Fed. Trade Comm'n v. Wyndham Worldwide Corp.

• Citation: 10 F.Supp.3d 602
• Decision Date: 07 April 2014
• Docket Number: Civil Action No. 13–1887ES.
• Parties: FEDERAL TRADE COMMISSION, Plaintiff, v. WYNDHAM WORLDWIDE CORPORATION, et al., Defendants.
• Court: U.S. District Court — District of New Jersey

10 F.Supp.3d 602

FEDERAL TRADE COMMISSION, Plaintiff

v.WYNDHAM WORLDWIDE CORPORATION, et al., Defendants.

Civil Action No. 13–1887ES.

United States District Court, D. New Jersey.

Filed April 7, 2014.

Order Granting Motion to Certify Appeal June 23, 2014.

Allison Michelle Lefrak, Katherine Elizabeth McCarron, Kevin Hyland Moriarty, Kristin Krause Cohen, Andrea Vanina Arias, James Alan Trilling, John Andrew Krebs, Jonathan Eli Zimmerman, Lisa Naomi Weintraub Schifferle, Federal Trade Commission, Washington, DC, for Plaintiff.

Jennifer A. Hradil, Justin Taylor Quinn, Gibbons, PC, Newark, NJ, for Defendants.

OPINION

SALAS, District Judge.

I. Introduction

The Federal Trade Commission (the “FTC”) brought this action under Section 5(a) of the Federal Trade Commission Act (the “FTC Act”), 15 U.S.C. § 45(a), against Wyndham Worldwide Corporation (“Wyndham Worldwide”), Wyndham Hotel Group, LLC (“Hotel Group”), Wyndham Hotels and Resorts, LLC (“Hotels and Resorts”), and Wyndham Hotel Management, Inc. (“Hotel Management”) (collectively, “Wyndham” or “Defendants”). The FTC alleges that Wyndham violated Section 5(a)'s prohibition of “acts or practices in or affecting commerce” that are “unfair” or “deceptive.”

Specifically, the FTC alleges that Defendants violated both the deception and unfairness prongs of Section 5(a) “in connection with Defendants' failure to maintain reasonable and appropriate data security for consumers' sensitive personal information.” (D.E. No. 28, First Amended Complaint for Injunctive and Other Equitable Relief (“Compl.”) ¶¶ 1, 44–49). Hotels and Resorts moves to dismiss the FTC's complaint under Federal Rule of Civil Procedure 12(b)(6). (D.E. No. 91–1, Motion to Dismiss by Defendant Wyndham Hotels & Resorts LLC (“HR's Mov. Br.”) at 6).¹ Its motion to dismiss raises the following three issues.

First, Hotels and Resorts challenges the FTC's authority to assert an unfairness claim in the data-security context. Citing recent data-security legislation and the FTC's public statements, Hotels and Resorts likens this action to FDA v. Brown & Williamson Tobacco Corp., 529 U.S. 120, 120 S.Ct. 1291, 146 L.Ed.2d 121 (2000). It declares that, under Brown & Williamson, the FTC does not have the authority to bring an unfairness claim involving data security. As explained below, however, the Court rejects this challenge to the FTC's authority because the circumstances here differ from those in Brown & Williamson.

Second, Hotels and Resorts asserts that the FTC must formally promulgate regulations before bringing its unfairness claim. It contends that, without promulgating such regulations, the FTC violates fair notice principles. But precedent instructs that agencies like the FTC need not formally issue regulations. The Court, therefore, rejects Hotels and Resorts' contention that the FTC must issue regulations before bringing its unfairness claim.

Third, Hotels and Resorts argues that the FTC's allegations are pleaded insufficiently to support either an unfairness or deception claim. Hotels and Resorts asserts that the FTC fails to plead certain elements of each of these claims and fails to otherwise satisfy federal pleading requirements. As detailed below for both the unfairness and deception claims, the Court disagrees.

Having resolved each of these issues in favor of the FTC, the Court DENIES Hotels and Resorts' motion to dismiss.

II. Factual Background²

Wyndham Worldwide is in the hospitality business. (Compl. ¶ 7). “At all relevant times,” Wyndham Worldwide controlled the acts and practices of the following subsidiaries: Hotel Group, Hotels and Resorts, and Hotel Management. (Id. ¶¶ 7–10). Through these three subsidiaries, Wyndham Worldwide “franchises and manages hotels and sells timeshares.” (Id. ¶ 13).

More specifically, “Hotel Group is a wholly-owned subsidiary of Wyndham Worldwide.” (Id. ¶ 8). Both Hotels and Resorts and Hotel Management, in turn, are wholly-owned subsidiaries of Hotel Group. (Id. ¶¶ 9, 10). Hotels and Resorts licensed the “Wyndham” name to approximately seventy-five independently-owned hotels under franchise agreements. (Id. ¶ 9). Similarly, Hotel Management licensed the “Wyndham” name to approximately fifteen independently-owned hotels under management agreements. (Id. ¶ 10).

Under these agreements, Hotels and Resorts and Hotel Management require each Wyndham-branded hotel to purchase—and “configure to their specifications”—a designated computer system that, among other things, handles reservations and payment card transactions. (Id. ¶ 15). This system, known as a “property management system,” stores consumers' personal information, “including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes.” (Id. ).

The property management systems for all Wyndham-branded hotels “are part of Hotels and Resorts' computer network” and “are linked to its corporate network.” (Id. ¶ 16). Indeed, Hotels and Resorts' computer network “includes its central reservation system” that “coordinates reservations across the Wyndham brand” and, using Hotels and Resorts' website, “consumers can make reservations at any Wyndham-branded hotel.” (Id. ¶¶ 16, 20). And, although certain Wyndham-branded hotels have their own websites, customers making reservations for these hotels “are directed back to Hotels and Resorts' website to make reservations.” (Id. ¶ 20).

The FTC alleges that, since at least April 2008, Wyndham “failed to provide reasonable and appropriate security for the personal information collected and maintained by Hotels and Resorts, Hotel Management, and the Wyndham-branded hotels.” (Id. ¶ 24). The FTC alleges that Wyndham did this “by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft.” (Id. ).

As a result of these failures, between April 2008 and January 2010, intruders gained unauthorized access—on three separate occasions—to Hotels and Resorts' computer network, including the Wyndham-branded hotels' property management systems. (Id. ¶ 25; see also id. ¶¶ 26–39 (detailing the circumstances of the three breaches and impact of each breach)). The intruders “used similar techniques on each occasion to access personal information stored on the Wyndham-branded hotels' property management system servers, including customers' payment card account numbers, expiration dates, and security codes.” (Id. ¶ 25). And, after discovering the first two breaches, Wyndham “failed to take appropriate steps in a reasonable time frame to prevent the further compromise of Hotels and Resorts' network.” (Id. ).

Wyndham's “failure to implement reasonable and appropriate security measures exposed consumers' personal information to unauthorized access, collection, and use” that “has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses.” (Id. ¶ 40). Defendants' failure “to implement reasonable and appropriate security measures” caused, for example, the following:

[T]he three data breaches described above, the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers' accounts, and more than $10.6 million in fraud loss. Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs, and lost access to funds or credit. Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm.

(Id. ¶ 40).

Given these allegations, the FTC brought this action, seeking a permanent injunction to prevent future violations of the FTC Act, as well as certain other relief. (See id. at 20–21).

III. Legal Standard

To withstand a motion to dismiss, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’ ” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937. “The plausibility standard is not akin to a ‘probability requirement,’ but it asks for more than a sheer possibility that a defendant has acted unlawfully.” Id.

“When reviewing a motion to dismiss, ‘[a]ll allegations in the complaint must be accepted as true, and the plaintiff must be given the benefit of every favorable inference to be drawn therefrom.’ ” Malleus v. George, 641 F.3d 560, 563 (3d Cir.2011) (quoting Kulwicki v. Dawson, 969 F.2d 1454, 1462 (3d Cir.1992) ). But the court is not required to accept as true “legal conclusions,” and “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Iqbal, 556 U.S. at 678, 129 S.Ct. 1937.

Finally, “[i]n deciding a Rule 12(b)(6) motion, a court must consider only the complaint, exhibits attached to the complaint, matters of the public record, as well as undisputedly authentic documents if the complainant's claims are based upon these documents.” Mayer v. Belichick, 605 F.3d 223, 230 (3d Cir.2010) ; see also Buck v. Hampton Twp. Sch. Dist., 452 F.3d 256, 260 (3d Cir.2006) (“In evaluating a motion to dismiss, we may consider documents that are attached to or submitted with the complaint, and any matters incorporated by reference or integral to the claim, items subject to judicial notice, matters of public record, orders, and items appearing in the record of the case.”) (internal quotation marks, textual modifications and citations omitted).

IV. Discussion

The Court notes that both the FTC and Hotels and Resorts seem to recognize the importance of data security and...