating and operating businesses in countries and geographies where we do not currently have a significant presence, and acquisitions of businesses having a significant presence outside of the U.S. will increase our exposure to risks of conducting operations in international markets. These difficulties could disrupt our ongoing business, distract our management and workforce, increase our expenses and adversely affect our operating results and financial condition. Despite our past experience, opportunities to grow our business through acquisitions, joint ventures and other alliances may not be available to us in the future. In addition, our focus on data security and our technology transformation strategy, including our migration to cloud-based technologies may limit our ability to identify and complete acquisitions as we will have less time and resources to devote to identifying suitable acquisition candidates and our technological criteria and standards for acquisition candidates may increase. If our government contracts are terminated, if we are suspended from government work, or if our ability to compete for new contracts is adversely affected, our business could suffer. We derive a portion of our revenue from direct and indirect sales to U.S., state and local governments and their respective agencies. Such contracts are subject to various procurement laws and regulations, and contract provisions relating to their formation, administration and performance. Failure to comply with these laws, regulations or provisions in our government contracts could result in the imposition of various civil and criminal penalties, termination of contracts, forfeiture of profits, suspension of payments or suspension of future government contracting. A number of our federal government contracts have received enhanced scrutiny and media attention due to the sensitive nature of the data we handle and due to the importance of the government programs we support. If we experience another material cybersecurity incident, if public scrutiny and pressure related to government services we support turns negative or if we experience uptime issues or performance problems, our ability to maintain existing or acquire new government contracts may be substantially impacted. Also, the government programs to which we provide services, or which are the bases of compliance services we provide non-governmental clients, including, in particular, the employer requirements under the Affordable Care Act, may be terminated or substantially altered by the government and our services would no longer be needed. If our government contracts are terminated, if we are suspended from government work, if the services we provide are no longer needed due to government program change or termination, or if our ability to compete for new contracts is adversely affected, our business could suffer. Operational Risks Our technology transformation strategy places a significant strain on our management, operational, financial and other limited resources. As part of our technology transformation strategy, we are transitioning and migrating our data systems from traditional data centers to cloud-based platforms. This initiative places significant strain on our management, personnel, operations, systems, technical performance and financial resources and internal financial control and reporting function. In addition, many of our existing personnel do not have experience with native cloud-based technologies and, as a result, we have and will continue to hire personnel with such experience. This effort has been, and will continue to be, time consuming and costly. Our technology transformation strategy requires management time and resources to educate employees and implement new ways of conducting business. The dedication of resources to our technology transformation strategy and cloud-based technologies limits the resources we have available to devote to other initiatives or growth opportunities, or to invest in the maintenance of our existing internal systems. We cannot guarantee that our strategy is the right one or that investments in alternative technologies or other initiatives would not be a better use of our limited resources. Additionally, as a result of our cloud migration efforts in connection with our technology transformation strategy, we may experience a loss of continuity, loss of accumulated knowledge or loss of efficiency during transitional periods. Reorganization and transition can require a significant amount of management and other employees’ time and focus, which may divert attention from operating activities and growing our business. If we fail to achieve some or all of the expected benefits of these activities, it could have a material adverse effect on our competitive position, business, financial condition, results of operations and cash flows. Our transition to cloud-based technologies could expose us to operational disruptions. We rely on the efficient and uninterrupted operation of complex information technology systems and networks, some of which are managed internally within the Company and some of which are outsourced to third parties. As part of our technology transformation strategy, we are upgrading a significant portion of the information technology systems used to operate our business and replacing them with cloud-based solutions. This transition will require substantial changes to our software and network infrastructure, which could lead to system interruptions, affect our data systems and further expose us to operational disruptions, and cause us to lose customers, all of which could have a material adverse effect on our results of operations. Upon implementation of the new cloud-based solutions, much of our information technology systems will consist of outsourced, cloud-based infrastructure, platform and software-as-a-service solutions not under our direct management or control. Any disruption to either the outsourced systems or the communication links between us and the outsourced supplier could negatively affect our ability to operate our data systems and could impair our ability to provide services to our customers. We may incur additional costs to remedy the damages caused by these disruptions. If our systems do not meet customer requirements for response time or high availability, or we experience system constraints or failures, or our customers do not migrate to the cloud or modify and/or upgrade their systems to accept new releases of our products and services, our services to our customers could be delayed or interrupted, which could result in lost revenues or customers, lower margins, service level penalties or other harm to our business and reputation. Our customers expect high system availability and response time performance, as well as a very high degree of system resilience. We depend on reliable, stable, efficient and uninterrupted operation of our technology network, systems, and data centers to provide service to our customers. Many of the services and systems upon which we rely have been outsourced to third parties. In addition, many of our revenue streams are dependent on links to third party telecommunications providers. These systems and operations, and the personnel that support, service and operate these systems, could be exposed to interruption, damage or destruction from power loss, telecommunication failures, computer viruses, denial-of-service or other cyber attacks, employee or insider malfeasance, human error, fire, natural disasters, war, terrorist acts or civil unrest. We may not have sufficient disaster recovery or redundant operations in place to cover a loss or failure of systems or telecommunications links in a timely manner. In addition, as part of our technology transformation, we are seeking to migrate our customers from traditional data platforms to cloud-based products and services. Many of our customers may not migrate to cloud-based technologies on a timely basis or at all, or may choose not to utilize our products and services during and after our transition to cloud-based technologies. If our customers’ timelines prevent them from migrating to cloud-based technologies quickly enough, they will remain on our legacy infrastructure, which could expose them to system availability and response time performance issues. Any significant system interruption or series of minor interruptions could result in the loss of customers and/or lost revenues, lower margins, service level penalties or other significant harm to our business or reputation. Dependence on outsourcing certain portions of our operations may adversely affect our ability to bring products to market and damage our reputation. Dependence on outsourced information technology and other administrative functions may impair our ability to operate effectively. As part of our technology transformation, we have outsourced various components of our application development, information technology, operational support and administrative functions and will continue to evaluate additional outsourcing. If our outsourcing vendors fail to perform their obligations in a timely manner or at satisfactory quality levels including with respect to data and system security, or increase prices for their services to unreasonable levels, our ability to bring products to market and support our customers and our reputation could suffer. Any failure to perform on the part of these third-party providers could impair our ability to operate effectively and could result in lower future revenue, unrealized efficiencies and adversely impact our results of operations and our financial condition. Some of our outsourcing takes place in developing countries and, as a result, may be subject to geopolitical uncertainty. Our business will suffer if we are not able to retain and hire key personnel. Our future success, including our ability to implement our technology transformation strategy, depends partly on the continued service of our key development, sales, marketing, executive and administrative personnel. Additionally, increased retention risk exists in certain key areas of our operations, such as IT and data security, which require specialized skills, such as migrating legacy computer systems to the cloud, data security expertise and analytical modeling. If we fail to retain and hire a sufficient number of these personnel, we will not be able to maintain or expand our business. As part of our technology transformation strategy, we have hired or contracted with a significant number of new employees and contract workers. Hiring, on-boarding training, motivating, retaining and managing employees with the skills required is time-consuming and expensive. There is intense competition for certain highly technical specialties in geographic areas where we continue to recruit, and it may become more difficult to retain our key employees. If we are not able to hire sufficient employees to support our technology transformation, or to train, motivate, retain and manage the employees we do hire, it could have a material adverse effect on our business operations or financial results. Global Operational Risks Economic, political and other risks associated with international sales and operations could adversely affect our results of operations. Sales outside the U.S. comprised 22% of our total revenue in 2020. As a result, our business is subject to various risks associated with doing business internationally and these risks may differ in each jurisdiction we operate depending on the particular product or service we offer in the jurisdiction. In addition, many of our employees, suppliers, job functions and facilities are located outside the U.S. Accordingly, our future results could be harmed by a variety of factors including: •changes in specific country or region political, economic or other conditions; •trade protection measures; •data privacy and consumer protection laws and regulations; •difficulty in staffing and managing widespread operations; •differing labor, intellectual property protection and technology standards and regulations; •business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions; •difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner; •implementation of exchange controls; •geopolitical instability, including terrorism and war; •foreign currency changes; •increased travel, infrastructure, legal and compliance costs of multiple international locations; •foreign laws and regulatory requirements; •terrorist activity, natural disasters, pandemics and other catastrophic events; •restrictions on the import and export of technologies; •difficulties in enforcing contracts and collecting accounts receivable; •longer payment cycles; •failure to meet quality standards for outsourced work; •unfavorable tax rules; •the presence and acceptance of varying level of business corruption in international markets; and •varying business practices in foreign countries. We earn revenue, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar, including among others the British pound, the Australian dollar, the Canadian dollar, the Argentine peso, the Chilean peso, the Euro, the New Zealand dollar, the Costa Rican colon, the Singapore dollar, the Brazilian real, the Russian ruble and the Indian rupee. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenue, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, increases or decreases in the value of the U.S. dollar against major currencies will affect our operating revenues, operating income and the value of balance sheet items denominated in foreign currencies. We generally do not mitigate the risks associated with fluctuating exchange rates, although we may from time to time through forward contracts or other derivative instruments hedge a portion of our translational foreign currency exposure or exchange rate risks associated with material transactions which are denominated in a foreign currency. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Accordingly, fluctuations in foreign currency exchange rates, particularly the strengthening of the U.S. dollar against major currencies, may materially affect our consolidated financial results. Compliance with applicable U.S. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, labor laws and anti-competition relations increases the cost of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors or agents could nevertheless occur. The U.K.’s departure from the EU could adversely affect us. We are subject to risks and uncertainties associated with the U.K.’s withdrawal from the EU (referred to as “Brexit”), including implications for the free flow of labor and goods in the U.K. and the EU and other financial, legal, tax and trade implications. Brexit could cause disruptions to and create uncertainty surrounding our business in the U.K., including affecting our relationships with our existing and future customers, suppliers and employees, which could have an adverse effect on our business, financial results and operations. Legal and Regulatory Risks As part of a global settlement, we entered into agreements with various parties to settle the U.S. Consumer MDL Litigation and certain federal and state government investigations arising out of the 2017 cybersecurity incident. If we are unable to comply with our obligations under these agreements, if the U.S. Consumer MDL Litigation settlement is not upheld on appeal, or if other lawsuits or investigations are filed or commenced, it could have a material adverse effect on our financial condition. In July 2019, the Company entered into multiple agreements that resolve the U.S. consolidated consumer class action cases, captioned In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800 (Consumer Cases) (the “U.S. Consumer MDL Litigation”), and the investigations of the FTC, the CFPB, the Attorneys General of 48 states, the District of Columbia and Puerto Rico (the “MSAG Group”) and the NYDFS (collectively, the “Consumer Settlement”) relating to the 2017 cybersecurity incident. On January 13, 2020, the U.S. District Court for the Northern District of Georgia (the “Court”) entered an order granting final approval of the settlement in connection with the U.S. Consumer MDL Litigation, from which several objectors have appealed. Until the appeals are finally adjudicated or dismissed and the settlement becomes final in accordance with its terms, we can provide no assurance that the U.S. Consumer MDL Litigation will be resolved as contemplated by the settlement agreement. If the Court’s order approving the settlement agreement was overturned by an appellate court and not cured in accordance with the terms of the consent orders with the FTC and CFPB, the consent orders with the FTC, CFPB and MSAG Group would remain in place and the Consumer Restitution Fund (as defined below) would be administered by the FTC. In that event, there is a risk that we would not be able to settle the U.S. Consumer MDL Litigation on acceptable terms or at all, which could have a material adverse effect on our financial condition. In addition to the monetary payments and consumer redress, we also agreed as part of the Consumer Settlement to implement certain business practice commitments related to consumer assistance and our information security program, including third party assessments of our program. These business practice commitments are extensive and require a significant amount of attention from management. To the extent we are unable to comply or we are viewed as not being in compliance with these business practice commitments or other requirements of a relevant order, we could face an enforcement action or contempt proceeding that could potentially result in fines, penalties and new business practice commitments, which, depending on the amount and type, could have a material adverse effect on our financial condition. In addition, other lawsuits and investigations related to the 2017 cybersecurity incident are still outstanding and additional lawsuits or investigations may be filed, commenced or issued. The resolution of these additional matters may result in damages, costs, fines or penalties, which, depending on the amount, could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods. Any future losses we incur as a result of the incident will not be covered by insurance. We and our customers are subject to various current laws and governmental regulations, and could be affected by new and evolving consumer privacy and cybersecurity or other data-related laws or regulations, compliance with which may cause us to incur significant expenses and change our business practices, and if we fail to maintain satisfactory compliance with certain laws and regulations, we could be subject to civil or criminal penalties. We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy, cybersecurity, data and financial protection. See “Item 1. Business-Governmental Regulation” in this Form 10-K for a summary of the U.S. and foreign consumer and data protection laws and regulations to which we are subject. These regulations are complex, change frequently, have tended to become more stringent over time, and are subject to administrative interpretation and judicial construction in ways that could harm our business. In addition, new laws and regulations at the state and federal level are enacted or considered frequently. Examples of such new and evolving laws and regulations include amendments to the FCRA requiring the provision of free credit freezes to consumers, cybersecurity and other requirements promulgated by the New York Department of Financial Services, the CCPA which took effect on January 1, 2020, the California data broker registration requirements that took effect on January 31, 2020, and the CPRA taking effect on January 1, 2023. Furthermore, we expect there to be an increased focus on laws and regulations related to our business, including by the new U.S. presidential administration and the new U.S. Congress, because of the great public concern in the U.S. with regard to the operation of credit reporting agencies, as well as the collection, use, accuracy, correction and sharing of personal information. We also use algorithms, artificial intelligence and machine learning in our business processes. There are a number of legislative proposals pending before the U.S. Congress, various state legislative bodies and foreign governments concerning privacy or cybersecurity that could affect us. The Canadian government has initiated a review of consumer privacy laws, and several U.S. states have introduced varying comprehensive privacy laws modeled to some degree on the CCPA and/or the GDPR. Compliance with multiple state laws containing varying requirements could be complicated and costly. In Europe, although the GDPR already includes certain provisions relating to the automated processing of personal data, there has also been discussion of new legislative proposals to regulate business use of artificial intelligence and machine learning technologies which, if enacted, could impose new legal requirements addressing among other issues, privacy, discrimination and human rights. The specifics of such legislation and the number of jurisdictions that will introduce legislation in this area remain unclear at this time. In addition, a growing number of legislative and regulatory bodies have adopted consumer notification and other requirements in the event that consumer information is accessed or acquired by unauthorized persons and additional regulations regarding the use, access, accuracy and security of such data are possible. In the U.S., state laws provide for disparate notification regimes, all of which we are subject to. Further, any perception that our practices or products are an invasion of privacy, whether or not consistent with current or future regulations and industry practices, may subject us to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability. We devote substantial compliance, legal and operational business resources to strive for compliance with applicable regulations and requirements. In the future, we may be subject to significant additional expense related to compliance with applicable laws and regulations, including new laws and evolving interpretations that are difficult to predict, and to investigate, defend or remedy actual or alleged violations. Additionally, we cooperate with CFPB supervisory examinations and respond to other state, federal and foreign government examinations of or inquiries into our business practices. The enactment of new laws and how they are interpreted could impact our business. In particular, legislative activity in the privacy area may result in new laws that are applicable to us and that may hinder our business, for example, by restricting use or sharing of consumer data, including for marketing or advertising or limiting the use of, or otherwise regulating artificial intelligence and machine learning, including the use of algorithms and automated processing in ways that could materially affect our business, or which may lead to significant increases in the cost of compliance. Any failure by us to comply with, or remedy any violations of, applicable laws and regulations, could result in new costs for our operations, the curtailment of certain of our operations, the imposition of fines and penalties, liability to private plaintiffs as a result of individual or class action litigation, restrictions on the operation of our business and reputational harm. It is difficult to predict the impact on our business if we were subject to allegations of having violated existing laws. For example, in Europe, the GDPR, which includes extensive regulations for certain security incidents, could result in fines of up to four percent of annual worldwide “turnover” (a measure similar to revenues in the U.S.). In addition, because many of our products are regulated or sold to customers in various industries, we must comply with additional regulations in marketing our products. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on customers’ adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. We cannot predict the ultimate impact on our business of new or proposed rules, supervisory examinations or government investigations or enforcement actions. The following legal and regulatory developments also could have a substantial negative impact on our business, financial condition or results of operations: •amendment, enactment or interpretation of laws and regulations that restrict the access and use of personal information and reduce the availability or effectiveness of our solutions or the supply of data available to customers; •changes in cultural and consumer attitudes in favor of further restrictions on information collection and sharing, which may lead to regulations that prevent full utilization of our solutions; •failure of data suppliers or customers to comply with laws or regulations, where mutual compliance is required; •failure of our solutions to comply with current laws and regulations; and •failure of our solutions to adapt to changes in the regulatory environment in an efficient, cost effective manner. These laws and regulations (as well as actions that may be taken by legislatures and regulatory bodies in other countries) and the consequences of any violation could limit our ability to pursue business opportunities we might otherwise consider engaging in, impose additional costs on us, result in significant loss of revenue, result in significant restitution and fines, impact the value of assets we hold, or otherwise adversely affect our business. The CFPB has supervisory and examination authority over our business and may initiate enforcement actions with regard to our compliance with federal consumer financial laws. The CFPB, which was established under the Dodd-Frank Act and commenced operations in July 2011, has broad authority over our business. This includes authority to issue regulations under federal consumer financial protection laws, such as under FCRA and other laws applicable to us and our financial customers. The CFPB is authorized to prevent “unfair, deceptive or abusive acts or practices” through its regulatory, supervisory and enforcement authority. In 2012, credit reporting companies like us became subject to a federal supervision program for the first time under the CFPB’s authority to supervise and examine certain non-depository institutions that are “larger participants” of the consumer credit reporting market. The CFPB conducts examinations and investigations, and may issue subpoenas and bring civil actions in federal court for violations of the federal consumer financial laws including FCRA. In these proceedings, the CFPB can seek relief that includes: rescission or reformation of contracts, restitution, disgorgement of profits, payment of damages, limits on activities and civil money penalties of up to $1.0 million per day for known violations. The CFPB conducts periodic examinations of us and the consumer credit reporting industry, which could result in new regulations or enforcement actions or proceedings. Actions by the CFPB could result in requirements to alter or cease offering affected products and services, making them less attractive and restricting our ability to offer them. Although we have committed resources to enhancing our compliance programs, actions by the CFPB or other regulators against us could result in reputational harm. Our compliance costs and legal and regulatory exposure could increase materially if the CFPB or other regulators enact new regulations, change regulations that were previously adopted, modify through supervision or enforcement past regulatory guidance, or interpret existing regulations in a manner different or stricter than have been previously interpreted. Regulatory oversight of our contractual relationships with certain of our customers may adversely affect our business. The federal banking agencies, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the CFPB, as well as many state banking agencies have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider’s business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain “critical activities.” In light of this guidance, our existing or potential bank and financial services customers subject to this guidance may continue to revise their third-party risk management policies and processes and the terms on which they do business with us, which may adversely affect our relationship with such customers. In 2018, we entered into a consent order with certain state banking regulators in response to their multi-state review of our information security program. This consent order obligates us to, among other things, make certain changes to our corporate governance and information security practices. If we are unable or otherwise fail to comply with this consent order, our ability to do business with financial institutions in those states could be impaired. It is possible that the consent order or other actions resulting from examinations by federal or state banking regulators could lead to adverse changes in our customer relationships. We are regularly involved in claims, suits, government investigations, supervisory examinations and other proceedings that may result in adverse outcomes. We are regularly involved in claims, suits, government investigations, supervisory examinations and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits. Such claims, suits, government investigations and proceedings are inherently uncertain and their results cannot be predicted with certainty. Regardless of their outcome, such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties or sanctions, as well as judgments, consent decrees or orders preventing us from offering certain features, functionalities, products or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results, and financial condition. The FCRA contains an attorney fee shifting provision that provides an incentive for consumers to bring individual and class action lawsuits against a CRA for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of the FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years. Third parties may claim that we are infringing on their intellectual property and we could suffer significant litigation or licensing expenses or be prevented from selling products or services. There has been substantial litigation in the U.S. regarding intellectual property rights in the information technology industry. From time to time, third parties may make claims that one or more of our products or services infringe their intellectual property rights. We analyze and take action in response to each such claim on a case by case basis. A dispute or litigation regarding patents or other intellectual property can be costly and time-consuming due to the complexity of our technology and the inherent uncertainty of intellectual property litigation, could divert our management and key personnel from our business operations, and we may not prevail. A claim of intellectual property infringement could force us to enter into a costly or restrictive license agreement, which might not be available under acceptable terms or at all, or could subject us to significant damages or to an injunction against development and sale of certain of our products or services. Our intellectual property portfolio may not be useful in asserting a counterclaim, or providing commercial leverage for negotiating a license, in response to a claim of intellectual property infringement. In certain of our businesses we rely on third-party intellectual property licenses and we cannot ensure that these licenses will be available to us in the future on favorable terms or at all. Although our policy is to obtain licenses or other rights where necessary, we cannot provide assurance that we have obtained all required licenses or rights. Third parties may misappropriate or infringe on our intellectual property and we may suffer competitive injury or expend significant resources enforcing our rights. Our success increasingly depends on our proprietary technology and its ability to differentiate us from our competitors. We rely on various intellectual property rights, including patents, copyrights, database rights, trademarks and trade secrets, as well as contract restrictions, confidentiality provisions and licensing arrangements, to establish and protect our proprietary rights. The extent to which such rights can be protected varies in different jurisdictions. If we do not protect and enforce our intellectual property rights successfully, our competitive position may suffer which could harm our operating results. Our pending patent and trademark applications may not be allowed or competitors may challenge the validity or scope of our intellectual property rights. In addition, our patents, copyrights, trademarks and other intellectual property rights may not provide us a significant competitive advantage. We may need to devote significant resources to monitoring our intellectual property rights and we may or may not be able to detect misappropriation or infringement by third parties. Our competitive position may be harmed if we cannot detect misappropriation or infringement and enforce our intellectual property rights quickly or at all. In some circumstances, enforcement may not be available to us because a third party has a dominant intellectual property position or for other business reasons. In addition, competitors might avoid infringement by designing around our intellectual property rights or by developing non-infringing competing technologies. Intellectual property rights and our ability to enforce them may be unavailable or limited in some countries, which could make it easier for competitors to capture market share and could result in lost revenue. Financial Market Risks Our retirement and post-retirement pension plans are subject to financial market risks that could adversely affect our future results of operations and cash flows. We have significant retirement and post-retirement pension plan assets and obligations. The performance of the financial markets and interest rates impact our plan expenses and funding obligations. Significant decreases in interest rates, decreases in the fair value of plan assets and investment losses on plan assets will increase our funding obligations, and adversely impact our results of operations and cash flows. ITEM 1B.
Removed paragraphs (9003 words)
ITEM 1A. RISK FACTORS All of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. The risks described below are not the only ones facing us. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations. This Form 10-K also contains forward-looking statements and estimates that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of specific factors, including the risks and uncertainties described below. Security breaches and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation. We are a global data, analytics and technology company. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of consumers, employees and strategic partners. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Despite our substantial investment in physical and technological security measures, employee training and contractual precautions, our information technology networks and infrastructure (or those of our third-party vendors and other service providers) are potentially vulnerable to unauthorized access to data or breaches of confidential information due to criminal conduct, attacks by hackers, employee or insider malfeasance and/or human error. For example, in 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of personally identifiable information of U.S., Canadian and U.K. consumers. Following the 2017 cybersecurity incident, we began undertaking significant remediation efforts and other steps to enhance our data security infrastructure which are ongoing. In connection with these efforts, we have incurred significant costs and expect to incur additional significant costs as we continue to enhance our data security infrastructure and take further steps to prevent unauthorized access to our systems and the data we maintain. Despite these efforts, we cannot assure you that all potential causes of this incident have been identified and remediated and that similar cyber incidents will not occur in the future. Because our products and services involve the storage and transmission of personal information of consumers, we will continue to routinely be the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. We are in the process of transforming our applications and infrastructure technologies, transitioning to cloud-based technologies. As we transition to cloud-based technologies, we may be exposed to additional cyber threats as we migrate our data from our legacy systems to cloud-based solutions. Our increased dependence on third parties to store our cloud-based data systems may also subject us to further cyber threats. Insider or employee cyber and security threats are also a significant concern for all companies, including ours. We must continuously plan, develop and monitor our information technology networks and infrastructure to identify, protect, detect, respond to and recover from the risk of unauthorized access, misuse, malware, phishing and other events that could have a security impact. Because the techniques used to obtain unauthorized access, disable or degrade service or sabotage systems change frequently and often are not recognized until launched against a target, or even some time after, we may be unable to anticipate these techniques, implement adequate preventative measures or remediate any intrusion on a timely or effective basis even if our security measures are appropriate, reasonable, and/or in accordance with applicable legal requirements. If we experience additional breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure or other loss of information could subject us to significant litigation, regulatory fines, penalties, losses of customers or reputational damage, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations. We cannot ensure that our insurance policies in the future will be adequate to cover losses from any future security breaches. Our $125.0 million cybersecurity insurance policy was not adequate to cover the losses we have incurred to date from the 2017 cybersecurity incident, and all future losses we incur as a result of the incident will not be covered by insurance. In addition, our insurance coverage will vary from time to time in both type and amount depending on availability, cost and our decisions with respect to risk retention. As part of a global settlement, we entered into agreements with various parties to settle the U.S. Consumer MDL Litigation and certain federal and state government investigations arising out of the 2017 cybersecurity incident. If we are unable to comply with our obligations under these agreements, or if other lawsuits or investigations are filed or commenced, it could have a material adverse effect on our financial condition. In July 2019, the Company entered into multiple agreements that resolve the U.S. consolidated consumer class action cases, captioned In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800 (Consumer Cases) (the “U.S. Consumer MDL Litigation”), and the investigations of the FTC, the CFPB, the Attorneys General of 48 states, the District of Columbia and Puerto Rico (the “MSAG Group”) and the NYDFS (collectively, the “Consumer Settlement”) relating to the 2017 cybersecurity incident. On January 13, 2020, the U.S. District Court for the Northern District of Georgia (the “Court”) entered an order granting final approval of the settlement in connection with the U.S. Consumer MDL Litigation, from which several objectors have appealed. Until the appeals are finally adjudicated or dismissed, we can provide no assurance that the U.S. Consumer MDL Litigation will be resolved as contemplated by the settlement agreement. If the Court’s order approving the settlement agreement were reversed by an appellate court, there is a risk that we would not be able to settle the U.S. Consumer MDL Litigation on acceptable terms or at all, which could have a material adverse effect on our financial condition. In addition to the monetary payments and consumer redress, we also agreed as part of the Consumer Settlement to implement certain business practice commitments related to consumer assistance and our information security program, including third party assessments of our program. These business practice commitments are extensive and will require a significant amount of attention from management. We can provide no assurance that we will be able to comply with these business practice commitments. To the extent we were unable to comply or we are viewed as not being in compliance with these business practice commitments or other requirements of a relevant order, we could face an enforcement action or contempt proceeding that could potentially result in fines, penalties and new business practice commitments, which, depending on the amount and type, could have a material adverse effect on our financial condition. In addition, other lawsuits and investigations related to the 2017 cybersecurity incident are still outstanding and additional lawsuits or investigations may be filed, commenced or issued. The resolution of these additional matters may result in damages, costs, fines or penalties, which, depending on the amount, could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods. The 2017 cybersecurity incident and the adverse publicity that followed have had a negative impact on our reputation and our relationships with our customers, and we cannot assure that it will not have a long-term effect on our relationships with our customers, our revenue and our business. Our reputation with consumers and other stakeholders and our customer relationships were damaged following the 2017 cybersecurity incident, resulting in a negative impact on our revenue. Despite our progress made toward repairing our reputation and business relationships, if we experience another cybersecurity incident or are otherwise unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business. If we fail to achieve and maintain key industry or technical certifications, our customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue. We are required by customers and business partners to obtain various industry or technical certifications, including from the International Organization for Standardization (“ISO”). ISO certifications specify requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system. Industry and technical certifications, such as the ISO certifications, are critical to our business because certain of our current and potential customers and the contracts governing certain customer relationships, as well as certain of our data suppliers, require us to maintain them as a requirement of doing business. As a result of the 2017 cybersecurity incident, we lost certain key certifications which adversely affected our business. We had to spend significant resources on remediation activities in order to obtain certain re-certifications. If we fail to achieve or maintain key industry or technical certifications as a result of another cybersecurity incident or for other reasons, customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue. The failure to realize the anticipated benefits of our technology transformation strategy could adversely impact our business and financial results. We expect our technology transformation strategy, including our transition to cloud-based technologies, will significantly increase our efficiency and productivity, the functionality of our products and services, as well as decrease the cost of our overall systems infrastructure, all of which we expect will drive growth and have a positive effect on our business, competitive position and results of operations. This initiative is a major undertaking as we replace many of our previous operating systems with cloud-based systems. This complex, multifaceted and extensive initiative will be expensive and may cause material unanticipated problems and expenses. If our new systems do not operate as expected, we may have to incur significant additional costs to modify them. Moreover, we may experience issues with customer migration, as many of our customers may not want to migrate or may choose not to utilize our products and services during and after our transition to cloud-based technologies. We cannot assure you that our technology transformation strategy will be beneficial to the extent, or within the timeframes, expected, or that the estimated efficiency, cost savings and other improvements will be realized as anticipated or at all. Market acceptance of cloud-based offerings is affected by a variety of factors, including information security, reliability, performance, the sufficiency of technological infrastructure to support our products and services in certain geographies, customer concerns with entrusting a third party to store and manage its data as well as the customer’s ability to access this data once a contract has expired, and consumer concerns regarding data privacy and the enactment of laws or regulations that restrict our ability to provide such services to customers. If we are unable to correctly respond to these issues, we may experience business disruptions, damage to our reputation, negative publicity, diminished customer trust and relationships and other adverse effects on our business. Even if the anticipated benefits and savings are substantially realized, there may be consequences, internal control issues or business impacts that were not expected. Our transition and migration to cloud-based technologies may increase our risk of liability and cause us to incur significant technical, legal or other costs. Our technology transformation strategy places a significant strain on our management, operational, financial and other limited resources. As part of our technology transformation strategy, we are transitioning and migrating our data systems from traditional data centers to cloud-based platforms. This initiative will place significant strain on our management, personnel, operations, systems, technical performance and financial resources and internal financial control and reporting function. In addition, many of our existing personnel do not have experience with native cloud-based technologies and, as a result, we have and will continue to hire personnel with such experience. This effort will be time consuming and costly. Our technology transformation strategy requires management time and resources to educate employees and implement new ways of conducting business. The dedication of resources to our technology transformation strategy and cloud-based technologies limits the resources we have available to devote to other initiatives or growth opportunities, or to invest in the maintenance of our existing internal systems. We cannot guarantee that our strategy is the right one or that investments in alternative technologies or other initiatives would not be a better use of our limited resources. Additionally, as a result of our cloud migration efforts in connection with our technology transformation strategy, we may experience a loss of continuity, loss of accumulated knowledge or loss of efficiency during transitional periods. Reorganization and transition can require a significant amount of management and other employees’ time and focus, which may divert attention from operating activities and growing our business. If we fail to achieve some or all of the expected benefits of these activities, it could have a material adverse effect on our competitive position, business, financial condition, results of operations and cash flows. Our transition to cloud-based technologies could expose us to operational disruptions. We rely on the efficient and uninterrupted operation of complex information technology systems and networks, some of which are managed internally within the Company and some of which are outsourced to third parties. As part of our technology transformation strategy, we are upgrading a significant portion of the information technology systems used to operate our business and replacing them with cloud-based solutions. This transition will require substantial changes to our software and network infrastructure, which could lead to system interruptions, affect our data systems and further expose us to operational disruptions, and cause us to lose customers, all of which could have a material adverse effect on our results of operations. Upon implementation of the new cloud-based solutions, much of our information technology systems will consist of outsourced, cloud-based infrastructure, platform and software-as-a-service solutions not under our direct management or control. Any disruption to either the outsourced systems or the communication links between us and the outsourced supplier could negatively affect our ability to operate our data systems and could impair our ability to provide services to our customers. We may incur additional costs to remedy the damages caused by these disruptions. If our systems do not meet customer requirements for response time or high availability, or we experience system constraints or failures, or our customers do not modify and/or upgrade their systems to accept new releases of our products and services, our services to our customers could be delayed or interrupted, which could result in lost revenues or customers, lower margins or other harm to our business and reputation. We depend on reliable, stable, efficient and uninterrupted operation of our technology network, systems, and data centers to provide service to our customers. Many of the services and systems upon which we rely have been outsourced to third parties. In addition, many of our revenue streams are dependent on links to third party telecommunications providers. These systems and operations, and the personnel that support, service and operate these systems, could be exposed to interruption, damage or destruction from power loss, telecommunication failures, computer viruses, denial-of-service or other cyber attacks, employee or insider malfeasance, human error, fire, natural disasters, war, terrorist acts or civil unrest. We may not have sufficient disaster recovery or redundant operations in place to cover a loss or failure of systems or telecommunications links in a timely manner. In addition, as part of our technology transformation, we continue to be intensely focused on enhancing our data security infrastructure and effecting our technology transformation strategy and implementation of those enhancements could result in service interruptions. Our customers expect high system availability and response time performance, as well as a very high degree of system resilience. Any significant system interruption or series of minor interruptions could result in the loss of customers and/or lost revenues, lower margins or other significant harm to our business or reputation. The loss of access to credit, employment, financial and other data from external sources could harm our ability to provide our products and services. We rely extensively upon data from external sources to maintain our proprietary and non-proprietary databases, including data received from customers, strategic partners and various government and public record sources. This data includes the widespread and voluntary contribution of credit data from most lenders in the U.S and many other markets as well as the contribution of data under proprietary contractual agreements, such as employers’ contribution of employment and income data to The Work Number®, financial institutions’ contribution of individual financial data to IXI, and telecommunications, cable and utility companies’ contribution of payment and fraud data to the National Cable, Telecommunications and Utility Exchange. For a variety of reasons, including concerns of data furnishers arising out of the 2017 cybersecurity incident, legislatively or judicially imposed restrictions on use, additional security breaches or competitive reasons, our data sources could withdraw, delay receipt of or increase the cost of their data provided to us. Where we currently have exclusive use of data, the providers of the data sources could elect to make the information available to competitors. We also compete with several of our third-party data suppliers. If a substantial number of data sources or certain key data sources were to withdraw or be unable to provide their data, if we were to lose access to data due to government regulation, if we lose exclusive right to the use of data, or if the collection, disclosure or use of data becomes uneconomical, our ability to provide products and services to our clients could be adversely affected, which could result in decreased revenue, net income and earnings per share and reputational loss. There can be no assurance that we would be able to obtain data from alternative sources if our current sources become unavailable. Effective September 2018, federal law allows consumers to place freezes on their credit files at all credit bureaus including Equifax. If a significant number of consumers lock or freeze their file, our population of data is reduced which could affect our product offerings and value to our customers in our other businesses. Negative changes in general economic conditions, including interest rates, unemployment rates, income, home prices, investment values and consumer confidence, could adversely affect us. Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions, including the demand and availability of affordable credit and capital, the level and volatility of interest rates, inflation, employment levels, consumer confidence and housing demand, both inside and outside the U.S. Business customers use our credit information and related analytical services and data to process applications for new credit cards, automobile loans, home and equity loans and other consumer loans, and to manage their existing credit relationships. Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity, which can be impacted by changes in interest rates. Bank and other lenders’ willingness to extend credit are adversely affected by elevated consumer delinquency and loan losses in a weak economy. Consumer demand for credit (i.e., rates of spending and levels of indebtedness) also tends to grow more slowly or decline during periods of economic contraction or slow economic growth. Our customer base suffers when financial markets experience volatility, illiquidity and disruption and the potential for increased and continuing disruptions going forward presents considerable risks to our business and revenue. High or rising rates of unemployment and interest, declines in income, home prices or investment values, lower consumer confidence and reduced access to credit adversely affect demand for many of our products and services, and consequently our revenue and results of operations, as consumers may postpone or reduce their spending and use of credit, and lenders may reduce the amount of credit offered or available. Our markets are highly competitive and new product introductions and pricing strategies being offered by our competitors could decrease our sales and market share or require us to enhance our products and services or reduce our prices in a manner that reduces our operating margins. We operate in a number of geographic, product and service markets that are highly competitive. Competitors may develop products and services that are superior to or that achieve greater market acceptance than our products and services. The size of our competitors varies across market segments, as do the resources we have allocated to the segments we target. Therefore, some of our competitors may have significantly greater financial, technical, marketing or other resources than we do in one or more of our market segments, or overall. As a result, our competitors may be in a position to respond more quickly than we can to new or emerging technologies and changes in customer requirements, or may devote greater resources than we can to the development, enhancement, promotion, sale and support of products and services, or some of our customers may develop products of their own that replace the products they currently purchase from us, which would result in lower revenue. In addition, many of our competitors have extensive consumer relationships, including relationships with our current and potential customers. Moreover, new competitors or alliances among our competitors may emerge and potentially reduce our market share, revenue or margins. We also sell our information to competing firms, and buy information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U.S. mortgage market. Changes in prices between competitors for this information and/or changes in the design or sale of tri-bureau versus single or dual bureau product offerings may affect our revenue or profitability. Some of our competitors may choose to sell products that compete with ours at lower prices by accepting lower margins and profitability, or may be able to sell products competitive to ours at lower prices, individually or as a part of integrated suites, given proprietary ownership of data, technological superiority or economies of scale. Price reductions by our competitors could negatively impact our margins and results of operations and could also harm our ability to obtain new customers on favorable terms. Historically, certain of our key products have experienced declines in per unit pricing due to competitive factors and customer demand. Since a significant portion of our operating expenses is relatively fixed in nature due to sales, information technology and development and other costs, if we were unable to respond quickly enough to changes in competition or customer demand, we could experience further reductions in our operating margins. Our relationships with key long-term customers may be materially diminished or terminated. We have long-standing relationships with a number of our customers, many of whom could unilaterally terminate their relationship with us or materially reduce the amount of business they conduct with us at any time. Many of our material customer agreements can be terminated by the customer for convenience on advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors. We also provide our services to business partners who may combine them with their own or other branded services to be offered as a bundle to consumers, governmental agencies and businesses in support of fraud or credit protection, credit monitoring, identity authentication, insurance or credit underwriting, and collections. Some of these partners are the largest providers of credit information or identity protection services to the consumer market. Market competition, business requirements, financial condition and consolidation through mergers or acquisitions, could adversely affect our ability to continue or expand our relationships with our customers and business partners. There is no guarantee that we will be able to retain or renew existing agreements, maintain relationships with any of our customers or business partners on acceptable terms or at all, or collect amounts owed to us from insolvent customers or business partners. The loss of one or more of our major customers or business partners could adversely affect our business, financial condition and results of operations. If we do not introduce successful new products, services and analytical capabilities in a timely manner, or if the market does not adopt our new services, our competitiveness and operating results will suffer. We generally sell our products in industries that are characterized by rapid technological changes, frequent new product and service introductions and changing industry standards. In addition, certain of the markets in which we operate are seasonal and cyclical. Without the timely introduction of new products, services and enhancements, our products and services will become technologically or commercially obsolete over time, in which case our revenue and operating results would suffer. The success of our new products and services will depend on several factors, including our ability to properly identify customer needs; innovate and develop new technologies, services and applications; successfully commercialize new technologies in a timely manner; produce and deliver our products in sufficient volumes on time; differentiate our offerings from competitor offerings; price our products competitively; anticipate our competitors’ development of new products, services or technological innovations; and control product quality in our product development process. Our resources have to be committed to any new products and services before knowing whether the market will adopt the new offerings. In addition, our management is and will continue to be intensely focused on enhancing our security measures and our technology transformation and may not be able to devote as much time or resources to new product development, which could cause us to be less competitive as compared to our peers, lose out on new revenue opportunities and have an adverse effect on our growth and our business. The demand for some of our products and services may be negatively impacted to the extent the availability of free or less expensive consumer information increases. Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, particularly through the internet, and this trend is expected to continue. In addition, governmental agencies in particular have increased the amount of information to which they provide free public access and these or other sources of free or relatively inexpensive consumer information from competitors or other commercial sources may reduce demand for our services, particularly in our USIS and Global Consumer Solutions business units. Recently, there also has been an increase in companies offering free or low-cost direct-to-consumer credit services (such as credit scores, reports and monitoring) as part of alternative business models that use such services as a means to introduce consumers to other products and services. To the extent that our customers choose not to obtain services from us and instead rely on information obtained at no cost or relatively inexpensively from these other sources, our business, financial condition and results of operations may be adversely affected. We and our customers are subject to various current laws and governmental regulations, and could be affected by new and evolving consumer privacy and cybersecurity or other data-related laws or regulations, compliance with which may cause us to incur significant expenses and change our business practices, and if we fail to maintain satisfactory compliance with certain laws and regulations, we could be subject to civil or criminal penalties. We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy, cybersecurity, data and financial protection. See “Item 1. Business-Governmental Regulation” in this Form 10-K for a summary of the U.S. and foreign consumer and data protection laws and regulations to which we are subject. These regulations are complex, change frequently, have tended to become more stringent over time, and are subject to administrative interpretation and judicial construction in ways that could harm our business. Examples of such new and evolving laws and regulations include recent amendments to the FCRA requiring the provision of free credit freezes to consumers, cybersecurity and other requirements promulgated by the New York Department of Financial Services, the taking effect of the CCPA on January 1, 2020, and California data broker registration requirements that took effect on January 31, 2020. Furthermore, we expect there to be an increased focus on laws and regulations related to our business because of the great public concern in the U.S. with regard to the operation of credit reporting agencies, as well as the collection, use, accuracy, correction and sharing of personal information, which was in part heightened by the 2017 cybersecurity incident. We also use algorithms, artificial intelligence and machine learning in our business processes. There are a number of legislative proposals pending before the U.S. Congress, various state legislative bodies and foreign governments concerning privacy or cybersecurity that could affect us. For example, already in 2020 several states have introduced varying comprehensive privacy laws modeled to some degree on the CCPA and/or the GDPR. Compliance with multiple state laws containing varying requirements could be complicated and costly. While in the EU the GDPR already includes certain provisions relating to the automated processing of personal data, there has also been discussion in the EU of new legislative proposals to regulate business use of artificial intelligence and machine learning technologies that if enacted could impose new legal requirements addressing among other issues, privacy, discrimination and human rights. As of now, the specifics of such legislation are unclear. However, legislation in this area could also be introduced in other countries. In addition, a growing number of legislative and regulatory bodies have adopted consumer notification and other requirements in the event that consumer information is accessed or acquired by unauthorized persons and additional regulations regarding the use, access, accuracy and security of such data are possible. In the U.S., state laws provide for disparate notification regimes, all of which we are subject to. Further, any perception that our practices or products are an invasion of privacy, whether or not consistent with current or future regulations and industry practices, may subject us to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability. We devote substantial compliance, legal and operational business resources to strive for compliance with applicable regulations and requirements. In the future, we may be subject to significant additional expense related to compliance with applicable laws and regulations, including new laws and evolving interpretations that are difficult to predict, and to investigate, defend or remedy actual or alleged violations. Additionally, we cooperate with CFPB supervisory examinations and respond to other state, federal and foreign government examinations into or inquiries of our business practices. The enactment of new laws and how they are interpreted could impact our business. In particular, legislative activity in the privacy area may result in new laws that are applicable to us and that may hinder our business, for example, by restricting use or sharing of consumer data, including for marketing or advertising or limiting the use of, or otherwise regulating artificial intelligence and machine learning, including the use of algorithms and automated processing in ways that could materially affect our business, or which may lead to significant increases in the cost of compliance. Any failure by us to comply with, or remedy any violations of, applicable laws and regulations, could result in new costs for our operations, the curtailment of certain of our operations, the imposition of fines and penalties, liability to private plaintiffs as a result of individual or class action litigation, restrictions on the operation of our business and reputational harm. It is difficult to predict the impact on our business if we were subject to allegations of having violated existing laws. For example, in Europe, the GDPR, which includes extensive regulations for certain security incidents, could result in fines of up to four percent of annual worldwide “turnover” (a measure similar to revenues in the U.S.). In addition, because many of our products are regulated or sold to customers in various industries, we must comply with additional regulations in marketing our products. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on customers’ adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. We cannot predict the ultimate impact on our business of new or proposed rules, supervisory examinations or government investigations or enforcement actions. The following legal and regulatory developments also could have a substantial negative impact on our business, financial condition or results of operations: •amendment, enactment or interpretation of laws and regulations that restrict the access and use of personal information and reduce the availability or effectiveness of our solutions or the supply of data available to customers; •changes in cultural and consumer attitudes in favor of further restrictions on information collection and sharing, which may lead to regulations that prevent full utilization of our solutions; •failure of data suppliers or customers to comply with laws or regulations, where mutual compliance is required; •failure of our solutions to comply with current laws and regulations; and •failure of our solutions to adapt to changes in the regulatory environment in an efficient, cost effective manner. These laws and regulations (as well as actions that may be taken by legislatures and regulatory bodies in other countries) and the consequences of any violation could limit our ability to pursue business opportunities we might otherwise consider engaging in, impose additional costs on us, result in significant loss of revenue, result in significant restitution and fines, impact the value of assets we hold, or otherwise adversely affect our business. See “Item 1. Business-Governmental Regulation” and “Item 3. Legal Proceedings” in this Form 10-K. Regulatory oversight of our contractual relationships with certain of our customers may adversely affect our business. The federal banking agencies, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the CFPB, as well as many state banking agencies have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider’s business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain “critical activities.” In light of this guidance, our existing or potential bank and financial services customers subject to this guidance may continue to revise their third-party risk management policies and processes and the terms on which they do business with us, which may adversely affect our relationship with such customers. In 2018, we entered into a consent order with certain state banking regulators in response to their multi-state review of our information security program. This consent order obligates us to, among other things, make certain changes to our corporate governance and information security practices. If we are unable or otherwise fail to comply with this consent order, our ability to do business with financial institutions in those states could be impaired. It is possible that the consent order or other actions resulting from examinations by federal or state banking regulators could lead to adverse changes in our customer relationships. Economic, political and other risks associated with international sales and operations could adversely affect our results of operations. Sales outside the U.S. comprised 27% of our total revenue in 2019. As a result, our business is subject to various risks associated with doing business internationally. In addition, many of our employees, suppliers, job functions and facilities are located outside the U.S. Accordingly, our future results could be harmed by a variety of factors including: •changes in specific country or region political, economic or other conditions; •trade protection measures; •data privacy and consumer protection laws and regulations; •difficulty in staffing and managing widespread operations; •differing labor, intellectual property protection and technology standards and regulations; •business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions; •difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner; •implementation of exchange controls; •geopolitical instability, including terrorism and war; •foreign currency changes; •increased travel, infrastructure, legal and compliance costs of multiple international locations; •foreign laws and regulatory requirements; •terrorist activity, natural disasters, pandemics and other catastrophic events; •restrictions on the import and export of technologies; •difficulties in enforcing contracts and collecting accounts receivable; •longer payment cycles; •failure to meet quality standards for outsourced work; •unfavorable tax rules; •the presence and acceptance of varying level of business corruption in international markets; and •varying business practices in foreign countries. We earn revenue, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar, including among others the British pound, the Australian dollar, the Canadian dollar, the Argentine peso, the Chilean peso, the Euro, the New Zealand dollar, the Costa Rican colon, the Singapore dollar, the Brazilian real, the Russian ruble and the Indian rupee. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenue, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, increases or decreases in the value of the U.S. dollar against major currencies will affect our operating revenues, operating income and the value of balance sheet items denominated in foreign currencies. We generally do not mitigate the risks associated with fluctuating exchange rates, although we may from time to time through forward contracts or other derivative instruments hedge a portion of our translational foreign currency exposure or exchange rate risks associated with material transactions which are denominated in a foreign currency. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Accordingly, fluctuations in foreign currency exchange rates, particularly the strengthening of the U.S. dollar against major currencies, may materially affect our consolidated financial results. Compliance with applicable U.S. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, labor laws and anti-competition relations increases the cost of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors or agents could nevertheless occur. We are regularly involved in claims, suits, government investigations, supervisory examinations and other proceedings that may result in adverse outcomes. In addition to matters related to the 2017 cybersecurity incident, we are regularly involved in claims, suits, government investigations, supervisory examinations and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits. Such claims, suits, government investigations and proceedings are inherently uncertain and their results cannot be predicted with certainty. Regardless of their outcome, such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties or sanctions, as well as judgments, consent decrees or orders preventing us from offering certain features, functionalities, products or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results, and financial condition. The FCRA contains an attorney fee shifting provision to provide an incentive for consumers to bring individual and class action lawsuits against a CRA for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of the FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years. We rely, in part, on acquisitions, joint ventures and other alliances to grow our business and expand our geographic reach. The acquisition, integration or divestiture of businesses by us may not produce the expected financial, operating results or IT and data security profile we expect. In addition, if we are unable to make acquisitions or successfully develop and maintain joint ventures and other alliances, our growth may be adversely impacted. Historically, we have relied, in part, on acquisitions, joint ventures and other alliances to grow our business. Any acquisitions we do complete may not be on favorable terms, and the expected benefits, synergies and growth from these initiatives may not materialize as planned. We may have difficulty assimilating new businesses and their products, services, technologies, IT systems and personnel into our operations. IT and data security profiles of acquired companies may not meet our technological standards and may take longer to integrate and remediate than planned. This may result in significantly greater transaction, remediation and integration costs for future acquisitions than we have experienced historically, or it could mean that we will not pursue certain acquisitions where the costs of integration and remediation are too significant. We may also have difficulty integrating and operating businesses in countries and geographies where we do not currently have a significant presence, and acquisitions of businesses having a significant presence outside of the U.S. will increase our exposure to risks of conducting operations in international markets. These difficulties could disrupt our ongoing business, distract our management and workforce, increase our expenses and adversely affect our operating results and financial condition. Despite our past experience, opportunities to grow our business through acquisitions, joint ventures and other alliances may not be available to us in the future. In addition, our focus on data security and our technology transformation strategy, including our migration to cloud-based technologies may limit our ability to identify and complete acquisitions as we will have less time and resources to devote to identifying suitable acquisition candidates and our technological criteria and standards for acquisition candidates may increase. Dependence on outsourcing certain portions of our operations may adversely affect our ability to bring products to market and damage our reputation. Dependence on outsourced information technology and other administrative functions may impair our ability to operate effectively. As part of our technology transformation, we have outsourced various components of our application development, information technology, operational support and administrative functions and will continue to evaluate additional outsourcing. If our outsourcing vendors fail to perform their obligations in a timely manner or at satisfactory quality levels including with respect to data and system security, or increase prices for their services to unreasonable levels, our ability to bring products to market and support our customers and our reputation could suffer. Any failure to perform on the part of these third-party providers could impair our ability to operate effectively and could result in lower future revenue, unrealized efficiencies and adversely impact our results of operations and our financial condition. Some of our outsourcing takes place in developing countries and, as a result, may be subject to geopolitical uncertainty. Changes in income tax laws can significantly impact our net income. Federal and state governments in the U.S. as well as a number of other governments around the world are currently facing significant fiscal pressures and have considered or may consider changes to their tax laws for revenue raising or economic competitiveness reasons. Changes to tax laws can have immediate impacts, either favorable or unfavorable, on our results of operations and cash flows, and may impact our competitive position versus certain competitors who are domiciled in other jurisdictions and subject to different tax laws. In December 2017, the U.S. enacted the Tax Cuts and Jobs Act of 2017 (the “Tax Act”) which significantly impacted our U.S. and global tax expense and net income and our earnings per share in 2018 and 2019. The IRS issued clarification notices and the U.S. Treasury issued Proposed Regulation which also provided clarity to the Tax Act. However, the IRS could issue additional clarification and additional changes could be made to the final issuance of the Regulations. If our government contracts are terminated, if we are suspended from government work, or if our ability to compete for new contracts is adversely affected, our business could suffer. We derive a portion of our revenue from direct and indirect sales to U.S., state and local governments and their respective agencies. Such contracts are subject to various procurement laws and regulations, and contract provisions relating to their formation, administration and performance. Failure to comply with these laws, regulations or provisions in our government contracts could result in the imposition of various civil and criminal penalties, termination of contracts, forfeiture of profits, suspension of payments or suspension of future government contracting. Following the 2017 cybersecurity incident, our government contracts received enhanced scrutiny and negative media attention that resulted in the suspension of one of our contracts. If we experience another material cybersecurity incident, our ability to maintain our existing and acquire new government contracts may be substantially impacted. Also, the government programs to which we provide services, or which are the bases of compliance services we provide non-governmental clients, including, in particular, the employer requirements under the Affordable Care Act, may be terminated or substantially altered by the government and our services would no longer be needed. If our government contracts are terminated, if we are suspended from government work, if the services we provide are no longer needed due to government program change or termination, or if our ability to compete for new contracts is adversely affected, our business could suffer. Third parties may claim that we are infringing on their intellectual property and we could suffer significant litigation or licensing expenses or be prevented from selling products or services. There has been substantial litigation in the U.S. regarding intellectual property rights in the information technology industry. From time to time, third parties claim that one or more of our products or services infringe their intellectual property rights. We analyze and take action in response to each such claim on a case by case basis. A dispute or litigation regarding patents or other intellectual property can be costly and time-consuming due to the complexity of our technology and the inherent uncertainty of intellectual property litigation, could divert our management and key personnel from our business operations, and we may not prevail. A claim of intellectual property infringement could force us to enter into a costly or restrictive license agreement, which might not be available under acceptable terms or at all, or could subject us to significant damages or to an injunction against development and sale of certain of our products or services. Our intellectual property portfolio may not be useful in asserting a counterclaim, or negotiating a license, in response to a claim of intellectual property infringement. In certain of our businesses we rely on third-party intellectual property licenses and we cannot ensure that these licenses will be available to us in the future on favorable terms or at all. Although our policy is to obtain licenses or other rights where necessary, we cannot provide assurance that we have obtained all required licenses or rights. Third parties may misappropriate or infringe on our intellectual property and we may suffer competitive injury or expend significant resources enforcing our rights. Our success increasingly depends on our proprietary technology. We rely on various intellectual property rights, including patents, copyrights, database rights, trademarks and trade secrets, as well as contract restrictions, confidentiality provisions and licensing arrangements, to establish our proprietary rights. The extent to which such rights can be protected varies in different jurisdictions. If we do not enforce our intellectual property rights successfully, our competitive position may suffer which could harm our operating results. Our pending patent and trademark applications may not be allowed or competitors may challenge the validity or scope of our intellectual property rights. In addition, our patents, copyrights, trademarks and other intellectual property rights may not provide us a significant competitive advantage. We may need to devote significant resources, including cybersecurity resources, to monitoring our intellectual property rights and we may or may not be able to detect misappropriation or infringement by third parties. Our competitive position may be harmed if we cannot detect misappropriation or infringement and enforce our intellectual property rights quickly or at all. In some circumstances, enforcement may not be available to us because a third party has a dominant intellectual property position or for other business reasons. In addition, competitors might avoid infringement by designing around our intellectual property rights or by developing non-infringing competing technologies. Intellectual property rights and our ability to enforce them may be unavailable or limited in some countries, which could make it easier for competitors to capture market share and could result in lost revenue. The U.K.’s departure from the EU could adversely affect us. We are subject to risks and uncertainties associated with the U.K.’s withdrawal from the EU (referred to as “Brexit”), including implications for the free flow of labor and goods in the U.K. and the EU and other financial, legal, tax and trade implications. Brexit could cause disruptions to and create uncertainty surrounding our business in the U.K., including affecting our relationships with our existing and future customers, suppliers and employees, which could have an adverse effect on our business, financial results and operations. In addition, developments regarding Brexit may also create global economic uncertainty, which may cause our customers, particularly those who do business in the U.K., to closely monitor their costs and reduce their spending on our solutions and services. We may not be able to borrow under our revolving credit facility and Receivables Facility. We are party to a $225.0 million receivables funding facility (the “Receivables Facility”) as well as the $1.10 billion unsecured revolving credit facility (the “Revolver”). Our Revolver and Receivables Facility have representations, covenants, financial covenants and events of default which may limit our ability to borrow under such debt obligations. Any breach of a representation or failure to comply with any covenant or financial covenant or the occurrence of any event of default under the Revolver or the Receivables Facility could result in a prohibition of further borrowings under the Revolver and Receivables Facility or acceleration of any obligations outstanding thereunder. Any event of default under the Revolver or Receivables Facility could result in a cross default under our other outstanding debt obligations. Changes in interest rates could adversely affect our cost of capital and net income. Rising interest rates, credit market dislocations and decisions and actions by credit rating agencies can affect the availability and cost of our funding and adversely affect our net income. Our business will suffer if we are not able to retain and hire key personnel. Our future success, including our ability to implement our technology transformation strategy, depends partly on the continued service of our key development, sales, marketing, executive and administrative personnel. Additionally, increased retention risk exists in certain key areas of our operations, such as IT and data security, which require specialized skills, such as maintenance of certain legacy computer systems, data security experts and analytical modelers. If we fail to retain and hire a sufficient number of these personnel, we will not be able to maintain or expand our business. As part of our technology transformation strategy, we have hired a significant number of new employees and contract workers. Hiring, training, motivating, retaining and managing employees with the skills required is time-consuming and expensive. There is intense competition for certain highly technical specialties in geographic areas where we continue to recruit, and it may become more difficult to retain our key employees. If we are not able to hire sufficient employees to support our technology transformation, or to train, motivate, retain and manage the employees we do hire, it could have a material adverse effect on our business operations or financial results. Our retirement and post-retirement pension plans are subject to financial market risks that could adversely affect our future results of operations and cash flows. We have significant retirement and post-retirement pension plan assets and obligations. The performance of the financial markets and interest rates impact our plan expenses and funding obligations. Significant decreases in interest rates, decreases in the fair value of plan assets and investment losses on plan assets will increase our funding obligations, and adversely impact our results of operations and cash flows. We are subject to other risks and uncertainties inherent in doing business in our industry. In addition to the specific factors discussed above, we are subject to risks that are inherent to doing business as a global data, analytics and technology company. These include growth rates, general economic and political conditions, customer satisfaction with the quality of our products and services, technological changes, rising costs of employment, costs of obtaining insurance, changes in unemployment rates, and other events that can impact revenue and the cost of doing business in our industry. ITEM 1B.
Current §1A text (2020)
Show full section (9275 words)
ITEM 1A. RISK FACTORS All of the risks and uncertainties described below and the other information included in this Form 10-K should be considered and read carefully. The risks described below are not the only ones facing us. The occurrence of any of the following risks or additional risks and uncertainties not presently known to us or that we currently believe to be immaterial could materially and adversely affect our business, financial condition or results of operations. This Form 10-K also contains forward-looking statements and estimates that involve risks and uncertainties. Our actual results could differ materially from those anticipated in the forward-looking statements as a result of specific factors, including the risks and uncertainties described below. Technology and Data Security Risks Security breaches and other disruptions to our information technology infrastructure could compromise Company, consumer and customer information, interfere with our operations, cause us to incur significant costs for remediation and enhancement of our IT systems and expose us to legal liability, all of which could have a substantial negative impact on our business and reputation. We are a global data, analytics and technology company. In the ordinary course of business, we collect, process, transmit and store sensitive data, including intellectual property, proprietary business information and personally identifiable information of consumers, employees and strategic partners. The secure operation of our information technology networks and systems, and of the processing and maintenance of this information, is critical to our business operations and strategy. Because our products and services involve the storage and transmission of personal information of consumers, we will routinely be the target of attempted cyber and other security threats by outside third parties, including technically sophisticated and well-resourced bad actors attempting to access or steal the data we store. Insider or employee cyber and security threats are also a significant concern for all companies, including ours. Despite our substantial investment in physical and technological security measures, employee training and contractual precautions, our information technology networks and infrastructure (or those of our third-party vendors and other service providers) are potentially vulnerable to unauthorized access to data or breaches of confidential information due to criminal conduct, attacks by hackers, employee or insider malfeasance and/or human error. The techniques used to obtain unauthorized access, disable or degrade service or sabotage systems are constantly evolving and often are not recognized until launched against a target, or even some time after. We may be unable to anticipate these techniques, implement adequate preventative measures or remediate any intrusion on a timely or effective basis even if our security measures are appropriate, reasonable, and/or comply with applicable legal requirements. Certain efforts may be state-sponsored and supported by significant financial and technological resources, making them even more sophisticated and difficult to detect. Further, we are in the process of transforming our applications and infrastructure technologies, and this transition to cloud-based technologies may expose us to additional cyber threats as we migrate our data from our legacy systems to cloud-based solutions hosted by third parties. Although we have developed systems and processes that are designed to protect our data and customer data and to prevent data loss and other security breaches, and expect to continue to expend significant additional resources to bolster these protections, these security measures cannot provide absolute security. In 2017, we experienced a cybersecurity incident following a criminal attack on our systems that involved the theft of personally identifiable information of U.S., Canadian and U.K. consumers. If we experience additional breaches of our security measures, including from incidents that we fail to detect for a period of time, sensitive data may be accessed, stolen, disclosed or lost. Any such access, disclosure or other loss of information could subject us to significant litigation, regulatory fines or penalties, any of which could have a material adverse effect on our cash flows, competitive position, financial condition or results of operations. We cannot ensure that our insurance policies in the future will be adequate to cover losses from any future security breaches. For example, our $125.0 million cybersecurity insurance policy was not adequate to cover the losses we have incurred to date from the 2017 cybersecurity incident. Security breaches and the adverse publicity that may follow could also have a negative impact on our reputation and our relationship with our customers. For example, our reputation with consumers and other stakeholders and our customer relationships were damaged following the 2017 cybersecurity incident, resulting in a negative impact on our revenue. If we experience another material cybersecurity incident or are otherwise unable to demonstrate the security of our systems and the data we maintain and retain the trust of our customers, consumers and data suppliers, we could experience a substantial negative impact on our business. If we fail to achieve and maintain key industry or technical certifications, our customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue. We are required by customers and business partners to obtain various industry or technical certifications. Such certifications are critical to our business because certain of our current and potential customers and the contracts governing certain customer relationships, as well as certain of our data suppliers, require us to maintain them as a requirement of doing business. For example, as a result of the 2017 cybersecurity incident, we lost certain key certifications which caused certain customers and business partners to stop or pause doing business with us and temporarily limited our ability to win new business. We had to spend significant resources on remediation activities in order to obtain these key re-certifications. If we fail to achieve or maintain key industry or technical certifications as a result of another cybersecurity incident or for other reasons, customers and business partners may stop doing business with us and we may not be able to win new business, which would negatively affect our revenue. Strategy and Market Demand Risks Our business has been and will continue to be negatively impacted by the recent COVID-19 outbreak. We face various risks related to health epidemics, pandemics and similar outbreaks, including the global outbreak of COVID-19 in 2020. The COVID-19 pandemic and the mitigation efforts by governments to attempt to control its spread have adversely impacted the global economy, leading to reduced consumer spending and lending activities and disruptions and volatility in the global capital markets. Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions. We experienced significant revenue declines in several of our markets as a result of COVID-19. We expect that the negative impacts of the COVID-19 pandemic on our operating revenue will continue until health and economic conditions improve. We continue to work with our stakeholders (including customers, employees, consumers, suppliers, business partners and local communities) to responsibly address this global pandemic. We will continue to monitor the situation and assess possible implications to our business and our stakeholders and will take appropriate actions in an effort to mitigate adverse consequences. We cannot assure you that we will be successful in any such mitigation efforts. The extent to which the coronavirus will continue to negatively impact our operations will depend on future developments which are highly uncertain and cannot be predicted with confidence, including the duration of the outbreak, new information which may emerge concerning the severity of the COVID-19 pandemic, outbreaks occurring at any of our facilities, the actions taken to control the spread of COVID-19 or treat its impact, and changes in worldwide and U.S. economic conditions. Further deteriorations in economic conditions, as a result of the COVID-19 pandemic or otherwise, could lead to a further or prolonged decline in demand for our products and services and negatively impact our business. It may also impact financial markets and corporate credit markets which could adversely impact our access to financing or the terms of any such financing. We cannot at this time predict the extent of the impact of the COVID-19 pandemic and its resulting economic impact, but it could have a material adverse effect on our business, financial position, results of operations and cash flows. To the extent the COVID-19 pandemic adversely affects our business and financial results, it may also have the effect of heightening many of the other risks described in this “Item 1A. Risk Factors” and elsewhere in this Annual Report on Form 10-K, such as our need to generate sufficient cash flows to service our indebtedness and our ability to protect our information technology networks and infrastructure from unauthorized access, misuse, malware, phishing and other events that could have a security impact as a result of our remote working environment or otherwise. The failure to realize the anticipated benefits of our technology transformation strategy could adversely impact our business and financial results. We expect our technology transformation strategy, including our transition to cloud-based technologies, will significantly increase our efficiency and productivity, the functionality of our products and services, as well as decrease the cost of our overall systems infrastructure, all of which we expect will drive growth and have a positive effect on our business, competitive position and results of operations. This initiative is a major undertaking as we replace many of our previous operating systems with cloud-based systems. This complex, multifaceted and extensive initiative is expensive and may cause material unanticipated problems and expenses. If our new systems do not operate as expected, or the data we transition to the cloud changes in a material way, we may have to incur significant additional costs to make modifications and could lose customers as a result. Moreover, we may experience issues with customer migration, as many of our customers may not migrate to cloud-based technologies on a timely basis or at all or may choose not to utilize our products and services during and after our transition to cloud-based technologies. We cannot assure you that our technology transformation strategy will be beneficial to the extent, or within the timeframes, expected, or that the estimated efficiency, cost savings and other improvements will be realized as anticipated or at all. Market acceptance of cloud-based offerings is affected by a variety of factors, including information security, reliability, performance, the sufficiency of technological infrastructure to support our products and services in certain geographies, customer and data provider concerns with entrusting a third party to store and manage its data as well as the customer’s ability to access this data once a contract has expired, and consumer concerns regarding data privacy and the enactment of laws or regulations that restrict our ability to provide such services to customers. If we are unable to correctly respond to these issues, we may experience business disruptions, damage to our reputation, negative publicity, diminished customer trust and relationships and other adverse effects on our business. Even if the anticipated benefits and savings are substantially realized, there may be consequences, internal control issues or business impacts that were not expected. Our transition and migration to cloud-based technologies may increase our risk of liability and cause us to incur significant technical, legal or other costs. The loss of access to credit, employment, financial and other data from external sources could harm our ability to provide our products and services. We rely extensively upon data from external sources to maintain our proprietary and non-proprietary databases, including data received from customers, strategic partners and various government and public record sources. This data includes the widespread and voluntary contribution of credit data from most lenders in the U.S and many other markets as well as the contribution of data under proprietary contractual agreements, such as employers’ contribution of employment and income data to The Work Number® and telecommunications, cable and utility companies’ contribution of payment and fraud data to the National Cable, Telecommunications and Utility Exchange. For a variety of reasons, including concerns of data furnishers arising out of the 2017 cybersecurity incident, legislatively or judicially imposed restrictions on use, additional security breaches or competitive reasons, our data sources could withdraw, delay receipt of or increase the cost of their data provided to us. Where we currently have exclusive use of data, the providers of the data sources could elect to make the information available to competitors. We also compete with several of our third-party data suppliers. If a substantial number of data sources or certain key data sources were to withdraw or be unable to provide their data, if we were to lose access to data due to government regulation, if we lose exclusive right to the use of data, or if the collection, disclosure or use of data becomes uneconomical, our ability to provide products and services to our clients could be adversely affected, which could result in decreased revenue, net income and earnings per share and reputational loss. There can be no assurance that we would be able to obtain data from alternative sources if our current sources become unavailable. Negative changes in general economic conditions, including interest rates, unemployment rates, income, home prices, investment values and consumer confidence, could adversely affect us. Our customers, and therefore our business and revenues, are sensitive to negative changes in general economic conditions, including the demand and availability of affordable credit and capital, the level and volatility of interest rates, inflation, employment levels, consumer confidence and housing demand, both inside and outside the United States. Business customers use our credit information and related analytical services and data to process applications for new credit cards, automobile loans, home and equity loans and other consumer loans, and to manage their existing credit relationships. Demand for our services tends to be correlated to general levels of economic activity and to consumer credit activity, which can be impacted by changes in interest rates. Banks’ and other lenders’ willingness to extend credit are adversely affected by elevated consumer delinquency and loan losses in a weak economy. Consumer demand for credit (i.e., rates of spending and levels of indebtedness) also tends to grow more slowly or decline during periods of economic contraction or slow economic growth. Our customer base suffers when financial markets experience volatility, illiquidity and disruption and the potential for increased and continuing disruptions going forward presents considerable risks to our business and revenue. High or rising rates of unemployment and interest, declines in income, home prices or investment values, lower consumer confidence and reduced access to credit adversely affect demand for many of our products and services, and consequently our revenue and results of operations, as consumers may postpone or reduce their spending and use of credit, and lenders may reduce the amount of credit offered or available. Our markets are highly competitive and new product introductions and pricing strategies being offered by our competitors could decrease our sales and market share or require us to enhance our products and services or reduce our prices in a manner that reduces our revenue and operating margins. We operate in a number of geographic, product and service markets that are highly competitive. Competitors may develop products and services that are superior to or that achieve greater market acceptance than our products and services. New competitors may choose to enter and compete in our markets, or existing competitors may choose to introduce new products and enter markets that we serve and that they do not currently serve. The size of our competitors varies across market segments, as do the resources we have allocated to the segments we target. Therefore, some of our competitors may have significantly greater financial, technical, marketing or other resources than we do in one or more of our market segments, or overall. As a result, our competitors may be in a position to respond more quickly than we can to new or emerging technologies and changes in customer requirements, or may devote greater resources than we can to the development, enhancement, promotion, sale and support of products and services, or some of our customers may develop products of their own that replace the products they currently purchase from us, which would result in lower revenue. In addition, many of our competitors have extensive consumer relationships, including relationships with our current and potential customers. Moreover, new competitors or alliances among our competitors may emerge and potentially reduce our market share, revenue or margins. We also sell our information to competing firms, and buy information from certain of our competitors, in order to sell “tri-bureau” and other products, most notably into the U.S. mortgage market. Changes in prices between competitors for this information and/or changes in the design or sale of tri-bureau versus single or dual bureau product offerings may affect our revenue or profitability. Some of our competitors may choose to sell products that compete with ours at lower prices by accepting lower margins and profitability, or may be able to sell products competitive to ours at lower prices, individually or as a part of integrated suites, given proprietary ownership of data, technological superiority or economies of scale. Price reductions by our competitors could negatively impact our revenue and operating margins and results of operations and could also harm our ability to obtain new customers on favorable terms. Historically, certain of our key products have experienced declines in per unit pricing due to competitive factors and customer demand. Since a significant portion of our operating expenses is relatively fixed in nature due to sales, information technology and development and other costs, if we were unable to respond quickly enough to changes in competition or customer demand, we could experience further reductions in our operating margins. If our relationships with key customers are materially diminished or terminated, our business could suffer. We have long-standing relationships with a number of our customers, many of whom could unilaterally terminate their relationship with us or materially reduce the amount of business they conduct with us at any time. Many of our material customer agreements can be terminated by the customer for convenience on advance written notice, which provides our customers with the opportunity to renegotiate their contracts with us or to award more business to our competitors. There is no guarantee that we will be able to retain or renew existing agreements, maintain relationships with any of our customers or business partners on acceptable terms or at all, or collect amounts owed to us from insolvent customers or business partners. The loss of one or more of our major customers or business partners could adversely affect our business, financial condition and results of operations. If we do not introduce successful new products, services and analytical capabilities in a timely manner, or if the market does not adopt our new services, our competitiveness and operating results will suffer. We generally sell our products in industries that are characterized by rapid technological changes, frequent new product and service introductions and changing industry standards. In addition, certain of the markets in which we operate are seasonal and cyclical. Without the timely introduction of new products, services and enhancements, our products and services will become technologically or commercially obsolete over time, in which case our revenue and operating results would suffer. The success of our new products and services will depend on several factors, including our ability to properly identify customer needs; innovate and develop new technologies, services and applications; successfully commercialize new technologies in a timely manner; produce and deliver our products in sufficient volumes on time; differentiate our offerings from competitor offerings; price our products competitively; anticipate our competitors’ development of new products, services or technological innovations; and control product quality in our product development process. Our resources have to be committed to any new products and services before knowing whether the market will adopt the new offerings. In addition, our management is and will continue to be intensely focused on enhancing our security measures and our technology transformation and may not be able to devote as much time or resources to new product development, which could cause us to be less competitive as compared to our peers, lose out on new revenue opportunities and have an adverse effect on our growth and our business. The demand for some of our products and services may be negatively impacted to the extent the availability of free or less expensive consumer information increases. Public or commercial sources of free or relatively inexpensive consumer credit, credit score and other information have become increasingly available, particularly through the internet, and this trend is expected to continue. In addition, governmental agencies in particular have increased the amount of information to which they provide free public access and these or other sources of free or relatively inexpensive consumer information from competitors or other commercial sources may reduce demand for our services, particularly in our USIS and Global Consumer Solutions business units. Recently, there also has been an increase in companies offering free or low-cost direct-to-consumer credit services (such as credit scores, reports and monitoring) as part of alternative business models that use such services as a means to introduce consumers to other products and services. To the extent that our customers choose not to obtain services from us and instead rely on information obtained at no cost or relatively inexpensively from these other sources, our business, financial condition and results of operations may be adversely affected. We rely, in part, on acquisitions, joint ventures and other alliances to grow our business and expand our geographic reach. The acquisition, integration or divestiture of businesses by us may not produce the expected financial, operating results or IT and data security profile we expect. In addition, if we are unable to make acquisitions or successfully develop and maintain joint ventures and other alliances, our growth may be adversely impacted. Historically, we have relied, in part, on acquisitions, joint ventures and other alliances to grow our business. Any acquisitions we do complete may not be on favorable terms, may involve greater-than-expected liabilities and expenses, potential impairments of tangible and intangible assets or significant write-offs and the expected benefits, synergies and growth from these initiatives may not materialize as planned. We may have difficulty assimilating new businesses and their products, services, technologies, IT systems and personnel into our operations. IT and data security profiles of acquired companies may not meet our technological standards and may take longer to integrate and remediate than planned. This may result in significantly greater transaction, remediation and integration costs for future acquisitions than we have experienced historically, or it could mean that we will not pursue certain acquisitions where the costs of integration and remediation are too significant. We may also have difficulty integrating and operating businesses in countries and geographies where we do not currently have a significant presence, and acquisitions of businesses having a significant presence outside of the U.S. will increase our exposure to risks of conducting operations in international markets. These difficulties could disrupt our ongoing business, distract our management and workforce, increase our expenses and adversely affect our operating results and financial condition. Despite our past experience, opportunities to grow our business through acquisitions, joint ventures and other alliances may not be available to us in the future. In addition, our focus on data security and our technology transformation strategy, including our migration to cloud-based technologies may limit our ability to identify and complete acquisitions as we will have less time and resources to devote to identifying suitable acquisition candidates and our technological criteria and standards for acquisition candidates may increase. If our government contracts are terminated, if we are suspended from government work, or if our ability to compete for new contracts is adversely affected, our business could suffer. We derive a portion of our revenue from direct and indirect sales to U.S., state and local governments and their respective agencies. Such contracts are subject to various procurement laws and regulations, and contract provisions relating to their formation, administration and performance. Failure to comply with these laws, regulations or provisions in our government contracts could result in the imposition of various civil and criminal penalties, termination of contracts, forfeiture of profits, suspension of payments or suspension of future government contracting. A number of our federal government contracts have received enhanced scrutiny and media attention due to the sensitive nature of the data we handle and due to the importance of the government programs we support. If we experience another material cybersecurity incident, if public scrutiny and pressure related to government services we support turns negative or if we experience uptime issues or performance problems, our ability to maintain existing or acquire new government contracts may be substantially impacted. Also, the government programs to which we provide services, or which are the bases of compliance services we provide non-governmental clients, including, in particular, the employer requirements under the Affordable Care Act, may be terminated or substantially altered by the government and our services would no longer be needed. If our government contracts are terminated, if we are suspended from government work, if the services we provide are no longer needed due to government program change or termination, or if our ability to compete for new contracts is adversely affected, our business could suffer. Operational Risks Our technology transformation strategy places a significant strain on our management, operational, financial and other limited resources. As part of our technology transformation strategy, we are transitioning and migrating our data systems from traditional data centers to cloud-based platforms. This initiative places significant strain on our management, personnel, operations, systems, technical performance and financial resources and internal financial control and reporting function. In addition, many of our existing personnel do not have experience with native cloud-based technologies and, as a result, we have and will continue to hire personnel with such experience. This effort has been, and will continue to be, time consuming and costly. Our technology transformation strategy requires management time and resources to educate employees and implement new ways of conducting business. The dedication of resources to our technology transformation strategy and cloud-based technologies limits the resources we have available to devote to other initiatives or growth opportunities, or to invest in the maintenance of our existing internal systems. We cannot guarantee that our strategy is the right one or that investments in alternative technologies or other initiatives would not be a better use of our limited resources. Additionally, as a result of our cloud migration efforts in connection with our technology transformation strategy, we may experience a loss of continuity, loss of accumulated knowledge or loss of efficiency during transitional periods. Reorganization and transition can require a significant amount of management and other employees’ time and focus, which may divert attention from operating activities and growing our business. If we fail to achieve some or all of the expected benefits of these activities, it could have a material adverse effect on our competitive position, business, financial condition, results of operations and cash flows. Our transition to cloud-based technologies could expose us to operational disruptions. We rely on the efficient and uninterrupted operation of complex information technology systems and networks, some of which are managed internally within the Company and some of which are outsourced to third parties. As part of our technology transformation strategy, we are upgrading a significant portion of the information technology systems used to operate our business and replacing them with cloud-based solutions. This transition will require substantial changes to our software and network infrastructure, which could lead to system interruptions, affect our data systems and further expose us to operational disruptions, and cause us to lose customers, all of which could have a material adverse effect on our results of operations. Upon implementation of the new cloud-based solutions, much of our information technology systems will consist of outsourced, cloud-based infrastructure, platform and software-as-a-service solutions not under our direct management or control. Any disruption to either the outsourced systems or the communication links between us and the outsourced supplier could negatively affect our ability to operate our data systems and could impair our ability to provide services to our customers. We may incur additional costs to remedy the damages caused by these disruptions. If our systems do not meet customer requirements for response time or high availability, or we experience system constraints or failures, or our customers do not migrate to the cloud or modify and/or upgrade their systems to accept new releases of our products and services, our services to our customers could be delayed or interrupted, which could result in lost revenues or customers, lower margins, service level penalties or other harm to our business and reputation. Our customers expect high system availability and response time performance, as well as a very high degree of system resilience. We depend on reliable, stable, efficient and uninterrupted operation of our technology network, systems, and data centers to provide service to our customers. Many of the services and systems upon which we rely have been outsourced to third parties. In addition, many of our revenue streams are dependent on links to third party telecommunications providers. These systems and operations, and the personnel that support, service and operate these systems, could be exposed to interruption, damage or destruction from power loss, telecommunication failures, computer viruses, denial-of-service or other cyber attacks, employee or insider malfeasance, human error, fire, natural disasters, war, terrorist acts or civil unrest. We may not have sufficient disaster recovery or redundant operations in place to cover a loss or failure of systems or telecommunications links in a timely manner. In addition, as part of our technology transformation, we are seeking to migrate our customers from traditional data platforms to cloud-based products and services. Many of our customers may not migrate to cloud-based technologies on a timely basis or at all, or may choose not to utilize our products and services during and after our transition to cloud-based technologies. If our customers’ timelines prevent them from migrating to cloud-based technologies quickly enough, they will remain on our legacy infrastructure, which could expose them to system availability and response time performance issues. Any significant system interruption or series of minor interruptions could result in the loss of customers and/or lost revenues, lower margins, service level penalties or other significant harm to our business or reputation. Dependence on outsourcing certain portions of our operations may adversely affect our ability to bring products to market and damage our reputation. Dependence on outsourced information technology and other administrative functions may impair our ability to operate effectively. As part of our technology transformation, we have outsourced various components of our application development, information technology, operational support and administrative functions and will continue to evaluate additional outsourcing. If our outsourcing vendors fail to perform their obligations in a timely manner or at satisfactory quality levels including with respect to data and system security, or increase prices for their services to unreasonable levels, our ability to bring products to market and support our customers and our reputation could suffer. Any failure to perform on the part of these third-party providers could impair our ability to operate effectively and could result in lower future revenue, unrealized efficiencies and adversely impact our results of operations and our financial condition. Some of our outsourcing takes place in developing countries and, as a result, may be subject to geopolitical uncertainty. Our business will suffer if we are not able to retain and hire key personnel. Our future success, including our ability to implement our technology transformation strategy, depends partly on the continued service of our key development, sales, marketing, executive and administrative personnel. Additionally, increased retention risk exists in certain key areas of our operations, such as IT and data security, which require specialized skills, such as migrating legacy computer systems to the cloud, data security expertise and analytical modeling. If we fail to retain and hire a sufficient number of these personnel, we will not be able to maintain or expand our business. As part of our technology transformation strategy, we have hired or contracted with a significant number of new employees and contract workers. Hiring, on-boarding training, motivating, retaining and managing employees with the skills required is time-consuming and expensive. There is intense competition for certain highly technical specialties in geographic areas where we continue to recruit, and it may become more difficult to retain our key employees. If we are not able to hire sufficient employees to support our technology transformation, or to train, motivate, retain and manage the employees we do hire, it could have a material adverse effect on our business operations or financial results. Global Operational Risks Economic, political and other risks associated with international sales and operations could adversely affect our results of operations. Sales outside the U.S. comprised 22% of our total revenue in 2020. As a result, our business is subject to various risks associated with doing business internationally and these risks may differ in each jurisdiction we operate depending on the particular product or service we offer in the jurisdiction. In addition, many of our employees, suppliers, job functions and facilities are located outside the U.S. Accordingly, our future results could be harmed by a variety of factors including: •changes in specific country or region political, economic or other conditions; •trade protection measures; •data privacy and consumer protection laws and regulations; •difficulty in staffing and managing widespread operations; •differing labor, intellectual property protection and technology standards and regulations; •business licensing requirements or other requirements relating to making foreign direct investments, which could increase our cost of doing business in certain jurisdictions, prevent us from entering certain markets, increase our operating costs or lead to penalties or restrictions; •difficulties associated with repatriating cash generated or held abroad in a tax-efficient manner; •implementation of exchange controls; •geopolitical instability, including terrorism and war; •foreign currency changes; •increased travel, infrastructure, legal and compliance costs of multiple international locations; •foreign laws and regulatory requirements; •terrorist activity, natural disasters, pandemics and other catastrophic events; •restrictions on the import and export of technologies; •difficulties in enforcing contracts and collecting accounts receivable; •longer payment cycles; •failure to meet quality standards for outsourced work; •unfavorable tax rules; •the presence and acceptance of varying level of business corruption in international markets; and •varying business practices in foreign countries. We earn revenue, pay expenses, own assets and incur liabilities in countries using currencies other than the U.S. dollar, including among others the British pound, the Australian dollar, the Canadian dollar, the Argentine peso, the Chilean peso, the Euro, the New Zealand dollar, the Costa Rican colon, the Singapore dollar, the Brazilian real, the Russian ruble and the Indian rupee. Because our consolidated financial statements are presented in U.S. dollars, we must translate revenue, income and expenses, as well as assets and liabilities, into U.S. dollars at exchange rates in effect during or at the end of each reporting period. Therefore, increases or decreases in the value of the U.S. dollar against major currencies will affect our operating revenues, operating income and the value of balance sheet items denominated in foreign currencies. We generally do not mitigate the risks associated with fluctuating exchange rates, although we may from time to time through forward contracts or other derivative instruments hedge a portion of our translational foreign currency exposure or exchange rate risks associated with material transactions which are denominated in a foreign currency. The use of such hedging activities may not offset any or more than a portion of the adverse financial effects of unfavorable movements in foreign exchange rates over the limited time the hedges are in place. Accordingly, fluctuations in foreign currency exchange rates, particularly the strengthening of the U.S. dollar against major currencies, may materially affect our consolidated financial results. Compliance with applicable U.S. and foreign laws and regulations, such as anti-corruption laws, tax laws, foreign exchange controls and restrictions on repatriation of earnings or other similar restraints, data privacy requirements, labor laws and anti-competition relations increases the cost of doing business in foreign jurisdictions. Although we have implemented policies and procedures to comply with these laws and regulations, a violation by our employees, contractors or agents could nevertheless occur. The U.K.’s departure from the EU could adversely affect us. We are subject to risks and uncertainties associated with the U.K.’s withdrawal from the EU (referred to as “Brexit”), including implications for the free flow of labor and goods in the U.K. and the EU and other financial, legal, tax and trade implications. Brexit could cause disruptions to and create uncertainty surrounding our business in the U.K., including affecting our relationships with our existing and future customers, suppliers and employees, which could have an adverse effect on our business, financial results and operations. Legal and Regulatory Risks As part of a global settlement, we entered into agreements with various parties to settle the U.S. Consumer MDL Litigation and certain federal and state government investigations arising out of the 2017 cybersecurity incident. If we are unable to comply with our obligations under these agreements, if the U.S. Consumer MDL Litigation settlement is not upheld on appeal, or if other lawsuits or investigations are filed or commenced, it could have a material adverse effect on our financial condition. In July 2019, the Company entered into multiple agreements that resolve the U.S. consolidated consumer class action cases, captioned In re: Equifax, Inc. Customer Data Security Breach Litigation, MDL No. 2800 (Consumer Cases) (the “U.S. Consumer MDL Litigation”), and the investigations of the FTC, the CFPB, the Attorneys General of 48 states, the District of Columbia and Puerto Rico (the “MSAG Group”) and the NYDFS (collectively, the “Consumer Settlement”) relating to the 2017 cybersecurity incident. On January 13, 2020, the U.S. District Court for the Northern District of Georgia (the “Court”) entered an order granting final approval of the settlement in connection with the U.S. Consumer MDL Litigation, from which several objectors have appealed. Until the appeals are finally adjudicated or dismissed and the settlement becomes final in accordance with its terms, we can provide no assurance that the U.S. Consumer MDL Litigation will be resolved as contemplated by the settlement agreement. If the Court’s order approving the settlement agreement was overturned by an appellate court and not cured in accordance with the terms of the consent orders with the FTC and CFPB, the consent orders with the FTC, CFPB and MSAG Group would remain in place and the Consumer Restitution Fund (as defined below) would be administered by the FTC. In that event, there is a risk that we would not be able to settle the U.S. Consumer MDL Litigation on acceptable terms or at all, which could have a material adverse effect on our financial condition. In addition to the monetary payments and consumer redress, we also agreed as part of the Consumer Settlement to implement certain business practice commitments related to consumer assistance and our information security program, including third party assessments of our program. These business practice commitments are extensive and require a significant amount of attention from management. To the extent we are unable to comply or we are viewed as not being in compliance with these business practice commitments or other requirements of a relevant order, we could face an enforcement action or contempt proceeding that could potentially result in fines, penalties and new business practice commitments, which, depending on the amount and type, could have a material adverse effect on our financial condition. In addition, other lawsuits and investigations related to the 2017 cybersecurity incident are still outstanding and additional lawsuits or investigations may be filed, commenced or issued. The resolution of these additional matters may result in damages, costs, fines or penalties, which, depending on the amount, could be material to the Company’s consolidated financial condition, results of operations, or cash flows in future periods. Any future losses we incur as a result of the incident will not be covered by insurance. We and our customers are subject to various current laws and governmental regulations, and could be affected by new and evolving consumer privacy and cybersecurity or other data-related laws or regulations, compliance with which may cause us to incur significant expenses and change our business practices, and if we fail to maintain satisfactory compliance with certain laws and regulations, we could be subject to civil or criminal penalties. We are subject to a number of U.S. federal, state, local and foreign laws and regulations relating to consumer privacy, cybersecurity, data and financial protection. See “Item 1. Business-Governmental Regulation” in this Form 10-K for a summary of the U.S. and foreign consumer and data protection laws and regulations to which we are subject. These regulations are complex, change frequently, have tended to become more stringent over time, and are subject to administrative interpretation and judicial construction in ways that could harm our business. In addition, new laws and regulations at the state and federal level are enacted or considered frequently. Examples of such new and evolving laws and regulations include amendments to the FCRA requiring the provision of free credit freezes to consumers, cybersecurity and other requirements promulgated by the New York Department of Financial Services, the CCPA which took effect on January 1, 2020, the California data broker registration requirements that took effect on January 31, 2020, and the CPRA taking effect on January 1, 2023. Furthermore, we expect there to be an increased focus on laws and regulations related to our business, including by the new U.S. presidential administration and the new U.S. Congress, because of the great public concern in the U.S. with regard to the operation of credit reporting agencies, as well as the collection, use, accuracy, correction and sharing of personal information. We also use algorithms, artificial intelligence and machine learning in our business processes. There are a number of legislative proposals pending before the U.S. Congress, various state legislative bodies and foreign governments concerning privacy or cybersecurity that could affect us. The Canadian government has initiated a review of consumer privacy laws, and several U.S. states have introduced varying comprehensive privacy laws modeled to some degree on the CCPA and/or the GDPR. Compliance with multiple state laws containing varying requirements could be complicated and costly. In Europe, although the GDPR already includes certain provisions relating to the automated processing of personal data, there has also been discussion of new legislative proposals to regulate business use of artificial intelligence and machine learning technologies which, if enacted, could impose new legal requirements addressing among other issues, privacy, discrimination and human rights. The specifics of such legislation and the number of jurisdictions that will introduce legislation in this area remain unclear at this time. In addition, a growing number of legislative and regulatory bodies have adopted consumer notification and other requirements in the event that consumer information is accessed or acquired by unauthorized persons and additional regulations regarding the use, access, accuracy and security of such data are possible. In the U.S., state laws provide for disparate notification regimes, all of which we are subject to. Further, any perception that our practices or products are an invasion of privacy, whether or not consistent with current or future regulations and industry practices, may subject us to public criticism, private class actions, reputational harm, or claims by regulators, which could disrupt our business and expose us to increased liability. We devote substantial compliance, legal and operational business resources to strive for compliance with applicable regulations and requirements. In the future, we may be subject to significant additional expense related to compliance with applicable laws and regulations, including new laws and evolving interpretations that are difficult to predict, and to investigate, defend or remedy actual or alleged violations. Additionally, we cooperate with CFPB supervisory examinations and respond to other state, federal and foreign government examinations of or inquiries into our business practices. The enactment of new laws and how they are interpreted could impact our business. In particular, legislative activity in the privacy area may result in new laws that are applicable to us and that may hinder our business, for example, by restricting use or sharing of consumer data, including for marketing or advertising or limiting the use of, or otherwise regulating artificial intelligence and machine learning, including the use of algorithms and automated processing in ways that could materially affect our business, or which may lead to significant increases in the cost of compliance. Any failure by us to comply with, or remedy any violations of, applicable laws and regulations, could result in new costs for our operations, the curtailment of certain of our operations, the imposition of fines and penalties, liability to private plaintiffs as a result of individual or class action litigation, restrictions on the operation of our business and reputational harm. It is difficult to predict the impact on our business if we were subject to allegations of having violated existing laws. For example, in Europe, the GDPR, which includes extensive regulations for certain security incidents, could result in fines of up to four percent of annual worldwide “turnover” (a measure similar to revenues in the U.S.). In addition, because many of our products are regulated or sold to customers in various industries, we must comply with additional regulations in marketing our products. Moreover, our compliance with privacy laws and regulations and our reputation depend in part on customers’ adherence to privacy laws and regulations and their use of our services in ways consistent with consumer expectations and regulatory requirements. We cannot predict the ultimate impact on our business of new or proposed rules, supervisory examinations or government investigations or enforcement actions. The following legal and regulatory developments also could have a substantial negative impact on our business, financial condition or results of operations: •amendment, enactment or interpretation of laws and regulations that restrict the access and use of personal information and reduce the availability or effectiveness of our solutions or the supply of data available to customers; •changes in cultural and consumer attitudes in favor of further restrictions on information collection and sharing, which may lead to regulations that prevent full utilization of our solutions; •failure of data suppliers or customers to comply with laws or regulations, where mutual compliance is required; •failure of our solutions to comply with current laws and regulations; and •failure of our solutions to adapt to changes in the regulatory environment in an efficient, cost effective manner. These laws and regulations (as well as actions that may be taken by legislatures and regulatory bodies in other countries) and the consequences of any violation could limit our ability to pursue business opportunities we might otherwise consider engaging in, impose additional costs on us, result in significant loss of revenue, result in significant restitution and fines, impact the value of assets we hold, or otherwise adversely affect our business. The CFPB has supervisory and examination authority over our business and may initiate enforcement actions with regard to our compliance with federal consumer financial laws. The CFPB, which was established under the Dodd-Frank Act and commenced operations in July 2011, has broad authority over our business. This includes authority to issue regulations under federal consumer financial protection laws, such as under FCRA and other laws applicable to us and our financial customers. The CFPB is authorized to prevent “unfair, deceptive or abusive acts or practices” through its regulatory, supervisory and enforcement authority. In 2012, credit reporting companies like us became subject to a federal supervision program for the first time under the CFPB’s authority to supervise and examine certain non-depository institutions that are “larger participants” of the consumer credit reporting market. The CFPB conducts examinations and investigations, and may issue subpoenas and bring civil actions in federal court for violations of the federal consumer financial laws including FCRA. In these proceedings, the CFPB can seek relief that includes: rescission or reformation of contracts, restitution, disgorgement of profits, payment of damages, limits on activities and civil money penalties of up to $1.0 million per day for known violations. The CFPB conducts periodic examinations of us and the consumer credit reporting industry, which could result in new regulations or enforcement actions or proceedings. Actions by the CFPB could result in requirements to alter or cease offering affected products and services, making them less attractive and restricting our ability to offer them. Although we have committed resources to enhancing our compliance programs, actions by the CFPB or other regulators against us could result in reputational harm. Our compliance costs and legal and regulatory exposure could increase materially if the CFPB or other regulators enact new regulations, change regulations that were previously adopted, modify through supervision or enforcement past regulatory guidance, or interpret existing regulations in a manner different or stricter than have been previously interpreted. Regulatory oversight of our contractual relationships with certain of our customers may adversely affect our business. The federal banking agencies, including the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the Board of Governors of the Federal Reserve System and the CFPB, as well as many state banking agencies have issued guidance to insured depository institutions and other providers of financial services on assessing and managing risks associated with third-party relationships, which include all business arrangements between a financial services provider and another entity, by contract or otherwise, and generally requires banks and financial services providers to exercise comprehensive oversight throughout each phase of a bank or financial service provider’s business arrangement with third-party service providers, and instructs banks and financial service providers to adopt risk management processes commensurate with the level of risk and complexity of their third-party relationships. This guidance requires more rigorous oversight of third-party relationships that involve certain “critical activities.” In light of this guidance, our existing or potential bank and financial services customers subject to this guidance may continue to revise their third-party risk management policies and processes and the terms on which they do business with us, which may adversely affect our relationship with such customers. In 2018, we entered into a consent order with certain state banking regulators in response to their multi-state review of our information security program. This consent order obligates us to, among other things, make certain changes to our corporate governance and information security practices. If we are unable or otherwise fail to comply with this consent order, our ability to do business with financial institutions in those states could be impaired. It is possible that the consent order or other actions resulting from examinations by federal or state banking regulators could lead to adverse changes in our customer relationships. We are regularly involved in claims, suits, government investigations, supervisory examinations and other proceedings that may result in adverse outcomes. We are regularly involved in claims, suits, government investigations, supervisory examinations and regulatory proceedings arising from the ordinary course of our business, including actions with respect to consumer protection and data protection, including purported class action lawsuits. Such claims, suits, government investigations and proceedings are inherently uncertain and their results cannot be predicted with certainty. Regardless of their outcome, such legal proceedings can have an adverse impact on us because of legal costs, diversion of management and other personnel, and other factors. In addition, it is possible that a resolution of one or more such proceedings could result in reputational harm, liability, penalties or sanctions, as well as judgments, consent decrees or orders preventing us from offering certain features, functionalities, products or services, or requiring a change in our business practices, products or technologies, which could in the future materially and adversely affect our business, operating results, and financial condition. The FCRA contains an attorney fee shifting provision that provides an incentive for consumers to bring individual and class action lawsuits against a CRA for violation of the FCRA, and the number of consumer lawsuits (both individual and class action) against us alleging a violation of the FCRA and our resulting costs associated with resolving these lawsuits have increased substantially over the past several years. Third parties may claim that we are infringing on their intellectual property and we could suffer significant litigation or licensing expenses or be prevented from selling products or services. There has been substantial litigation in the U.S. regarding intellectual property rights in the information technology industry. From time to time, third parties may make claims that one or more of our products or services infringe their intellectual property rights. We analyze and take action in response to each such claim on a case by case basis. A dispute or litigation regarding patents or other intellectual property can be costly and time-consuming due to the complexity of our technology and the inherent uncertainty of intellectual property litigation, could divert our management and key personnel from our business operations, and we may not prevail. A claim of intellectual property infringement could force us to enter into a costly or restrictive license agreement, which might not be available under acceptable terms or at all, or could subject us to significant damages or to an injunction against development and sale of certain of our products or services. Our intellectual property portfolio may not be useful in asserting a counterclaim, or providing commercial leverage for negotiating a license, in response to a claim of intellectual property infringement. In certain of our businesses we rely on third-party intellectual property licenses and we cannot ensure that these licenses will be available to us in the future on favorable terms or at all. Although our policy is to obtain licenses or other rights where necessary, we cannot provide assurance that we have obtained all required licenses or rights. Third parties may misappropriate or infringe on our intellectual property and we may suffer competitive injury or expend significant resources enforcing our rights. Our success increasingly depends on our proprietary technology and its ability to differentiate us from our competitors. We rely on various intellectual property rights, including patents, copyrights, database rights, trademarks and trade secrets, as well as contract restrictions, confidentiality provisions and licensing arrangements, to establish and protect our proprietary rights. The extent to which such rights can be protected varies in different jurisdictions. If we do not protect and enforce our intellectual property rights successfully, our competitive position may suffer which could harm our operating results. Our pending patent and trademark applications may not be allowed or competitors may challenge the validity or scope of our intellectual property rights. In addition, our patents, copyrights, trademarks and other intellectual property rights may not provide us a significant competitive advantage. We may need to devote significant resources to monitoring our intellectual property rights and we may or may not be able to detect misappropriation or infringement by third parties. Our competitive position may be harmed if we cannot detect misappropriation or infringement and enforce our intellectual property rights quickly or at all. In some circumstances, enforcement may not be available to us because a third party has a dominant intellectual property position or for other business reasons. In addition, competitors might avoid infringement by designing around our intellectual property rights or by developing non-infringing competing technologies. Intellectual property rights and our ability to enforce them may be unavailable or limited in some countries, which could make it easier for competitors to capture market share and could result in lost revenue. Financial Market Risks Our retirement and post-retirement pension plans are subject to financial market risks that could adversely affect our future results of operations and cash flows. We have significant retirement and post-retirement pension plan assets and obligations. The performance of the financial markets and interest rates impact our plan expenses and funding obligations. Significant decreases in interest rates, decreases in the fair value of plan assets and investment losses on plan assets will increase our funding obligations, and adversely impact our results of operations and cash flows. ITEM 1B.