
investment in our technology could result in lower revenues and less favorable policy terms and conditions, which could adversely affect our operating results.

If we fail to comply with restrictions on patient privacy and information security, including taking steps to ensure that our third-party service providers and business associates who access, store, process or transmit sensitive patient information maintain its security, integrity, confidentiality and availability, our reputation and business operations could be materially adversely affected.

The collection, maintenance, use, protection, disclosure and disposal of individually identifiable data by our businesses are regulated at the international, federal and state levels. These laws and rules are subject to change by legislation or administrative or judicial interpretation. Various state laws address the use and disclosure of individually identifiable health data to the extent they are more restrictive than those contained in the privacy and security provisions in the federal Gramm-Leach-Bliley Act of 1999 (GLBA) and in the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA also requires that we impose privacy and security requirements on our business associates (as such term is defined in the HIPAA regulations). With regard to personal information obtained from policyholders, the insured, or others, Aflac Japan is regulated in Japan by the Act on the Protection of Personal Information (APPI) and guidelines issued by FSA and other governmental authorities.

Even though we provide for appropriate protections through our contracts and perform information security risk assessments of our third-party service providers and business associates, we still have limited control over their actions and practices. In addition, despite the security measures we have in place to ensure compliance with applicable laws and rules, our facilities and systems, and those of our third-party providers may be vulnerable to security breaches, acts of vandalism or theft, computer viruses, misplaced or lost data, programming and/or human errors or other similar events. The U.S. Congress and many states are considering new privacy and security requirements that would apply to our business. Compliance with new privacy and security laws, requirements, and new regulations may result in cost increases due to necessary systems changes, new limitations or constraints on our business models, the development of new administrative processes, and the effects of potential noncompliance by our business associates. They also may impose further restrictions on our collection, disclosure and use of patient identifiable data that are housed in one or more of our administrative databases. Noncompliance with any privacy laws or any security breach involving the misappropriation, loss, theft or other unauthorized disclosure of sensitive or confidential member information, whether by us or by one of our third parties, could have a material adverse effect on our business, reputation and results of operations, including: material fines and penalties; compensatory, special, punitive and statutory damages; consent orders regarding our privacy and security practices; adverse actions against our licenses to do business; and injunctive relief.

In addition, under Japanese laws and regulations, including the APPI, if a leak or loss of personal information by Aflac Japan or its business associates should occur, depending on factors such as the volume of personal data involved and the likelihood of other secondary damage, Aflac Japan may be required to file reports to the FSA; issue public releases explaining such incident to the public; or become subject to an FSA business improvement order, which could pose a risk to our reputation.

Extensive regulation and changes in legislation can impact profitability and growth.

Aflac's insurance subsidiaries are subject to complex laws and regulations that are administered and enforced by a number of governmental authorities, including state insurance regulators, the SEC, the NAIC, the FIO, the FSA and Ministry of Finance (MOF) in Japan, the U.S. Department of Justice, state attorneys general, the U.S. Commodity Futures Trading Commission, and the U.S. Treasury, including the Internal Revenue Service, each of which exercises a degree of interpretive latitude. In addition, proposals regarding the global regulation of insurance are under discussion. Consequently, we are subject to the risk that compliance with any particular regulator's or enforcement authority's interpretation of a legal or regulatory issue may not result in compliance with another regulator's or enforcement authority's interpretation of the same issue, particularly when compliance is judged in hindsight. There is also a risk that any particular regulator's or enforcement authority's interpretation of a legal or regulatory issue may change over time to our detriment. In addition, changes in the overall legal or regulatory environment may, even absent any particular regulator's or enforcement authority's interpretation of an issue changing, cause us to change our views regarding the actions we need to take from a legal or regulatory risk management perspective, thus necessitating changes to our practices that may, in some cases, limit our ability to grow or otherwise negatively impact the profitability of our business.
