Latch (LTCH) Risk Analysis

Use of our solutions involves the storage, transmission and processing of personal, payment, credit and other confidential and private information of our customers, and may in certain cases permit access to our customers' homes or properties or help secure them. We also maintain and process confidential and proprietary information in our business, including our employees' and contractors' personal information and confidential business information. We rely on proprietary and commercially available systems, software, tools and monitoring to protect against unauthorized use or access of the information we process and maintain. Our services and the networks and information systems we utilize in our business are at risk for breaches as a result of third-party action, employee or partner error, malfeasance or other factors. Criminals and other nefarious actors are using increasingly sophisticated methods, including cyber-attacks, phishing, social engineering and other illicit acts to capture, access or alter various types of information, to engage in illegal activities such as fraud and identity theft and to expose and exploit potential security and privacy vulnerabilities in corporate systems and websites. Unauthorized intrusion into the portions of our systems and networks and data storage devices that process and store customer confidential and private information, the loss of such information or the deployment of malware or other harmful code to our services or our networks or systems may result in negative consequences, including the actual or alleged malfunction of our products, software or services. In addition, third parties, including our partners, could also be sources of security risks to us in the event of a failure of their own security systems and infrastructure. The threats we and our partners face continue to evolve and are difficult to predict due to advances in computer capabilities, new discoveries in the field of cryptography and new and sophisticated methods used by criminals. There can be no assurances that our defensive measures will prevent cyber-attacks or that we will discover network or system intrusions or other breaches on a timely basis or at all. We cannot be certain that we will not suffer a compromise or breach of the technology protecting the systems or networks that house or access our software, services and products or on which we or our partners process or store personal information or other sensitive information or data, or that any such incident will not be believed or reported to have occurred. Any such actual or perceived compromises or breaches to systems, or unauthorized access to our customers' data, products, software or services, or acquisition or loss of data, whether suffered by us, our partners or other third parties, whether as a result of employee error or malfeasance or otherwise, could harm our business. They could, for example, cause interruptions in operations, loss of data, loss of confidence in our services, software and products and damage to our reputation and could limit the adoption of our software, services and products. They could also subject us to costs, regulatory investigations and orders, litigation, contract damages, indemnity demands and other liabilities and materially and adversely affect our customer base, sales, revenues and profits. Any of these could, in turn, have a material adverse impact on our business, financial condition, cash flows or results of operations. If such an event results in unauthorized access to or loss of any data subject to data privacy and security laws and regulations, then we could be subject to substantial fines by U.S. federal and state authorities, foreign data privacy authorities and private claims by companies or individuals. A cyber-attack may cause additional costs, such as investigative and remediation costs, the costs of providing individuals and/or data owners with notice of the breach, legal fees and the costs of any additional fraud detection activities required by law, a court or a third-party. Additionally, some of our customer contracts require us to indemnify customers from damages they may incur as a result of a breach of our systems. There can be no assurance that the limitation of liability provisions in our contracts for a security breach would be enforceable or would otherwise protect us from any such liabilities or damages with respect to any particular claim. Further, if a high profile security breach occurs with respect to another provider of smart building solutions, our customers and potential customers may lose trust in the security of our services or in the smart building technology industry generally, which could adversely impact our ability to retain existing customers or attract new ones. Even in the absence of any security breach, customer concerns about security, privacy or data protection may deter them from using our software, services and products. Our insurance policies covering errors and omissions and certain security and privacy damages and claim expenses may not be sufficient to compensate for all potential liability. Although we maintain cyber liability insurance, we cannot be certain that our coverage will be adequate for liabilities actually incurred or that insurance will continue to be available to us on economically reasonable terms, or at all.

We offer complex software and hardware products and services that can be affected by design and manufacturing defects. Sophisticated full building operating system software and applications, such as those offered by us, have issues that can unexpectedly interfere with the intended operation of hardware or software products. Defects may also exist in components and products that we source from third parties. Any such defects could make our software, services and products unsafe, create a risk of property damage and personal injury and subject us to the hazards and uncertainties of product liability claims and related litigation. In addition, from time to time, we may experience outages, service slowdowns or errors that affect our software and full building operating system offerings. As a result, our services may not perform as anticipated and may not meet customer expectations. There can be no assurance that we will be able to detect and fix all issues and defects in the hardware, software and services we offer. Failure to do so could result in widespread technical and performance issues affecting our products and services and could lead to claims against us. We maintain general liability insurance; however, design and manufacturing defects, and claims related thereto, may subject us to judgments or settlements that result in damages materially in excess of the limits of our insurance coverage. In addition, we may be exposed to recalls, product replacements or modifications, write-offs of inventory, property, plant and equipment or intangible assets, and significant warranty and other expenses such as litigation costs and regulatory fines. If we cannot successfully defend against any large claim, maintain our general liability insurance on acceptable terms or maintain adequate coverage against potential claims, our financial results could be adversely impacted. Further, given that some of our solutions are considered security systems, quality problems could subject us to substantial liability, adversely affect the experience for users of our software, services and products and result in harm to our reputation, loss of competitive advantage, poor market acceptance, reduced demand for our software, services and products, delay in new product and service introductions and lost revenue.

We have recently experienced substantial growth in our business. This growth has placed and may continue to place significant demands on our management and our operational and financial infrastructure. As our operations continue to grow in size, scope and complexity, we will need to increase our sales and marketing efforts, add additional sales and marketing personnel and senior management in various regions worldwide and improve and upgrade our systems and infrastructure to attract, service and retain an increasing number of customers. For example, we plan to explore opportunities for international expansion into the European markets and extend our offerings to current customers by introducing new software, services and products. The expansion of our systems and infrastructure will require us to commit substantial financial, operational and technical resources in advance of an increase in the volume of business, with no assurance that the volume of business will increase. Any such additional capital investments will increase our cost base. Continued growth could also strain our ability to maintain reliable service levels for our customers, develop and improve our operational, financial and management controls, enhance our billing and reporting systems and procedures and recruit, train and retain highly skilled personnel. Competition for highly skilled personnel is often intense. We may not be successful in attracting, integrating, or retaining qualified personnel to fulfill our current or future needs, including, but not limited to, senior management, engineers, designers, product managers, operations, logistics and supply chain personnel. We have from time to time experienced, and we expect to continue to experience in the future, difficulty in hiring and retaining highly skilled employees with appropriate qualifications. The loss of services of senior management or other key employees could significantly delay or prevent the achievement of our development and strategic objectives. In particular, we depend to a considerable degree on the vision, skills, experience and effort of our co-founder, Chairman and Chief Executive Officer, Luke Schoenfelder. The replacement of senior management or other key personnel would likely involve significant time and costs, and such loss could significantly delay or prevent the achievement of our business objectives and future growth. In addition, our existing systems, processes and controls may not prevent or detect all errors, omissions or fraud. We may also experience difficulties in managing improvements to our systems, processes and controls or in connection with third-party software licensed to help us with such improvements. Any future growth, particularly any additional international expansion, would add complexity to our organization and require effective communication and coordination throughout our organization. Additionally, our productivity and the quality of our solutions and services may be adversely affected if we do not integrate and train our new employees quickly and effectively. If we fail to achieve the necessary level of efficiency in our organization as we grow, our business, results of operations and financial condition could be materially and adversely affected.

The smart building technology industry in which we participate may become more competitive, and competition may intensify in the future. Our ability to compete depends on a number of factors, including: - our platforms' and solutions' functionality, performance, ease of use, reliability, availability and cost effectiveness relative to that of our competitors' products;- our success in utilizing new and proprietary technologies to offer solutions and features previously not available in the marketplace;- our success in identifying new markets, applications and technologies;- our ability to attract and retain partners;- our name recognition and reputation;- our ability to recruit software engineers and sales and marketing personnel; and - our ability to protect our intellectual property. Customers may prefer to purchase from their existing suppliers rather than a new supplier regardless of product performance or features. In the event a customer decides to evaluate a smart building solution, the customer may be more inclined to select one of our competitors if such competitor's product offerings are broader or at a better price point than those that we offer.

We believe that continuing to strengthen our current brand will be critical to achieving widespread acceptance of our software, services and products and will require continued focus on active marketing efforts. The demand for and cost of online and traditional advertising have been increasing and may continue to increase. Accordingly, we may need to increase our investment in, and devote greater resources to, advertising, marketing and other efforts to create and maintain brand loyalty among users, especially as we launch new LatchOS modules aimed to capture residents' digital services spending. Brand promotion activities may not yield increased revenues, and even if they do, any increased revenues may not offset the expenses incurred in building our brand. In addition, if we do not handle customer complaints effectively, our brand and reputation may suffer, we may lose our customers' confidence and they may choose to terminate, reduce or not renew their subscriptions. Many of our customers also participate in social media and online blogs about smart building technology solutions, including our products, and our success depends in part on our ability to minimize negative and generate positive customer feedback through such online channels where existing and potential customers seek and share information. If we fail to promote and maintain our brand, our business could be materially and adversely affected.

Our revenue, results of operations and cash flows depend on the overall demand for our software, services and products. Negative conditions in the general economy both in the United States and abroad, including conditions resulting from the COVID-19 pandemic, changes in gross domestic product growth, financial and credit market fluctuations, construction slowdowns, energy costs, international trade relations and other geopolitical issues, the availability and cost of credit and the global housing and mortgage markets could cause a decrease in consumer discretionary spending and business investment and diminish growth expectations in the U.S. economy and abroad. During weak economic times, the available pool of potential customers may decline as the prospects for new multifamily apartment and single family rental construction and residential building renovation projects diminish, which may have a corresponding impact on our growth prospects. In addition, there is an increased risk during these periods that an increased percentage of property developers will file for bankruptcy protection, which may harm our revenue, profitability and results of operations. In addition, we may determine that the cost of pursuing any claim may outweigh the recovery potential of such claim. Prolonged economic slowdowns and reductions in new residential and commercial building construction and renovation projects may result in diminished sales of our software, services and products. Further worsening, broadening or protracted extension of an economic downturn could have a negative impact on our business, revenue, results of operations and cash flows.

We currently have operations in the United States and Canada and are planning to expand our international operations to the United Kingdom, Germany and France and may further grow our international presence in the future. The future success of our business will depend, in part, on our ability to expand our operations and customer base worldwide. Operating in international markets requires significant resources and management attention and will subject us to regulatory, economic and political risks that are different from those in the United States. Due to our limited experience with international operations and developing and managing sales and distribution channels in international markets, our international expansion efforts may not be successful. In addition, we will face risks in doing business internationally that could materially and adversely affect our business, including: - our ability to comply with differing and evolving technical and environmental standards, telecommunications regulations, building and fire codes and certification requirements outside the United States;- difficulties and costs associated with staffing and managing foreign operations;- our ability to effectively price our products and subscriptions in competitive international markets;- potentially greater difficulty collecting accounts receivable and longer payment cycles;- the need to adapt and localize our products and subscriptions for specific countries;- the need to offer customer care in various languages;- reliance on third parties over which we have limited control;- availability of reliable network connectivity in targeted areas for expansion;- lower levels of adoption of credit or debit card usage for internet related purchases by foreign customers and compliance with various foreign regulations related to credit or debit card processing and data protection requirements;- difficulties in understanding and complying with local laws, regulations and customs in foreign jurisdictions;- restrictions on travel to or from countries in which we operate or inability to access certain areas;- export controls and economic sanctions;- changes in diplomatic and trade relationships, including tariffs and other non-tariff barriers, such as quotas and local content rules;- U.S. government trade restrictions, including those which may impose restrictions, including prohibitions, on the exportation, re-exportation, sale, shipment or other transfer of programming, technology, components and/or services to foreign persons;- our ability to comply with different and evolving laws, rules, and regulations, including the GDPR in the European Union, and other data privacy and data protection laws, rules and regulations;- compliance with various anti-bribery and anti-corruption laws such as the Foreign Corrupt Practices Act and the U.K. Bribery Act of 2010;- more limited protection for intellectual property rights in some countries;- adverse tax consequences;- fluctuations in currency exchange rates;- exchange control regulations, which might restrict or prohibit our conversion of other currencies into U.S. dollars;- restrictions on the transfer of funds;- new and different sources of competition;- political and economic instability created by the United Kingdom's departure from the European Union;- deterioration of political relations between the United States and other countries in which we may operate; or - political or social unrest, economic instability, conflict or war in such countries, or sanctions implemented by the United States against countries in which we operate, all of which could have a material adverse effect on our operations. We have limited experience with international regulatory environments and market practices and may not be able to penetrate or successfully operate in the markets we choose to enter. In addition, we may incur significant expenses as a result of our international expansion, and we may not be successful. We may face limited brand recognition in certain parts of the world that could lead to non-acceptance or delayed acceptance of our software, services and products by customers in new markets. Our failure to successfully manage these risks could harm our international operations and have an adverse effect on our business, financial condition and operating results.

While we have historically transacted in U.S. dollars with the majority of our customers and suppliers, we have transacted in some foreign currencies, such as the Canadian Dollar, British Pound Sterling and the New Taiwan Dollar, and may transact in additional foreign currencies in the future. Accordingly, changes in the value of foreign currencies relative to the U.S. dollar may affect our revenue and operating results. As a result of such foreign currency exchange rate fluctuations, it could be more difficult to detect underlying trends in our business and operating results. In addition, to the extent that fluctuations in currency exchange rates cause our operating results to differ from our expectations or the expectations of our investors, the trading price of our common stock could decrease.

From time to time, we may be subject to claims, lawsuits, government investigations and other proceedings involving products liability, competition and antitrust, intellectual property, privacy, consumer protection, securities, tax, labor and employment, commercial disputes and other matters that could adversely affect our business operations and financial condition. As our business grows, we may see a rise in the number and significance of these disputes and inquiries. Litigation and regulatory proceedings, and particularly the intellectual property infringement matters that we could face, may be protracted and expensive, and the results are difficult to predict. Additionally, our litigation costs could be significant. Adverse outcomes with respect to litigation or any of these legal proceedings may result in significant settlement costs or judgments, penalties and fines, or require us to modify our products or services, make content unavailable, or require us to stop offering certain features, all of which could negatively affect our revenue growth. The results of litigation, investigations, claims and regulatory proceedings cannot be predicted with certainty, and determining reserves for pending litigation and other legal and regulatory matters requires significant judgment. There can be no assurance that our expectations will prove correct, and even if these matters are resolved in our favor or without significant cash settlements, these matters, and the time and resources necessary to litigate or resolve them, could harm our business, financial condition and operating results.

Our future effective tax rates could be subject to volatility or adversely affected by a number of factors, including: - changes in the valuation of our deferred tax assets and liabilities;- expiration of, or lapses in, the research and development tax credit laws;- expiration or non-utilization of net operating loss carryforwards;- tax effects of share-based compensation;- expansion into new jurisdictions;- potential challenges to and costs related to implementation and ongoing operation of the intercompany arrangements among our domestic and foreign entities;- changes in tax laws and regulations and accounting principles, or interpretations or applications thereof; and - certain non-deductible expenses as a result of acquisitions. Any changes in our effective tax rate could adversely affect our results of operations.

We collect, store, process and use a wide variety of data from current and prospective customers and end-users of our products and services, including personal information, such as names, home addresses, email addresses and access events. Federal, state and international laws and regulations governing privacy and data protection require us to safeguard our customers' personal information. The scope of such laws and regulations is rapidly changing. We are also subject to the terms of our privacy policies and contractual obligations to third parties related to privacy, data protection and information security. We strive to comply with applicable laws, regulations, policies and other legal obligations relating to privacy, data protection and information security. However, the regulatory framework for privacy, data protection and information security is, and is likely to remain, uncertain for the foreseeable future, and it is possible that these or other actual or alleged obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. We also expect that there will continue to be new laws, regulations and industry standards concerning privacy, data protection and information security proposed and enacted in various jurisdictions. Various states throughout the United States are increasingly adopting or revising privacy, information security and data protection laws and regulations that could have a significant impact on our current and planned privacy, data protection and information security-related practices, our collection, use, sharing, retention and safeguarding of customer, consumer and/or employee information, as well as any other third-party information we receive, and some of our current or planned business activities. For example, California enacted the CCPA, which affords consumers who are California residents expanded privacy protections and control over the collection, use and sharing of their personal information. The CCPA went into effect on January 1, 2020 and gives California residents expanded rights to access and require deletion of their personal information, opt out of certain personal information sharing and receive detailed information about how their personal information is used. The CCPA also provides for a private right of action for data breaches that may increase data breach litigation. Relatedly, the CPRA was recently adopted by California voters. The CPRA significantly amends the CCPA and imposes additional data protection obligations on covered companies doing business in California, including additional consumer rights processes and opt outs for certain uses of sensitive data. It also creates a new California data protection agency specifically tasked to enforce the law, which would likely result in increased regulatory scrutiny of California businesses in the areas of data protection and security. The substantive requirements for businesses subject to the CPRA will go into effect on January 1, 2023 and become enforceable on July 1, 2023. Additionally, in 2021, Virginia and Colorado passed general data protection laws. In Virginia, the VCDPA will go into effect on January 1, 2023, and, in Colorado, CPA will go into effect on July 1, 2023. Both laws will provide residents in their respective states similar rights to those granted Californians under the CPRA, including the right to access, correct and delete their personal information, as well as the rights to opt out of the sale and processing of personal information for certain purposes. Currently, privacy bills are moving through the legislative process in 18 other states. We expect that some of these bills will be passed as laws, thereby further increasing our state privacy obligations. In addition to state privacy bills, there is also increasing local activity. For instance, in May 2021, New York City passed into law the TDPA, regulating how building access data is collected, processed and disposed of by property managers and smart access system operators. The TDPA went into effect in July 2021, and we had to make certain adjustments to our processing of data collected from New York City users of LatchOS as a result. Similar local legislation in other cities where we operate is likely, which will further increase the complexity and expense of ensuring that our privacy practices are compliant. Additionally, the interpretations of existing federal and state consumer protection laws relating to online collection, use, dissemination and security of personal information adopted by the FTC, state attorneys general, private plaintiffs and courts have evolved, and may continue to evolve, over time. Consumer protection laws require us to publish statements that describe how we handle personal information and choices individuals may have about the way we handle their personal information. If such information that we publish is considered untrue, we may be subject to government claims of unfair or deceptive trade practices, which could lead to significant liabilities and consequences. Furthermore, according to the FTC, violating consumers' privacy rights or failing to take appropriate steps to keep consumers' personal information secure may constitute unfair acts or practices in or affecting commerce and thus violate Section 5(a) of the FTC Act. The FTC expects a company's data security measures to be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business and the cost of available tools to improve security and reduce vulnerabilities. In Canada, PIPEDA and similar provincial laws impose obligations with respect to processing personal information. PIPEDA requires companies to obtain an individual's consent when collecting, using or disclosing that individual's personal information. Individuals have the right to access and challenge the accuracy of their personal information held by an organization, and personal information may only be used for the purposes for which it was collected. If an organization intends to use personal information for another purpose, it must again obtain that individual's consent. Failure to comply with PIPEDA could result in significant fines and penalties. In Europe, the GDPR went into effect in May 2018 and imposes strict requirements for processing the personal data of individuals within the European Economic Area. Companies that must comply with the GDPR face increased compliance obligations and risk, including more robust regulatory enforcement of data protection requirements and potential fines for noncompliance of up to €20 million or 4% of the annual global revenues of the noncompliant company, whichever is greater. Relatedly, from January 1, 2021, companies doing business in the European Union and the United Kingdom have to comply with both the GDPR and the GDPR as incorporated into United Kingdom national law, the latter regime having the ability to separately fine up to the greater of £17.5 million or 4% of global turnover. The relationship between the United Kingdom and the European Union in relation to certain aspects of data protection law remains unclear, and it is unclear how United Kingdom data protection laws and regulations will develop in the medium to longer term, and how data transfers to and from the United Kingdom will be regulated in the long term. On June 28, 2021, the European Commission announced a decision that United Kingdom data protection standards are adequate under the meaning of GDPR's Article 45, providing a mechanism to enable transfer of data from the European Union to the United Kingdom without the need for additional authorization or safeguards. This decision will be in force until June 2025 unless the European Commission re-assesses and renews or extends the decision, but the decision also can be withdrawn before such date if the United Kingdom were to lower its standards and no longer provide European Union citizens adequate protection for their personal data. These changes and uncertainties may lead to additional costs and increase our overall risk exposure. With data privacy and security laws and regulations imposing new and relatively burdensome obligations, and with substantial uncertainty over the interpretation and application of these and other laws and regulations, we may face challenges in addressing their requirements and making necessary changes to our policies and practices and may incur significant costs and expenses in an effort to do so. Any failure or perceived failure by us to comply with our privacy policies, our data privacy or security related obligations to our customers or any of our other legal obligations relating to data privacy or security may result in governmental investigations or enforcement actions, litigation, claims or public statements against us by consumer advocacy groups or others, and could result in significant liability, loss of relationships with key third parties or cause our customers to lose trust in us, which could have an adverse effect on our reputation and business. Although we have established security measures to protect customer information, our or our partners' security and testing measures may not prevent security breaches. Further, advances in computer capabilities, new discoveries in the field of cryptography, inadequate facility security or other developments may result in a compromise or breach of the technology we use to protect customer data. Any compromise of our security or breach of our customers' privacy could harm our reputation or financial condition and, therefore, our business. In addition, a party who circumvents our security measures or exploits inadequacies in our security measures could, among other effects, misappropriate customer data or other proprietary information, cause interruptions in our operations or expose customers to computer viruses or other disruptions. Actual or perceived vulnerabilities may lead to claims against us. To the extent that the measures we or our third-party business partners have taken prove to be insufficient or inadequate, we may become subject to litigation, breach notification obligations or regulatory or administrative sanctions, which could result in significant fines, penalties or damages and harm to our reputation. Depending on the nature of the information compromised, in the event of a data breach or other unauthorized access to our customer data, we may also have obligations to notify customers about the incident, and we may need to provide some form of remedy, such as a subscription to a credit monitoring service, for the individuals affected by the incident. A growing number of legislative and regulatory bodies have adopted consumer notification requirements in the event of unauthorized access to or acquisition of certain types of personal data. Such breach notification laws continue to evolve and may be inconsistent from one jurisdiction to another. Complying with these obligations could cause us to incur substantial costs and could increase negative publicity surrounding any incident that compromises customer data. Furthermore, we may be required to disclose personal data pursuant to demands from individuals, privacy advocates, regulators, government agencies and law enforcement agencies in various jurisdictions with conflicting privacy and security laws. This disclosure or refusal to disclose personal data may result in a breach of privacy and data protection policies, notices, laws, rules, court orders and regulations and could result in proceedings or actions against us in the same or other jurisdictions, damage to our reputation and brand and inability to provide our products and services to customers in certain jurisdictions. Additionally, changes in the laws and regulations that govern our collection, use and disclosure of customer data could impose additional requirements with respect to the retention and security of customer data, limit our marketing activities and have an adverse effect on our business, financial condition and operating results.