Financial Information
PART I
Item 1A. Risk Factors.
Technology, Information Protection, and Privacy Risks
A failure to keep pace with developments in technology could impair our operations or competitive position. The lodging industry continues to demand the use of sophisticated technology and systems, including those used for our reservation, revenue management, property management, human resources and payroll systems, our Loyalty Program, and technologies we make available to our guests and for our associates. These technologies and systems must be refined, updated, and/or replaced with more advanced systems on a regular basis, and our business could suffer if we cannot do that as quickly or effectively as our competitors or within budgeted costs and time frames. We also may not achieve the benefits that we anticipate from any new technology or system, and a failure to do so could result in higher than anticipated costs or could impair our operating results.
An increase in the use of third-party Internet services to book online hotel reservations could adversely impact our business. Some of our hotel rooms are booked through Internet travel intermediaries such as Expedia.com®, Priceline.com®, Booking.com™, Travelocity.com®, and Orbitz.com®, as well as lesser-known online travel service providers. These intermediaries initially focused on leisure travel, but now also provide offerings for corporate travel and group meetings. Although our Best Rate Guarantee and Member Rate programs have helped limit guest preference shift to intermediaries and greatly reduced the ability of intermediaries to undercut the published rates at our hotels, intermediaries continue to use a variety of aggressive online marketing methods to attract guests, including the purchase by certain companies of trademarked online keywords such as “Marriott” from Internet search engines such as Google®, Bing®, Yahoo®, and Baidu® to steer guests toward their websites (a practice that has been challenged by various trademark owners in federal court). Our business and profitability could be harmed to the extent that online intermediaries succeed in significantly shifting loyalties from our lodging brands to their travel services, diverting bookings away from our direct online channels, or through their fees, increase the overall cost of Internet bookings for our hotels. In addition, if we are not able to negotiate new agreements on satisfactory terms when our existing contracts with intermediaries (which generally have 2- to 3-year terms) come up for renewal, our business and prospects could be negatively impacted in a number of ways.
For example, if newly negotiated agreements are on terms less favorable to our hotels than the expiring agreements, or if we are not able to negotiate new agreements and our hotels no longer appear on intermediary websites, our bookings could decline, our profits (and the operating profits of hotels in our system) could decline, and customers and owners may be less attracted to our brands. We may not be able to recapture or offset any such loss of business through actions we take to enhance our direct marketing and reservation channels or to rely on other channels or other intermediary websites.
We are exposed to risks and costs associated with protecting the integrity and security of company, associate, and guest data. In the operation of our business, we collect, store, use, and transmit large volumes of data regarding associates, guests, customers, owners, licensees, franchisees, and our own business operations, including credit card numbers, reservation and loyalty data, and other personal information, in various information systems that we maintain and in systems maintained by third parties, including our owners, franchisees, licensees, and service providers. The integrity and protection of this data is critical to our business. If this data is inaccurate or incomplete, we could make faulty decisions.
Our guests and associates also have a high expectation that we, as well as our owners, franchisees, licensees, and service providers, will adequately protect and appropriately use their personal information. The information, security, and privacy requirements imposed by laws and governmental regulation, our contractual obligations, and the requirements of the payment card industry are also increasingly demanding in the U.S., the European Union, Asia, and other jurisdictions where we operate. Our systems and the systems maintained or used by our owners, franchisees, licensees, and service providers may not be able to satisfy these changing legal and regulatory requirements and associate and guest expectations, or may require significant additional investments or time to do so. We may incur significant additional costs to meet these requirements, obligations, and expectations, and in the event of alleged or actual noncompliance we may experience increased operating costs, increased exposure to fines and litigation, and increased risk of damage to our reputation and brand.
The Data Security Incident could have numerous adverse effects on our business. As a result of the Data Security Incident, we are a party to numerous lawsuits, primarily putative class actions, brought by consumers and others in the U.S. and Canada, one securities class action lawsuit in the U.S., and three shareholder derivative lawsuits in the U.S. We may be named as a party in additional lawsuits and other claims may be asserted by or on behalf of guests, customers, hotel owners, shareholders or others seeking monetary damages or other relief. A number of federal, state and foreign governmental authorities have also made inquiries, opened investigations, or requested information and/or documents related to the Data Security Incident, including under various data protection and privacy regulations, such as the European Union’s General Data Protection Regulation. Responding to and resolving these lawsuits, claims and investigations could result in material remedial and other expenses which may not be covered by insurance, including any fines imposed by the Information Commissioner’s Office in the United Kingdom (the “ICO”), as discussed in Note 7, or by regulatory authorities in various other jurisdictions. Governmental authorities investigating the Data Security Incident also may seek to impose undertakings, injunctive relief, consent decrees, or other civil or criminal penalties, which could, among other things, materially increase our data security costs or otherwise require us to alter how we operate our business. Significant management time and Company resources have been, and may continue to be, devoted to the Data Security Incident. 
Future publicity or developments related to the Data Security Incident, including as a result of subsequent reports or regulatory actions or developments, could have a range of other adverse effects on our business or prospects, including causing or contributing to loss of consumer confidence, reduced consumer demand, reduced enrollment and/or participation in our Loyalty Program, loss of development opportunities, and associate retention and recruiting difficulties. Insurance coverage designed to limit our exposure to losses such as those related to the Data Security Incident may not be sufficient or available to cover all of our expenses or other losses (including the final amount of the Proposed ICO Fine and any other fines or penalties) related to the Data Security Incident.
Additional cybersecurity incidents could have adverse effects on our business. We have implemented security measures to safeguard our systems and data, and we intend to continue implementing additional measures in the future, but, as we have seen in the past, our measures may not be sufficient to maintain the confidentiality, security, or availability of the data we collect, store, and use to operate our business. Measures taken by our service providers or our owners, franchisees, licensees, other business partners or their service providers also may not be sufficient. Efforts to hack or circumvent security measures, efforts to gain unauthorized access to, exploit or disrupt the operation or integrity of our data or systems, failures of systems or software to operate as designed or intended, viruses, “ransomware” or other malware, “phishing” or other types of business communications compromises, operator error, or inadvertent releases of data have impacted, and may in the future impact, our information systems and records or those of our owners, franchisees, licensees, other business partners, or service providers. Our reliance on computer, Internet-based, and mobile systems and communications, and the frequency and sophistication of efforts by third parties to gain unauthorized access or prevent authorized access to such systems, have greatly increased in recent years. We have experienced cyberattacks, attempts to disrupt access to our systems and data, and attempts to affect the operation or integrity of our data or systems, and the frequency and sophistication of such efforts could continue to increase. Any significant theft of, unauthorized access to, compromise or loss of, loss of access to, or fraudulent use of guest, associate, owner, franchisee, licensee, or company data could adversely impact our reputation and could result in legal, regulatory and other consequences, including remedial and other expenses, fines, or litigation. 
Depending on the nature and scope of the event, compromises in the security of our information systems or those of our owners, franchisees, licensees, other business partners, or service providers or other disruptions or compromises of data or systems could lead to an interruption in or other adverse effects on the operation of our systems or those of our owners, franchisees, licensees, other business partners, or service providers, resulting in operational inefficiencies and a loss of profits, and could result in negative publicity and other adverse effects on our business, including lost sales, loss of consumer confidence, boycotts, reduced enrollment and/or participation in our Loyalty Program, litigation, loss of development opportunities, or associate satisfaction, retention and recruiting difficulties, all of which could materially affect our market share, reputation, business, financial condition, or results of operations.
Because we have experienced cybersecurity incidents in the past, additional incidents or the failure to detect and appropriately respond to additional incidents could magnify the severity of the adverse effects on our business. The techniques used to obtain unauthorized access, disable or degrade service, or sabotage information systems change frequently, can be difficult to detect for long periods of time, and can involve difficult or prolonged assessment or remediation periods even once detected, which could also magnify the severity of these adverse effects. We cannot assure you that all potential causes of the Data Security Incident have been identified and remediated and will not occur again; additional measures may be needed to prevent a similar incident in the future and such measures may not be sufficient to prevent other types of incidents. Although we carry cyber insurance that is designed to protect us against certain losses related to cyber risks, that insurance coverage may not be sufficient to cover all expenses or other losses (including fines) or all types of claims that may arise in connection with cyberattacks, security compromises, and other related incidents. Furthermore, in the future such insurance may not be available on commercially reasonable terms, or at all.
Changes in privacy and data security laws could increase our operating costs, increase our exposure to fines and litigation, and adversely affect our ability to market our products effectively. We are subject to numerous, complex, and frequently changing laws, regulations, and contractual obligations designed to protect personal information, including in the U.S., the European Union, Asia, and other jurisdictions. Non-U.S. data privacy and data security laws, various U.S. federal and state laws (such as the California Consumer Privacy Act and the New York Shield Act), payment card industry security standards, and other information privacy and security standards are all applicable to us. Significant legislative or regulatory changes could be adopted in the future, including in reaction to the Data Security Incident or data breaches experienced by other companies. Compliance with changes in applicable data privacy laws and regulations (such as the California Consumer Privacy Act and the New York Shield Act) and contractual obligations, including responding to investigations into our compliance, may restrict our business operations, increase our operating costs, increase our exposure to fines and litigation in the event of alleged non-compliance, and adversely affect our reputation. Following the Data Security Incident, the ICO and certain other regulators also opened investigations into our privacy practices, including the representations in our privacy policies and how we handle individual rights requests. As a result of these investigations, we could be exposed to significant fines and remediation costs in addition to any imposed as a result of the Data Security Incident, and adverse publicity related to the investigations could adversely affect our reputation.
Additionally, we rely on a variety of direct marketing techniques, including email marketing, online advertising, and postal mailings. Any further restrictions in laws such as the CAN-SPAM Act, and various U.S. state laws (such as the California Consumer Privacy Act and the New York Shield Act), or new federal or state laws on marketing and solicitation or international privacy, e-privacy, and anti-spam laws that govern these activities could adversely affect the continuing effectiveness of email, online advertising, and postal mailing techniques and could force further changes in our marketing strategy. If this occurs, we may not be able to develop adequate alternative marketing strategies, which could impact the amount and timing of our sales of certain products. We also obtain access to potential guests and customers from travel service providers or other companies with whom we have substantial relationships, and we market to some individuals on these lists directly or by including our marketing message in the other companies’ marketing materials. If access to these lists were to be prohibited or otherwise restricted, our ability to develop new guests and customers and introduce them to our products could be impaired.
Any disruption in the functioning of our reservation systems could adversely affect our performance and results. We manage global reservation systems that communicate reservations to our hotels from individuals who book reservations directly with us online, through our mobile apps, through our telephone call centers, or through intermediaries like travel agents, Internet travel websites, and other distribution channels. The cost, speed, accuracy and efficiency of our reservation systems are critical aspects of our business and are important considerations for hotel owners when choosing our brands. Our business may suffer if we fail to maintain, upgrade, or prevent disruption to our reservation systems. Disruptions in or changes to our reservation systems could result in a disruption to our business and the loss of important data.