Opinion
Case No. 19-cv-01860-MMC
06-30-2020
JAKE THOMAS, et al., Plaintiffs, v. KIMPTON HOTEL & RESTAURANT GROUP, LLC, Defendant.
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS; AFFORDING PLAINTIFFS LEAVE TO AMEND; CONTINUING CASE MANAGEMENT CONFERENCE
Before the Court is defendant Kimpton Hotel & Restaurant Group, LLC's ("Kimpton") Motion, filed February 25, 2020, "to Dismiss Plaintiff's Third Amended Complaint." Plaintiffs Jake Thomas ("Thomas"), Salvatore Galati ("Galati"), and Jonathan Martin ("Martin") have filed opposition, to which Kimpton has replied. Having read and considered the papers filed in support of and in opposition to the motion, the Court rules as follows.
By Clerk's notice filed March 18, 2020, the matter was taken under submission.
BACKGROUND
In the operative complaint, the Third Amended Complaint ("TAC"), plaintiffs allege Kimpton, an entity that "own[s] or manage[s]" a number of hotels (see TAC ¶ 1), contracted with Sabre Corporation ("Sabre") "to provide a reservation system" (see TAC ¶ 3). Plaintiffs further allege they booked hotel reservations at Kimpton hotels (see TAC ¶ 2), and, in so doing, provided Sabre with their "private identifiable information" ("PII") (see TAC ¶¶ 11, 13, 15), including "full name, credit and debit card account numbers, card expiration dates, card verification codes, emails, phone numbers, full addresses and other . . . information" (see TAC ¶ 8), which PII was subsequently "accessed by hackers" who "obtained credentials" for Sabre's "Central Reservations system" and "used those credentials to access customer data" (see TAC ¶¶ 6, 12, 14, 16). According to plaintiffs, if Sabre had "employed multiple levels of authentication," rather than "single factor authorization," the "breach" would not have occurred. (See FAC ¶ 6.)
Sabre is not a party to the above-titled action.
Based on the above allegations, plaintiffs assert nine Claims for Relief arising under the laws of various states.
LEGAL STANDARD
Dismissal under Rule 12(b)(6) of the Federal Rules of Civil Procedure "can be based on the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory." See Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1990). Rule 8(a)(2), however, "requires only 'a short and plain statement of the claim showing that the pleader is entitled to relief.'" See Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007) (quoting Fed. R. Civ. P. 8(a)(2)). Consequently, "a complaint attacked by a Rule 12(b)(6) motion to dismiss does not need detailed factual allegations." See id. Nonetheless, "a plaintiff's obligation to provide the grounds of his entitlement to relief requires more than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not do." See id. (internal quotation, citation, and alteration omitted).
In analyzing a motion to dismiss, a district court must accept as true all material allegations in the complaint and construe them in the light most favorable to the nonmoving party. See NL Indus., Inc. v. Kaplan, 792 F.2d 896, 898 (9th Cir. 1986). "To survive a motion to dismiss, a complaint must contain sufficient factual material, accepted as true, to 'state a claim to relief that is plausible on its face.'" Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Twombly, 550 U.S. at 570). "Factual allegations must be enough to raise a right to relief above the speculative level[.]" Twombly, 550 U.S. at 555. Courts "are not bound to accept as true a legal conclusion couched as a factual allegation." See Iqbal, 556 U.S. at 678 (internal quotation and citation omitted).
DISCUSSION
By order filed November 1, 2019 ("November 1 Order"), the Court dismissed with leave to amend each of the claims asserted in plaintiffs' First Amended Complaint ("FAC"), after which ruling plaintiffs filed a Second Amended Complaint ("SAC"). Thereafter, the Court approved the parties' stipulation to allow plaintiffs to file the TAC. By the instant motion, Kimpton argues that the TAC does not cure the deficiencies identified in the Court's November 1 Order, and, in addition, that seven of the claims asserted in the TAC are subject to dismissal for other reasons.
At the outset, the Court addresses whether, as Kimpton argues, the TAC includes insufficient facts to support a finding that Kimpton can be held liable for the acts and omissions of Sabre, which argument applies to each of the claims asserted in the TAC.
In the November 1 Order, the Court found the FAC lacked any factual allegations to support such a finding. In the TAC, plaintiffs now allege that Sabre, in operating Kimpton's reservations services, acted as an agent for Kimpton. Kimpton contends the TAC does not include factual allegations sufficient to show an agency relationship existed. As set forth below, the Court disagrees.
A "principal who personally engages in no misconduct may be vicariously liable for [a] tortious act committed by an agent within the course and scope of the agency." See Peredia v. HR Mobile Services, Inc., 25 Cal. App. 5th 680, 691 (2018). "For an agency relationship to exist, an agent must have authority to act on behalf of the principal and the person represented must have a right to control the actions of the agent." See Mavrix Photographs, LLC v. Liveiournal, Inc., 873 F.3d 1045, 1054 (9th Cir. 2017) (internal quotation, alteration, and citation omitted).
Here, plaintiffs allege facts sufficient to show Sabre had the authority to act on behalf of Kimpton. In particular, plaintiffs allege Kimpton's "online reservation system is operated by . . . Sabre" (see TAC ¶ 23) pursuant to an agreement between Kimpton and Sabre (see TAC ¶¶ 3, 79), and that Sabre, pursuant to said agreement, accepted reservations from customers on behalf of Kimpton (see TAC ¶ 23). Additionally, plaintiffs allege sufficient facts to show Kimpton had the right to control Sabre's actions, specifically, that Kimpton set the prices Sabre charged for rooms, selected the rooms Sabre could show as available to customers, decided how Sabre "would be portrayed on [Kimpton's] website," e.g., that Sabre would be "completely in the background," and, perhaps most importantly here, decided "how Sabre would safeguard customer information." (See id.)
Accordingly, as plaintiffs have sufficiently alleged the existence of an agency relationship between Kimpton and Sabre, the Court next considers, in turn, Kimpton's arguments that seven of the nine Claims for Relief are subject to dismissal for additional reasons.
Kimpton raises no additional arguments as to the First and Third Claims for Relief.
A. Second Claim for Relief: Breach of Contract
In the Second Claim for Relief, plaintiffs allege Kimpton breached the "agreement between Sabre and Kimpton," which agreement was "for the express intended benefit of Kimpton's customers." (See TAC ¶¶ 79, 81, 83.) Kimpton argues said claim is procedurally improper and substantively deficient.
As Kimpton observes, the November 1 Order, in dismissing the claims in the FAC, afforded plaintiffs leave to amend to cure the deficiencies the Court had identified. As the FAC did not include a claim that Kimpton had breached its contract with Sabre, plaintiffs' inclusion in the TAC of such claim is procedurally improper. In their opposition, plaintiffs do not argue their assertion of this new claim was procedurally proper; rather, plaintiffs, in essence, request they be afforded leave to amend to include such claim in the TAC.
Although the claim was included in the SAC, the TAC, as noted, was filed pursuant to stipulation. In the stipulation, Kimpton reserved the right to "contest whether [p]laintiffs improperly added the new second cause of action alleging third party breach of contract." (See Stipulation, filed February 5, 2020, at 2:15-20.)
Under Rule 15(a) of the Federal Rules of Civil Procedure, a "court should freely give leave [to amend] when justice so requires." See Fed. R. Civ. P. 15(a)(2). Leave to amend, however, "need not be granted where the amendment of the complaint would cause the opposing party undue prejudice, is sought in bad faith, constitutes an exercise in futility, or creates undue delay." See Ascon Properties, Inc. v. Mobil Oil Co., 866 F.2d 1149, 1160 (9th Cir. 1989).
Here, the Second Claim for Relief, as pleaded, is futile, as it is subject to dismissal for failure to state a claim. At the outset, the Court notes the TAC fails to include any facts to support a finding that customers of Kimpton hotels, such as plaintiffs, were intended third-party beneficiaries of the contract by which Sabre agreed to operate a reservation system for Kimpton. See Balsam v Tucows Inc., 627 F.3d 1158, 1161 (9th Cir. 2010) (holding, under California law, "third party qualifies as a beneficiary under a contract if the parties intended to benefit the third party and the terms of the contract make that intent evident"; affirming dismissal, where nothing in contract indicated parties to agreement "intended to benefit, or confer any rights upon, [plaintiff]"). Moreover, the TAC lacks factual allegations to support plaintiffs' conclusory assertion that Kimpton "breached" its contract with Sabre by "failing to comply with the PCI DSS [Payment Card Industry Data Security Standards]." (See TAC ¶¶ 81-83.) Although it would appear plaintiffs are basing the claim on Sabre's alleged use of "single factor" as opposed to "multi-factor" authorization (see TAC ¶ 3), the TAC includes no facts to support a finding that Kimpton was contractually obligated to require Sabre to do so. See Frances T. v. Village Green Owners Ass'n, 42 Cal. 3d 490, 512-13 (1986) (holding "rights and responsibilities of contracting parties are determined by the terms of their contract"; affirming dismissal of breach of contract claim, based on defendant's failure to "install additional lighting," where plaintiff failed to allege contract included provision requiring defendant to so act).
Accordingly, the Second Claim for Relief is subject to dismissal. // //
B. Fourth Claim for Relief: Violation of California's Unfair Competition Law
In the Fourth Claim for Relief, plaintiffs allege Kimpton violated § 17200 of the California Business & Professions Code, which prohibits, inter alia, "unlawful" business practices. See Cal. Bus. & Prof. Code § 17200. Plaintiffs base their claim on Kimpton's alleged violations of two statutes: (1) California Civil Code § 1798.81.5 (see TAC ¶ 97), which statute requires a "business that owns, licenses, or maintains personal information about a California resident" to "implement and maintain reasonable security procedures and practices" to "protect the personal information from unauthorized access," see Cal. Civ. Code. § 1798.81.5(b); and (2) 15 U.S.C. § 45 (see TAC ¶¶ 98-101), which statute prohibits "[u]nfair methods of competition in or affecting commerce" and "unfair or deceptive acts or practices in or affecting commerce," see 15 U.S.C. § 45(a)(1).
The remedies available to a plaintiff under § 17200 are "limited"; specifically, a plaintiff may only seek injunctive relief and/or restitution. See Korea Supply Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134, 1152 (2003). Kimpton argues plaintiffs have failed to allege any facts to support either a claim for injunctive relief or a claim for restitution. As set forth below, the Court agrees.
As Kimpton notes, the TAC does not make clear the nature of the injunctive relief sought. In their opposition, plaintiffs describe their need for injunctive relief as follows: "[T]here exists a hazard - [Kimpton's] data security measures - which, if not ameliorated, will likely result in additional damages to [p]laintiffs . . . [;] there is a real risk that [Kimpton] will move forward with its plainly inadequate security features{;] [and] [Kimpton] has not represented that it has instituted multi-factor authentication, and its single-factor system poses a significant risk of continuing harm." (See Pls.' Opp. at 18:2-7.) As the TAC does not allege Kimpton itself has inadequate data security measures, but, rather, that Sabre's measures were inadequate, the Court understands plaintiffs to be asserting they intend to seek an injunction requiring Kimpton to cause Sabre to institute multi-factor authentication. To have standing to seek injunctive relief, however, the plaintiff must show the existence of a "real or immediate threat that the plaintiff will be wronged again," see City of Los Angeles v. Lyons, 461 U.S. 95, 111 (1983), and, here, plaintiffs do not allege facts from which the Court can infer they face, by reason of Sabre's alleged inadequate data security system, a real or immediate threat of another breach. Consequently, plaintiffs have not shown they are entitled to injunctive relief.
Plaintiffs do not allege, for example, that Sabre still possesses plaintiffs' PII, let alone that it continues to employ single factor authorization.
As to restitution, plaintiffs, in their opposition, clarify that they're seeking to recover the price they paid for Kimpton hotel rooms. Plaintiffs appear to base their claim to restitution on their allegation that they would not have stayed at a Kimpton hotel had they known of "the improper security" (see TAC ¶¶ 11, 13, 15), i.e., that Sabre employed inadequate data security measures in connection with on-line bookings. A claim for restitution is dependent, however, on a plaintiff's showing his entitlement to "the return of the excess of what the plaintiff gave the defendant over the value of what the plaintiff received." See Cortez v. Purolator Air Filtration Products Co., 23 Cal. 4th 163, 174 (2000). Here, plaintiffs do not allege facts to support a finding that the hotel rooms for which they paid were in any manner inadequate, that some portion of the room charges were attributable to data security, or that some other basis exists upon which to support a finding that they did not receive the value paid for the hotel rooms. Consequently, plaintiffs have not shown they are entitled to restitution.
Accordingly, the Fourth Claim for Relief is subject to dismissal in its entirety.
C. Fifth Claim for Relief: Violation of Colorado Consumer Protection Act
In the Fifth Claim for Relief, brought on behalf of Thomas only, plaintiffs allege Kimpton violated the Colorado Consumer Protection Act ("CCPA"), which Act prohibits "deceptive trade practice[s]." See Colo. Rev. Stat. § 6-1-105(1). Plaintiffs allege Kimpton engaged in the following nine deceptive trade practices: (1) "[r]epresenting to its customers it would employ reasonable security and privacy measures," while "permitting to be employed single factor authorization on its reservation system," (2) "[r]epresenting to its customers that it would employ reasonable security and privacy measures and yet failing to implement a multi-layered security platform"; (3) "[f]ailing to implement and maintain reasonable security and privacy measures to protect . . . PII"; (4) "[f]ailing to identify foreseeable security and privacy risks, remediate identified security and privacy risks, and adequately improve security and privacy measures"; (5) "[f]ailing to comply with common law and statutory duties pertaining to the security and privacy"; (6) "[m]isrepresenting that it would protect the privacy and confidentiality of . . . PII, including by implementing and maintaining reasonable security measures"; (7) "[m]ispresenting that it would comply with common law and statutory duties pertaining to the security and privacy"; (8) "[o]mitting, suppressing, and concealing the material fact that it did not reasonably or adequately secure . . . PII"; and (9) "[o]mitting, suppressing, and concealing the material fact it did not comply with common law and statutory duties pertaining to the security and privacy." (See TAC ¶ 110.)
Kimpton argues the CCPA does not apply extraterritorially and, consequently, that the claim is subject to dismissal, as Thomas is a resident of Arizona and plaintiffs do not allege the conduct on which the claim is based occurred in Colorado.
Under Colorado law, "a statute cannot be presumed to have any extraterritorial effect." See Peerless Ins. Co. v. Clark, 29 Colo. App. 436, 439-41 (1971). Plaintiffs cite to no exception to this rule. Nor do plaintiffs allege that Thomas was in Colorado when he made a reservation, that either Kimpton or Sabre is a resident of Colorado or engaged in any act in Colorado that induced Thomas to make a reservation, or that Sabre's reservation system is located in Colorado. Although plaintiffs rely on their allegation that one of the Kimpton hotels at which Thomas stayed is located in Colorado (see TAC ¶ 11.iv.), plaintiffs fail to allege any facts from which it reasonably can be inferred that a causal or any other legally cognizable relationship exists between the location of the hotel where Thomas stayed and the harm he is alleged to have incurred.
Accordingly, the Fifth Claim for Relief is subject to dismissal. //
D. Sixth Claim for Relief: Violation of Pennsylvania UTPCPL
In the Sixth Claim for Relief, brought on behalf of Thomas only, plaintiffs allege Kimpton violated the Pennsylvania Unfair Trade Practices and Consumer Protection Law ("UTPCPL"), which Law prohibits "[u]nfair or deceptive acts in the conduct of any trade or commerce." See Pa. Cons. Stat. § 201-3. The practices on which the claim is based are the same nine practices on which plaintiffs base the Fifth Claim for Relief. (Compare TAC ¶ 121 with TAC ¶ 110.)
Kimpton argues the UTPCPL does not apply extraterritorially and, consequently, that the claim is subject to dismissal, as Thomas is a resident of Arizona and plaintiffs do not allege the conduct on which the claim is based occurred in Pennsylvania.
Plaintiffs do not allege that Thomas was in Pennsylvania when he made a reservation, that either Kimpton or Sabre is a resident of Pennsylvania or engaged in any act in Pennsylvania that induced Thomas to make a reservation, or that Sabre's reservation system is located in Pennsylvania. Rather, similar to their argument made with respect to the Fifth Claim for Relief, plaintiffs rely on their allegation that one of the Kimpton hotels at which Thomas stayed is located in Pennsylvania. (See TAC ¶ 11.v.) As noted above with respect to the Fifth Claim for Relief, however, plaintiffs fail to allege any facts from which it be inferred that a causal or any other legally cognizable relationship exists between the location of the hotel where Thomas stayed and the harm he is alleged to have incurred.
Although the Pennsylvania Supreme Court has held that a claim under the UTPCPL may be brought by a non-Pennsylvania resident based on conduct occurring outside Pennsylvania where the defendant is headquartered in Pennsylvania, see Danganan v. Guardian Protection Services, 645 Pa. 181, 195-96 (2018), plaintiffs here allege Kimpton is a resident of California and Delaware (see TAC ¶ 18), not of Pennsylvania.
Accordingly, the Sixth Claim for Relief is subject to dismissal. // //
E. Seventh Claim for Relief: Violation of New York General Business Law § 349
In the Seventh Claim for Relief, brought on behalf of Thomas only, plaintiffs allege Kimpton violated New York General Business Law § 349, which Law prohibits "[d]eceptive acts or practices in the conduct of any business." See N.Y. Gen. Bus. Law § 349(a). The practices on which plaintiffs base this claim, with one exception, are the same practices on which plaintiffs base the Fifth Claim for Relief. (Compare TAC ¶ 129 with TAC ¶¶ 110.)
The one exception is that the Seventh Claim for Relief, unlike the Fifth Claim for Relief, is not based on an allegation that Kimpton "misrepresent[ed] that it would comply with common law and statutory duties pertaining to [plaintiffs'] security and privacy." (See id.)
Kimpton argues § 349 does not apply extraterritorially and, consequently, that the claim is subject to dismissal, as Thomas is a resident of Arizona and plaintiffs do not allege the conduct on which the claim is based occurred in New York.
As the Second Circuit has explained, a split of authority exists as to the "proper territorial analysis under section § 349"; some courts "focus on where the deception of the plaintiff occurs and require, for example, that a plaintiff actually view a deceptive statement while in New York," while others "focus on where the underlying deception 'transaction' takes place, regardless of the plaintiff's location or where the plaintiff is deceived." See Cruz v. FXDirectDealer, LLC, 720 F.3d 115, 123 (2nd Cir. 2013).
Here, under either line of authority, plaintiffs fail to state a claim. Plaintiffs do not allege Thomas was deceived while in New York, nor do plaintiffs allege facts to support a finding that any of the alleged deceptive acts took place in New York, e.g., that either Kimpton or Sabre engaged in any act in New York that induced Thomas to make a reservation. To the extent plaintiffs rely on their allegation that one of the Kimpton hotels at which Thomas stayed is located in New York (see TAC ¶ 11.vi.), such reliance is unavailing, as plaintiffs fail to allege any facts from which it be inferred that a causal or any other legally cognizable relationship exists between the location of the hotel where Thomas stayed and the harm he is alleged to have incurred.
Accordingly, the Seventh Claim for Relief is subject to dismissal.
F. Eighth Claim for Relief: Violation of Texas Deceptive Trade Practices Act
In the Eighth Claim for Relief, brought on behalf of Thomas and Martin only, plaintiffs allege Kimpton violated the Texas Deceptive Trade Practices - Consumer Protection Act ("TDTPA"), which Act prohibits "[f]alse, misleading, or deceptive acts or practices in the conduct of any trade or commerce." See Tex. Bus. & Com. Code § 17.46. The practices on which the claim is based are the same nine practices on which plaintiffs base the Fifth Claim for Relief. (Compare TAC ¶ 141 with TAC ¶ 110.)
Kimpton argues that, to the extent the claim is brought on behalf of Thomas, it is subject to dismissal on the ground the TDTPA does not apply extraterritorially and, consequently, that the claim is subject to dismissal, as Thomas is a resident of Arizona and plaintiffs do not allege the conduct on which his claim is based occurred in Texas. To the extent the claim is brought on behalf of Martin, who is a Texas resident, Kimpton argues the claim is subject to dismissal in part, specifically, as to those portions of his claim that are based on fraud.
1. Thomas
Under Texas law, "the presumption is that [a] statute is intended to have no extraterritorial effect." See Marmon v. Mustang Aviation, Inc., 430 S.W. 2d 182 (Tex. 1968) (internal quotation and citation omitted). Plaintiffs do not assert such presumption, as applied to the TDTPA, can be rebutted. Nor do plaintiffs allege Thomas was in Texas when he made a reservation, that either Kimpton or Sabre is a resident of Texas or engaged in any acts in Texas that induced Thomas to make a reservation, or that Sabre's reservation system is located in Texas. Although plaintiffs rely on their allegation that one of the Kimpton hotels at which Thomas stayed is located in Texas (see TAC ¶ 11.vii.), plaintiffs fail to allege any facts from which it can be inferred that a causal or any other legally cognizable relationship exists between the location of the hotel where Thomas stayed and the harm he is alleged to have incurred.
Accordingly, the Eighth Claim for Relief is subject to dismissal to the extent it is asserted on behalf of Thomas.
2. Martin
Kimpton argues that, to the extent the Eighth Claim for Relief is based on Kimpton's having made false statements (see, e.g., TAC ¶ 141.i), the claim is subject to dismissal. In particular, Kimpton argues, plaintiffs have failed to allege facts sufficient to support a finding that Kimpton knew the subject statements were false when they were made.
The representations on which plaintiffs rely are the following
Your card is safe. Credit and Debit Card Safety. We at IGH are committed to keeping your personal information safe. Our secure service software (SSL) is the industry standard and among the best software available today for secure commerce transactions. It encrypts all of your personal information, including payment card number, name, and address, so that it cannot be read as the information travels over the Internet.(See TAC ¶ 27; see also TAC ¶ 30.)
How we secure your information. We are committed to protecting the confidentiality and security of the information that you provide to us. To do this, technical, physical and organizational security measures are put in place to protect against any unauthorized access, disclosure, damage or loss of your information. The collection, transmission and storage of information can never be guaranteed to be completely secure[;] however, we take steps to ensure that appropriate security safeguards are in place to protect your information.(See TAC ¶ 32 (emphasis in original).)
[T]he privacy and security of your information is very important to us. Whether you are booking a room or are a member of one of our loyalty programs, we want you to trust that the information that you have provided to us is being properly managed and protected.(See TAC ¶ 35.)
Data Privacy and Site Security. IGH takes your privacy seriously and works to protect you. All personal information you provide is encrypted and secure.(See id.)
Plaintiffs allege "IGH" is Kimpton's "parent company." (See TAC ¶ 35 n.1.)
Plaintiffs allege the above-quoted statements were false when made because Sabre did not have "the best security standards, as "it always used only single factor authentication, which has proven to be unsafe years before this data breach" (see TAC ¶ 28), and because Kimpton "permitted" Sabre to employ "single factor authorization" rather than "implement a multi-layered security platform including advanced behavioral analytics to recognize potential intrusions at the outset and stop them before they become serious" (see TAC ¶ 33).
Under Texas law, a plaintiff alleging a fraud claim must show "the defendant knew the representation was false or made it recklessly as a positive assertion without any knowledge of its truth." See JPMorgan Chase Bank, N.A. v. Orca Assets G.P., L.L.C., 546 S.W. 3d 648, 653 (Tex. 2018) (internal quotation and citation omitted). Here, the TAC, while including a conclusory assertion that "Kimpton was aware that its agent, Sabre, did not have the best security standards" (see TAC ¶ 28), lacks facts to support such conclusion, e.g., that Kimpton knew, at the time it made the challenged statements, Sabre used single factor authorization and that it knew such a system was insufficient to protect PII.
Plaintiffs, in their opposition, rely on the principle that a defendant's knowledge of the falsity of a statement is often proven circumstantially, including by "acts that were subsequent to the actions at issue." See United States v. DiRoberto, 686 Fed. Appx. 458 (9th Cir. 2017). Although plaintiffs' opposition fails to identify any such act, it appears plaintiffs are relying on their allegation that, subsequent to Kimpton's becoming "aware" of the data breach, "the statement noted [in ¶ 27 of the TAC] that 'Your card is safe' was still present" on Kimpton's website. (See TAC ¶ 28.) Plaintiffs do not, however, suggest how Kimpton's continued use of such language evidences its knowledge that the statements it made to Martin, namely, statements made before the data breach, were false when made. Moreover, plaintiffs do not allege that, at the time Kimpton learned of the breach, Sabre was still operating Kimpton's reservation system and was using single factor authorization.
Accordingly, the Eight Claim for Relief is subject to dismissal to the extent it is asserted on behalf of Martin and is based on Kimpton's having made false statements.
G. Ninth Claim for Relief: Violation of Maryland Consumer Protection Act
In the Ninth Claim for Relief, brought on behalf of Martin only, plaintiffs allege Kimpton violated the Maryland Consumer Protection Act ("MCPA"), which Act prohibits "any unfair, abusive, or deceptive trade practice." See Md. Com. Law § 13-303. The practices on which plaintiffs base this claim, with two exceptions, are the same practices on which plaintiffs base the Fifth Claim for Relief. (Compare TAC ¶ 155 with TAC ¶¶ 110.)
The two exceptions are that the Ninth Claim for Relief, unlike the Fifth Claim for Relief, is not based on the allegations that Kimpton (1) "[r]epresent[ed] to its customers it would employ reasonable security and privacy measures," while "permitting to be employed single factor authorization on its reservation system" and (2) "[r]epresent[ed] to its customers that it would employ reasonable security and privacy measures and yet fail[ed] to implement a multi-layered security platform." (See id.)
Kimpton argues the MCPA does not apply extraterritorially and, consequently, the claim is subject to dismissal, as Martin is a resident of Texas and plaintiffs do not allege the conduct on which the claim is based occurred in Maryland.
Under Maryland law, "unless an intent to the contrary is expressly stated, acts of the legislature will be presumed not to have any extraterritorial effect." See Chairman v. Waldron, 285 Md. 175, 183-84 (1979). Plaintiffs do not assert such presumption, as applied to the MCPA, can be rebutted. Nor do plaintiffs allege that Martin was in Maryland when he made a reservation, that either Kimpton or Sabre is a resident of Maryland or engaged in any conduct in Maryland that induced Martin to make a reservation, or that Sabre's reservation system is located in Maryland. Although plaintiffs rely on their allegation that Martin stayed in a Kimpton hotel located in Maryland (see TAC ¶ 15), plaintiffs fail to allege any facts from which it be inferred that a causal or any other legally cognizable relationship exists between the location of the hotel where Thomas stayed and the harm Martin is alleged to have incurred.
Accordingly, the Ninth Claim for Relief is subject to dismissal.
CONCLUSION
For the reasons stated above, Kimpton's motion to dismiss is hereby GRANTED in part and DENIED in part, as follow:
1. The Second, Fourth, Fifth, Sixth, Seventh, and Ninth Claims for Relief are hereby DISMISSED.
2. To the extent the Eighth Claim for Relief is brought on behalf of Thomas, and to the extent it is brought on behalf of Martin and based on Kimpton's having made false statements, the Eighth Claim for Relief is hereby DISMISSED.
3. In all other respects, the motion is DENIED.
4. Should plaintiffs wish to amend for purposes of curing the deficiencies discussed above, plaintiffs shall file their Fourth Amended Complaint no later than July 17, 2020. If plaintiffs elect not to amend, the instant action shall proceed on the remaining claims, specifically, the First Claim for Relief, the Third Claim for Relief, and the remaining portion of the Eighth Claim for Relief.
In light of the above, the Case Management Conference Is CONTINUED from July 24, 2020, to August 21, 2020, at 10:30 a.m., at which time the parties shall appear telephonically. A Joint Case Management Statement shall be filed no later than August 14, 2020.
IT IS SO ORDERED. Dated: June 30, 2020
/s/_________
MAXINE M. CHESNEY
United States District Judge