We collect, store, process, and use personal information and other customer data, which subjects us to governmental regulation and other legal obligations
related to privacy, information security, and data protection, and any security breaches or our actual or perceived failure to comply with such legal obligations
could harm our business.

We collect, store, process, and use personal information and other user data, and we rely on third parties that are not directly under our control to do so as
well. Our users’ health and fitness-related data and other highly personal information may include, among other information, names, addresses, phone numbers,
email addresses, payment account information, height, weight, and information such as heart rates, sleeping patterns, GPS-based location, and activity patterns.
Due to the volume and sensitivity of the personal information and data we manage and the nature of our products, the security features of our platform and
information systems are critical. If our security measures, some of which we manage using third-party solutions, are breached or fail, unauthorized persons may be
able to obtain access to or acquire sensitive user data. Furthermore, if third-party service providers that host user data on our behalf experience security breaches or
violate applicable laws, agreements, or our policies, such events may also put our users’ information at risk and could in turn have an adverse effect on our
business. Additionally, if we or any third-party, including third-party applications, with which our users choose to share their Fitbit data were to experience a
breach of systems compromising our users’ sensitive data, our brand and reputation could be adversely affected, use of our products and services could decrease,
and we could be exposed to a risk of loss, litigation, and regulatory proceedings. Depending on the nature of the information compromised, in the event of a data
breach or other unauthorized access to or acquisition of our user data, we may also have obligations to notify users about the incident and we may need to provide
some form of remedy, such as a subscription to a credit monitoring service, for the individuals affected by the incident. A growing number of legislative and
regulatory bodies have adopted consumer notification requirements in the event of unauthorized access to or acquisition of certain types of personal data. Such
breach notification laws continue to evolve and may be inconsistent from one jurisdiction to another. Complying with these obligations could cause us to incur
substantial costs and could increase negative publicity surrounding any incident that compromises user data. Our users may also inadvertently disclose or lose
control of their passwords, creating the perception that our systems are not secure against third-party access. While we maintain insurance coverage that, subject to
policy terms and conditions and a significant self-insured retention, is designed to address certain aspects of cyber risks, such insurance coverage may be
insufficient to cover all losses or all types of claims that may arise in the event we experience a security breach.

Cybersecurity risks could adversely affect our business and disrupt our operations.

The threats to network and data security are increasingly diverse and sophisticated. Despite our efforts and processes to prevent breaches, our devices, as
well as our servers, computer systems, and those of third parties that we use in our operations are vulnerable to cybersecurity risks, including cyber-attacks such as
viruses and worms, phishing attacks, denial-of-service attacks, physical or electronic break-ins, employee theft or misuse, and similar disruptions from
unauthorized tampering with our servers and computer systems or those of third parties that we use in our operations, which could lead to interruptions, delays, loss
of critical data, unauthorized access to user data, and loss of consumer confidence. In addition, we may be the target of email scams that attempt to acquire
sensitive information or company assets. Despite our efforts to create security barriers to such threats, we may not be able to entirely mitigate these risks. Any
cyber-attack that attempts to obtain our or our users’ data and assets, disrupt our service, or otherwise access our systems, or those of third parties we use, if
successful, could adversely affect our business, operating results, and financial condition, be expensive to remedy, and damage our reputation. In addition, any
such breaches may result in negative publicity, adversely affect our brand, decrease demand for our products and services, and adversely affect our operating
results and financial condition.

Our success depends on our ability to maintain our brand. If events occur that damage our brand, our business and financial results may be harmed.

Our success depends on our ability to maintain the value of the “Fitbit” brand. The “Fitbit” name is integral to our business as well as to the implementation
of our strategies for expanding our business. Maintaining, promoting, and positioning our brand will depend largely on the success of our marketing and
merchandising efforts, our ability to provide consistent, high quality products and services, and our ability to successfully secure, maintain, and defend our rights to
use the “Fitbit” mark and other trademarks important to our brand. Our brand could be harmed if we fail to achieve these objectives or if our public image or brand
were to be tarnished by negative publicity. For example, there has been media coverage of some of the users of our products reporting skin irritation, as well as
personal injury lawsuits filed against us relating to the Fitbit Zip, Fitbit One, Fitbit Flex, Fitbit Charge, Fitbit Charge HR, and Fitbit Surge products. We also
believe that our reputation and brand may be harmed if we fail to maintain a consistently high level of customer service. In addition, we believe the popularity of
the “Fitbit” brand makes it a target for counterfeiting or imitation, with third parties attempting to sell counterfeit products that attempt to replicate our products.
In addition, our products may be diverted from our authorized retailers and distributors and sold on the “gray market.” Gray market products result in
shadow inventory that is not visible to us, thus making it difficult to forecast demand accurately. Also, when gray market products enter the market, we and our
channel partners compete with often heavily discounted gray market