ESTHER SALAS, District Judge.
The Federal Trade Commission (the "FTC") brought this action under Section 5(a) of the Federal Trade Commission Act (the "FTC Act"), 15 U.S.C. § 45(a), against Wyndham Worldwide Corporation ("Wyndham Worldwide"), Wyndham Hotel Group, LLC ("Hotel Group"), Wyndham Hotels and Resorts, LLC ("Hotels and Resorts"), and Wyndham Hotel Management, Inc. ("Hotel Management") (collectively, "Wyndham" or "Defendants"). The FTC alleges that Defendants violated Section 5(a)'s prohibition of "acts or practices in or affecting commerce" that are "unfair" or "deceptive."
Specifically, the FTC alleges that Defendants violated both the deception and unfairness prongs of Section 5(a) "in connection with Defendants' failure to maintain reasonable and appropriate data security for consumers' sensitive personal information." (D.E. No. 28, First Amended Complaint for Injunctive and Other Equitable Relief ("Compl.") ¶¶ 1, 44-49).
Wyndham Worldwide, Hotel Group and Hotel Management (collectively, the "Wyndham Entities") move to dismiss the FTC's complaint under Federal Rule of Civil Procedure 12(b)(6). (D.E. No. 92-1, Motion to Dismiss by Defendants Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Wyndham Hotel Management, Inc. ("Wyndham Entities' Mov. Br.") at 4).
As explained below, because the FTC's complaint sufficiently alleges that Defendants operated as a common enterprise, the Court DENIES the Wyndham Entities' motion to dismiss.
Wyndham Worldwide is in the hospitality business. (Compl. ¶ 7). "[T]hrough its subsidiaries," Wyndham Worldwide "franchises and manages hotels and sells timeshares." (Id. ¶ 13). It "conducts its business" through the following three subsidiaries: Hotel Group, Hotels and Resorts, and Hotel Management. (Id. ¶¶ 7-10, 13). All four entities have their "principal office or place of business" at the same address in Parsippany, New Jersey. (Id. ¶¶ 7-10).
"Hotel Group is a wholly-owned subsidiary of Wyndham Worldwide." (Id. ¶ 8). Both Hotels and Resorts and Hotel Management, in turn, are wholly-owned subsidiaries of Hotel Group. (Id. ¶¶ 9, 10).
Wyndham Worldwide and Hotel Group "controlled the acts and practices" of both Hotels and Resorts and Hotel Management "that are at issue" in the FTC's complaint. (Id.). Namely, Wyndham Worldwide "has been responsible for creating information security policies for itself and its subsidiaries, including Hotel Group and Hotels and Resorts." (Id. ¶ 14). Wyndham Worldwide also provides "oversight of their information security programs." (Id.). And, from "at least 2008 until approximately June 2009, Hotel Group had responsibility for managing Hotels and Resorts' information security program." (Id.). "In June 2009, Wyndham Worldwide took over management and responsibility for Hotels and Resorts' information security program." (Id.).
Hotels and Resorts licensed the "Wyndham" name to approximately seventy-five independently-owned hotels under franchise agreements. (Id. ¶ 9). Similarly, Hotel Management licensed the "Wyndham" name to approximately fifteen independently-owned hotels under management agreements. (Id. ¶ 10). And, under these management agreements, Hotel Management "agrees to fully operate the hotel on behalf of the owner." (Id.).
Under both of these agreements, Hotels and Resorts and Hotel Management require each Wyndham-branded hotel to purchase—and "configure to their specifications"—a designated computer system that, among other things, handles reservations and payment card transactions. (Id. ¶ 15). This system, known as a "property management system," stores consumers' personal information, "including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes." (Id.).
The FTC alleges that, since at least April 2008, Defendants "failed to provide reasonable and appropriate security for the personal information collected and maintained by Hotels and Resorts, Hotel Management, and the Wyndham-branded hotels." (Id. ¶ 24). The FTC alleges that Defendants did this "by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers' personal data to unauthorized access and theft." (Id.).
As a result of Defendants' failures, between April 2008 and January 2010, intruders gained unauthorized access— on three separate occasions— to Hotels and Resorts' computer network, including the Wyndham-branded hotels' property management systems. (Id. ¶ 25; see also id. ¶¶ 26-39 (detailing the circumstances of the three breaches and impact of each breach)). The intruders "used similar techniques on each occasion to access personal information stored on the Wyndham-branded hotels' property management system servers, including customers' payment card account numbers, expiration dates, and security codes." (Id. ¶ 25). And, after discovering the first two breaches, "Defendants failed to take appropriate steps in a reasonable time frame to prevent the further compromise of Hotels and Resorts' network." (Id.).
The FTC alleges that Defendants "operated as a common business enterprise while engaging in the unfair and deceptive acts and practices" alleged in its complaint. (Id. ¶ 11). Defendants "conducted their business practices" described in the FTC's complaint "through an interrelated network of companies that have common ownership, business functions, employees, and office locations." (Id.).
Given this purported "common enterprise," the FTC asserts that Defendants are "jointly and severally liable." (Id.). The FTC, therefore, seeks a permanent injunction "to prevent future violations of the FTC Act by Defendants," as well as certain other relief. (See id. at 20-21).
To withstand a motion to dismiss, "a complaint must contain sufficient factual matter, accepted as true, to `state a claim to relief that is plausible on its face.'" Iqbal, 556 U.S. at 678 (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Iqbal, 556 U.S. at 678. "The plausibility standard is not akin to a `probability requirement,' but it asks for more than a sheer possibility that a defendant has acted unlawfully." Id.
"When reviewing a motion to dismiss, `[a]ll allegations in the complaint must be accepted as true, and the plaintiff must be given the benefit of every favorable inference to be drawn therefrom.'" Malleus v. George, 641 F.3d 560, 563 (3d Cir. 2011) (quoting Kulwicki v. Dawson, 969 F.2d 1454, 1462 (3d Cir. 1992)). But the court is not required to accept as true "legal conclusions," and "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Iqbal, 556 U.S. at 678.
Finally, "[i]n deciding a Rule 12(b)(6) motion, a court must consider only the complaint, exhibits attached to the complaint, matters of the public record, as well as undisputedly authentic documents if the complainant's claims are based upon these documents." Mayer v. Belichick, 605 F.3d 223, 230 (3d Cir. 2010); see also Buck v. Hampton Twp. Sch. Dist., 452 F.3d 256, 260 (3d Cir. 2006) ("In evaluating a motion to dismiss, we may consider documents that are attached to or submitted with the complaint, and any matters incorporated by reference or integral to the claim, items subject to judicial notice, matters of public record, orders, and items appearing in the record of the case.") (internal quotation marks, textual modifications and citations omitted).
The Wyndham Entities argue that the complaint should be dismissed for the following two reasons that concern only them.
As discussed below, the Court finds that the FTC's allegations sufficiently support a claim for common-enterprise liability. The Court therefore rejects the Wyndham Entities' challenge to the FTC's complaint as it applies to them.
The Wyndham Entities argue that the FTC's complaint "does not allege the rigorous factual prerequisites necessary to establish" the "extraordinary theory of imputed liability" associated with a "common enterprise." (Wyndham Entities' Mov. Br. at 6-7). They argue that there is a "demanding standard" whereby the corporate entity cannot be disregarded "`absent highly unusual circumstances.'" (Id. at 7 (quoting P.F. Collier & Son Corp. v. FTC, 427 F.2d 261, 266 (6th Cir. 1970)) (emphasis provided by the Wyndham Entities)).
The Wyndham Entities criticize the FTC's factual allegations as lacking the "key facts that courts normally look for in determining whether separate corporate entities are operating as a `common enterprise.'" (Id. at 8). The Wyndham Entities argue that, "[u]nder well-established law," common-enterprise liability is "appropriate only when (i) separate corporations `do not operate as arm's length entities, but instead are so interrelated that no real distinction exists between them . . . and (ii) a failure to hold multiple corporations liable would provide `a clear mechanism for avoiding the terms of the FTC or court order.'" (D.E. No. 116, Reply in Support of Motion to Dismiss by Defendants Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Wyndham Hotel Management, Inc. ("Wyndham Entities' Reply Br.") at 2 (quoting FTC v. AmeriDebt, Inc., 343 F.Supp.2d 451, 463 (D. Md. 2004) & Delaware Watch Co. v. FTC, 332 F.2d 745, 747 (2d Cir. 1964)) (internal textual modifications omitted)).
In opposition, the FTC argues that its complaint alleges enough facts to plead a commonenterprise claim. (D.E. No. 111, Plaintiff's Response in Opposition to the Motion to Dismiss by Defendants Wyndham Worldwide Corporation, Wyndham Hotel Group, LLC, and Wyndham Hotel Management, Inc. ("FTC's Opp. Br.") at 5, 9). It contends that the complaint pleads "(1) common control, (2) shared office space and offices, (3) that business is transacted through a maze of interrelated companies, and (4) pooled resources and staff." (Id. at 5). The FTC seems to argue that the Wyndham Entities ignore the legal significance of these factors in their motion to dismiss. (Id. at 7-8).
The FTC adds that the Wyndham Entities cite "inapposite cases" that address "the question of when a court may pierce the corporate veil and hold a shareholder liable" for corporate actions. (Id. at 8). It asserts that the common-enterprise analysis is "not the same as the alter-ego analysis or piercing the corporate veil." (Id.). Finally, the FTC avers that, if the Court enters injunctive relief only against Hotels and Resorts, then the responsibility for data security could be transferred to another Wyndham entity. (Id. at 9).
"The general rule is that, absent highly unusual circumstances, the corporate entity will not be disregarded." P.F. Collier & Son Corp., 427 F.2d at 266. But, "if the structure, organization, and operation of a business venture among separate corporate entities reveal a common enterprise or a `maze of interrelated companies,' the FTC Act disregards the corporate form." FTC v. Consumer Health Benefits Ass'n, No. 10-3551, 2012 WL 1890242, at *5 (E.D.N.Y. May 23, 2012) (quoting Del. Watch Co. v. FTC, 332 F.2d 745, 746 (2d Cir. 1964)); accord FTC v. Wash. Data Res., 856 F.Supp.2d 1247, 1271 (M.D. Fla. 2012). Accordingly, "a `common enterprise' of defendants may be jointly and severally liable for violations of the FTCA." FTC v. PayDay Fin. LLC, No. 11-3017, 2013 WL 5442387, at *5 (D.S.D. Sept. 30, 2013).
P.F. Collier & Son Corp., 427 F.2d at 267. "Thus, in situations where corporations are so entwined that a judgment absolving one of them of liability would provide the other defendants with `a clear mechanism for avoiding the terms of the order,' courts have been willing to find the existence of a common enterprise." FTC v. Nat'l Urological Grp., 645 F.Supp.2d 1167, 1182 (N.D. Ga. 2008) (quoting Del. Watch Co., 332 F.2d at 747).
"When determining whether a common enterprise exists, `the pattern and frame-work of the whole enterprise must be taken into consideration.'" Id. (quoting Del. Watch Co., 332 F.2d at 746). "[C]ourts look to a variety of factors, including: common control, the sharing of office space and officers, whether business is transacted through a maze of interrelated companies, unified advertising, and evidence which reveals that no real distinction existed between the [c]orporate [d]efendants." FTC v. Millennium Telecard, Inc., No. 11-2479, 2011 WL 2745963, at *8 (D.N.J. July 12, 2011) (quoting FTC v. Wolf, No. 94-8119, 1996 WL 812940, at *7 (S.D. Fla. Jan. 31, 1996); see also Consumer Health Benefits Ass'n, 2012 WL 1890242, at *5 ("Factors relevant in a court's consideration of whether a common enterprise among entities exists include whether they (1) maintain officers and employees in common, (2) operate under common control, (3) share offices, (4) commingle funds, and (5) share advertising and marketing.").
But federal courts distinguish this inquiry from the alter-ego analysis or piercing-thecorporate-veil analysis. See FTC v. Direct Benefits Grp., No. 11-1186, 2013 WL 3771322, at *18 (M.D. Fla. July 18, 2013) ("[T]he common enterprise [inquiry] is not an alter ego analysis. The entities formally may be separate corporations[ ] but operate as a common enterprise.") (quoting FTC v. Grant Connect, LLC, 827 F.Supp.2d 1199, 1218 (D. Nev. 2011)).
Given the common-enterprise factors outlined above, the Court finds that the FTC pleads sufficient factual allegations from which the Court can reasonably infer a common-enterprise claim. Namely, as detailed below, the FTC alleges specific facts relating to common control, sharing of office space and a lack of distinction between the Defendants.
The FTC alleges that Wyndham Worldwide "has been responsible for creating information security policies for itself and its subsidiaries" and for "providing oversight of their information security programs." (Compl. ¶ 14). Its subsidiaries are identified as Hotel Group, Hotels and Resorts and Hotel Management. (Id. ¶ 13). These four entities are the Defendants in this action.
The FTC alleges that, during certain time periods, both Wyndham Worldwide and Hotel Group had responsibility for Hotels and Resorts' "information security program," (id. ¶ 14), and that both "controlled the acts and practices" of Wyndham subsidiaries, including Hotels and Resorts, (id. ¶¶ 7-8).
The FTC further alleges that Wyndham Worldwide and Hotel Group "have performed various business functions on behalf of Hotels and Resorts, or overseen such business functions." (Id. ¶ 9). These functions include "legal assistance, human resources, finance, and information technology and security." (Id.). Indeed, the privacy policy statement that the FTC reproduces in its complaint is "disseminated on the Hotels and Resorts' website," but "states that it is the privacy policy of Hotel Group." (Id. ¶¶ 21-23). Similarly, Wyndham Worldwide and Hotel Group "have performed various business functions on Hotel Management's behalf, or overseen such business functions, including legal assistance and information technology and security." (Id. ¶ 10). The FTC also pleads that all of the Defendants share office space. (Id. ¶¶ 7-10).
Thus, the FTC asserts that "Defendants have conducted their business practices described [in its complaint] through an interrelated network of companies that have common ownership, business functions, employees, and office locations." (Id. ¶ 11). Accordingly, the Court finds that the FTC's allegations sufficiently support a claim for common-enterprise liability.
To be sure, it is premature at this stage to determine whether Defendants actually operated a common enterprise sufficient for joint and several liability. This determination will, of course, depend on what the evidence ultimately shows. See In re Burlington Coat Factory Sec. Litig., 114 F.3d 1410, 1420 (3d Cir. 1997) ("The issue is not whether a plaintiff will ultimately prevail but whether the claimant is entitled to offer evidence to support the claims.") (quoting Scheuer v. Rhodes, 416 U.S. 232, 236 (1974)).
Nevertheless, the Wyndham Entities insist that the FTC's complaint must be dismissed because (1) the Defendants are not so interrelated that no real distinction exists between them and (2) that failure to find common-enterprise liability here would not provide a clear mechanism for avoiding the terms of any FTC or court order. (Wyndham Entities' Reply Br. at 2). They assert that the Defendants "are well-known companies engaged in legitimate and separate business endeavors in the hospitality industry" and "are not mere shell companies designed to perpetrate fraud and to hide ill-gotten gains." (Id. at 4-5).
But these arguments appear to attack the merits of the FTC's claim, not the adequacy of its pleadings. After all, the evidence may counter the Wyndham Entities' aforementioned contentions. See FTC v. NHS Sys., Inc., 936 F.Supp.2d 520, 533 (E.D. Pa. 2013) (finding that defendants operated as a "common enterprise" at the summary-judgment stage because, "[g]iven the common control, officers, and customers, there was no real distinction between" the defendants); Nat'l Urological Grp., 645 F. Supp. 2d at 1184 (finding, at the summary-judgment stage, that, "if one of these companies escaped liability, it would afford all three a means for continuing their operations" and that the "few distinctions between the corporations . . . are superficial in nature and would not, when considered in light of the overwhelming evidence of the corporations' interrelated functions, provide a reasonable jury with a basis to reject the application of the common enterprise theory here").
Moreover, the common-enterprise analysis does not seem to turn on whether Defendants are "shell companies designed to perpetrate fraud and to hide ill-gotten gains." (See Wyndham Entities' Reply Br. at 5 (citing FTC v. Network Servs. Depot, Inc., 617 F.3d 1127, 1131-32 (9th Cir. 2010) & NHS Sys., 936 F. Supp. 2d at 528)). After all, even if common-enterprise liability is typically found in such circumstances, the Wyndham Entities fail to cite any authority that the common-enterprise analysis depends on the existence of fraudulent activity. And, tellingly, the case law cited by the Wyndham Entities underscores that any such inquiry into fraudulent intent—even if relevant—is premature. See Network Servs. Depot, 617 F.3d at 1131 (affirming district court's grant of summary judgment); NHS Sys., 936 F. Supp. 2d at 528 (resolving the FTC's summary-judgment motion).
To be sure, the Wyndham Entities argue that the FTC "does not allege that the [D]efendants commingle corporate funds or assets, lack their own substantive businesses, engage in unified advertising, fail to maintain separate books and records, or disregard corporate formalities when dealing with third parties." (Wyndham Entities' Reply Br. at 2).
But, even accepting that the FTC fails to allege facts to this effect, the Wyndham Entities assume that these factors are prerequisites to finding common-enterprise liability. To the contrary, "no one factor is controlling." FTC v. Consumer Health Benefits Ass'n, No. 10-3551, 2011 WL 3652248, at *5 (E.D.N.Y. Aug. 18, 2011), aff'd, FTC v. Consumer Health Benefits Ass'n, No. 10-3551 (E.D.N.Y. Oct. 12, 2011). In fact, federal courts routinely consider a variety of factors. See NHS Sys., 936 F. Supp. 2d at 533; Millennium Telecard, Inc., 2011 WL 2745963, at *8. And, having examined the FTC's allegations, its complaint sufficiently supports a common-enterprise claim in view of factors that the Wyndham Entities try to discount. Cf. FTC v. John Beck Amazing Profits, LLC, 865 F.Supp.2d 1052, 1082 (C.D. Cal. 2012) ("Here, there is no dispute that these corporate defendants are controlled by Hewitt and Gravink and they share the same business address and office space. Accordingly, the Court finds that the corporate defendants operate as a common enterprise, and each of them are jointly and severally liable for any corporate defendant's violations.").
Finally, the Wyndham Entities insist that this is not a situation where failure to hold multiple corporations liable would provide "`a clear mechanism for avoiding the terms of the [FTC or court] order.'" (Wyndham Entities' Reply Br. at 2 (quoting Del. Watch Co., 332 F.2d at 747); see also 11/7/13 Tr. 159:12-160:6). They assert that this inquiry is the "second prong of the test for `common enterprise' liability under Section 5." (Wyndham Entities' Reply Br. at 5). And, to that effect, the Wyndham Entities argue that Hotels and Resorts "will bear ultimate legal responsibility for the consumer information that it collects and stores on its own computer network"—such that joining the Wyndham Entities is "wholly unnecessary to prevent [Hotels and Resorts] from avoiding the terms of any order that this Court might enter." (Id.). In short, the Wyndham Entities assert that the "Section 5 theory that the FTC has in this case attaches to the entity that collects the data, and here that is Hotels and Resorts." (11/7/13 Tr. at 163:5-7).
Indeed, "in situations where corporations are so entwined that a judgment absolving one of them of liability would provide the other defendants with `a clear mechanism for avoiding the terms of the order,' courts have been willing to find the existence of a common enterprise." Nat'l Urological Grp., 645 F. Supp. 2d at 1182 (emphasis added). But the Wyndham Entities assume that, to sustain a common-enterprise claim, the FTC must show this risk at the motion-todismiss stage. Indeed, the Wyndham Entities fail to cite any case where a court has dismissed an action—at the motion-to-dismiss stage—on this basis. Instead, as discussed above, courts consider a variety of factors to determine whether a common enterprise exists.
Having found that the FTC's allegations support a common-enterprise claim—and therefore that the Wyndham Entities must remain in this action—the Court need not resolve whether the FTC's allegations support direct liability against each of them. See Wash. Data Res., 856 F. Supp. 2d at 1272 ("[A]n act by one entity constitutes an act by each entity comprising the `common enterprise.'"); see also FTC v. AmeriDebt, Inc., 343 F.Supp.2d 451, 462-63 (D. Md. 2004) (denying, in relevant part, defendants' motion to dismiss brought on the grounds that (1) the FTC's claims failed to "sufficiently state claims against them individually" and (2) the FTC's complaint "fails to allege a common enterprise" since the court found the FTC's complaint "fairly alleges a common enterprise among" the defendants).
As set forth above, the Court hereby DENIES the Wyndham Entities' motion to dismiss. An appropriate Order accompanies this Opinion.