Medtronic 2016 Annual Report Download - page 28

Download and view the complete annual report

Please find page 28 of the 2016 Medtronic annual report below. You can navigate through the pages in the report by either clicking on the pages listed below, or by using the keyword search tool below to find specific information within the annual report.

Page out of 158

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
  • 43
  • 44
  • 45
  • 46
  • 47
  • 48
  • 49
  • 50
  • 51
  • 52
  • 53
  • 54
  • 55
  • 56
  • 57
  • 58
  • 59
  • 60
  • 61
  • 62
  • 63
  • 64
  • 65
  • 66
  • 67
  • 68
  • 69
  • 70
  • 71
  • 72
  • 73
  • 74
  • 75
  • 76
  • 77
  • 78
  • 79
  • 80
  • 81
  • 82
  • 83
  • 84
  • 85
  • 86
  • 87
  • 88
  • 89
  • 90
  • 91
  • 92
  • 93
  • 94
  • 95
  • 96
  • 97
  • 98
  • 99
  • 100
  • 101
  • 102
  • 103
  • 104
  • 105
  • 106
  • 107
  • 108
  • 109
  • 110
  • 111
  • 112
  • 113
  • 114
  • 115
  • 116
  • 117
  • 118
  • 119
  • 120
  • 121
  • 122
  • 123
  • 124
  • 125
  • 126
  • 127
  • 128
  • 129
  • 130
  • 131
  • 132
  • 133
  • 134
  • 135
  • 136
  • 137
  • 138
  • 139
  • 140
  • 141
  • 142
  • 143
  • 144
  • 145
  • 146
  • 147
  • 148
  • 149
  • 150
  • 151
  • 152
  • 153
  • 154
  • 155
  • 156
  • 157
  • 158

Table of Contents
25
The size and complexity of our information technology systems makes them vulnerable to increasingly sophisticated cyber-attacks,
breakdown, destruction, loss or compromise of data, obsolescence or incompatibility among systems, or other significant disruption
including power outages and telecommunications failures. Unauthorized persons may attempt to hack into our products or systems
to obtain personal data relating to patients or employees, our confidential or proprietary information or confidential information
we hold on behalf of third parties. If third parties successfully hack into or interfere with our implanted or connected products or
services, they may create issues with product functionality that could pose a risk of loss of data, a risk to patient safety, and a risk
of product recall or field activity. We have programs in place to detect, contain and respond to data security incidents, and we
make ongoing improvements to our information-sharing products in order to minimize vulnerabilities, in accordance with industry
and regulatory standards. However, because the techniques used to obtain unauthorized access or sabotage systems change
frequently and may be difficult to detect, we may not be able to anticipate and prevent these intrusions or mitigate them when and
if they occur.
We also rely on third party vendors to supply and/or support certain aspects of our information technology systems. Third party
systems may contain defects in design or manufacture or other problems that could unexpectedly compromise information security
of our own systems, and we are dependent on these third parties to deploy appropriate security programs to protect their systems.
In addition, we continue to grow in part through new business acquisitions. With this growth we will continue to consolidate and
integrate the number of systems we operate, and to upgrade and expand our information system capabilities for stable and secure
business operations.
If we are unable to maintain reliable information technology systems and prevent data breaches, we may suffer regulatory
consequences in addition to business consequences. Our worldwide operations mean that we are subject to data protection and
cyber security laws and regulations in many jurisdictions, and that some of the data we process, store and transmit may be transmitted
across countries. In the U.S., HIPAA privacy and security rules require certain of our operations to protect the confidentiality of
patient medical records and other health information, and the Federal Trade Commission has begun to assert authority over
protection of privacy and the use of cyber security in information systems, particularly in the area of online communications and
mobile healthcare applications, in which we have a growing presence. In Europe, the General Data Protection Regulation requires
us to manage individually identifiable information in the E.U. and, in the event of violations, may impose fines of up to four
percent of our global revenue. China and Russia have also passed laws that require individually identifiable data on their citizens
to be maintained on local servers and that may restrict transfer or processing of that data. We believe that we meet the expectations
of applicable regulations and that the ongoing costs and impacts of ensuring compliance with such rules are not material to our
business. However, there is no guarantee that we will avoid enforcement actions by governmental bodies. Enforcement actions
can be costly and interrupt regular operations of our business. In addition, there has been a developing trend of civil lawsuits and
class actions relating to breaches of consumer data held by large companies. While Medtronic has not been named in any such
suits, if a substantial breach or loss of data from our records were to occur, we could become a target of such litigation.
Our information systems require an ongoing commitment of significant resources to maintain, protect, and enhance existing
systems and develop new systems to keep pace with continuing changes in information processing technology, evolving legal and
regulatory standards, the increasing need to protect patient and customer information, and the information technology needs
associated with our changing products and services. There can be no assurance that our process of consolidating the number of
systems we operate, upgrading and expanding our information systems capabilities, continuing to build security into the design
of our products, protecting and enhancing our systems and developing new systems to keep pace with continuing changes in
information processing technology will be successful or that additional systems issues will not arise in the future. Any significant
breakdown, intrusion, interruption, corruption, or destruction of these systems, as well as any data breaches, could have a material
adverse effect on our business. If we fail to maintain or protect our information systems and data integrity effectively, we could
expose patients or employees to financial or medical identity theft, suffer a loss of product functionality, lose existing customers,
have difficulty attracting new customers, have difficulty preventing, detecting, and controlling fraud, be exposed to the loss or
misuse of confidential information, have disputes with customers, physicians, and other health care professionals, suffer regulatory
sanctions or penalties under federal laws, state laws, or the laws of other jurisdictions, experience increases in operating expenses,
incur expenses or lose revenues as a result of a data privacy breach, or suffer other adverse consequences including legal action
and damage to our reputation.
Negative conditions in global credit markets may impair our ability to issue debt securities, including our commercial paper
program and the liquidity and/or market value of investments in marketable debt securities such as our other fixed income
securities, which may cause us losses and liquidity issues.
We have investments in marketable debt securities that are classified and accounted for as available-for-sale. Our debt securities
include government and agency securities, corporate debt securities, certificates of deposit, debt funds, and mortgage-backed and
other asset-backed securities. Market conditions over the past several years have included periods of significant economic
uncertainty and at times general market distress. During these periods, we may experience reduced liquidity across the fixed-
income investment market, including the securities in which we invest. In the event we need to sell these securities, we may not