Table of Contents The cost and operational consequences of implementing further data protection measures could be significant and theft of our intellectual property or proprietary business information could require substantial expenditures to remedy. Further, we cannot be certain that (a) our liability insurance will be sufficient in type or amount to cover us against claims related to security breaches, cyberattacks and other related breaches; (b) such coverage will cover any indemnification claims against us relating to any incident, will continue to be available to us on economically reasonable terms, or at all; and (c) any insurer will not deny coverage as to any future claim. The successful assertion of one or more large claims against us that exceed available insurance coverage, or the occurrence of changes in our insurance policies, including premium increases or the imposition or large deductible or co-insurance requirements, could adversely affect our reputation, business, financial condition and results of operations. Unauthorized use or disclosure of, or access to, any personal information maintained by us or on our behalf, whether through breach of our systems, breach of the systems of our suppliers or vendors by an unauthorized party, or through employee or contractor error, theft or misuse, or otherwise, could harm our business. If any such unauthorized use or disclosure of, or access to, such personal information was to occur, our operations could be seriously disrupted, and we could be subject to demands, claims and litigation by private parties and investigations, related actions and penalties by regulatory authorities. In addition, we could incur significant costs in notifying affected persons and entities and otherwise complying with the multitude of foreign, federal, state and local laws and regulations relating to the unauthorized access to, or use or disclosure of, personal information. Finally, any perceived or actual unauthorized access to, or use or disclosure of, such information could harm our reputation, substantially impair our ability to attract and retain customers and have an adverse impact on our business, financial condition and results of operations. The software we use in providing system configuration recommendations or potential energy savings estimates to customers relies in part on third-party information that may not be accurate or up-to-date; this may therefore generate inaccurate recommendations or estimates, resulting in a loss of reputation and customer confidence. We provide our customers online tools to help them determine proper system sizing and configurations, estimates of bill savings and potential revenues resulting from executing a specific curtailment strategy. These estimates are in turn based on a number of factors such as customer tariff structures, estimated wholesale electricity prices, future economic conditions and estimates of the reduction in electricity usage as a result of a curtailment activity. If the estimates we provide prove to be significantly different from actual payments or savings received by our customers, it may result in the loss of reputation and/or customer confidence. We are subject to stringent and evolving data privacy and security laws, contractual obligations, information security policies and other obligations governing the use, processing and transfer of personal information, and any unauthorized access to, or disclosure or theft of, personal information we gather, store or use could harm our reputation and subject us to claims or litigation. We receive, store and use certain personal information of our customers, and the end-users of our customers’ energy systems, including names, addresses, e-mail addresses, energy system details and performance information. We also store and use personal information of our employees. We take steps to protect the security, integrity and confidentiality of the personal information we collect, store and transmit, but there is no guarantee that inadvertent or unauthorized use or disclosure will not occur or that third parties will not gain unauthorized access to this information despite our efforts. Because techniques used to obtain unauthorized access or sabotage systems change frequently and generally are not identified until they are launched against a target, we and our suppliers or vendors may be unable to anticipate these techniques or to implement adequate preventative or mitigation measures. We are subject to a variety of local, state, national and international laws, directives and regulations that apply to the collection, use, retention, protection, disclosure, transfer and other processing of personal data in the different jurisdictions in which we operate, including, for example, comprehensive regulatory systems in the United States, Europe and Brazil. It remains unclear what additional requirements will be codified in future laws, how those laws will be enforced, and how these legal shifts impact our operations and risk. We may be required to modify our data practices and policies, at potentially substantial additional costs and expenses. Complying with these forthcoming and future laws, regulations, amendments to or re-interpretations of existing laws and regulations, and contractual or other obligations relating to privacy, data protection, data transfers, data localization, or information security may require us to make changes to our services to enable us or our customers to meet new legal requirements, incur substantial operational costs, modify our data practices and policies, and restrict our business operations. Enphase Energy, Inc. | 2023 Form 10-K | 28