Vulnerabilities in our consumer and partner account security and workflow practices could and have resulted in unauthorized access to confidential
data. These risks are likely to increase as we expand our offerings, integrate our products and services including as we incorporate AI and machine learning,
and store and process more data, including personal information and payment data. The disclosure of non-public Company-sensitive information by our
workforce or other parties, through external media channels such as social media, could lead to information loss, reputational harm, or loss of a competitive
advantage. We expend significant resources to protect against security breaches, and regularly increase our security-related expenditures to maintain or increase
our systems' security. We have experienced and responded to cyberattacks, which we believe have not had a material impact on the integrity of our systems or
the security of data, including personal information maintained by us. Security breaches could result in negative publicity, damage our reputation, expose us to
risk of loss or litigation and possible liability, subject us to regulatory penalties and sanctions, or cause consumers to lose confidence in our security and choose
to use the services of our competitors, any of which would have an adverse effect on our brands, market share, results of operations, and financial condition.
See Part I, Item 1A, Risk Factors -"Cyberattacks and system vulnerabilities could lead to sustained service outages, data loss, reduced revenue, increased
costs, liability claims, or harm to our competitive position." Additionally, our consumers' personal data could be affected by security breaches at third parties
upon which we rely, such as travel service providers, connectivity partners, payroll providers, health plan providers, payment processors, data exchange
services (for example, XML Providers), or GDSs. See below Part I, Item 1A, Risk Factors - "Our business relies on a global supply chain of third party
services providers and we are exposed to risks because we rely on the resilience, security, and legal compliance of their products and services." Our efforts to
protect information from unauthorized access may also result in the rejection of legitimate attempts to book reservations through our services, which could
result in lost business.
In the operation of our business, we receive and store a large volume of personally identifiable data and payment information. This data is increasingly
subject to legislation and regulations in numerous jurisdictions around the world. The European Union's General Data Protection Regulation (the "GDPR")
imposes significant compliance obligations and costs on us. Under the GDPR, violations could result in fines of up to 20 million Euros or up to 4% of the
annual global revenues of the infringer, whichever is greater. Several data protection authorities have imposed significant fines on companies of various sizes
across industry sectors for violations of the GDPR. The California Consumer Privacy Act (the "CCPA"), which became operative in January 2020, and the
California Privacy Rights Act, which became operative in January 2023, each impose new privacy requirements and rights for consumers in California and has
resulted and will continue to result in additional complexity and costs related to compliance. Many other states in the United States and jurisdictions globally
have adopted or may adopt similar data protection regulations. These regulations are typically intended to protect the security of personal data that is collected,
processed, and transmitted in or from the governing jurisdiction as well as to give individuals greater rights and/or control over how their data is processed. In
many cases, these laws apply not only to third-party transactions, but also to transfers of information between us and our subsidiaries, including employee
information. These laws and their interpretations continue to develop and may be inconsistent from jurisdiction to jurisdiction. Furthermore, enforcement
actions often cause interpretation of these new laws to evolve, which could require changing our initial responses to these laws. For example, the invalidation
of the EU-US Privacy Shield in 2020 altered one of the acceptable approaches which many companies relied upon to ensure compliant data transfers between
the European Union and the United States. Additionally, some of these regulations, such as the CCPA, give consumers a private right of action against
companies for violations of these rules. While we have invested and continue to invest significant resources to comply with the GDPR, CCPA, and other
privacy regulations, many of these regulations (such as the Personal Information Protection Law in the People's Republic of China) are new, complex, and
subject to interpretation. Non-compliance with these laws could result in negative publicity, damage to our reputation, significant penalties, or other legal
liability. If legislation or regulations are expanded to require changes in our business practices or if governing jurisdictions interpret or implement their
legislation or regulations in ways that negatively affect our business, our results of operations, financial condition, or competitive position could be adversely
affected.
Cyberattacks and system vulnerabilities could lead to sustained service outages, data loss, reduced revenue, increased costs, liability claims, or harm
to our competitive position.
If our systems cannot cope with the level of demand required to service our consumers and accommodations, we could experience unanticipated
disruptions in service, slower response times, decreased customer service and customer satisfaction, and delays in the introduction of new services. As an
online business, we are dependent on the internet and maintaining connectivity between ourselves and consumers, sources of internet traffic, such as Google,
and our travel service providers and restaurants. As consumers increasingly turn to mobile and other smart devices, we also depend on consumers' access to the
internet through mobile carriers and their systems. Disruptions in internet access, especially if widespread or prolonged, could materially adversely affect our
business and results of operations. While we maintain redundant systems and hosting services, it is possible that we could experience an interruption in our
business, and we do not carry business interruption insurance sufficient to compensate us for all losses that may occur.
21