Madison Technologies Inc. 10-K Cybersecurity GRC - 2024-01-25

Page last updated on April 11, 2024

Madison Technologies Inc. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-01-25 16:44:20 EST.

Filings

10-K filed on 2024-01-25

Madison Technologies Inc. filed an 10-K at 2024-01-25 16:44:20 EST
Accession Number: 0001753926-24-000160

Item 1C. Cybersecurity.

Not applicable.

Item 1A. Risk Factors.

Because our services may collect and store viewer and related information, domestic and international privacy and cyber security concerns, and other laws and regulations, could result in additional costs and liabilities to us or inhibit sales of our products or services.

We may be affected by cyber-attacks and other means of gaining unauthorized access to our products, services, systems, and data. For instance, cyber criminals or insiders may target us or third parties with which we have business relationships to obtain data, or in a manner that disrupts our operations or compromises our products or the systems into which our products are integrated. The evolution of technology systems introduces ever more complex security risks that are difficult to predict and defend against. An increasing number of companies, including those with significant online operations, have recently disclosed breaches of their security, some of which involved sophisticated tactics and techniques allegedly attributable to criminal enterprises or nation-state actors. While we take measures to protect the security of personal information, it is possible that our security controls over personal information and other practices we follow may not prevent the unauthorized access to, or the unintended release of, personal information. In addition, we do not know whether our current practices will be deemed sufficient under applicable laws or whether new regulatory requirements might make our current practices insufficient. If there is a breach of our computer systems and we know or suspect that certain personal information has been accessed, or used inappropriately, we may need to inform the affected individual and may be subject to significant fines and penalties. In the event of a breach, we could face government scrutiny or consumer class actions.

Cybersecurity incidents directed at us or third-parties with whom we have relationships can range from uncoordinated individual attempts to gain unauthorized access to information technology systems to sophisticated and targeted measures known as advanced persistent threats. Cybersecurity incidents are also constantly evolving, increasing the difficulty of detecting and successfully defending against them. In the ordinary course of our business, we and such third-parties expect to collect and store personal information, as well as our proprietary business information and intellectual property and that of our customers and employees. Additionally, we expect to rely on third parties and their security procedures for the secure storage, processing, maintenance, and transmission of information that is critical to our operations. Despite measures designed to prevent, detect, address, and mitigate cybersecurity incidents, such incidents may occur to us or our third-party providers and, depending on their nature and scope, could potentially result in the misappropriation, destruction, corruption or unavailability of critical data and confidential or proprietary information (our own or that of third parties, including personal information of our customers and employees) and the disruption of business operations. We expect to experience attempted routine cyber-attacks of our information technology networks, such as through phishing scams and ransomware. Although we do not except any of these actual or attempted cyber-attacks to have a material adverse impact on our operations or financial condition, we cannot guarantee that any such incidents will not have such an impact in the future. For example, we may be at higher risk for interruptions, outages and breaches of: operational systems, including business, financial, accounting, product development, data processing or production processes owned by us or such third-parties; facility security systems, owned by us or such third-parties; in-product technology owned by us or such third-parties; any integrated software in our solutions; or customer or other data that we process or such third-parties process on our behalf. Such cyber incidents could materially disrupt operational systems; result in loss of intellectual property, trade secrets or other proprietary or competitively sensitive information; compromise certain information of customers, employees, suppliers, or others; jeopardize the security of any of our facilities or equipment; or affect the performance of in-product technology and any integrated software in our solutions.

A cyber incident could be caused by disasters, insiders (through inadvertence or with malicious intent) or malicious third parties (including nation-states or nation-state supported actors) using sophisticated, targeted methods to circumvent firewalls, encryption and other security defenses, including hacking, fraud, trickery or other forms of deception. The techniques used by cyber attackers change frequently and may be difficult to detect for long periods of time. Although we maintain information technology measures designed to protect us against intellectual property theft, data breaches and other cyber incidents, such measures will require updates and improvements, and we cannot guarantee that such measures will be adequate to detect, prevent or mitigate cyber incidents.

Any actual or alleged security breaches or alleged violations of federal or state laws or regulations relating to privacy and data security could result in mandated user notifications, litigation, government investigations, significant fines, and expenditures; divert management’s attention from operations; deterring people from using our products or services; damage our brand and reputation; and materially adversely affect our business, results of operations, and financial condition. Defending against claims or litigation based on any security breach or incident, regardless of their merit, will be costly and may cause reputation harm. In addition, we may incur significant costs for remediation that may include liability for stolen assets or information, repair of system damage, and compensation to customers, employees, and business partners. The successful assertion of one or more large claims against us that exceed available insurance coverage, denial of coverage as to any specific claim, or any change or cessation in our insurance policies and coverages, including premium increases or the imposition of large deductible requirements, could have a material adverse effect on our business, results of operations, and financial condition.

Item 1A. Risk Factors.

We may be subject to governmental regulation and other legal obligations, particularly related to privacy, data protection and information security, and our actual or perceived failure to comply with such obligations could harm our business.

We may be subject to a number of domestic and international laws and regulations that apply to cloud services and the internet generally. These laws, rules and regulations address a range of issues, including data privacy and cyber security, breach notification and restrictions or technological requirements regarding the collection, processing, use, storage, protection, disclosure, retention or transfer of data. The regulatory framework for online services, data privacy and cyber security issues worldwide can vary substantially from jurisdiction to jurisdiction, is rapidly evolving and is likely to remain uncertain for the foreseeable future. Many federal, state, local and foreign government bodies and agencies have adopted or are considering adopting laws, rules and regulations regarding the collection, processing, use, storage and disclosure of information, web browsing and geolocation data collection, data analytics, facial recognition, cyber security and breach response and notification procedures. Furthermore, existing laws and regulations are constantly evolving, and new laws and regulations that apply to our business are being introduced at every level of government in the United States, as well as internationally. As we seek to develop our business, we are, and may increasingly become subject to various laws, regulations, and standards, and may be subject to contractual obligations relating to data privacy and security in the jurisdictions in which we operate. Any significant change to applicable laws, regulations or industry practices regarding the use or disclosure of personal information, or regarding the manner in which the express or implied consent of customers for the use and disclosure of personal information is obtained, could require us to modify our products and features, possibly in a material manner and subject to increased compliance costs, which may limit our ability to develop new products and features that make use of the personal information that our customers may voluntarily share. Any failure, or perceived failure, by us to comply with any federal or state privacy or security laws, regulations, industry self-regulatory principles, or codes of conduct, regulatory guidance, orders to which we may be subject, or other legal obligations relating to data privacy or security could adversely affect our reputation, brand and business, and may result in claims, liabilities, proceedings or actions against us by governmental entities, customers or others. Any such claims, proceedings or actions could hurt our reputation, brand and business, force us to incur significant expenses in defense of such proceedings or actions, distract our management, increase our costs of doing business, result in a loss of customers and result in the imposition of monetary penalties.

In the United States, there are numerous federal and state data privacy and security laws, rules, and regulations governing the collection, use, disclosure, retention, security, transfer, storage, and other processing of personal data, including federal and state data privacy laws, data breach notification laws, and consumer protection laws. For example, the Federal Trade Commission (“FTC”) and many state attorneys general are interpreting federal and state consumer protection laws to impose standards for the online collection, use, dissemination, and security of data. Such standards require us to publish statements that describe how we handle personal data and choices individuals may have about the way we handle their personal data. If such information that we publish is considered untrue or inaccurate, we may be subject to government claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences. Moreover, according to the FTC, violating consumers’ privacy rights or failing to take appropriate steps to keep consumers’ personal data secure may constitute unfair acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act. State consumer protection laws provide similar causes of action for unfair or deceptive practices.

In March 2021, the Governor of Virginia signed into law the Virginia Consumer Data Protection Act (the “VCDPA”). The VCDPA creates consumer rights, similar to the CCPA, but also imposes security and assessment requirements for businesses. In addition, in July 2021, Colorado enacted the Colorado Privacy Act (“COCPA”), becoming the third comprehensive consumer privacy law to be passed in the United States (after the CCPA and VCDPA). The COCPA closely resembles the VCDPA, and both will be enforced by the respective states’ Attorney General and district attorneys, although the two differ in many ways. We must comply with each if our operations fall within the scope of these newly enacted comprehensive mandates, which may increase our compliance costs and potential liability. Similar laws have been proposed in other states and at the federal level, reflecting a trend toward more stringent privacy legislation in the United States. This legislation may add additional complexity, variation in requirements, restrictions and potential legal risk, require additional investment in resources to compliance programs, could impact strategies and availability of previously useful data, and could result in increased compliance costs and/or changes in business practices and policies.

In addition, some laws may require us to notify governmental authorities and/or affected individuals of data breaches involving certain personal information or other unauthorized or inadvertent access to or disclosure of such information. We may need to notify governmental authorities and affected individuals with respect to such incidents. For example, laws in all 50 U.S. states may require businesses to provide notice to consumers whose personal information has been disclosed as a result of a data breach. These laws are not consistent, and compliance in the event of a widespread data breach may be difficult and costly. We also may be contractually required to notify consumers or other counterparties of a security breach. Regardless of our contractual protections, any actual or perceived security breach or breach of our contractual obligations could harm our reputation and brand, expose us to potential liability or require us to expend significant resources on data security and in responding to any such actual or perceived breach.

We strive to comply with all applicable laws, policies, legal obligations and industry codes of conduct relating to privacy and data protection to the extent possible. Because the interpretation and application of privacy and data protection laws are still uncertain, it is possible that these laws may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another or with our existing practices or the features of our products and may conflict with other rules or regulations, making enforcement, and thus compliance requirements, ambiguous, uncertain, and potentially inconsistent. Any failure or perceived failure by us to comply with our privacy policies, privacy-related obligations to customers or other third parties, or our privacy-related legal obligations, or any compromise of security that results in the unauthorized access to or unintended release of personally identifiable information or other customer data, may result in governmental enforcement actions, litigation, or public statements against us by consumer advocacy groups or others. Any of these events could cause us to incur significant costs in investigating and defending such claims and, if found liable, pay significant damages. Further, these proceedings and any subsequent adverse outcomes may cause our customers to lose trust in us, which could have an adverse effect on our reputation and business.

We may also be subject to claims of liability or responsibility for the actions of third parties with whom we interact or upon whom it relies in relation to various products or services, including but not limited to vendors and business partners. If so, in addition to the possibility of fines, lawsuits and other claims, we could be required to fundamentally change our business activities and practices or modify our products, which could have an adverse effect on our business. Any inability to adequately address privacy and/or data concerns, even if unfounded, or comply with applicable privacy or data protection laws, regulations and policies, could result in additional cost and liability to us, damage our reputation, inhibit sales and adversely affect our business.

The costs of compliance with, and other burdens imposed by, the laws, rules, regulations and policies that are applicable to the businesses of our customers may limit the use and adoption of, and reduce the overall demand for, our products or services. Even the perception of privacy concerns, whether or not valid, may harm our reputation, inhibit adoption of our products or services by current and future customers, or adversely impact our ability to attract and retain workforce talent. Our failure to comply with applicable laws and regulations, or to protect such data, could result in enforcement action against us, including fines, imprisonment of our employees or directors and public censure, claims for damages by customers and other affected individuals, damage to our reputation and loss of goodwill (both in relation to existing customers and prospective customers), any of which could have a material adverse effect on our operations, financial performance and business.

Company Information