{ "ticker": "IRM", "company": "IRM", "filing_type": "10-K", "year_current": "2026", "year_prior": "2025", "summary": { "added": 0, "removed": 0, "modified": 12, "unchanged": 3, "total_current": 15, "total_prior": 15 }, "source": "SEC EDGAR", "url": "https://riskdiff.com/irm/2026-vs-2025/", "markdown_url": "https://riskdiff.com/irm/2026-vs-2025/index.md", "json_url": "https://riskdiff.com/irm/2026-vs-2025/index.json", "generated": "2026-06-01", "ai_summary": null, "risks": [ { "status": "MODIFIED", "current_title": "RISKS RELATED TO OUR TAXATION AS A REIT", "prior_title": "RISKS RELATED TO OUR TAXATION AS A REIT", "similarity_score": 0.891, "confidence": "high", "key_changes": [ "Added sentence: \"Any such corporate tax liability could be substantial and would reduce the amount of cash available for other purposes.\"", "Added sentence: \"If we fail to remain qualified for taxation as a REIT, we may need to borrow additional funds or liquidate some investments to pay any additional tax liability.\"", "Added sentence: \"Accordingly, funds available for investment and distributions to stockholders could be reduced.\"", "Added sentence: \"As a REIT, failure to make required distributions would subject us to federal corporate income tax.\"", "Added sentence: \"We expect to continue paying regular quarterly distributions; however, the amount, timing and form of our regular quarterly distributions will be determined, and will be subject to adjustment, by our board of directors.\"" ], "current_body": "If we fail to remain qualified for taxation as a REIT, we will be subject to tax at corporate income tax rates and will not be able to deduct distributions to stockholders when computing our taxable income. We have elected to be taxed as a REIT for federal income tax purposes beginning with our 2014 taxable year. We believe that our organization and method of operation comply with the rules and regulations promulgated under the Internal Revenue Code of 1986, as amended (the \"Code\"), such that we will continue to qualify for taxation as a REIT. However, we can provide no assurance that we will remain qualified for taxation as a REIT. We also have invested in subsidiaries that have elected or that we expect will elect to be taxed as REITs and therefore must independently satisfy all REIT qualification requirements. We may in the future invest in other such subsidiary REITs. If such a subsidiary REIT were to fail to qualify as a REIT, it may cause us to fail to remain qualified for taxation as a REIT. If we fail to remain qualified for taxation as a REIT, including as a result of a cascading failure of any subsidiary REIT to remain qualified as a REIT, we will be subject to federal income taxation at corporate income tax rates unless certain relief provisions apply. Qualification for taxation as a REIT involves the application of highly technical and complex provisions of the Code to our operations, as well as various factual determinations concerning matters and circumstances not entirely within our control. There are limited judicial or administrative interpretations of applicable REIT provisions of the Code. If, in any taxable year, we fail to remain qualified for taxation as a REIT and are not entitled to relief under the Code: •we will not be allowed a deduction for distributions to stockholders in computing our taxable income; •we will be subject to federal and state income tax on our taxable income at regular corporate income tax rates; and •we would not be eligible to elect REIT status again until the fifth taxable year that begins after the first year for which we failed to qualify for taxation as a REIT. Any such corporate tax liability could be substantial and would reduce the amount of cash available for other purposes. If we fail to remain qualified for taxation as a REIT, we may need to borrow additional funds or liquidate some investments to pay any additional tax liability. Accordingly, funds available for investment and distributions to stockholders could be reduced. As a REIT, failure to make required distributions would subject us to federal corporate income tax. We expect to continue paying regular quarterly distributions; however, the amount, timing and form of our regular quarterly distributions will be determined, and will be subject to adjustment, by our board of directors. To remain qualified for taxation as a REIT, we are generally required to distribute at least 90% of our REIT taxable income (determined without regard to the dividends paid deduction and excluding net capital gain) each year, or in limited circumstances, the following year, to our stockholders. Generally, we expect to distribute all or substantially all of our REIT taxable income. If our cash available for distribution falls short of our estimates, we may be unable to maintain distributions that approximate our REIT taxable income and may fail to remain qualified for taxation as a REIT. In addition, our cash flows from operations may be insufficient to fund required distributions as a result of nondeductible expenditures or as a result of differences in timing between the actual receipt of income and the payment of expenses and the recognition of income and expenses for federal income tax purposes. To the extent that we satisfy the 90% distribution requirement but distribute less than 100% of our REIT taxable income, we will be subject to federal corporate income tax on our undistributed taxable income. In addition, we will be subject to a 4% nondeductible excise tax on our undistributed taxable income if the actual amount that we distribute to our stockholders for a calendar year is less than the minimum amount specified under the Code.", "prior_body": "If we fail to remain qualified for taxation as a REIT, we will be subject to tax at corporate income tax rates and will not be able to deduct distributions to stockholders when computing our taxable income. We have elected to be taxed as a REIT for federal income tax purposes beginning with our 2014 taxable year. We believe that our organization and method of operation comply with the rules and regulations promulgated under the Internal Revenue Code of 1986, as amended (the \"Code\"), such that we will continue to qualify for taxation as a REIT. However, we can provide no assurance that we will remain qualified for taxation as a REIT. We also have invested in subsidiaries that have elected or that we expect will elect to be taxed as REITs and therefore must independently satisfy all REIT qualification requirements. We may in the future invest in other such subsidiary REITs. If such a subsidiary REIT were to fail to qualify as a REIT, it may cause us to fail to remain qualified for taxation as a REIT. If we fail to remain qualified for taxation as a REIT, including as a result of a cascading failure of any subsidiary REIT to remain qualified as a REIT, we will be subject to federal income taxation at corporate income tax rates unless certain relief provisions apply. Qualification for taxation as a REIT involves the application of highly technical and complex provisions of the Code to our operations, as well as various factual determinations concerning matters and circumstances not entirely within our control. There are limited judicial or administrative interpretations of applicable REIT provisions of the Code. If, in any taxable year, we fail to remain qualified for taxation as a REIT and are not entitled to relief under the Code: •we will not be allowed a deduction for distributions to stockholders in computing our taxable income; •we will be subject to federal and state income tax on our taxable income at regular corporate income tax rates; and •we would not be eligible to elect REIT status again until the fifth taxable year that begins after the first year for which we failed to qualify for taxation as a REIT." }, { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "similarity_score": 0.813, "confidence": "high", "key_changes": [ "Reworded sentence: \"11 Table of ContentsPart I Table of Contents Part I Our use of joint ventures or other co-investment vehicles could expose us to additional risks and liabilities, including our lack of sole decision-making authority and our reliance on joint venture or other co-investment vehicle partners who may have economic and business interests that are inconsistent with our business interests.\"", "Removed sentence: \"We face additional risks in expanding our Global Data Center Business, including the significant amount of capital required.\"", "Removed sentence: \"Expanding our Global Data Center Business requires significant capital.\"", "Removed sentence: \"In addition, we may be required to commit significant operational and financial resources in connection with the organic growth of our Global Data Center Business substantially in advance of such newly developed data centers generating revenue.\"", "Removed sentence: \"We are currently experiencing rising construction costs which reflect the increase in cost of labor and raw materials, as well as supply chain and logistical challenges.\"" ], "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "similarity_score": 0.812, "confidence": "high", "key_changes": [ "Reworded sentence: \"13 Table of ContentsPart I Table of Contents Part I We may be subject to certain costs and potential liabilities associated with the real estate required for our business.\"" ], "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "RISKS RELATED TO OUR INDEBTEDNESS", "prior_title": "RISKS RELATED TO OUR INDEBTEDNESS", "similarity_score": 0.81, "confidence": "high", "key_changes": [ "Reworded sentence: \"As of December 31, 2025, our total long-term debt was approximately $16,544.5 million, stockholders' deficit was approximately $981.0 million and we had cash and cash equivalents of approximately $158.5 million.\"", "Added sentence: \"Certain of our indebtedness, including indebtedness under our Credit Agreement (as defined below), is paid at floating interest rates, and as a result, our interest expense or the cost of our debt may increase due to rising interest rates or changes to benchmark rates.\"", "Added sentence: \"Restrictive debt covenants may limit our ability to pursue our growth strategy.\"", "Added sentence: \"Our Credit Agreement and our indentures contain covenants restricting or limiting our ability to, among other things: •incur additional indebtedness; •pay dividends or make other restricted payments; •make asset dispositions; •create or permit liens; •sell, transfer or exchange assets; •guarantee certain indebtedness; •make acquisitions and other investments; and •enter into partnerships, joint ventures and co-investment vehicles.\"", "Added sentence: \"These restrictions and our long-term commitment to maintain our leverage ratio may adversely affect our ability to pursue acquisitions and other growth strategies, including our strategic growth plan.\"" ], "current_body": "Our indebtedness could adversely affect our financial health and prevent us from fulfilling our obligations under our various debt instruments. As of December 31, 2025, our total long-term debt was approximately $16,544.5 million, stockholders' deficit was approximately $981.0 million and we had cash and cash equivalents of approximately $158.5 million. Our indebtedness could have important consequences to our current and potential investors. These risks include: •inability to satisfy our obligations with respect to our various debt instruments; •inability to make borrowings to fund future working capital, capital expenditures and strategic growth opportunities, including acquisitions, further organic development of, and investment into, our Global Data Center, ALM and Global Digital Solutions businesses and other service offerings, and other general corporate requirements, including possible required repurchases, redemptions or prepayments of our various indebtedness; •limits on our distributions to stockholders; in this regard if these limits prevented us from satisfying our REIT distribution requirements, we could fail to remain qualified for taxation as a REIT or, if these limits do not jeopardize our qualification for taxation as a REIT but do nevertheless prevent us from distributing 100% of our REIT taxable income, we will be subject to federal corporate income tax, and potentially a nondeductible excise tax, on the retained amounts; •limits on future borrowings under our existing or future credit arrangements, which could affect our ability to pay our indebtedness or to fund our other liquidity needs; •inability to generate sufficient funds to cover required interest payments; •restrictions on our ability to refinance our indebtedness on commercially reasonable terms; •limits on our flexibility in planning for, or reacting to, changes in our business and the information management services industry; and •inability to adjust to adverse economic conditions that could place us at a disadvantage to our competitors with less debt and who, therefore, may be able to take advantage of opportunities that our indebtedness prevents us from pursuing. Certain of our indebtedness, including indebtedness under our Credit Agreement (as defined below), is paid at floating interest rates, and as a result, our interest expense or the cost of our debt may increase due to rising interest rates or changes to benchmark rates. Restrictive debt covenants may limit our ability to pursue our growth strategy. Our Credit Agreement and our indentures contain covenants restricting or limiting our ability to, among other things: •incur additional indebtedness; •pay dividends or make other restricted payments; •make asset dispositions; •create or permit liens; •sell, transfer or exchange assets; •guarantee certain indebtedness; •make acquisitions and other investments; and •enter into partnerships, joint ventures and co-investment vehicles. These restrictions and our long-term commitment to maintain our leverage ratio may adversely affect our ability to pursue acquisitions and other growth strategies, including our strategic growth plan. We may not have the ability to raise the funds necessary to finance the repurchase of outstanding senior notes upon a change of control event as required by our indentures. Upon the occurrence of a \"change of control\", as defined in our indentures, we will be required to offer to repurchase all of our outstanding senior notes. However, it is possible that we will not have sufficient funds at the time of a change of control to make the required repurchase of any outstanding notes or that restrictions in our Credit Agreement will not allow such repurchases. Failure to make the required repurchases could result in cross defaults or payment acceleration events under our other debt instruments. Certain important corporate events, however, such as leveraged recapitalizations that would increase the level of our indebtedness, would not constitute a \"change of control\" under our indentures.", "prior_body": "Our indebtedness could adversely affect our financial health and prevent us from fulfilling our obligations under our various debt instruments. As of December 31, 2024, our total long-term debt was approximately $13,836.4 million, stockholders' deficit was approximately $503.1 million and we had cash and cash equivalents of approximately $155.7 million. Our indebtedness could have important consequences to our current and potential investors. These risks include: •inability to satisfy our obligations with respect to our various debt instruments; •inability to make borrowings to fund future working capital, capital expenditures and strategic growth opportunities, including acquisitions, further organic development of, and investment into, our Global Data Center, ALM and Global Digital Solutions businesses and other service offerings, and other general corporate requirements, including possible required repurchases, redemptions or prepayments of our various indebtedness; •limits on our distributions to stockholders; in this regard if these limits prevented us from satisfying our REIT distribution requirements, we could fail to remain qualified for taxation as a REIT or, if these limits do not jeopardize our qualification for taxation as a REIT but do nevertheless prevent us from distributing 100% of our REIT taxable income, we will be subject to federal corporate income tax, and potentially a nondeductible excise tax, on the retained amounts; •limits on future borrowings under our existing or future credit arrangements, which could affect our ability to pay our indebtedness or to fund our other liquidity needs; •inability to generate sufficient funds to cover required interest payments; •restrictions on our ability to refinance our indebtedness on commercially reasonable terms; •limits on our flexibility in planning for, or reacting to, changes in our business and the information management services industry; and •inability to adjust to adverse economic conditions that could place us at a disadvantage to our competitors with less debt and who, therefore, may be able to take advantage of opportunities that our indebtedness prevents us from pursuing." }, { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "similarity_score": 0.799, "confidence": "high", "key_changes": [ "Reworded sentence: \"17 Table of ContentsPart I Table of Contents Part I Even if we remain qualified for taxation as a REIT, some of our business activities are subject to corporate level income tax and foreign taxes, which will continue to reduce our cash flows, and we will have potential deferred and contingent tax liabilities.\"", "Added sentence: \"Distributions payable by REITs generally do not qualify for preferential tax rates, which could reduce the demand for and market price of our common stock.\"", "Added sentence: \"Dividends payable by United States corporations to noncorporate stockholders, such as individuals, trusts and estates, are generally eligible for reduced United States federal income tax rates applicable to \"qualified dividends\".\"", "Added sentence: \"Distributions paid by REITs generally are not treated as \"qualified dividends\" under the Code, and the reduced rates applicable to such dividends do not generally apply.\"", "Added sentence: \"However, REIT dividends paid to noncorporate stockholders that meet specified holding period requirements are generally taxed at an effective tax rate lower than applicable ordinary income tax rates due to the availability of a deduction under the Code for specified forms of income from passthrough entities.\"" ], "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "similarity_score": 0.79, "confidence": "high", "key_changes": [ "Reworded sentence: \"Table of ContentsPart I Table of Contents Part I We may be required to borrow funds, sell assets or raise equity to satisfy our REIT distribution requirements, to comply with asset ownership tests or to fund capital expenditures, future growth and expansion initiatives.\"", "Reworded sentence: \"Under the Code, no more than 25% of the value of the assets of a REIT may be represented by securities of one or more TRSs.\"", "Added sentence: \"As a REIT, we are limited in our ability to fund distribution payments using cash generated through our TRSs.\"", "Added sentence: \"Our ability to receive distributions from our TRSs is limited by the rules with which we must comply to maintain our qualification for taxation as a REIT.\"", "Added sentence: \"In particular, at least 75% of our gross income for each taxable year as a REIT must be derived from real estate, which generally includes gross income from providing customers with secure storage space or colocation or wholesale data center space.\"" ], "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "similarity_score": 0.758, "confidence": "high", "key_changes": [ "Reworded sentence: \"Table of ContentsPart I Table of Contents Part I Our customer contracts do not always limit our liability and sometimes contain terms that could subject us to significant liability or lead to disputes in contract interpretation.\"", "Removed sentence: \"We have made a commitment to prioritize sustainable energy practices, reduce our carbon footprint and transition to more renewable and sustainable sources of energy, particularly in our Global Data Center Business.\"", "Removed sentence: \"Our use of joint ventures or other co-investment vehicles could expose us to additional risks and liabilities, including our lack of sole decision-making authority and our reliance on joint venture or other co-investment vehicle partners who may have economic and business interests that are inconsistent with our business interests.\"", "Removed sentence: \"As part of our growth strategy, particularly in connection with our international and data center expansion, we currently, and may in the future, co-invest with third parties using joint ventures or other co-investment vehicles.\"", "Removed sentence: \"These ventures can result in our holding non-controlling interests in, or not having sole control over managing the affairs of, a property or portfolio of properties, business, partnership, joint venture or other entity.\"" ], "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "similarity_score": 0.724, "confidence": "medium", "key_changes": [ "Reworded sentence: \"19 Table of ContentsPart I Table of Contents Part I We face competition for customers.\"" ], "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "similarity_score": 0.662, "confidence": "medium", "key_changes": [ "Reworded sentence: \"9 Table of ContentsPart I Table of Contents Part I The development and use of AI in our business and operations presents risks and challenges that may adversely impact our business and operating results.\"", "Reworded sentence: \"We may encounter challenges in the integration process including the following: •challenges and difficulties associated with managing our larger, more complex, company; •conforming standards, controls, procedures and policies, business cultures and compensation and benefits structures between the two businesses; •consolidating corporate and administrative infrastructures; •coordinating geographically dispersed organizations; •retaining critical acquired talent; •retaining key customers; •potential unknown liabilities and unforeseen expenses or delays associated with an acquisition; and •our ability to deliver on our strategy going forward.\"", "Removed sentence: \"Our customer contracts may not always limit our liability and may sometimes contain terms that could subject us to significant liability or lead to disputes in contract interpretation.\"", "Removed sentence: \"Our customer contracts typically contain standardized provisions limiting our liability regarding the services we perform and the loss or destruction of, or damage to, records, information or other items stored with us; however, some of our contracts with large customers and governmental entities and some of the contracts assumed in our acquisitions contain no such limits or contain non-standard limits.\"", "Removed sentence: \"We can provide no assurance that our limitation of liability provisions will be enforceable in all instances or, if enforceable, that they would otherwise protect us from liability.\"" ], "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "similarity_score": 0.643, "confidence": "medium", "key_changes": [ "Reworded sentence: \"15 Table of ContentsPart I Table of Contents Part I IMI is a holding company, and, therefore, its ability to make payments on its various debt obligations depends in large part on the operations of its subsidiaries.\"" ], "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "similarity_score": 0.641, "confidence": "medium", "key_changes": [ "Reworded sentence: \"Table of ContentsPart I Table of Contents Part I We face additional risks in expanding our Global Data Center Business, including the significant amount of capital required.\"", "Reworded sentence: \"Further, many of the purchasers of the decommissioned IT asset components are geographically concentrated, particularly in China.\"", "Reworded sentence: \"Noncompliance with certain regulatory and contractual requirements could also result in us being suspended or debarred from future contracting with such government entities.\"", "Removed sentence: \"We may be subject to certain costs and potential liabilities associated with the real estate required for our business.\"", "Removed sentence: \"As of December 31, 2024, we operated approximately 1,350 facilities worldwide, including approximately 550 in the United States, and face special risks attributable to the real estate we own or lease, which could have a material adverse effect on our revenues, operating results and financial position.\"" ], "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations.", "prior_body": "9 Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2024 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI regulations, increasing use of AI and generative AI tools and their integration into our businesses may require additional resources and create additional compliance and cybersecurity risks. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to attacks by hackers, including state-sponsored organizations with significant financial and technological resources, breaches due to employee error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations. Failure to successfully integrate acquired businesses could negatively impact our balance sheet and results of operations. Strategic acquisitions are an important element of our growth strategy and the success of any acquisition we make depends in part on our ability to integrate the acquired business and realize anticipated synergies. The process of integrating acquired businesses, particularly in new markets or for new offerings, may involve difficulties and may require a disproportionate amount of our management’s attention and our financial and other resources." }, { "status": "MODIFIED", "current_title": "GENERAL RISK FACTORS", "prior_title": "GENERAL RISK FACTORS", "similarity_score": 0.612, "confidence": "medium", "key_changes": [ "Added sentence: \"Our business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting.\"", "Added sentence: \"The design and effectiveness of our disclosure controls and procedures and internal control over financial reporting may not prevent all errors, misstatements or misrepresentations.\"", "Added sentence: \"While management will continue to review the effectiveness of our disclosure controls and procedures and internal control over financial reporting, there can be no guarantee that our internal control over financial reporting will be effective in accomplishing all control objectives all of the time.\"", "Added sentence: \"Furthermore, our disclosure controls and procedures and internal control over financial reporting with respect to entities that we do not control or manage may be substantially more limited than those we maintain with respect to the subsidiaries that we have controlled or managed over the course of time.\"", "Added sentence: \"Deficiencies, including any material weakness, in our internal control over financial reporting which may occur in the future could result in misstatements of our results of operations, restatements of our financial statements, a decline in our stock price, or otherwise materially adversely affect our business, reputation, results of operations, financial condition or liquidity.\"" ], "current_body": "Our cash distributions are not guaranteed and may fluctuate. As a REIT, we are generally required to distribute at least 90% of our REIT taxable income to our stockholders. Furthermore, we are committed to growing our dividends, and have stated this publicly. Our board of directors, in its sole discretion, will determine, on a quarterly basis, the amount of cash to be distributed to our stockholders based on a number of factors including, but not limited to, our results of operations, cash flow and capital requirements, economic conditions, tax considerations, borrowing capacity and other factors, including debt covenant restrictions that may impose limitations on cash payments, future acquisitions and divestitures, any stock repurchase program and general market demand for our space and related services. Consequently, our distribution levels may fluctuate and we may not be able to meet our public commitments with respect to dividend growth. Our business could be adversely impacted if there are deficiencies in our disclosure controls and procedures or internal control over financial reporting. The design and effectiveness of our disclosure controls and procedures and internal control over financial reporting may not prevent all errors, misstatements or misrepresentations. While management will continue to review the effectiveness of our disclosure controls and procedures and internal control over financial reporting, there can be no guarantee that our internal control over financial reporting will be effective in accomplishing all control objectives all of the time. Furthermore, our disclosure controls and procedures and internal control over financial reporting with respect to entities that we do not control or manage may be substantially more limited than those we maintain with respect to the subsidiaries that we have controlled or managed over the course of time. Deficiencies, including any material weakness, in our internal control over financial reporting which may occur in the future could result in misstatements of our results of operations, restatements of our financial statements, a decline in our stock price, or otherwise materially adversely affect our business, reputation, results of operations, financial condition or liquidity.", "prior_body": "Our cash distributions are not guaranteed and may fluctuate. As a REIT, we are generally required to distribute at least 90% of our REIT taxable income to our stockholders. Furthermore, we are committed to growing our dividends, and have stated this publicly. Our board of directors, in its sole discretion, will determine, on a quarterly basis, the amount of cash to be distributed to our stockholders based on a number of factors including, but not limited to, our results of operations, cash flow and capital requirements, economic conditions, tax considerations, borrowing capacity and other factors, including debt covenant restrictions that may impose limitations on cash payments, future acquisitions and divestitures, any stock repurchase program and general market demand for our space and related services. Consequently, our distribution levels may fluctuate and we may not be able to meet our public commitments with respect to dividend growth." }, { "status": "UNCHANGED", "current_title": "BUSINESS RISKS", "prior_title": "BUSINESS RISKS", "current_body": "Failure to execute our strategic growth plan may adversely impact our financial condition and results of operations. As part of our strategic growth plan, we expect to invest in our existing businesses, including records and information management storage and services businesses in our higher-growth markets, data centers, digital solutions, ALM business and other complementary businesses, and in new businesses, business strategies, products, services, technologies and geographies. These initiatives may involve significant risks and uncertainties, including: •our inability to maintain relationships with key customers and suppliers or to execute on our plan to incorporate the digitization of our customers’ records and new digital information technologies into our offerings; •failure to achieve satisfactory returns on new product offerings, acquired companies, joint ventures, growth initiatives or other investments, particularly in markets where we do not currently operate or have a substantial presence; •our inability to identify suitable companies to acquire, invest in or partner with; •our inability to complete acquisitions or investments on satisfactory terms; •our inability to structure acquisitions or investments in a manner that complies with our debt covenants or is consistent with our leverage ratio goals; •challenges in managing costs to offset the impact of inflationary pressure; •increased demands on our management, operating systems, internal controls and financial and physical resources and, if necessary, our inability to successfully expand our infrastructure; •incurring additional debt necessary to acquire suitable companies or make other growth investments if we are unable to pay the purchase price or make the investment out of working capital or the issuance of our common stock or other equity securities; •our inability to manage the budgeting, forecasting and other process control issues presented by future growth, particularly with respect to new lines of business; •insufficient revenues to offset expenses and liabilities associated with new investments; and •our inability to attract, develop and retain skilled employees to lead and support our strategic growth plan, particularly in new businesses, technologies, products or offerings outside our core competencies. Our new ventures are inherently risky and we can provide no assurance that such strategies and offerings will be successful in achieving the desired returns within a reasonable timeframe, if at all, and that they will not adversely affect our business, reputation, financial condition and operating results. As stored records and tapes become less active, our service revenue growth and profits from related services may decline. Our Records Management and Data Management service revenue growth is being negatively impacted by declining activity rates as stored records and tapes are becoming less active and more archival. The amount of information available to customers digitally or in their own information systems has been steadily increasing in recent years, and we believe this trend will continue. As a result, our customers are less likely than they have been in the past to retrieve records and rotate tapes, thereby reducing their activity levels. At the same time, many of our costs related to records and tape related services remain relatively fixed. In addition, our reputation for providing secure information storage is critical to our success, and actions to manage cost structure, such as outsourcing certain transportation, security or other functions, could negatively impact our reputation and adversely affect our business, and, if we are unable to appropriately align our cost structure with decreased levels of service activity, our operating results could be adversely affected." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations." }, { "status": "UNCHANGED", "current_title": "IRON MOUNTAIN 2025 FORM 10-K", "prior_title": "IRON MOUNTAIN 2024 FORM 10-K", "current_body": "Table of ContentsPart I Table of Contents Part I Our customers continue to evolve the way they store records, which could impact our storage revenue. We derive substantial revenues from rental fees for the storage of physical records and computer backup media and from storage related services. Volume in and demand for our traditional storage related services has evolved as our customers adopt alternative storage technologies or as retention requirements change, which may require significantly less space than traditional physical records and tape storage; however, volumes in our Global RIM Business segment were relatively steady in 2025 and we expect them to remain relatively consistent in the near term. We can provide no assurance that our customers will continue to store most or a portion of their records as paper documents or as tapes, or that the paper documents or tapes they do store with us will require our storage related services at the same levels as they have in the past. A significant shift by our customers to storage of data through non-paper or non-tape-based technologies, whether now existing or developed in the future, could adversely affect our businesses. In addition, the digitization of records may shift our revenue mix from the more predictable storage revenue to service revenue, which is inherently more volatile. We and our customers are subject to laws and governmental regulations, including laws relating to data privacy and cybersecurity, and our customers’ demands in this area are increasing. This may cause us to incur significant expenses and non-compliance with such regulations and demands could harm our business. Our business is subject to regulation under a wide variety of laws and regulations in the jurisdictions which we operate. Although we have policies and procedures designed to comply with applicable laws and regulations, failure to comply with the various laws and regulations may result in civil and criminal liability, fines and penalties and increased costs of compliance. We and our customers are subject to numerous laws and regulations relating to data privacy and cybersecurity. These regulations are complex, change frequently and have tended to become more stringent over time. In addition, a growing number of regulatory bodies have adopted data breach notification requirements and increased enforcement of regulations regarding the use, access, accuracy and security of personal information. Finally, as a result of the continued emphasis on information security and instances in which personal information has been compromised, our customers are requesting that we take increasingly sophisticated measures to enhance security and comply with cybersecurity and data privacy regulations and that we assume higher liability under our contracts. We have an established global privacy compliance program and devote substantial resources, and may in the future have to devote significant additional resources, to facilitate compliance with global laws and regulations, our customers’ data privacy, data residency and security demands, and to investigate, defend or remedy actual or alleged violations or breaches. Any failure by us to comply with, or remedy any violations or breaches of, laws and regulations or customer requirements could negatively impact our operations, result in the imposition of fines and penalties, contractual liability and litigation, significant costs and expenses and reputational harm. Expansion into Global Digital Solutions and ALM services means that our data privacy and security risk profile is increasing. In particular, we are hosting increasing volumes of customer digital data, including sensitive and confidential data, and disposing of customer data-bearing devices. This may result in increased regulatory exposure, contractual liability and security expectations from customers. Finally, emerging AI technology, such as AI and generative AI systems, have become subject to regulation under new laws and new applications of prior existing laws which require additional resources and increase compliance risks as we integrate AI into our services. Attacks on our internal IT systems could damage our reputation, cause us to lose revenues and adversely affect our business, financial condition and results of operations. Our reputation for providing secure information storage to customers is critical to the success of our business. Our reputation or brand, and specifically, the trust our customers place in us, could be negatively impacted in the event of perceived or actual failures by us to store information securely. Although we seek to prevent and detect attempts by unauthorized users to gain access to our IT systems, and incur significant costs to do so, our IT and network infrastructure has in the past been and may in the future be vulnerable to cyberattacks and security incidents, including by state-sponsored organizations with significant financial and technological resources, breaches due to employee or contractor error, fraud or malice or other disruptions (including, but not limited to, computer viruses and other malware, denial of service and ransomware), which may involve a breach requiring us to notify regulators, clients or employees and enlist identity theft protection. Recent developments in the cybersecurity threat landscape include the use of AI and machine learning, as well as an increased number of cyber extortion and ransomware attacks. As techniques used to breach security change frequently and are generally not recognized until launched against a target, we may not be able to promptly detect that a cyber breach has occurred, or implement security measures in a timely manner or, if and when implemented, we may not be able to determine the extent to which these measures could be circumvented. Moreover, until we have migrated businesses we acquire onto our IT systems or ensured compliance with our information technology security standards, we have in the past and may in the future face additional risks because of the continued use of predecessor IT systems. We utilize remote work arrangements and outsource certain support services, including cloud storage systems and cloud computing services, to third parties, which has in the past and may in the future subject our IT and other sensitive information to additional risk. A successful breach of the security of our IT systems could lead to theft or misuse of our customers’ proprietary or confidential information or our employees’ personal information and result in third party claims against us, regulatory penalties and reputational harm. Although we maintain insurance coverage for various cybersecurity risks, there is no guarantee that all costs or losses incurred will be fully insured. Damage to our reputation could make us less competitive, which could negatively impact our business, financial condition and results of operations." } ] }