{ "ticker": "IRM", "company": "IRM", "filing_type": "10-K", "year_current": "2025", "year_prior": "2024", "summary": { "added": 0, "removed": 0, "modified": 2, "unchanged": 13, "total_current": 15, "total_prior": 15 }, "source": "SEC EDGAR", "url": "https://riskdiff.com/irm/2025-vs-2024/", "markdown_url": "https://riskdiff.com/irm/2025-vs-2024/index.md", "json_url": "https://riskdiff.com/irm/2025-vs-2024/index.json", "generated": "2026-06-01", "ai_summary": null, "risks": [ { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "similarity_score": 0.721, "confidence": "medium", "key_changes": [ "Reworded sentence: \"19 Table of ContentsPart I Table of Contents Part I Our business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting.\"" ], "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers may shift from paper and tape storage to alternative technologies that may shift our revenue mix away from storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Storage volume and/or demand for our traditional storage related services may decline as our customers adopt alternative storage technologies or as retention requirements evolve, which may require significantly less space than traditional physical records and tape storage. While volumes in our Global RIM Business segment were relatively steady in 2023 and we expect them to remain relatively consistent in the near term, we can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with data privacy regulations, and that we assume higher liability under our contracts. We have an established privacy compliance framework and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Digital and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging artificial intelligence (\"AI\") regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues, and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service, and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties, and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve unforeseen difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "GENERAL RISK FACTORS", "prior_title": "GENERAL RISK FACTORS", "similarity_score": 0.61, "confidence": "medium", "key_changes": [ "Removed sentence: \"Our business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting.\"", "Removed sentence: \"The design and effectiveness of our disclosure controls and procedures and internal control over financial reporting may not prevent all errors, misstatements or misrepresentations.\"", "Removed sentence: \"While management will continue to review the effectiveness of our disclosure controls and procedures and internal control over financial reporting, there can be no guarantee that our internal control over financial reporting will be effective in accomplishing all control objectives all of the time.\"", "Removed sentence: \"Furthermore, our disclosure controls and procedures and internal control over financial reporting with respect to entities that we do not control or manage may be substantially more limited than those we maintain with respect to the subsidiaries that we have controlled or managed over the course of time.\"", "Removed sentence: \"Deficiencies, including any material weakness, in our internal control over financial reporting which may occur in the future could result in misstatements of our results of operations, restatements of our financial statements, a decline in our stock price, or otherwise materially adversely affect our business, reputation, results of operations, financial condition or liquidity.\"" ], "current_body": "Our cash distributions are not guaranteed and may fluctuate. As a REIT, we are generally required to distribute at least 90% of our REIT taxable income to our stockholders. Furthermore, we are committed to growing our dividends, and have stated this publicly. Our board of directors, in its sole discretion, will determine, on a quarterly basis, the amount of cash to be distributed to our stockholders based on a number of factors including, but not limited to, our results of operations, cash flow and capital requirements, economic conditions, tax considerations, borrowing capacity and other factors, including debt covenant restrictions that may impose limitations on cash payments, future acquisitions and divestitures, any stock repurchase program and general market demand for our space and related services. Consequently, our distribution levels may fluctuate and we may not be able to meet our public commitments with respect to dividend growth.", "prior_body": "Our cash distributions are not guaranteed and may fluctuate. As a REIT, we are generally required to distribute at least 90% of our REIT taxable income to our stockholders. Furthermore, we are committed to growing our dividends, and have stated this publicly. Our board of directors, in its sole discretion, will determine, on a quarterly basis, the amount of cash to be distributed to our stockholders based on a number of factors including, but not limited to, our results of operations, cash flow and capital requirements, economic conditions, tax considerations, borrowing capacity and other factors, including debt covenant restrictions that may impose limitations on cash payments, future acquisitions and divestitures, any stock repurchase program and general market demand for our space and related services. Consequently, our distribution levels may fluctuate and we may not be able to meet our public commitments with respect to dividend growth. Our business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting. The design and effectiveness of our disclosure controls and procedures and internal control over financial reporting may not prevent all errors, misstatements or misrepresentations. While management will continue to review the effectiveness of our disclosure controls and procedures and internal control over financial reporting, there can be no guarantee that our internal control over financial reporting will be effective in accomplishing all control objectives all of the time. Furthermore, our disclosure controls and procedures and internal control over financial reporting with respect to entities that we do not control or manage may be substantially more limited than those we maintain with respect to the subsidiaries that we have controlled or managed over the course of time. Deficiencies, including any material weakness, in our internal control over financial reporting which may occur in the future could result in misstatements of our results of operations, restatements of our financial statements, a decline in our stock price, or otherwise materially adversely affect our business, reputation, results of operations, financial condition or liquidity." }, { "status": "UNCHANGED", "current_title": "BUSINESS RISKS", "prior_title": "BUSINESS RISKS", "current_body": "Failure to execute our strategic growth plan may adversely impact our financial condition and results of operations. As part of our strategic growth plan, including Project Matterhorn, we expect to invest in our existing businesses, including records and information management storage and services businesses in our higher-growth markets, data centers, digital solutions, ALM business and other complementary businesses, and in new businesses, business strategies, products, services, technologies and geographies. These initiatives may involve significant risks and uncertainties, including: •our inability to maintain relationships with key customers and suppliers or to execute on our plan to incorporate the digitization of our customers’ records and new digital information technologies into our offerings; •failure to achieve satisfactory returns on new product offerings, acquired companies, joint ventures, growth initiatives or other investments, particularly in markets where we do not currently operate or have a substantial presence; •our inability to identify suitable companies to acquire, invest in or partner with; •our inability to complete acquisitions or investments on satisfactory terms; •our inability to structure acquisitions or investments in a manner that complies with our debt covenants or is consistent with our leverage ratio goals; •challenges in managing costs to offset the impact of inflationary pressure; •increased demands on our management, operating systems, internal controls and financial and physical resources and, if necessary, our inability to successfully expand our infrastructure; •incurring additional debt necessary to acquire suitable companies or make other growth investments if we are unable to pay the purchase price or make the investment out of working capital or the issuance of our common stock or other equity securities; •our inability to manage the budgeting, forecasting and other process control issues presented by future growth, particularly with respect to new lines of business; •insufficient revenues to offset expenses and liabilities associated with new investments; and •our inability to attract, develop and retain skilled employees to lead and support our strategic growth plan, particularly in new businesses, technologies, products or offerings outside our core competencies. Our new ventures are inherently risky and we can provide no assurance that such strategies and offerings will be successful in achieving the desired returns within a reasonable timeframe, if at all, and that they will not adversely affect our business, reputation, financial condition and operating results. If stored records and tapes become less active, our service revenue growth and profits from related services may decline. Our Records Management and Data Management service revenue growth is being negatively impacted by declining activity rates as stored records and tapes are becoming less active and more archival. The amount of information available to customers digitally or in their own information systems has been steadily increasing in recent years, and we believe this trend will continue. As a result, our customers are less likely than they have been in the past to retrieve records and rotate tapes, thereby reducing their activity levels. At the same time, many of our costs related to records and tape related services remain relatively fixed. In addition, our reputation for providing secure information storage is critical to our success, and actions to manage cost structure, such as outsourcing certain transportation, security or other functions, could negatively impact our reputation and adversely affect our business, and, if we are unable to appropriately align our cost structure with decreased levels of service activity, our operating results could be adversely affected." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "UNCHANGED", "current_title": "RISKS RELATED TO OUR TAXATION AS A REIT", "prior_title": "RISKS RELATED TO OUR TAXATION AS A REIT", "current_body": "If we fail to remain qualified for taxation as a REIT, we will be subject to tax at corporate income tax rates and will not be able to deduct distributions to stockholders when computing our taxable income. We have elected to be taxed as a REIT for federal income tax purposes beginning with our 2014 taxable year. We believe that our organization and method of operation comply with the rules and regulations promulgated under the Internal Revenue Code of 1986, as amended (the \"Code\"), such that we will continue to qualify for taxation as a REIT. However, we can provide no assurance that we will remain qualified for taxation as a REIT. We also have invested in subsidiaries that have elected or that we expect will elect to be taxed as REITs and therefore must independently satisfy all REIT qualification requirements. We may in the future invest in other such subsidiary REITs. If such a subsidiary REIT were to fail to qualify as a REIT, it may cause us to fail to remain qualified for taxation as a REIT. If we fail to remain qualified for taxation as a REIT, including as a result of a cascading failure of any subsidiary REIT to remain qualified as a REIT, we will be subject to federal income taxation at corporate income tax rates unless certain relief provisions apply. Qualification for taxation as a REIT involves the application of highly technical and complex provisions of the Code to our operations, as well as various factual determinations concerning matters and circumstances not entirely within our control. There are limited judicial or administrative interpretations of applicable REIT provisions of the Code. If, in any taxable year, we fail to remain qualified for taxation as a REIT and are not entitled to relief under the Code: •we will not be allowed a deduction for distributions to stockholders in computing our taxable income; •we will be subject to federal and state income tax on our taxable income at regular corporate income tax rates; and •we would not be eligible to elect REIT status again until the fifth taxable year that begins after the first year for which we failed to qualify for taxation as a REIT." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "UNCHANGED", "current_title": "RISKS RELATED TO OUR INDEBTEDNESS", "prior_title": "RISKS RELATED TO OUR INDEBTEDNESS", "current_body": "Our indebtedness could adversely affect our financial health and prevent us from fulfilling our obligations under our various debt instruments. As of December 31, 2024, our total long-term debt was approximately $13,836.4 million, stockholders' deficit was approximately $503.1 million and we had cash and cash equivalents of approximately $155.7 million. Our indebtedness could have important consequences to our current and potential investors. These risks include: •inability to satisfy our obligations with respect to our various debt instruments; •inability to make borrowings to fund future working capital, capital expenditures and strategic growth opportunities, including acquisitions, further organic development of, and investment into, our Global Data Center, ALM and Global Digital Solutions businesses and other service offerings, and other general corporate requirements, including possible required repurchases, redemptions or prepayments of our various indebtedness; •limits on our distributions to stockholders; in this regard if these limits prevented us from satisfying our REIT distribution requirements, we could fail to remain qualified for taxation as a REIT or, if these limits do not jeopardize our qualification for taxation as a REIT but do nevertheless prevent us from distributing 100% of our REIT taxable income, we will be subject to federal corporate income tax, and potentially a nondeductible excise tax, on the retained amounts; •limits on future borrowings under our existing or future credit arrangements, which could affect our ability to pay our indebtedness or to fund our other liquidity needs; •inability to generate sufficient funds to cover required interest payments; •restrictions on our ability to refinance our indebtedness on commercially reasonable terms; •limits on our flexibility in planning for, or reacting to, changes in our business and the information management services industry; and •inability to adjust to adverse economic conditions that could place us at a disadvantage to our competitors with less debt and who, therefore, may be able to take advantage of opportunities that our indebtedness prevents us from pursuing." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2024 FORM 10-K", "prior_title": "IRON MOUNTAIN 2023 FORM 10-K", "current_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." } ] }