Financial Information

PART II

Item 8. Financial Statements and Supplementary Data.

MARRIOTT INTERNATIONAL, INC.
NOTES TO CONSOLIDATED FINANCIAL STATEMENTS

NOTE 8. COMMITMENTS AND CONTINGENCIES

Guarantees

We issue guarantees to certain lenders and hotel owners, chiefly to obtain long-term management and franchise contracts. The guarantees generally have a stated maximum funding amount and a term of three to ten years. The terms of guarantees to lenders generally require us to fund if cash flows from hotel operations are inadequate to cover annual debt service or to repay the loan at maturity. The terms of the guarantees to hotel owners generally require us to fund if the hotels do not attain specified levels of operating profit. Guarantee fundings to lenders and hotel owners are generally recoverable out of future hotel cash flows and/or proceeds from the sale or refinancing of hotels.

We present the maximum potential amount of our future guarantee fundings and the carrying amount of our liability for our debt service, operating profit, and other guarantees (excluding contingent purchase obligations) for which we are the primary obligor at year-end 2020 in the following table:

Our liability at year-end 2020 for guarantees for which we are the primary obligor is reflected in our Balance Sheets as $16 million of “Accrued expenses and other” and $122 million of “Other noncurrent liabilities.”

Our maximum potential guarantees listed in the preceding table include $90 million of operating profit guarantees and $7 million of other guarantees that will not be in effect until the underlying properties open and we begin to operate the properties or certain other events occur.

In conjunction with financing obtained for specific projects or properties owned by us or entities in which we have an investment, we may provide industry standard indemnifications to the lender for loss, liability, or damage occurring as a result of the actions of the entity or our own actions.

Contingent Purchase Obligation

Sheraton Grand Chicago. In 2017, we granted the owner a one-time right, exercisable in 2022, to require us to purchase the leasehold interest in the land and the hotel for $300 million in cash (the “put option”). If the owner exercises the put option, we have the option to purchase, at the same time the put transaction closes, the fee simple interest in the underlying land for an additional $200 million in cash. We account for the put option as a guarantee. In the 2020 fourth quarter, we estimated that the put option is probable of being exercised under the terms of the agreement, and accordingly, we increased our recorded liability from $57 million at year-end 2019 to $300 million at year-end 2020. We recorded the related expense in the “Restructuring and merger-related charges” caption of our Income Statements.

We concluded that the entity that owns the Sheraton Grand Chicago hotel is a variable interest entity. We did not consolidate the entity because we do not have the power to direct the activities that most significantly impact the entity’s economic performance. Our maximum exposure to loss related to the entity is equal to the difference between the purchase price and the fair value of the hotel at the time that the put option is exercised, plus the maximum funding amount of an operating profit guarantee that we provided for the hotel.

Commitments

At year-end 2020, we had various purchase commitments for goods and services in the normal course of business, primarily for programs and services for which we are reimbursed by third-party owners, totaling $437 million. We expect to purchase goods and services subject to these commitments as follows: $186 million in 2021, $137 million in 2022, $48 million in 2023, and $66 million thereafter.

Letters of Credit

At year-end 2020, we had $156 million of letters of credit outstanding (all outside the Credit Facility, as defined in Note 10), most of which were for our self-insurance programs. Surety bonds issued as of year-end 2020 totaled $163 million, most of which state governments requested in connection with our self-insurance programs.

Starwood Data Security Incident

Description of Event

On November 30, 2018, we announced a data security incident involving unauthorized access to the Starwood reservations database (the “Data Security Incident”). Working with leading security experts, we determined that there was unauthorized access to the Starwood network since 2014 and that an unauthorized party had copied information from the Starwood reservations database and taken steps towards removing it. The Starwood reservations database is no longer used for business operations.

Expenses and Insurance Recoveries

In 2020, we recorded an $11 million net reversal of expenses and $29 million of accrued insurance recoveries related to the Data Security Incident; in 2019, we recorded $148 million of expenses and $84 million of accrued insurance recoveries related to the Data Security Incident; and in 2018, we recorded $28 million of expenses and $25 million of accrued insurance recoveries related to the Data Security Incident. We received insurance recoveries of $47 million in 2020 and $58 million in 2019. The net reversal of expenses for 2020 is primarily due to the reduction of the accrual for the ICO fine to reflect the amount of the final ICO fine, as further described below. We recognize insurance recoveries when they are probable of receipt and present them in our Income Statements in the same caption as the related expense, up to the amount of total expense incurred in prior and current periods. We present expenses and insurance recoveries related to the Data Security Incident in either the “Reimbursed expenses” or “Restructuring and merger-related charges” captions of our Income Statements.

Litigation, Claims, and Government Investigations

Following our announcement of the Data Security Incident, approximately 100 lawsuits were filed by consumers and others against us in U.S. federal, U.S. state and Canadian courts related to the incident. All but one of the U.S. cases were consolidated and transferred to the U.S. District Court for the District of Maryland, pursuant to orders of the U.S. Judicial Panel on Multidistrict Litigation (the “MDL”). The plaintiffs in the U.S. and Canadian cases, who generally purport to represent various classes of consumers, generally claim to have been harmed by alleged actions and/or omissions by the Company in connection with the Data Security Incident and assert a variety of common law and statutory claims seeking monetary damages, injunctive relief, costs and attorneys’ fees, and other related relief. Among the U.S. cases consolidated in the MDL proceeding is a putative class action lawsuit that was filed against us and certain of our current officers and directors on December 1, 2018, alleging violations of the federal securities laws in connection with statements regarding our cybersecurity systems and controls, and seeking certification of a class of affected persons, unspecified monetary damages, costs and attorneys’ fees, and other related relief. The MDL proceeding also includes two shareholder derivative complaints that were filed on February 26, 2019 and March 15, 2019, respectively, against the Company, certain of its officers and certain current and former members of our Board of Directors, alleging, among other claims, breach of fiduciary duty, corporate waste, unjust enrichment, mismanagement and violations of the federal securities laws, and seeking unspecified monetary damages and restitution, changes to the Company’s corporate governance and internal procedures, costs and attorneys’ fees, and other related relief. A separate shareholder derivative complaint was filed in the Delaware Court of Chancery on December 3, 2019 against the Company and certain of its officers and certain current and former members of our Board of Directors, alleging claims and seeking relief generally similar to the claims made and relief sought in the other two derivative cases. This case will not be consolidated with the MDL proceeding. We dispute the allegations in the lawsuits described above and are vigorously defending against such claims. We have filed motions to dismiss in each of these cases, some of which have been denied, but the cases generally remain at an early stage. The Canadian cases have effectively been consolidated into a single case in the province of Ontario. In April 2019, we received a letter purportedly on behalf of a stockholder of the Company (also one of the named plaintiffs in the putative securities class action described above) demanding that our Board of Directors take action against the Company’s current and certain former officers and directors to recover damages for alleged breaches of fiduciary duties and related claims arising from the Data Security Incident. The Board of Directors has constituted a demand review committee to investigate the claims made in the demand letter, and the committee has retained independent counsel to assist with the investigation. The committee’s investigation is ongoing. In addition, on August 18, 2020, a purported representative action was brought against us in the High Court of Justice for England and Wales on behalf of an alleged claimant class of English and Welsh residents alleging breaches of the General Data Protection Regulation and/or the U.K. Data Protection Act 2018 (the “U.K. DPA”) in connection with the Data Security Incident. We dispute all of the allegations in this purported action and will vigorously defend against any such claims. On November 5, 2020, the court issued an order with the consent of all parties staying this action pending resolution of another case raising similar issues, but not involving the Company, that is pending before the U.K. Supreme Court.

In addition, numerous U.S. federal, U.S. state and foreign governmental authorities made inquiries, opened investigations, or requested information and/or documents related to the Data Security Incident and related matters, including Attorneys General offices from all 50 states and the District of Columbia, the Federal Trade Commission, the Securities and Exchange Commission, certain committees of the U.S. Senate and House of Representatives, the Information Commissioner’s Office in the United Kingdom (the “ICO”) as lead supervisory authority in the European Economic Area, and regulatory authorities in various other jurisdictions. With the exception of the ICO proceeding, these matters generally remain open. In July 2019, the ICO issued a formal notice of intent under the U.K. DPA proposing a fine in the amount of £99 million against the Company in relation to the Data Security Incident. We submitted written responses to the ICO vigorously defending our position and engaged with the ICO regarding the Data Security Incident and proposed fine. In October 2020, the ICO issued a final decision under the U.K. DPA, which includes a fine of £18.4 million. The Company did not appeal the ICO’s decision, but has made no admission of liability in relation to the decision or the underlying allegations. In 2019, we expensed $65 million for this loss contingency, in the “Restructuring and merger-related charges” caption of our Income Statements, based on the fine initially proposed by the ICO in July 2019 and the ongoing proceeding. In 2020, we recorded a $39 million reversal of expense, based on the ICO’s issuance of the final decision. We paid a portion of the ICO fine in the 2020 fourth quarter, and the remainder is payable over the next two years. Our accrual for this loss contingency, which we present in the “Accrued expenses and other” and “Other noncurrent liabilities” captions of our Balance Sheets, was $65 million at year-end 2019 and $17 million at year-end 2020. Our production of information and/or documents to the state Attorneys General and the Federal Trade Commission is now complete, and we are in the early stages of discussions with those authorities to resolve their investigations and requests.

While we believe it is reasonably possible that we may incur additional losses associated with the above described proceedings and investigations related to the Data Security Incident, it is not possible to estimate the amount of loss or range of loss, if any, in excess of the amounts already incurred that might result from adverse judgments, settlements, fines, penalties or other resolution of these proceedings and investigations based on the current stage of these proceedings and investigations, the absence of specific allegations as to alleged damages, the uncertainty as to the certification of a class or classes and the size of any certified class, if applicable, and/or the lack of resolution of significant factual and legal issues.