CFIUS Update: Chinese Company Ordered to Divest Acquisition of U.S. Hotel Software Company

On March 6, 2020, President Trump issued an Executive Order (EO) instructing the Chinese company Beijing Shiji Information Technology Co. Ltd. (Shiji) to divest its acquisition of StayNTouch Inc., a U.S.-based software company providing management systems to hotels. Pursuant to the EO, Shiji is required to fully divest its interest in StayNTouch within 120 days, with the possibility of a 90-day extension. The President determined that there was “credible evidence” that Shiji, through its acquisition of StayNTouch, “might take action that threatens to impair the national security of the United States.” The EO does not specify CFIUS’s particular concerns but it appears that StayNTouch’s platform could provide Shiji with access to a large database of personal and financial information of its users.

Shiji Group had acquired StayNTouch in 2018, which offers a cloud-based property management system for hotels that helps track reservations and room inventory. Many details of the CFIUS review are unclear and the Committee generally keeps such information confidential. Statements from Shiji expressing disappointment with the decision indicate that the company offered a range of potential mitigation proposals, including further restricting access to guest data and appointing an independent monitor. However, it appears CFIUS rejected the proposal and recommended that the deal be unwound.

Pursuant to the EO, Shiji is required to divest “all interests in StayNTouch; StayNTouch’s assets, intellectual property, data (including customer data managed and stored by StayNTouch), personnel, and customer contracts; and any operations developed, held, or controlled, whether directly or indirectly, by StayNTouch at the time of, or since, its acquisition.” Further, Shiji is required to immediately refrain from accessing, and to ensure any of its subsidiaries or affiliates refrain from accessing, “hotel guest data through StayNTouch” until the divestment has been completed and verified by CFIUS. Additionally, within seven days Shiji is required to ensure that controls are in place “to prevent any such data access” until the divestment has been completed and verified by CFIUS.

The EO also authorizes CFIUS to implement necessary and appropriate measures to ensure compliance, including permitting designated U.S. Government employees access to StayNTouch’s U.S. premises and facilities, for purposes of verifying compliance with the EO, to (i) “inspect and copy any books, ledgers, accounts correspondence, memoranda, and other records and documents in the possession or under the control of [Shiji] or StayNTouch that concern any matter relating to this order;” (ii) “inspect or audit any information systems, networks, hardware, software, data, communications, or property in the possession or under the control of [Shiji] or StayNTouch;” and (iii) interview officers, employees, or agents of [Shiji] or StayNTouch concerning any matter relating to this order.”

This action illustrates the U.S. Government’s growing concern with protecting U.S. personal data and follows CFIUS’s recently ordered divestitures of Grindr and PatientsLikeMe. On March 6, 2020, Chinese company Beijing Kunlun Tech Co. Ltd., which was ordered by CFIUS to divest its stake in Grindr, announced that it has agreed to sell its stake in Grindr to San Vicente Acquisition LLC for roughly $608.5 million.

The Executive Order is available here.