Background
On November 10, 2025, Sonder Holdings Inc. (“Sonder”), a company operating apartment‑style and boutique hotel accommodations, announced termination of its licensing agreement with Marriott International, Inc. due to Sonder’s financial default, followed immediately by Sonder’s decision to wind down operations and initiate Chapter 7 liquidation in the U.S. (with insolvency planning abroad). While much commentary has focused on stranded guests and lodging contracts, the collapse raises significant cybersecurity and data‑privacy risks for hospitality operators, brands, and associated parties. This alert addresses key risk exposures, lessons, and recommended steps.
Key Risk Areas
Sonder’s shutdown raises critical questions around guest data (including personally identifiable information), payment data, loyalty data, and vendor credentials. Sudden loss of access or unmanaged retention/disposal can trigger GDPR, CCPA/CPRA, and state‑law exposure. Sonder’s collapse followed significant delays in systems integration. Hospitality operators, depending on shared digital platforms, must prepare for vendor distress scenarios, including data‑access loss and support abandonment.
Guest trust, notification obligations, system failures, inaccessible reservations, and orphaned guest profiles can lead to consumer-protection scrutiny and reputational damage. Reported Marriott/Sonder systems integration challenges highlight the importance of contractual data‑transition, portability, and exit clauses. Liquidation often results in degraded security controls and uncertain data handling. Further, guests or operational data may become part of a bankruptcy estate. Sonder operated internationally, increasing data‑sovereignty and transfer risks in insolvency scenarios.
Potential Sale of Data
When a partner files Chapter 7 liquidation or Chapter 11 reorganization proceedings, any guest data, loyalty-program data, and other consumer records owned or licensed by the debtor are potentially valuable assets that the debtor may seek to sell to increase recovery for creditors. Section 363(b)(1) of the bankruptcy code allows a debtor, subject to notice, a hearing, and court approval, to sell or lease such assets in a manner that is consistent with the applicable privacy policy in place on the date of the bankruptcy filing.
But if the debtor wants to sell or lease such assets in a manner inconsistent with the existing policy, the debtor can seek to do so. The bankruptcy court may, after notice and a hearing, approve such a sale after (a) considering the findings of a consumer privacy ombudsman appointed under section 332 of the bankruptcy code to evaluate the impact of the sale on consumer privacy, among other factors, and (b) ensuring compliance with non-bankruptcy law. Thus, it is important to regularly update license agreements and privacy policies (in accordance with applicable law) to protect applicable data in the event of a bankruptcy filing and regularly monitor and participate in bankruptcy cases if you have concerns about the sale or use of consumer data.
Why This Matters
Guest data is among the most sensitive assets in the hospitality industry. A partner’s collapse may also create regulatory, contractual, litigation, and reputational exposure. Operators must ensure their systems, contractual protections, and vendor oversight processes are robust. Such oversight should include:
- Vendor/Partner Health Check
- Contract Review & Remediation
- Data Governance & Records‑Retention Inventory
- Incident‑Response & Business‑Continuity Planning
- Regulatory & Notification Considerations
- Communication & Guest Trust Strategy
- Insurance / Coverage Review
Other specific areas of inquiry should include: what happens to guest data if a partner becomes insolvent? Do contracts provide clear data‑portability and transition rights? Are guest disclosures adequate? Do we have alternate systems or backups ready? Contractual exposure, regulatory scrutiny, due‑diligence obligations, reputational impact, and exit‑readiness are all heightened in these partner‑collapse scenarios.
Conclusion
The abrupt collapse of Sonder illustrates the interconnected nature of hospitality operations and the criticality of treating guest data and platform dependencies as mission‑critical assets. Operators should audit vendor ecosystems, strengthen contract protections, update incident‑response plans, and map data flows wherever third‑parties control guest information.
Further Questions
Please contact David Wheeler, Joshua Altman or your Neal Gerber Eisenberg attorney for assistance with vendor agreement updates, risk assessments, incident‑response planning, and data‑governance reviews.
This client alert is part of a series from the NGE Hospitality Industry Team addressing developments and recent news in the hospitality industry.
The NGE Hospitality Industry Team is an inter-disciplinary group focused on serving the diverse legal needs of hospitality owners, operators, and investors to achieve their business goals. The group collaborates to ensure our clients are well-informed on industry trends and ready to address both opportunities and challenges.
The content above is based on information current at the time of its publication and may not reflect the most recent developments or guidance. Neal Gerber Eisenberg LLP provides this content for general informational purposes only. It does not constitute legal advice, and does not create an attorney-client relationship. You should seek advice from professional advisers with respect to your particular circumstances.
