Financial Information

PART I

Item 1A. Risk Factors.

Technology, Information Protection, and Privacy Risks

Any disruption in the functioning of our reservation systems could adversely affect our performance and results. We manage global reservation systems that communicate reservations to our hotels from individuals who book reservations directly with us online, through our mobile apps, through our telephone call centers, or through intermediaries like travel agents, Internet travel websites, and other distribution channels. The cost, speed, accuracy and efficiency of our reservation systems are critical aspects of our business and are important considerations for hotel owners when choosing our brands. Our business may suffer if we fail to maintain, upgrade, or prevent disruption to our reservation systems. Disruptions in or changes to our reservation systems could result in a disruption to our business and the loss of important data.

A failure to keep pace with developments in technology could impair our operations or competitive position. The lodging industry continues to demand the use of sophisticated technology and systems, including those used for our reservation, revenue management, property management, human resources and payroll systems, our Loyalty Program, and technologies we make available to our guests and for our associates. These technologies and systems must be refined, updated, and/or replaced with more advanced systems on a regular basis, and our business could suffer if we cannot do that as quickly or effectively as our competitors or within budgeted costs and time frames. We also may not achieve the benefits that we anticipate from any new technology or system, and a failure to do so could result in higher than anticipated costs or could impair our operating results.

We are exposed to risks and costs associated with protecting the integrity and security of Company, associate, and guest data. In the operation of our business, we collect, store, use, and transmit large volumes of data regarding associates, guests, customers, owners, licensees, franchisees, and our own business operations, including credit card numbers, reservation and loyalty data, and other personal information, in various information systems that we maintain and in systems maintained by third parties, including our owners, franchisees, licensees, and service providers. The integrity and protection of this data is critical to our business. Our guests and associates also have a high expectation that we, as well as our owners, franchisees, licensees, and service providers, will adequately protect and appropriately use their personal information. The information, security, and privacy requirements imposed by laws and governmental regulation, our contractual obligations, and the requirements of the payment card industry are also becoming more stringent in many jurisdictions in which we operate. Our systems and the systems maintained or used by our owners, franchisees, licensees, and service providers may not be able to satisfy these changing legal and regulatory requirements and associate and guest expectations, or may require significant additional investments or time to do so. We may incur significant additional costs to meet these requirements, obligations, and expectations, and in the event of alleged or actual noncompliance, we may experience increased operating costs, increased exposure to fines and litigation, and increased risk of damage to our reputation and brand.

The Data Security Incident, and other information security incidents, could have numerous adverse effects on our business. As a result of the Data Security Incident, we are a party to or have been named as a defendant in numerous lawsuits, primarily putative class actions, brought by consumers and others in the U.S. and Canada, one securities class action lawsuit in the U.S., three shareholder derivative lawsuits in the U.S., and one purported representative action brought by a purported consumer class in the U.K. We may be named as a party in additional lawsuits and other claims may be asserted by or on behalf of guests, customers, hotel owners, stockholders or others seeking monetary damages or other relief related to the Data Security Incident. A number of federal, state and foreign governmental authorities have also made inquiries, opened investigations, or requested information and/or documents related to the Data Security Incident, including under various data protection and privacy regulations. Responding to and resolving these lawsuits, claims and/or investigations has resulted in fines, such as the fine imposed by the Information Commissioner’s Office in the United Kingdom (the “ICO”) as discussed in Note 8, and could result in material additional fines or remedial or other expenses. These fines and other expenses may not be covered by insurance. Governmental authorities investigating or seeking information about the Data Security Incident also may seek to impose undertakings, injunctive relief, consent decrees, or other civil or criminal penalties, which could, among other things, materially increase our data security costs or otherwise require us to alter how we operate our business. Significant management time and Company resources have been, and will continue to be, devoted to the Data Security Incident. Future publicity or developments related to the Data Security Incident, including as a result of subsequent reports or regulatory actions or developments, could have a range of other adverse effects on our business or prospects, including causing or contributing to loss of consumer confidence, reduced consumer demand, reduced enrollment and/or participation in our Loyalty Program, loss of development opportunities, and associate retention and recruiting difficulties. Insurance coverage designed to limit our exposure to losses such as those related to the Data Security Incident may not be sufficient or available to cover all of our expenses or other losses (including the final fine imposed by the ICO and any other fines or penalties) related to the Data Security Incident. In addition, following our March 31, 2020 announcement of an incident involving information for approximately 5.5 million guests that we believe may have been improperly accessed through an application using the login credentials of two franchise employees at a franchise property (the “Unauthorized Application Access Incident”), various governmental authorities opened investigations or requested information about the incident, and two lawsuits were filed against us related to the incident. The Unauthorized Application Access Incident or publicity related to it could negatively affect our business or reputation.

Additional cybersecurity incidents could have adverse effects on our business. We have implemented security measures to safeguard our systems and data, and we intend to continue implementing additional measures in the future, but, as we have seen in the past, our measures may not be sufficient to maintain the confidentiality, security, or availability of the data we collect, store, and use to operate our business. Measures taken by our service providers or our owners, franchisees, licensees, other business partners or their service providers also may not be sufficient. Efforts to hack or circumvent security measures, efforts to gain unauthorized access to, exploit or disrupt the operation or integrity of our data or systems, failures of systems or software to operate as designed or intended, viruses, “ransomware” or other malware, “supply chain” attacks, “phishing” or other types of business communications compromises, operator error, or inadvertent releases of data have impacted, and may in the future impact, our information systems and records or those of our owners, franchisees, licensees, other business partners, or service providers. Our reliance on computer, Internet-based, and mobile systems and communications, and the frequency and sophistication of efforts by third parties to gain unauthorized access or prevent authorized access to such systems, have greatly increased in recent years. Our increased reliance on cloud-based services and on remote access to information systems in response to COVID-19 increases the Company’s exposure to potential cybersecurity incidents. We have experienced cyberattacks, attempts to disrupt access to our systems and data, and attempts to affect the operation or integrity of our data or systems, and the frequency and sophistication of such efforts could continue to increase. Any additional significant theft of, unauthorized access to, compromise or loss of, loss of access to, or fraudulent use of guest, associate, owner, franchisee, licensee, or Company data could adversely impact our reputation and could result in legal, regulatory and other consequences, including remedial and other expenses, fines, or litigation. Depending on the nature and scope of the event, future compromises in the security of our information systems or those of our owners, franchisees, licensees, other business partners, or service providers or other future disruptions or compromises of data or systems could lead to an interruption in or other adverse effects on the operation of our systems or those of our owners, franchisees, licensees, other business partners, or service providers, resulting in operational inefficiencies and a loss of profits, and could result in negative publicity and other adverse effects on our business, including lost sales, loss of consumer confidence, boycotts, reduced enrollment and/or participation in our Loyalty Program, litigation, loss of development opportunities, or associate satisfaction, retention and recruiting difficulties, all of which could materially affect our market share, reputation, business, financial condition, or results of operations.

Because we have experienced cybersecurity incidents in the past, additional incidents or the failure to detect and appropriately respond to additional incidents could magnify the severity of the adverse effects on our business. The techniques used to obtain unauthorized access, disable or degrade service, or sabotage information systems change frequently, can be difficult to detect for long periods of time, and can involve difficult or prolonged assessment or remediation periods even once detected, which could also magnify the severity of these adverse effects. We cannot assure you that all potential causes of past significant incidents have been identified and remediated; additional measures may be needed to prevent significant incidents in the future. The steps we take may not be sufficient to prevent future significant incidents and as a result, such incidents may occur again. Although we carry cyber insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient or available to cover all expenses or other losses (including fines) or all types of claims that may arise in connection with cyberattacks, security compromises, and other related incidents. Furthermore, in the future such insurance may not be available on commercially reasonable terms, or at all.

Changes in privacy and data security laws could increase our operating costs and increase our exposure to fines and litigation. We are subject to numerous, complex, and frequently changing laws, regulations, and contractual obligations designed to protect personal information. Non-U.S. data privacy and data security laws, various U.S. federal and state laws, payment card industry security standards, and other information privacy and security standards are all applicable to us. Significant legislative, judicial, or regulatory changes could be issued in the future. Compliance with changes in applicable data privacy laws and regulations and contractual obligations, including responding to investigations into our compliance, may restrict our business operations, increase our operating costs, increase our exposure to fines and litigation in the event of alleged non-compliance, and adversely affect our reputation. Following the Data Security Incident, certain regulators also opened investigations into our privacy and security policies and practices. As a result of these investigations, we could be exposed to significant fines and remediation costs in addition to those imposed as a result of the Data Security Incident, and adverse publicity related to the investigations could adversely affect our reputation.

Changes in laws could adversely affect our ability to market our products effectively. We rely on a variety of direct marketing techniques, including email marketing, online advertising, and postal mailings. Any further restrictions in laws such as the CANSPAM Act, and various U.S. state laws, or new federal or state laws on marketing and solicitation or international privacy, e-privacy, and anti-spam laws that govern these activities could adversely affect the continuing effectiveness of email, online advertising, and postal mailing techniques and could force further changes in our marketing strategy. If this occurs, we may not be able to develop adequate alternative marketing strategies, which could impact the amount and timing of our sales of certain products. We also obtain access to potential guests and customers from travel service providers or other companies with whom we have substantial relationships, and we market to some individuals on these lists directly or by including our marketing message in the other companies’ marketing materials. If access to these lists were to be prohibited or otherwise restricted, our ability to develop new guests and customers and introduce them to our products could be impaired.