Financial Information

PART II

Item 7. Management’s Discussion and Analysis of Financial Condition and Results of Operations.

Starwood Data Security Incident

On November 30, 2018, we announced a data security incident involving unauthorized access to the Starwood reservations database (the “Data Security Incident”). The Starwood reservations database is no longer used for business operations.

In July 2019, the ICO issued a formal notice of intent under the U.K. Data Protection Act 2018 (the “U.K. DPA”) proposing a fine in the amount of £99 million against the Company in relation to the Data Security Incident. In October 2020, the ICO issued a final decision under the U.K. DPA, which includes a fine of £18.4 million. The Company did not appeal the ICO’s decision, but has made no admission of liability in relation to the decision or the underlying allegations. In 2019, we expensed $65 million for this loss contingency, in the “Restructuring and merger-related charges” caption of our Income Statements, based on the fine initially proposed by the ICO in July 2019 and the ongoing proceeding. In 2020, we recorded a $39 million reversal of expense, based on the ICO’s issuance of the final decision. We paid a portion of the ICO fine in the 2020 fourth quarter, and the remainder is payable over the next two years. Our accrual for this loss contingency, which we present in the “Accrued expenses and other” and “Other noncurrent liabilities” captions of our Balance Sheets, was $65 million at year-end 2019 and $17 million at year-end 2020. See Note 8 for additional information.

We are currently unable to estimate the range of total possible financial impact to the Company from the Data Security Incident in excess of the expenses already incurred. However, we do not believe this incident will impact our long-term financial health. Although our insurance program includes coverage designed to limit our exposure to losses such as those related to the Data Security Incident, that insurance may not be sufficient or available to cover all of our expenses or other losses (including fines and penalties) related to the Data Security Incident. As we expected, the cost of such insurance again increased for our current policy period, and the cost of such insurance could continue to increase for future policy periods. We expect to incur significant expenses associated with the Data Security Incident in future periods, primarily related to legal proceedings and regulatory investigations (including possible additional fines and penalties), increased expenses and capital investments for information technology and information security and data privacy, and increased expenses for compliance activities and to meet increased legal and regulatory requirements. See Note 8 for additional information related to expenses incurred in 2020 and 2019, insurance recoveries, and legal proceedings and governmental investigations related to the Data Security Incident.