Commitments And Contingencies
12 Months Ended
Dec. 31, 2019
Commitments and Contingencies Disclosure [Abstract]  
COMMITMENTS AND CONTINGENCIES
Legal Matters
The Company accrues a liability for legal contingencies when it believes that it is both probable that a liability has been incurred and that it can reasonably estimate the amount of the loss. The Company reviews these accruals and adjusts them to reflect ongoing negotiations, settlements, rulings, advice of legal counsel and other relevant information. To the extent new information is obtained and the Company's views on the probable outcomes of any pending claims, suits, assessments, regulatory investigations, or other legal proceedings change, changes in the Company's accrued liabilities would be recorded in the period in which such determination is made. In addition, in accordance with the relevant authoritative guidance, for matters in which the likelihood of material loss is at least reasonably possible, the Company provides disclosure of the possible loss or range of loss. If a reasonable estimate cannot be made, however, the Company will provide disclosure to that effect.
Due to the nature of the Company's business, the Company is subject to patent infringement claims, including current litigation alleging infringement by various Company solutions and services. The Company believes that it has meritorious defenses to the allegations made in its pending litigation and intends to vigorously defend itself; however, it is unable currently to determine the ultimate outcome of these or similar matters or the potential exposure to loss, if any. In addition, the Company is subject to various other legal proceedings, including suits, assessments, regulatory actions and investigations generally arising out of the normal course of business. Although it is difficult to predict the ultimate outcomes of these matters, the Company believes that outcomes that will materially and adversely affect its business, financial position, results of operations or cash flows are reasonably possible but not estimable at this time.
The Company was the victim of a previously disclosed cyberattack during which international cyber criminals gained intermittent access to Citrix’s internal network. The Company’s investigation of this incident confirmed that between October 13, 2018 and March 8, 2019, international cyber criminals gained intermittent access to Citrix’s internal network through “password spraying”, and over a limited number of days stole business documents and files from a shared network drive and a drive associated with a web-based tool used in the Company's consulting practice. The shared drive from which documents and files were stolen was used to store current and historical business documents and files, such as human resources and employee records, some of which contained sensitive and personal identification information of the Company's current and former employees and, in some cases, their beneficiaries, dependents and others; customer engagement documents, including consulting services project materials, statements of work and proofs of concept, some of which were also stored on the drive associated with a web-based tool used in the Company's consulting practice; marketing materials; sales and finance documents; contracts and other legal records; and a wide assortment of other company records. The Company has completed its review of the documents and files that may have been accessed or were stolen in this incident, and the Company has completed notifications to regulators. The Company’s investigation found no indication that the cyber criminals discovered and exploited any vulnerabilities in the Company’s products or customer cloud services to gain entry, and no indication that the security of any Citrix product or customer cloud service was compromised. The Company found no impact to its financial reporting systems from this cyberattack. Additionally, the Company has taken steps to enhance its internal controls over financial reporting and disclosure controls and procedures related to cyberattacks.
Further, the Company has a program of network-security (or cyber risk) insurance policies that, with standard exclusions, insure against the costs of detecting and mitigating cyber breaches, the cost of credit monitoring, and reasonable expenses for defending and settling privacy and network security lawsuits. These policies are subject to a $500,000 self-insured retention and a total insurance limit of $200.0 million. There can be no assurance, however, that this insurance coverage is sufficient to cover this or any other cyberattack. In addition to these insurance policies, the Company maintains customary business coverage under its crime, commercial general liability, and director and officer insurance policies.
Although it is difficult to predict the ultimate outcomes of this cyberattack, to date, three putative class action lawsuits have been filed against the Company in the United States District Court for the Southern District of Florida. These matters, Howard v. Citrix, Jackson and Sargent v. Citrix, and Ramus, Young and Charles v. Citrix, were filed on May 24, 2019, May 30, 2019, and June 23, 2019, respectively, and have been consolidated. The plaintiffs, who purport to represent various classes of current and former employees (and their dependents) of the Company, generally claim to have been harmed by the Company’s alleged actions and/or omissions in connection with this incident and their personal data. They assert a variety of common law and statutory claims seeking monetary damages or other related relief.
The Company is unable to currently determine the ultimate outcome of these legal proceedings or the potential exposure or loss, if any, because the legal proceedings remain in the early stages, there is uncertainty as to the likelihood of a class or classes being certified or the ultimate size of any class if certified, and there are significant factual and legal issues to be resolved.
Beyond the matters described above, the Company believes that it is reasonably possible that outcomes from potential unasserted claims related to this cyberattack could materially and adversely affect its business, financial position, results of operations or cash flows. However, it is not possible to estimate the amount or a range of potential loss, if any, at this time, and the Company will continue to evaluate information as it becomes known, and will record an accrual for estimated losses at the time or times it is determined that a loss is both probable and reasonably estimable.
On July 25, 2019, a class action lawsuit was filed against Citrix, LogMeIn, Inc. (“LogMeIn”) and certain of their directors and officers in the Circuit Court of the 15th Judicial Circuit, Palm Beach County, Florida. The complaint alleges that the defendants violated federal securities laws by making alleged misstatements and omissions in LogMeIn’s Registration Statement and Prospectus filed in connection with the 2017 spin-off of Citrix’s GoTo family of service offerings and subsequent merger of that business with LogMeIn. The complaint seeks, among other things, the recovery of monetary damages. The Company believes that Citrix and its directors have meritorious defenses to these allegations; however, the Company is unable to currently determine the ultimate outcome of this matter or the potential exposure or loss, if any.
Guarantees
The authoritative guidance requires certain guarantees to be recorded at fair value and requires a guarantor to make disclosures, even when the likelihood of making any payments under the guarantee is remote. For those guarantees and indemnifications that do not fall within the initial recognition and measurement requirements of the authoritative guidance, the Company must continue to monitor the conditions that are subject to the guarantees and indemnifications, as required under existing generally accepted accounting principles, to identify if a loss has been incurred. If the Company determines that it is probable that a loss has been incurred, any such estimable loss would be recognized. The initial recognition and measurement requirements do not apply to the provisions contained in the majority of the Company’s software license agreements that indemnify licensees of the Company’s software from damages and costs resulting from claims alleging that the Company’s software infringes the intellectual property rights of a third party. The Company has not made material payments pursuant to these provisions. The Company has not identified any losses that are probable under these provisions and, accordingly, the Company has not recorded a liability related to these indemnification provisions.
Purchase Obligations
The Company has agreements with suppliers to purchase inventory and estimates its non-cancelable obligations under these agreements for the fiscal year ended December 31, 2020 to be $10.8 million. The Company also has contingent obligations to purchase inventory for the fiscal year ended December 31, 2020 of $15.6 million. The Company does not have any purchase obligations beyond December 31, 2020.
Other Purchase Commitments
In June 2018 and 2019, the Company entered into two amended agreements with third-party providers, respectively, in the ordinary course of business, for the Company's use of certain cloud services through June 2021. Under the amended agreements, the Company is committed to a purchase of $50.0 million in fiscal year 2020.