Table of Contents Similar to other companies, our information technology systems face the threat of cyber-attacks, such as security breaches, phishing scams, malware and denial-of-service attacks. Our systems or the systems of our third-party service providers could experience unauthorized intrusions or inadvertent data breaches, which could result in the exposure or destruction of our proprietary information and/or members’ data. Because techniques used to obtain unauthorized access to systems or sabotage systems change frequently and may not be known until launched against us or our service providers, we and they may be unable to anticipate these attacks or implement adequate preventative measures. In addition, any party who is able to illicitly obtain identification and password credentials could potentially gain unauthorized access to our systems or the systems of our third-party service providers. If any such event occurs, we may have to spend significant capital and other resources to notify affected individuals, regulators and others as required under applicable law, mitigate the impact of the event and develop and implement protections to prevent future events of that nature from occurring. From time to time, employees make mistakes with respect to security policies that are not always immediately detected by compliance policies and procedures. These can include errors in software implementation or a failure to follow protocols and patch systems. Employee errors, even if promptly discovered and remediated, may disrupt operations or result in unauthorized disclosure of confidential information. We have experienced unauthorized breaches of our systems prior to this offering, which we believe did not have a material effect on our business. If a data security incident occurs, or is perceived to occur, we may be the subject of negative publicity and the perception of the effectiveness of our security measures and our reputation may be harmed, which could damage our relationships and result in the loss of existing or potential members and adversely affect our results of operations and financial condition. In addition, even if there is no compromise of member information, we could incur significant regulatory fines, be the subject of litigation or face other claims. In addition, our insurance coverage may not be sufficient in type or amount to cover us against claims related to security breaches, cyber-attacks and other related data and system incidents. Although we expect to become Payment Card Industry Data Security Standard (PCI DSS) compliant in 2019, our practices with respect to this type of information are evolving and do not yet fully comply with that industry standard and other applicable guidelines. Additionally, if new operating rules or interpretations of existing rules are adopted regarding the processing of credit cards that we are unable to comply with, we could lose the ability to give members the option to make electronic payments, which could result in the loss of existing or potential members and adversely affect our business. Our reputation, competitive advantage, financial position and relationships with our members could be materially harmed if we are unable to comply with complex and evolving data protection laws and regulations, and the costs and resources required to achieve compliance may have a materially adverse impact on our business. The collection, protection and use of personal data are governed by privacy laws and regulations enacted in the United States, Europe, Asia and other jurisdictions around the world in which we operate. These laws and regulations continue to evolve and may be inconsistent from one jurisdiction to another. Compliance with applicable privacy laws and regulations may increase our costs of doing business and adversely impact our ability to conduct our business and market our solutions, products and services to our members and potential members. For example, we are subject to the European Union’s General Data Protection Regulation (“GDPR”) in a number of jurisdictions. The GDPR imposes significant obligations, and compliance with these obligations depends in part on how particular regulators apply and interpret them. If we fail to comply with the GDPR, or if regulators assert we have failed to comply with the GDPR, it may lead to regulatory enforcement actions, which can result in monetary penalties of up to 4% of worldwide revenue, private lawsuits and/or reputational damage. Further, any U.K. exit from the European Union will increase uncertainty regarding applicable laws and regulations pending more clarity on the terms of that exit. Additionally, in June 2018, California passed the California Consumer Privacy Act (“CCPA”), which provides new data privacy rights for consumers and new operational requirements for companies, effective in 2020. The CCPA creates a private right of action that could lead to consumer class actions and other litigation against us, with statutory damages of up to $750 per violation. The California Attorney General will also maintain authority to enforce the CCPA and will be permitted to seek civil penalties for intentional violations of the CCPA of up to $7,500 per violation. Other U.S. states and the U.S. Congress are in the process of considering legislation similar to California’s legislation. If we fail to comply 33