Luca v. Wyndham Worldwide Corporation et al
BRIEF in Opposition re Motion to Dismiss
W.D. Pa.
September 14, 2016

IN THE UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF PENNSYLVANIA

THOMAS LUCA JR., individually and on behalf of all others similarly situated, Plaintiff, v. WYNDHAM WORLDWIDE CORPORATION, WYNDHAM HOTEL GROUP, LLC, WYNDHAM HOTELS AND RESORTS, LLC, and WYNDHAM HOTEL MANAGEMENT, INC., Defendants.

Case No. 2:16-cv-00746 (MRH)
Electronically Filed and Served

PLAINTIFF’S MEMORANDUM OF LAW IN OPPOSITION TO MOTION TO DISMISS FILED BY DEFENDANTS WYNDHAM WORLDWIDE CORPORATION AND WYNDHAM HOTEL MANAGEMENT, INC.

Case 2:16-cv-00746-MRH Document 26 Filed 09/14/16 Page 1 of 16

TABLE OF CONTENTS
INTRODUCTION
BACKGROUND
LEGAL STANDARD
ARGUMENT
I. Plaintiff Sufficiently Alleges Direct Liability Against The Wyndham Worldwide Defendants
II. Plaintiff Sufficiently Alleges Enterprise Liability
III. This Court Has Personal Jurisdiction Over Wyndham Worldwide and Hotel Management
CONCLUSION

TABLE OF AUTHORITIES
Cases
Acorda Therapeutics Inc. v. Mylan Pharm. Inc., 817 F.3d 755 (Fed. Cir. 2016)
Ashcroft v. Iqbal, 556 U.S. 662 (2009)
Bane v. Netlink, Inc., 925 F.2d 637 (3d Cir. 1991)
Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007)
Buck v. Hampton Twp. Sch. Dist., 452 F.3d 256 (3d Cir. 2006)
D'Jamoos ex rel. Estate of Weingeroff v. Pilatus Aircraft Ltd., 566 F.3d 94 (3d Cir. 2009)
Daimler AG v. Bauman, 134 S. Ct. 746 (2014)
DiNicola v. DiPaolo, 945 F. Supp. 848 (W.D. Pa. 1996)
Executive Wings, Inc. v. Dolby, 131 F. Supp. 3d 404 (W.D. Pa. 2015)
F.T.C. v. Wyndham Worldwide Corp., No. 13-cv-1887, 2014 WL 2812049 (D.N.J. Jun. 23, 2014)
FTC v. Consumer Health Benefits Ass'n, No. 10-cv-3551, 2012 WL 1890242 (E.D.N.Y. May 23, 2012)
FTC v. NHS Sys., Inc., 936 F. Supp. 2d 520 (E.D. Pa. 2013)
Gentex Corp. v. Abbott, 978 F. Supp. 2d 391 (M.D. Pa. 2013)
Goodyear Dunlop Tires Operations, S.A. v. Brown, 131 S. Ct. 2846 (2011)
In re Nat'l Credit Mgmt. Group, L.L.C., 21 F. Supp. 2d 424 (D.N.J. 1998)
In re Shack, 177 N.J. Super. 358 (N.J. App. Div. 1981)
Isaacs v. Arizona Bd. of Regents, 608 Fed. Appx. 70 (3d Cir. 2015)
Malleus v. George, 641 F.3d 560 (3d Cir. 2011)
Morgan v. Air Brook Limousine, Inc., 211 N.J. Super. 84 (N.J. Law Div. 1986)
P.F. Collier & Son Corp. v. FTC, 427 F.2d 261 (6th Cir. 1970)
R.Q.C. Ltd. v. JKM Enterprises, Inc., No. 1:13-cv-307, 2014 WL 4792148 (W.D. Pa. Sept. 23, 2014)
Square D Co. v. Scott Elec. Co., No. 06-cv-459, 2008 WL 4462298 (W.D. Pa. Sept. 30, 2008)
Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119 (W.D. Pa. 1997)
Statutes
15 U.S.C. § 45
42 Pa. Cons. Stat. Ann § 5301(a)(2)(i)
N.J.S.A. § 56:12-14
N.J.S.A. § 56:8-1
N.J.S.A. § 56:8-2

Plaintiff Thomas Luca, Jr. (“Plaintiff”) respectfully submits this memorandum of law in opposition to Wyndham Worldwide Corporation’s and Wyndham Hotel Management, Inc.’s (collectively “Wyndham Worldwide Defendants” or “Defendants”) motion to dismiss. Dkt. No. 22. For the reasons set forth herein, as well as those set forth in Plaintiff’s memorandum of law in opposition to Wyndham Hotel Group, LLC’s (“Hotel Group”) and Wyndham Hotels and Resorts, LLC’s (“Hotels and Resorts”) motion to dismiss, the Wyndham Worldwide Defendants’ Motion to dismiss must be denied.

INTRODUCTION
Defendants ask this Court to disregard the factual allegations pled in the Complaint and, instead, to take a selective reading of the allegations against Wyndham Worldwide Corporation (“Wyndham Worldwide”) and Wyndham Hotel Management, Inc. (“Hotel Management”) to argue that Plaintiff has failed to allege that these defendants have engaged in any activities that violate the New Jersey Consumer Fraud Act (“CFA”), N.J.S.A. §§ 56:8-1, et seq. and the New Jersey Truth-in-Consumer Contract, Warranty and Notice Act (“TCCWNA”), N.J.S.A. §§ 56:12-14, et seq. However, if the Complaint’s allegations are to be taken as true, Plaintiff sufficiently alleges both direct and common enterprise liability against the Wyndham Worldwide Defendants.
The Complaint’s allegations, as well as other documentary evidence, show that all four Wyndham Defendants actively participated in and benefitted from the unlawful scheme described in the Complaint and that all four Wyndham Defendants directed and controlled the information contained at www.wyndham.com and www.wyndhamhotelgroup.com (collectively, the “Websites”). Moreover, the Wyndham Defendants clearly share sufficient common control through overlapping executives, a single headquarters, and common resources, to find a common enterprise.

The Wyndham Worldwide Defendants make the argument that they are not directly liable, or liable through common enterprise liability, even though another court recently rejected these very arguments. Therefore, the Wyndham Worldwide Defendants’ Motion to Dismiss should be denied.

BACKGROUND
For the convenience of the Court and the parties, Plaintiff hereby incorporates by reference the Statement of Facts included as part of his concurrently filed Opposition to Wyndham Hotel Group, LLC’s and Wyndham Hotels and Resorts, LLC’s motion to dismiss. In addition, Plaintiff refers the Court to ¶¶14, 17-22 for additional facts pertinent to this motion.1

LEGAL STANDARD
On a motion to dismiss, “a complaint must contain sufficient factual matter, accepted as true, to ‘state a claim to relief that is plausible on its face.’” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)).2 “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Iqbal, 556 U.S. at 678. In addition, “[a]ll allegations in the complaint must be accepted as true, and the plaintiff must be given the benefit of every favorable inference to be drawn therefrom.” Malleus v. George, 641 F.3d 560, 563 (3d Cir. 2011).
A court on a motion to dismiss “may consider documents that are attached to or submitted with the complaint, and any ‘matters incorporated by reference or integral to the claim, items subject to judicial notice, matters of public record, orders, and items appearing in the record of the case.’” Buck v. Hampton Twp. Sch. Dist., 452 F.3d 256, 260 (3d Cir. 2006).

1 ¶ __, and ¶¶ ___, refer to Plaintiff’s Class Action Complaint, Dkt No. 1.
2 Unless otherwise indicated, emphasis is added and citations are omitted.

ARGUMENT
I. Plaintiff Sufficiently Alleges Direct Liability Against The Wyndham Worldwide Defendants
The Wyndham Worldwide Defendants claim (wrongly) that the Complaint contains no allegation that these Defendants directly engaged in the wrongful conduct alleged against the other Defendants. Def. Br. at 4. The Complaint, however, clearly alleges that the Wyndham Worldwide Defendants were directly involved and liable for the violations of the CFA and TCCWNA.3

As Defendants acknowledge, the Complaint does in fact set forth allegations against the Wyndham Worldwide Defendants by specifically including these entities within the definition of “Defendants.” Def. Br. at 4; ¶22. The Complaint also alleges that all of the Defendants are responsible for the content of the Websites. See, e.g., ¶¶63, 73. Defendants are incorrect, however, in claiming that Plaintiff’s allegations against each Defendant are based “solely” on a “common enterprise” theory of liability. See Def. Br. at 4. This is Defendants’ own improper interpretation of the Complaint. Plaintiff alleges direct liability against each of the Wyndham Defendants, including Wyndham Worldwide and Hotel Management. The Complaint clearly and separately alleges that Wyndham Worldwide controlled the acts and practices of Hotel Group, Hotels and Resorts, and Hotel Management. ¶¶17-20.
Likewise, the Complaint alleges that Hotel Management was controlled by Wyndham Worldwide and Hotel Group. ¶20. That their actions also lead to joint and severable liability does not preclude those same actions from establishing direct liability against each Defendant, including the Wyndham Worldwide Defendants.

3 Plaintiffs submit to the Court for its consideration additional documents which the Court may take judicial notice of to further support the argument that the Wyndham Worldwide Defendants are directly involved and thus liable.

Contrary to the Wyndham Worldwide Defendants’ arguments, Wyndham Worldwide and Hotel Management both actively participate in the Websites. As to Hotel Management, the Websites, incorporated by reference into the Complaint, include the following nearly identical statements at the bottom of the Landing Page and elsewhere: “All hotels are either franchised by the company, or owned and/or managed by Wyndham Hotel Management, Inc. or one of its affiliates.” www.wyndhamhotelgroup.com; and “All Wyndham hotels are either franchised by the company or managed by Wyndham Hotel Management, Inc. or one of its affiliates.” www.wyndham.com. Further, according to page 9 of Wyndham Worldwide’s most recent Form 10-K, filed with the Securities Exchange Commission on February 12, 2016: “Our management business offers hotel owners the benefits of a global brand and a full range of management, marketing and reservation services.” (Emphasis added.)4 Wyndham Worldwide’s Form 10-K, at page 9, also declares its own direct involvement in operating the Websites:

The sources of our revenues from franchising hotels include (i) ongoing franchise fees, which are comprised of royalty, marketing and reservation fees, (ii) initial franchise fees which relate to services provided to assist a franchised hotel to open for business under one of our brands and (iii) other service fees.
Royalty fees are intended to cover the use of our trademarks. Marketing and reservation fees are intended to reimburse us for expenses associated with operating reservations systems, e-commerce channels including our brand.com websites and access to third-party distribution channels, such as online travel agents (“OTAs”), advertising and marketing programs, global sales efforts, operations support, training and other related services. Other service fees include fees derived from providing ancillary services, and are generally intended to reimburse us for direct expenses associated with providing these services. (Emphasis added.)

4 Page 9 of Wyndham Worldwide’s Form 10-K, filed with the Securities Exchange Commission on February 12, 2016 is attached hereto as Exhibit A.

Significantly, previous litigation involving the Federal Trade Commission (“FTC”) and Wyndham Worldwide and Hotel Management regarding alleged deceptive trade practices has disclosed additional ties which further establish direct liability of these defendants. In F.T.C. v. Wyndham Worldwide Corp., the FTC alleged: Wyndham Worldwide “has been responsible for creating information security policies for itself and its subsidiaries, including Hotel Group and Hotels and Resorts.” Wyndham Worldwide also provides “oversight of their information security programs.” And, from “at least 2008 until approximately June 2009, Hotel Group had responsibility for managing Hotels and Resorts’ information security program.” “In June 2009, Wyndham Worldwide took over management and responsibility for Hotels and Resorts’ information security program.” See F.T.C. v. Wyndham Worldwide Corp., No. 13-cv-1887, 2014 WL 2812049, at *1 (D.N.J. Jun. 23, 2014).
The FTC also alleged that Wyndham Worldwide performed various business functions on behalf of Hotels and Resorts, or oversaw such business functions, including legal assistance, human resources, finance, and information technology and security. Id. at *6. Finally, the FTC alleged that Hotel Management licensed the “Wyndham” name to approximately fifteen independently-owned hotels, and, under its management agreements, agreed to fully operate the hotel and required each Wyndham-branded hotel to purchase and configure, to Hotel Management’s specifications, a designated computer system that, among other things, handled reservations and payment card transactions. Id., at *2. The FTC allegations are further proof that both Wyndham Worldwide and Hotel Management are actively involved in dissemination of information, including the information contained on the Defendants’ websites.

Plaintiff has more than adequately alleged that the Wyndham Worldwide Defendants were directly liable for the actions alleged in the Complaint and thus, Defendants’ motion to dismiss should be denied.

II. Plaintiff Sufficiently Alleges Enterprise Liability
Defendants also argue that “respect for the corporate form requires that plaintiff’s claims against Wyndham Worldwide and Hotel Management be dismissed.” Def. Br. at 5. Defendants again misconstrue and mischaracterize the nature of Plaintiff’s claims. Common enterprise liability for deceptive trade practices is not subject to an alter ego or “corporate veil” analysis, as Defendants’ cases suggest. Rather, in cases like the present, where the public interest is involved, “a strict adherence to common law principles is not required in the determination of whether a parent should be held for the acts of its subsidiary, where strict adherence would enable the corporate device to be used to circumvent the policy of the statute.” P.F. Collier & Son Corp. v.
FTC, 427 F.2d 261, 267 (6th Cir. 1970). The corporate form in such cases will be disregarded where the “structure, organization, and operation of a business venture among separate corporate entities reveal a common enterprise.” FTC v. Consumer Health Benefits Ass'n, No. 10-cv-3551, 2012 WL 1890242, at *5 (E.D.N.Y. May 23, 2012). This is a fact-intensive inquiry, and courts apply numerous factors in determining whether a common enterprise exists, including “common control, the sharing of office space and officers, whether business is transacted through a maze of interrelated companies, unified advertising, and evidence which reveals that no real distinction existed between the [c]orporate [d]efendants.” FTC v. NHS Sys., Inc., 936 F. Supp. 2d 520, 533 (E.D. Pa. 2013).

The identical public policy concerns that underlie the common-enterprise theory as developed under the FTC Act apply equally to state analogue statutes such as New Jersey’s CFA. The CFA provides that “[t]he act, use or employment by any person or any unconscionable commercial practice, deception, fraud, false promise [or] misrepresentation . . . in connection with the sale or advertisement of any merchandise . . . is declared to be an unlawful practice . . . .” N.J.S.A. § 56:8-2. As such, the CFA is strikingly similar to the FTC Act, which provides that “unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful.” 15 U.S.C. § 45. The same conduct has been held to violate both statutes. See Morgan v. Air Brook Limousine, Inc., 211 N.J. Super. 84, 100-03 (N.J. Law Div. 1986) (failure of franchisor to provide disclosure statement mandated by the FTCA was a per se unconscionable practice under the CFA); In re Nat'l Credit Mgmt. Group, L.L.C., 21 F. Supp. 2d 424, 440-54 (D.N.J.
1998) (FTC and State of New Jersey both entitled to injunctive relief based on credit repair organization’s deceptive sales and marketing practices); accord In re Shack, 177 N.J. Super. 358, 363 (N.J. App. Div. 1981) (suggesting FTCA and CFA prohibit similar deceptive practices).

The evidence before the Court here is sufficient to show common control, sharing of facilities, sharing of Websites and website information, and a lack of distinction among the Defendants, and thus, is sufficient to allege a common enterprise. The Complaint alleges that there was common control and ownership of the Wyndham entities by Wyndham Worldwide and Hotel Group. ¶¶17-20 (stating that parent Wyndham entities “controlled the acts and practices of [their] subsidiaries,” including Hotels and Resorts and Hotel Management). The Complaint alleges that all four Wyndham entities are headquartered in Parsippany, New Jersey. ¶¶17-20. The Complaint further alleges that the Websites are “almost identical,” with an identical Landing Page, List Page, Room Rates Page, Check-Out Page, and Confirmation Page, and that the Terms of Use governing access and use of both Websites are identical. ¶21.

Litigation between the FTC and the Wyndham Worldwide Defendants supports the finding of common enterprise liability. The FTC alleged that Wyndham Worldwide and Hotel Group performed various business functions on behalf of Hotels and Resorts, or oversaw such business functions, including legal assistance, human resources, finance, and information technology and security. F.T.C. v. Wyndham Worldwide Corp., 2014 WL 2812049, at *6. The FTC also alleged that Wyndham Worldwide and Hotel Group performed various business functions on Hotel Management’s behalf, or oversaw such business functions, including legal assistance and information technology and security. Id.
The FTC alleged that Hotels and Resorts and Hotel Management both require Wyndham-branded hotels to purchase, and configure to their specifications, a property management system [which is] part of Hotels and Resorts’ computer network.” See Complaint, F.T.C. v. Wyndham Worldwide Corp., No. 13-cv-1887, ECF No. 1, ¶¶15-16 (filed June 26, 2012) (attached hereto as Exhibit B). Finally, Wyndham’s privacy policy is hosted on a website called “Wyndham”; it is the privacy policy of Hotels and Resorts, id. at ¶21; and it expressly states that it is the privacy policy of Hotel Group, id. at ¶23.

The FTC litigation also includes evidence that high ranking officers were shared among the various Wyndham Defendants. For example, Wyndham itself represented that a single individual, Tim Voss, had overall responsibility for data-security efforts at Wyndham Worldwide and all of its subsidiaries. Motion to Transfer Venue, F.T.C. v. Wyndham Worldwide Corp., No. 13-cv-1887, ECF No. 23, at 8 (filed Aug. 02, 2012) (attached hereto as Exhibit C). Another individual, Bob Loewen, was the “Chief Financial Officer at [Hotel Group],” but Wyndham stated that he had knowledge of expenditures made to respond to the data breach of Hotels and Resorts’ network at issue in the litigation. Id. Kirsten Hotchkiss was represented as the Senior Vice President, Employment Counsel at Wyndham Worldwide and was stated to also be involved in coordinating the response to three data breaches, which Wyndham claimed happened at Hotels and Resorts. Id. A former employee, Jim Copenheaver, was represented by Wyndham as the Vice President of Security & Compliance at Hotel Group, but was also stated to have worked at Wyndham Worldwide’s New Jersey headquarters and to have had general responsibility for the response to the first criminal data intrusion of Hotels and Resorts’ network. Id. at 9.
Unsurprisingly, the district court rejected the very same arguments made here and found the FTC’s allegations sufficient to state a claim for common enterprise liability at the motion to dismiss stage against these same Wyndham defendants. F.T.C. v. Wyndham Worldwide Corp., 2014 WL 2812049, at *8. The Court should similarly reject Defendants’ arguments and deny their motion in full.

III. This Court Has Personal Jurisdiction Over Wyndham Worldwide and Hotel Management
The Wyndham Worldwide Defendants argue for lack of personal jurisdiction because Plaintiff failed to allege direct liability or common enterprise liability against them.5 Def. Br. at 8. The Court should reject this argument because, as set forth above, Plaintiff adequately alleges both direct and enterprise liability. See Sections A and B, supra.

Moreover, as a fundamental matter, Hotel Management has consented to general personal jurisdiction in Pennsylvania by virtue of registering as a foreign corporation with the Commonwealth. Pennsylvania requires foreign corporations to register within the Commonwealth in order to conduct business therein. Pennsylvania further provides that a foreign corporation qualified under the laws of the Commonwealth is subject to the general personal jurisdiction of Pennsylvania courts. 42 Pa. Cons. Stat. Ann § 5301(a)(2)(i). The Commonwealth of Pennsylvania’s Department of State’s records reveal that Wyndham Hotel Management, Inc. is qualified as a foreign corporation to do business in Pennsylvania.6 See Exhibit D attached hereto.

5 Defendants do not challenge this Court’s jurisdiction over Hotel Group or Hotels and Resorts.
6 Courts are entitled to take judicial notice of public records such as this. DiNicola v. DiPaolo, 945 F. Supp. 848, 854 n.2 (W.D. Pa. 1996).
The Third Circuit has validated this statutory scheme: “[c]onsent is a traditional basis for assertion of jurisdiction long upheld as constitutional.” Bane v. Netlink, Inc., 925 F.2d 637, 641 (3d Cir. 1991); see also generally Acorda Therapeutics Inc. v. Mylan Pharm. Inc., 817 F.3d 755, 768-69 (Fed. Cir. 2016). As a result of registering with the Commonwealth of Pennsylvania, therefore, Wyndham Worldwide and Hotel Management have consented to the general jurisdiction of this Court.

Furthermore, Plaintiff alleges that Wyndham Worldwide and Hotel Management are subject to personal jurisdiction because they (and Hotel Group and Hotels and Resorts) “conduct substantial business in this District.” ¶14. As alleged in the Complaint and described herein, each of the Wyndham Defendants participates in and benefits from the operation of the Websites. The Complaint (and Plaintiff’s opposition to the motion to dismiss of Hotel Group and Hotels and Resorts) explain in great detail the operation of the Websites. In addition, the Complaint alleges that Plaintiff, a Pennsylvania citizen, used the Websites to conduct business with the Defendants. ¶¶56-62. Indeed, Wyndham Worldwide admits on its website that the “Web Site can be accessed from all 50 states, as well as from other countries around the world.” See http://www.wyndhamworldwide.com/terms-conditions. Therefore, the Wyndham Worldwide Defendants clearly understand that they are doing business in Pennsylvania and cannot credibly claim that this Court does not have jurisdiction over its activities that harmed a Pennsylvania citizen. See Executive Wings, Inc. v. Dolby, 131 F. Supp. 3d 404, 412 (W.D. Pa. 2015) (where defendant uses interactive commercial website to initiate and engage in transaction with plaintiff in forum state, personal jurisdiction exists); Gentex Corp. v. Abbott, 978 F. Supp. 2d 391, 398 (M.D. Pa. 2013); R.Q.C. Ltd. v.
JKM Enterprises, Inc., No. 1:13-cv-307, 2014 WL 4792148, at *4-5 (W.D. Pa. Sept. 23, 2014). Because the Defendants used the Websites to enter into contracts with citizens of Pennsylvania, and because the Websites were interactive, allowing users to exchange information with the host, Defendants created sufficient contacts with Pennsylvania to establish specific personal jurisdiction. Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119, 1124 (W.D. Pa. 1997); Square D Co. v. Scott Elec. Co., No. 06-cv-459, 2008 WL 4462298, at *10-11 (W.D. Pa. Sept. 30, 2008).

The cases cited by the Wyndham Worldwide Defendants are inapposite because each involved circumstances where the defendants had insufficient contacts with the state where specific jurisdiction was alleged. See Goodyear Dunlop Tires Operations, S.A. v. Brown, 131 S. Ct. 2846, 2851 (2011); D’Jamoos ex rel. Estate of Weingeroff v. Pilatus Aircraft Ltd., 566 F.3d 94, 106 (3d Cir. 2009); Isaacs v. Arizona Bd. of Regents, 608 Fed. Appx. 70, 76 (3d Cir. 2015). Here, as shown above, Plaintiff has adequately alleged liability against all defendants under both direct and common enterprise theories. Moreover, Daimler AG v. Bauman, 134 S. Ct. 746 (2014), cited by Wyndham Worldwide Defendants, is unhelpful because it does not address situations where, like here, a defendant consents to general personal jurisdiction. In short, this Court has personal jurisdiction over the Wyndham Worldwide Defendants.

CONCLUSION
Based on the foregoing, Plaintiff respectfully requests that the Court deny Wyndham Worldwide and Hotel Management’s motion to dismiss. Should the Court grant their motion, Plaintiff requests an opportunity to amend his Complaint.

Dated: September 14, 2016

Katrina Carroll
Kyle A. Shamberg
LITE DEPALMA GREENBERG LLC
211 W.
Wacker Drive, Suite 500
Chicago, IL 60606
Telephone: (312) 750-1265
Facsimile: (312) 212-5919
kcarroll@litedepalma.com
kshamberg@litedepalma.com

Joseph P. Guglielmo
Erin Green Comite
SCOTT+SCOTT, ATTORNEYS AT LAW, LLP
The Helmsley Building
230 Park Avenue, 17th Floor
New York, NY 10169
Telephone: (212) 223-6444
Facsimile: (212) 223-6334
jguglielmo@scott-scott.com
ecomite@scott-scott.com

Respectfully submitted,
/s/ Gary F. Lynch
Gary F. Lynch
R. Bruce Carlson
Jamisen A. Etzel
Kevin Abramowicz
CARLSON LYNCH SWEET KILPELA & CARPENTER, LLP
1133 Penn Avenue, 5th Floor
Pittsburgh, Pennsylvania 15222
Telephone: (412) 322-9243
Facsimile: (412) 231-0246
bcarlson@carlsonlynch.com
glynch@carlsonlynch.com
jetzel@carlonlynch.com
kabramowicz@carlsonlynch.com

Joseph J. DePalma
LITE DEPALMA GREENBERG LLC
570 Broad Street, Suite 1201
Newark, NJ 07102
Telephone: (973) 623-3000
Facsimile: (973) 623-0858
jdepalma@litedepalma.com

CERTIFICATE OF SERVICE
I hereby certify that the foregoing document was electronically filed with the Court this 14th day of September, 2016. All counsel of record will receive notice via the Court’s CM/ECF system.
/s/ Gary F. Lynch
Gary F. Lynch

Exhibit A
Case 2:16-cv-00746-MRH Document 26-1 Filed 09/14/16 Page 1 of 4
9/14/2016 Welcome to Wyndham : SEC Filings http://investor.wyndhamworldwide.com/phoenix.zhtml?c=200690&p=irolSECText&TEXT=aHR0cDovL2FwaS50ZW5rd2l6YXJkLmNvbS9maWxpbmcueG1sP…

SEC Filings
10-K
WYNDHAM WORLDWIDE CORP filed this Form 10-K on 02/12/2016

Revenues
The sources of our revenues from franchising hotels include (i) ongoing franchise fees, which are comprised of royalty, marketing and reservation fees, (ii) initial franchise fees which relate to services provided to assist a franchised hotel to open for business under one of our brands and (iii) other service fees.
Royalty fees are intended to cover the use of our trademarks. Marketing and reservation fees are intended to reimburse us for expenses associated with operating reservations systems, e-commerce channels including our brand.com websites and access to third-party distribution channels, such as online travel agents (“OTAs”), advertising and marketing programs, global sales efforts, operations support, training and other related services. Other service fees include fees derived from providing ancillary services, and are generally intended to reimburse us for direct expenses associated with providing these services.

Our management business offers hotel owners the benefits of a global brand and a full range of management, marketing and reservation services. In addition to the standard franchise services, our hotel management business provides hotel owners with professional oversight and comprehensive operations support, including hiring, training and supervising the hotel managers and employees, annual budget preparation, local sales and marketing efforts, financial analysis, and food and beverage services.

Revenues earned from our management business include management and service fees. Management fees are comprised of (i) base fees, which are typically a specified percentage of gross revenues from hotel operations, and (ii) incentive fees, which are typically a specified percentage of a hotel’s gross operating profit. Service fees include fees derived from accounting, design, construction and purchasing services and technical assistance provided to managed hotels. We also recognize as revenue, fees related to reimbursable payroll costs for operational employees who work at some of our managed hotels. Although these costs are funded by hotel owners, accounting guidance requires us to report these fees on a gross basis as both revenues and expenses. As such, there is no effect on our operating income.
Our ownership portfolio is limited to two hotels in locations where we have developed timeshare units. Revenues earned from our owned hotels are comprised of (i) gross room nights, (ii) food and beverage services, and (iii) onsite spa, casino, golf and shop revenues. We are responsible for all operations and recognize all revenues and expenses associated with the hotels.

We also earn marketing fees from the Wyndham Rewards loyalty program when a member stays at a participating hotel. Revenues are derived from a fee we charge based upon a percentage of room revenues generated from such member stays. These fees reimburse us for expenses associated with member redemptions and the overall administration and marketing of the program.

Reservation Booking Channels

A majority of our economy and midscale hotels are located on highway roadsides for convenience of travelers; therefore, a significant portion of room nights sold are on a walk-in or direct-to-hotel basis. We believe their choice of hotel is attributable to the reputation and general recognition of our brand names.

Another significant component of our value proposition to a hotel owner is access to our reservation booking channels, which we also refer to as our distribution platform. These channels include: our proprietary brand web and mobile sites; our mobile apps; our call center facilities; our Wyndham Rewards loyalty program; our global sales team; global distribution partners such as Sabre and Amadeus; and OTAs and other third-party internet referral or booking sources, such as Kayak, TripAdvisor and Google.

Over half of our reservation delivery comes from online sources, including our proprietary and mobile websites.
For guests who choose to book their hotel stay in advance through our distribution platform, we booked approximately $4 billion in room revenue on behalf of hotels within our system (including bookings under our global sales agreements). This represents 45% of total room revenues at these hotels, compared to 42% during 2014.

A key strategy for reservation delivery is the continual investment in our e-commerce capabilities (websites, mobile and other online channels), as well as the deployment of advertising spend to drive online traffic to our proprietary e-commerce channels. This strategy also encompasses marketing agreements we have with travel-related search websites and affiliate networks, and other initiatives to drive business directly to our online channels. In addition, to ensure our franchisees receive bookings from OTAs and other third-party internet sources, we provide direct connections between our central reservations system and strategic third-party internet booking sources. These direct connections allow us to deliver more accurate and consistent rates and inventory rooms, send bookings directly to our central reservation systems without interference or delay and reduce our franchisee distribution costs.

Exhibit B

Case 2:16-cv-00746-MRH Document 26-2 Filed 09/14/16 Page 1 of 22

Willard K. Tom
General Counsel
Lisa Weintraub Schifferle (DC Bar No. 463928)
Kristin Krause Cohen (DC Bar No. 485946)
Kevin H. Moriarty (DC Bar No. 975904)
Katherine E. McCarron (DC Bar No. 486335)
John A. Krebs (MA Bar No. 633535)
Federal Trade Commission
600 Pennsylvania Ave, NW
Mail Stop NJ-8100
Washington, D.C.
20580
Facsimile: (202) 326-3062
E-mail: lschifferle@ftc.gov
Telephone: (202) 326-3377
Attorneys for Plaintiff Federal Trade Commission

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ARIZONA

Federal Trade Commission, Plaintiff,

v.

Wyndham Worldwide Corporation, a Delaware corporation; Wyndham Hotel Group, LLC, a Delaware limited liability company; Wyndham Hotels and Resorts, LLC, a Delaware limited liability company; and Wyndham Hotel Management, Inc., a Delaware Corporation, Defendants.

No. ___________

COMPLAINT FOR INJUNCTIVE AND OTHER EQUITABLE RELIEF

Case 2:13-cv-01887-ES-JAD Document 1 Filed 06/26/12 Page 1 of 21 PageID: 1

Plaintiff, the Federal Trade Commission (“FTC”), for its Complaint alleges:

1. The FTC brings this action under Section 13(b) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 53(b), to obtain permanent injunctive relief and other equitable relief for Defendants’ acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), in connection with Defendants’ failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information.

2. Defendants’ failure to maintain reasonable security allowed intruders to obtain unauthorized access to the computer networks of Wyndham Hotels and Resorts, LLC, and several hotels franchised and managed by Defendants on three separate occasions in less than two years. Defendants’ security failures led to fraudulent charges on consumers’ accounts, more than $10.6 million in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to a domain registered in Russia.
In all three security breaches, hackers accessed sensitive consumer data by compromising Defendants’ Phoenix, Arizona data center.

JURISDICTION AND VENUE

3. This Court has subject matter jurisdiction pursuant to 28 U.S.C. §§ 1331, 1337(a), and 1345, and 15 U.S.C. §§ 45(a) and 53(b).

4. Venue is proper in this district under 28 U.S.C. § 1391(b), (c), and 15 U.S.C. § 53(b).

PLAINTIFF

5. The FTC is an independent agency of the United States Government created by statute. 15 U.S.C. §§ 41-58. The FTC enforces Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices in or affecting commerce.

6. The FTC is authorized to initiate federal district court proceedings, by its own attorneys, to enjoin violations of the FTC Act and to secure such equitable relief as may be appropriate in each case. 15 U.S.C. § 53(b).

DEFENDANTS

7. Defendant Wyndham Worldwide Corporation (“Wyndham Worldwide”) is a Delaware corporation with its principal office or place of business at 22 Sylvan Way, Parsippany, New Jersey 07054. At all times material to this Complaint, Wyndham Worldwide has been in the hospitality business, franchising and managing hotels throughout the United States. Wyndham Worldwide transacts or has transacted business in this district and throughout the United States. At all relevant times, it has controlled the acts and practices of its subsidiaries described below and approved of or benefitted from such subsidiaries’ acts and practices at issue in this Complaint. See Exhibit A for an organizational chart depicting the entities named as Defendants in this Complaint.

8.
Defendant Wyndham Hotel Group, LLC (“Hotel Group”) is a Delaware limited liability company with its principal office or place of business at 22 Sylvan Way, Parsippany, New Jersey 07054. Hotel Group operates a data center in Phoenix, Arizona (the “Phoenix data center”) that it uses to store and process payment card data, and the payment card data of some of its subsidiaries, including Wyndham Hotels and Resorts, LLC. Hotel Group is a wholly-owned subsidiary of Wyndham Worldwide, and through its subsidiaries it franchises and manages approximately 7,000 hotels under twelve hotel brands, one of which is the Wyndham brand. It transacts or has transacted business in this district and throughout the United States. At all relevant times, Hotel Group has controlled the acts and practices of its subsidiaries described below and approved of or benefitted from such subsidiaries’ acts and practices at issue in this Complaint.

9. Defendant Wyndham Hotels and Resorts, LLC (“Hotels and Resorts”) is a Delaware limited liability company with its principal office or place of business at 22 Sylvan Way, Parsippany, New Jersey 07054. Hotels and Resorts is a wholly-owned subsidiary of Hotel Group. Throughout the relevant time period, Hotels and Resorts has licensed the Wyndham name to independent hotels through franchise agreements, and provided various services to those hotels, including information technology services. At all times material to this Complaint, Hotels and Resorts has licensed the Wyndham name to approximately seventy-five independently-owned hotels under franchise agreements. Hotels and Resorts transacts or has transacted business in this district and throughout the United States, including franchising hotels located in Arizona.
At all relevant times, Hotel Group and Wyndham Worldwide have performed various business functions on behalf of Hotels and Resorts, or overseen such business functions, including legal assistance, human resources, finance, and information technology and security. Hotel Group and Wyndham Worldwide controlled the acts and practices of Hotels and Resorts that are at issue in this Complaint.

10. Defendant Wyndham Hotel Management, Inc. (“Hotel Management”) is a Delaware corporation with its principal office or place of business at 22 Sylvan Way, Parsippany, New Jersey 07054. Hotel Management is also a wholly-owned subsidiary of Hotel Group. Like Hotels and Resorts, Hotel Management licenses the Wyndham name to independently-owned hotels, but does so under management agreements in which it agrees to fully operate the hotel on behalf of the owner. At all times material to this Complaint, Hotel Management has licensed the Wyndham name to approximately fifteen independently-owned hotels under management agreements. Hotel Management transacts or has transacted business in this district and throughout the United States, including managing at least one hotel in Arizona. At all relevant times, Hotel Group and Wyndham Worldwide have performed various business functions on Hotel Management’s behalf, or overseen such business functions, including legal assistance and information technology and security. Hotel Group and Wyndham Worldwide controlled the acts and practices of Hotel Management that are at issue in this Complaint.

11. Defendants Wyndham Worldwide, Hotel Group, Hotels and Resorts, and Hotel Management have operated as a common business enterprise while engaging in the unfair and deceptive acts and practices alleged in this Complaint.
Defendants have conducted their business practices described below through an interrelated network of companies that have common ownership, business functions, employees, and office locations. Because these Defendants have operated as a common enterprise, they are jointly and severally liable for the unfair and deceptive acts and practices alleged below.

COMMERCE

12. At all times material to this Complaint, Defendants have maintained a substantial course of trade in or affecting commerce, as “commerce” is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.

DEFENDANTS’ BUSINESS ACTIVITIES

Defendants’ Business Structure

13. Wyndham Worldwide is a hospitality business that, through its subsidiaries, franchises and manages hotels and sells timeshares. It conducts its business through three subsidiaries, including Hotel Group. At all times relevant to this Complaint, Hotel Group’s wholly-owned subsidiaries, Hotels and Resorts and Hotel Management, licensed the Wyndham brand name to approximately ninety independently-owned hotels under franchise or management agreements (collectively hereinafter “Wyndham-branded hotels”).

Defendants’ Network Infrastructure

14. Throughout the relevant time period, Wyndham Worldwide has been responsible for creating information security policies for itself and its subsidiaries, including Hotel Group and Hotels and Resorts, as well as providing oversight of their information security programs. From at least 2008 until approximately June 2009, Hotel Group had responsibility for managing Hotels and Resorts’ information security program.
In June 2009, Wyndham Worldwide took over management and responsibility for Hotels and Resorts’ information security program.

15. Under their franchise and management agreements, Hotels and Resorts and Hotel Management require each Wyndham-branded hotel to purchase, and configure to their specifications, a designated computer system, known as a property management system, that handles reservations, checks guests in and out, assigns rooms, manages room inventory, and handles payment card transactions. These property management systems store personal information about consumers, including names, addresses, email addresses, telephone numbers, payment card account numbers, expiration dates, and security codes (hereinafter “personal information”).

16. The property management systems for all Wyndham-branded hotels, including those managed by Hotel Management, are part of Hotels and Resorts’ computer network, and are linked to its corporate network, much of which is located in the Phoenix data center. Hotels and Resorts’ corporate network includes its central reservation system, which coordinates reservations across the Wyndham brand.

17. Each Wyndham-branded hotel’s property management system is managed by Defendants. Only Defendants, and not the owners of the Wyndham-branded hotels, have administrator access that allows Defendants to control the property management systems at the hotels. Defendants set the rules, including all password requirements, that allow the Wyndham-branded hotels’ employees to access their property management systems.

18. Defendants have even more direct control over the computer networks of the Wyndham-branded hotels managed by Hotel Management.
Hotel Management controls the “operation” of those hotels pursuant to its management agreements, including their information technology and security functions and the hiring of employees to administer the hotels’ computer networks.

19. The owners of the Wyndham-branded hotels pay Defendants fees to support their property management systems and to connect them to Hotels and Resorts’ computer network. Defendants’ technical support team is responsible for addressing and resolving any technical issues that a Wyndham-branded hotel has with its property management system. As explained further below, Defendants’ information security failures led to the compromise of many of the Wyndham-branded-hotels’ property management system servers, resulting in the exposure of thousands of consumers’ payment card accounts.

DEFENDANTS’ DECEPTIVE STATEMENTS

20. Hotels and Resorts operates a website where consumers can make reservations at any Wyndham-branded hotel. In addition, some Wyndham-branded hotels operate their own individual websites, which describe the individual hotel and its amenities. Customers making reservations from a Wyndham-branded hotel’s individual website are directed back to Hotels and Resorts’ website to make the reservation.

21. Since at least 2008, Defendants have disseminated, or caused to be disseminated, privacy policies or statements on their website to their customers and potential customers. These policies or statements include, but are not limited to, the following statement regarding the privacy and confidentiality of personal information, disseminated on the Hotels and Resorts’ website:

. . .
We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program (collectively, “Customers”). . . .

This Policy applies to residents of the United States, hotels of our Brands located in the United States, and Loyalty Program activities in the United States only. . . .

We safeguard our Customers’ personally identifiable information by using standard industry practices. Although “guaranteed security” does not exist on or off the Internet, we take commercially reasonable efforts to create and maintain “fire walls” and other appropriate safeguards to ensure that to the extent we control the Information, the Information is used only as authorized by us and consistent with this Policy, and that the Information is not improperly altered or destroyed.

22. There is a link to this privacy policy on each page of the Hotels and Resorts’ website, including its reservations page.

23. Although this statement is disseminated on the Hotels and Resorts’ website, it states that it is the privacy policy of Hotel Group.

DEFENDANTS’ INADEQUATE DATA SECURITY PRACTICES

24. Since at least April 2008, Defendants failed to provide reasonable and appropriate security for the personal information collected and maintained by Hotels and Resorts, Hotel Management, and the Wyndham-branded hotels, by engaging in a number of practices that, taken together, unreasonably and unnecessarily exposed consumers’ personal data to unauthorized access and theft. Among other things, Defendants:

a.
failed to use readily available security measures to limit access between and among the Wyndham-branded hotels’ property management systems, the Hotels and Resorts’ corporate network, and the Internet, such as by employing firewalls;

b. allowed software at the Wyndham-branded hotels to be configured inappropriately, resulting in the storage of payment card information in clear readable text;

c. failed to ensure the Wyndham-branded hotels implemented adequate information security policies and procedures prior to connecting their local computer networks to Hotels and Resorts’ computer network;

d. failed to remedy known security vulnerabilities on Wyndham-branded hotels’ servers that were connected to Hotels and Resorts’ computer network, thereby putting personal information held by Defendants and the other Wyndham-branded hotels at risk. For example, Defendants permitted Wyndham-branded hotels to connect insecure servers to the Hotels and Resorts’ network, including servers using outdated operating systems that could not receive security updates or patches to address known security vulnerabilities;

e. allowed servers to connect to Hotels and Resorts’ network, despite the fact that well-known default user IDs and passwords were enabled on the servers, which were easily available to hackers through simple Internet searches;

f. failed to employ commonly-used methods to require user IDs and passwords that are difficult for hackers to guess. Defendants did not require the use of complex passwords for access to the Wyndham-branded hotels’ property management systems and allowed the use of easily guessed passwords.
For example, to allow remote access to a hotel’s property management system, which was developed by software developer Micros Systems, Inc., Defendants used the phrase “micros” as both the user ID and the password;

g. failed to adequately inventory computers connected to the Hotels and Resorts’ network so that Defendants could appropriately manage the devices on its network;

h. failed to employ reasonable measures to detect and prevent unauthorized access to Defendants’ computer network or to conduct security investigations;

i. failed to follow proper incident response procedures, including failing to monitor Hotels and Resorts’ computer network for malware used in a previous intrusion; and

j. failed to adequately restrict third-party vendors’ access to Hotels and Resorts’ network and the Wyndham-branded hotels’ property management systems, such as by restricting connections to specified IP addresses or granting temporary, limited access, as necessary.

INTRUSIONS INTO DEFENDANTS’ COMPUTER NETWORK

25. As a result of the failures described above, between April 2008 and January 2010, intruders were able to gain unauthorized access to Hotels and Resorts’ computer network, including the Wyndham-branded hotels’ property management systems, on three separate occasions. The intruders used similar techniques on each occasion to access personal information stored on the Wyndham-branded hotels’ property management system servers, including customers’ payment card account numbers, expiration dates, and security codes. After discovering each of the first two breaches, Defendants failed to take appropriate steps in a reasonable time frame to prevent the further compromise of the Hotels and Resorts’ network.
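
The gaps alleged in paragraph 24(g) and (h), an incomplete inventory of connected computers and no reasonable means of detecting unauthorized access, compound each other: an alert that names a source address is only actionable if that address maps to a known machine. The following Python is an added example, not part of the complaint or of any Defendant's tooling; it flags sources that lock out many distinct accounts within a short window (a common sign of password guessing) and resolves each source against an asset inventory. The log format, addresses, host names, window and threshold are all constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical hosts and sites).
INVENTORY_CSV = """ip,hostname,site
10.20.1.15,pms-srv-01,Hotel 0012 back office
10.20.4.8,frontdesk-03,Hotel 0044 front desk
"""

# Constructed lockout events in a hypothetical
# "<UTC time> LOCKOUT user=<id> src=<ip>" format.
LOCKOUT_LOG = """\
2024-03-01T02:14:07Z LOCKOUT user=admin src=10.20.9.77
2024-03-01T02:14:31Z LOCKOUT user=administrator src=10.20.9.77
2024-03-01T02:15:02Z LOCKOUT user=backup src=10.20.9.77
2024-03-01T02:15:40Z LOCKOUT user=svc_pms src=10.20.9.77
2024-03-01T02:16:11Z LOCKOUT user=frontdesk src=10.20.9.77
2024-03-01T02:17:55Z LOCKOUT user=night_audit src=10.20.9.77
2024-03-01T02:20:00Z LOCKOUT user=gm01 src=10.20.1.15
2024-03-01T02:22:10Z LOCKOUT user=gm02 src=10.20.1.15
2024-03-01T02:24:30Z LOCKOUT user=acct01 src=10.20.1.15
2024-03-01T02:27:05Z LOCKOUT user=acct02 src=10.20.1.15
2024-03-01T02:29:40Z LOCKOUT user=resv01 src=10.20.1.15
2024-03-01T09:01:12Z LOCKOUT user=mlee src=10.20.4.8
2024-03-01T09:03:45Z LOCKOUT user=mlee src=10.20.4.8
2024-03-01T09:05:00Z LOCKOUT user=mlee
"""

LINE_RE = re.compile(r"^(\S+) LOCKOUT user=(\S+) src=(\S+)$")


def parse_lockouts(text):
    """Return ([(timestamp, user, source_ip)], count_of_unparseable_lines)."""
    events, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = LINE_RE.match(line)
        try:
            ts = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%SZ")
        except (AttributeError, ValueError):
            skipped += 1  # count bad lines instead of dropping them silently
            continue
        events.append((ts, match.group(2), match.group(3)))
    return events, skipped


def load_inventory(text):
    """Index inventory rows by IP address."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def peak_locked_accounts(events, window):
    """Per source, the most distinct accounts locked out in any sliding window."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    peaks = {}
    for src, rows in by_src.items():
        rows.sort()
        in_window = defaultdict(int)  # user -> events currently inside the window
        start = best = 0
        for ts, user in rows:
            in_window[user] += 1
            while ts - rows[start][0] > window:  # evict events older than the window
                old_user = rows[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            best = max(best, len(in_window))
        peaks[src] = best
    return peaks


def triage(log_text, inventory_csv, window=timedelta(minutes=10), threshold=5):
    """Flag burst sources and say whether each one can be physically located."""
    events, skipped = parse_lockouts(log_text)
    inventory = load_inventory(inventory_csv)
    findings = []
    for src, peak in sorted(peak_locked_accounts(events, window).items()):
        if peak < threshold:
            continue  # e.g. one user mistyping a password repeatedly
        asset = inventory.get(src)
        where = f"{asset['hostname']} ({asset['site']})" if asset else "NOT IN INVENTORY"
        findings.append({"src": src, "accounts": peak,
                         "located": asset is not None, "where": where})
    return findings, skipped


if __name__ == "__main__":
    results, bad_lines = triage(LOCKOUT_LOG, INVENTORY_CSV)
    for f in results:
        print(f"{f['src']}: {f['accounts']} accounts locked out -> {f['where']}")
    print(f"unparseable lines: {bad_lines}")
```

A flagged source that comes back as not in the inventory is itself a finding: the alert fired, but nobody can walk to the machine.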
First Breach

26. In April 2008, intruders first gained access to a Phoenix, Arizona Wyndham-branded hotel’s local computer network that was connected to the Internet. The hotel’s local network was also connected to Hotels and Resorts’ network through the hotel’s property management system. Using this access, in May 2008, the intruders attempted to compromise an administrator account on the Hotels and Resorts’ network by guessing multiple user IDs and passwords – known as a brute force attack.

27. This brute force attack caused multiple user account lockouts over several days, including one instance in which 212 user accounts were locked out, before the intruders were ultimately successful. Account lockouts occur when a user inputs an incorrect password multiple times, and are a well-known warning sign that a computer network is being attacked. Defendants did not have an adequate inventory of the Wyndham-branded hotels’ computers connected to its network, and, therefore, although they were able to determine that the account lockouts were coming from two computers on Hotels and Resorts’ network, they were unable to physically locate those computers. As a result, Defendants did not determine that the Hotels and Resorts’ network had been compromised until almost four months later.

28. The intruders’ brute force attack led to the compromise of an administrator account on the Hotels and Resorts’ network.
Because Defendants did not appropriately limit access between and among the Wyndham-branded hotels’ property management systems, the Hotels and Resorts’ own corporate network, and the Internet – such as through the use of firewalls – once the intruders had access to the administrator account, they were able to gain unfettered access to the property management system servers of a number of hotels.

29. Additionally, the Phoenix hotel’s property management system server was using an operating system that its vendor had stopped supporting, including providing security updates and patch distribution, more than three years prior to the intrusion. Defendants were aware the hotel was using this unsupported and insecure server, yet continued to allow it to connect to Hotels and Resorts’ computer network.

30. In this first breach, the intruders installed memory-scraping malware on numerous Wyndham-branded hotels’ property management system servers, thereby accessing payment card data associated with the authorization of payment card transactions that was present temporarily on the hotels’ servers.

31. In addition, the intruders located files on some of the Wyndham-branded hotels’ property management system servers that contained payment card account information for large numbers of consumers, stored in clear readable text. These files were created and stored in clear text because Defendants had allowed the property management systems to be configured inappropriately to create these files and store the payment card information that way.

32.
As a result of Defendants’ unreasonable data security practices, intruders were able to gain unauthorized access to the Hotels and Resorts’ corporate network, and the property management system servers of forty-one Wyndham-branded hotels – twelve managed by Hotel Management and twenty-nine franchisees of Hotels and Resorts. This resulted in the compromise of more than 500,000 payment card accounts, and the export of hundreds of thousands of consumers’ payment card account numbers to a domain registered in Russia.

Second Breach

33. In March 2009, approximately six months after Defendants discovered the first breach, intruders were able again to gain unauthorized access to the Hotels and Resorts’ network, this time through a service provider’s administrator account in the Phoenix data center.

34. In May 2009, Defendants learned that several Wyndham-branded hotels had received complaints from consumers about fraudulent charges made to their payment card accounts after using those cards to pay for stays at Wyndham-branded hotels. At that point, Defendants searched Hotels and Resorts’ network for the memory-scraping malware used in the previous attack, and found it on the property management system servers of more than thirty Wyndham-branded hotels. As a result of Defendants’ failure to monitor Hotels and Resorts’ network for the malware used in the previous attack, hackers had unauthorized access to the Hotels and Resorts’ network for approximately two months.

35.
In addition to again using memory-scraping malware to access personal information, in this second breach the intruders reconfigured software at the Wyndham-branded hotels to cause their property management systems to create clear text files containing the payment card account numbers of guests using their payment cards at the hotels.

36. Ultimately, the intruders exploited Defendants’ data security vulnerabilities to gain access to the Hotels and Resorts’ network and the property management system servers of thirty-nine Wyndham-branded hotels – nine of which were managed by Hotel Management and thirty franchisees of Hotels and Resorts. In this second incident, the intruders were able to access information for more than 50,000 consumer payment card accounts and use that information to make fraudulent charges on consumers’ accounts.

Third Breach

37. In late 2009, intruders again compromised an administrator account on Hotels and Resorts’ network. Because Defendants had still not adequately limited access between and among the Wyndham-branded hotels’ property management systems, Hotels and Resorts’ corporate network, and the Internet – such as through the use of firewalls – once the intruders had access to this administrator account they were able again to access multiple Wyndham-branded hotels’ property management system servers. As in the previous attacks, the intruders installed memory-scraping malware to access payment card account information held at the Wyndham-branded hotels.

38. Again, Defendants did not detect this intrusion themselves, but rather learned of the breach from a credit card issuer.
The credit card issuer contacted Defendants in January 2010, and indicated that the account numbers of credit cards it had issued were used fraudulently shortly after its customers used their credit cards to pay for stays at Wyndham-branded hotels.

39. As a result of Defendants’ security failures, in this instance, intruders compromised Hotels and Resorts’ corporate network and the property management system servers of twenty-eight Wyndham-branded hotels – eight managed by Hotel Management and twenty franchisees of Hotels and Resorts. As a result of this third incident, the intruders were able to access information for approximately 69,000 consumer payment card accounts and again make fraudulent purchases on those accounts.

Total Impact of Breaches

40. Defendants’ failure to implement reasonable and appropriate security measures exposed consumers’ personal information to unauthorized access, collection, and use. Such exposure of consumers’ personal information has caused and is likely to cause substantial consumer injury, including financial injury, to consumers and businesses. For example, Defendants’ failure to implement reasonable and appropriate security measures resulted in the three data breaches described above, the compromise of more than 619,000 consumer payment card account numbers, the exportation of many of those account numbers to a domain registered in Russia, fraudulent charges on many consumers’ accounts, and more than $10.6 million in fraud loss. Consumers and businesses suffered financial injury, including, but not limited to, unreimbursed fraudulent charges, increased costs, and lost access to funds or credit.
Consumers and businesses also expended time and money resolving fraudulent charges and mitigating subsequent harm.

VIOLATIONS OF THE FTC ACT

41. Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.”

42. Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.

43. Acts or practices are unfair under Section 5 of the FTC Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n).

Count I

Deception

44. In numerous instances through the means described in Paragraph 21, in connection with the advertising, marketing, promotion, offering for sale, or sale of hotel services, Defendants have represented, directly or indirectly, expressly or by implication, that they had implemented reasonable and appropriate measures to protect personal information against unauthorized access.

45. In truth and in fact, in numerous instances in which Defendants have made the representations set forth in Paragraph 44 of this Complaint, Defendants did not implement reasonable and appropriate measures to protect personal information against unauthorized access.

46. Therefore, Defendants’ representations as set forth in Paragraph 44 of this Complaint are false or misleading and constitute deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
Count II
Unfairness

47. In numerous instances Defendants have failed to employ reasonable and appropriate measures to protect personal information against unauthorized access.

48. Defendants’ actions caused or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.

49. Therefore, Defendants’ acts and practices as described in Paragraph 47 above constitute unfair acts or practices in violation of Section 5 of the FTC Act, 15 U.S.C. §§ 45(a) and 45(n).

CONSUMER INJURY

50. Consumers have suffered and will continue to suffer substantial injury as a result of Defendants’ violations of the FTC Act. In addition, Defendants have been unjustly enriched as a result of their unlawful acts or practices. Absent injunctive relief by this Court, Defendants are likely to continue to injure consumers, reap unjust enrichment, and harm the public interest.

THIS COURT’S POWER TO GRANT RELIEF

51. Section 13(b) of the FTC Act, 15 U.S.C. § 53(b), empowers this Court to grant injunctive and such other relief as the Court may deem appropriate to halt and redress violations of any provision of law enforced by the FTC. The Court, in the exercise of its equitable jurisdiction, may award ancillary relief, including rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies, to prevent and remedy any violation of any provision of law enforced by the FTC.

PRAYER FOR RELIEF

Wherefore, Plaintiff FTC, pursuant to Section 13(b) of the FTC Act, 15 U.S.C. § 53(b), and the Court’s own equitable powers, requests that the Court:

A.
Enter a permanent injunction to prevent future violations of the FTC Act by Defendants;

B. Award such relief as the Court finds necessary to redress injury to consumers resulting from Defendants’ violations of the FTC Act, including but not limited to, rescission or reformation of contracts, restitution, the refund of monies paid, and the disgorgement of ill-gotten monies; and

C. Award Plaintiff the costs of bringing this action, as well as such other and additional relief as the Court may determine to be just and proper.

Exhibit C

Case 2:16-cv-00746-MRH Document 26-3 Filed 09/14/16 Page 1 of 20

David B. Rosenbaum, 009819
Anne M. Chapman, 025965
OSBORN MALEDON, P.A.
2929 North Central Avenue, Suite 2100
Phoenix, Arizona 85012-2793
(602) 640-9000
achapman@omlaw.com
drosenbaum@omlaw.com

Eugene F. Assaf, DC Bar 449778 (Pro Hac Vice)
K. Winn Allen, DC Bar 1000590 (Pro Hac Vice)
Kirkland & Ellis, LLP
655 Fifteenth St. N.W.
Washington, D.C. 20005
(202) 879-5078
eugene.assaf@kirkland.com
winn.allen@kirkland.com

Douglas H. Meal, MA Bar 340971 (Pro Hac Vice)
Ropes & Gray, LLP
Prudential Tower, 800 Boylston Street
Boston, MA 02199-3600
(617) 951-7517
douglas.meal@ropesgray.com

Attorneys for Defendants

IN THE UNITED STATES DISTRICT COURT FOR THE DISTRICT OF ARIZONA

Federal Trade Commission, Plaintiff, vs. Wyndham Worldwide Corporation, et al., Defendants.

Case No.
CV 12-1365-PHX-PGR

DEFENDANTS’ MOTION TO TRANSFER VENUE AND INCORPORATED MEMORANDUM IN SUPPORT

ORAL ARGUMENT REQUESTED

Case 2:13-cv-01887-ES-JAD Document 23 Filed 08/02/12 Page 1 of 19 PageID: 85

Pursuant to 28 U.S.C. § 1404(a), defendants respectfully move to transfer this case to the United States District Court for the District of New Jersey or, in the alternative, to the United States District Court for the District of Columbia.

INTRODUCTION

From 2008 to 2010, Wyndham Hotels & Resorts (“WHR”) was victimized by three incidents of cyber crime. These cyber criminals, who were allegedly operating from Russia, hacked into WHR’s computer network and into the separate computer networks maintained by several independently owned hotels licensed to use the “Wyndham Hotels” brand. There is no evidence that these criminals stole (or even had access to) any guest information collected by WHR, and there is no indication that any guest suffered any financial injury as a result of these crimes. To our knowledge, the government has not been successful in apprehending those responsible for these cyber attacks. WHR is also hardly unique in having been the victim of computer hacking: a number of private companies and government agencies (including the CIA, the FBI, and the FTC itself) have also been subject to such attacks.

In response to each attack, WHR took action to expel the attacker and to notify affected parties. WHR also hired outside experts to forensically examine each intrusion and instituted a program to enhance its data-security practices. Moreover, WHR fully cooperated with a two-year FTC investigation of the cyber attacks.
Now—despite WHR’s cooperation with that investigation, its deployment of extensive enhancements to its information security program, and the absence of any financial injury to consumers—the FTC has filed this first-of-its-kind lawsuit seeking to hold a reputable company (along with its affiliates) liable for its own data-security practices and for those of the independent hotel owners with whom the company does business.

The FTC filed this case in Arizona—not in New Jersey or D.C. where the parties, the witnesses, and the proofs of the case are located. All the defendants in this case are Delaware corporations that maintain their headquarters in New Jersey. The vast majority of the parties’ key fact witnesses reside and work on the East Coast—principally in New Jersey—including a substantial number of non-party witnesses that are, consequently, far outside the subpoena power of this Court. The acts and omissions that form the basis for the FTC’s allegations primarily occurred in New Jersey and were undertaken by defendants’ employees working in that jurisdiction. And for over two years, the parties have been involved in an extensive investigation conducted by FTC staff members located in D.C., where the FTC is headquartered. One would have thought that, if this complaint were to be filed at all, it would have been filed in New Jersey or in D.C.

Arizona, by contrast, has relatively minimal contacts with this dispute. No party is headquartered in Arizona. Defendants know of only two potential witnesses who reside in Arizona, and those individuals had lower-level responsibilities than the witnesses who reside in or near New Jersey. None of the allegedly unlawful conduct that is at the core of this case took place in Arizona.
And, perhaps most tellingly, the FTC never once visited Arizona during the course of its entire two-year investigation, a fact that only confirms the natural nexus this case has to the East Coast.

Moreover, the FTC routinely brings enforcement actions in either the jurisdiction where the defendants are headquartered or in D.C. The FTC thus cannot seriously claim prejudice, inconvenience, or increased costs from litigating in New Jersey or D.C. Newark, New Jersey is only a 2.5 hour train ride from the FTC’s main offices in D.C. (costing from $160-$400 roundtrip), and if venue were transferred to D.C., the FTC could literally walk across the street to the courthouse. (An overnight trip to Arizona, by contrast, would require two days of travel and include two five-hour flights that can cost upwards of $1500 roundtrip.) This is not how the FTC should be spending taxpayer money, and it is not how defendants should be forced to spend their shareholders’ money.

In short, there is no good reason why a dispute between New Jersey companies and a D.C.-based federal agency concerning conduct that principally occurred in New Jersey should be litigated in Arizona, particularly when the great majority of party and non-party witnesses are located in New Jersey. The Court should thus transfer this case to the District of New Jersey or, alternatively, the District of Columbia. Doing so would serve the core purposes of § 1404(a) by “protect[ing] [the] litigants, witnesses and the public against unnecessary inconvenience and expense.” Van Dusen v. Barrack, 376 U.S. 612, 616 (1964) (quotation omitted).
And it would be in keeping with the practice of other federal courts that transfer FTC actions filed in jurisdictions with little connection to the parties, the key witnesses, or the operative facts.

BACKGROUND

WHR is a hospitality company engaged in providing services to a group of hotels operating under the “Wyndham Hotels” brand name (the “Wyndham-branded hotels”), a full-service hotel chain with over 70 locations throughout the United States. Ex. 1, Hotchkiss Decl. ¶ 4. With few exceptions, each Wyndham-branded hotel is independently owned by a third party unaffiliated with WHR or the other defendants. Id. ¶ 5. Most of those independent owners are authorized to use the “Wyndham Hotels” brand name pursuant to franchise agreements with WHR, through which WHR licenses the use of the brand name and agrees to provide certain services to the franchisee, who retains day-to-day responsibility for running the hotel. Id. ¶ 6. The remaining independent owners operate under the “Wyndham Hotel” brand pursuant to management agreements with WHR’s sister company Wyndham Hotel Management, Inc. (“WHM”), under which WHM agrees to manage the property as the agent of the owner. Id.

Both WHR and WHM are wholly owned subsidiaries of defendant Wyndham Hotel Group, LLC (“WHG”), which (through other subsidiaries) franchises several other well-known hotel brands, such as Days Inn, Super 8, and Ramada. Id. ¶ 4. WHG, in turn, is a wholly owned subsidiary of Wyndham Worldwide Corporation (“WWC”). Id. WWC, WHG, WHR, and WHM all maintain their principal places of business in Parsippany, New Jersey. Id.
On three separate occasions from 2008 to 2010, criminal hackers gained unauthorized access into WHR’s computer network and into the separate computer networks of several Wyndham-branded hotels located throughout the United States. Id. ¶ 8. The intrusions into the hotels’ networks may have resulted in the hackers stealing payment card data that the hotel owners had collected from their guests. Id. Significantly, there is no evidence that the intruders stole (or even had access to) any guest information collected by WHR or that any guest suffered any financial injury as the result of these crimes. Id.

In response to each intrusion, WHR took action to contain and expel the intruder, to notify law enforcement and governmental officials, to alert payment card brands and processors, and to inform those guests whose payment card accounts were potentially at risk. Id. ¶ 10. WHR also retained outside experts to conduct forensic investigations of each intrusion, both with respect to WHR’s own network and the networks of the independent Wyndham-branded hotels. Id. Additionally, in the wake of the intrusions, WHR spent substantial time, money, and resources to enhance the security of its own network and to assist the Wyndham-branded hotels in improving the security of their networks. Id. ¶¶ 11-12. The current and former employees who were responsible for managing and coordinating the responses to each data intrusion, and for developing the information-security enhancements that were instituted following the intrusions, are primarily located in or near New Jersey, as are those current employees who are responsible for overseeing defendants’ existing data-security practices. Id. ¶¶ 7, 10-12.

In April 2010, Federal Trade Commission (“FTC”) staff members located in Washington, D.C. commenced an investigation into WHR’s data-security practices. Id. ¶ 13.
WHR cooperated fully with that investigation, including by collecting and producing over one million pages of documents and providing written responses to 51 separate interrogatories. Id. In addition, WHR employees and inside and outside counsel made seven separate oral presentations to FTC staff members in D.C. in an effort to address the Commission’s concerns. Id.

After WHR had already produced voluminous pages of documents and made multiple trips to D.C. to cooperate with the investigation, the FTC served an unreasonably burdensome and overly broad civil investigative demand (“CID”) on defendants, seeking production of an enormous amount of plainly irrelevant information (at considerable expense to the company). Id. WHR moved to quash that oppressive CID, and the FTC ultimately withdrew the CID. Id. That action is telling: The FTC was prepared to force defendants to spend millions of dollars of shareholder money to respond to a CID that it later conceded was unnecessary. It is hard to imagine a more cavalier attitude toward imposing needless costs on a reputable company while wasting taxpayer money at the same time.

Despite WHR’s diligent efforts to respond to each criminal intrusion, to improve the security of its own network and those maintained by the Wyndham-branded hotels, and its cooperation with the Commission’s investigation, the FTC filed this complaint on June 26, 2012. The gravamen of the FTC’s allegations is that defendants violated Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), by “fail[ing] to maintain reasonable and appropriate data security for consumers’ sensitive personal information.” Compl. ¶ 1.
Count I alleges that certain statements regarding data security found on WHR’s website are false and thus amounted to “deceptive” statements under the FTC Act. Id. ¶¶ 44-46. In Count II, the complaint alleges that defendants’ purported failure to “employ reasonable and appropriate measures to protect personal information against unauthorized access” constitutes “unfair acts or practices” under the Act. Id. ¶¶ 47-49. Notably, FTC Commissioner J. Thomas Rush dissented from the staff members’ decision to include Count II.

The FTC’s complaint in this case is literally unprecedented. This is the first case ever litigated in which the FTC has sought to impose Section 5 liability for supposedly inadequate data-security protections. This case is therefore of significant importance to American businesses of all sizes, who already face a dizzying array of legal obligations governing data-security matters. And by seeking to hold defendants vicariously liable for the conduct of independent hotel owners, this case threatens to undermine traditional rules of agency, endangers the franchise model of doing business, and imposes substantial costs on small businesses.

LEGAL STANDARD ON A MOTION TO TRANSFER

Transfer of venue here is governed by 28 U.S.C. § 1404(a), which provides that “[f]or the convenience of parties and witnesses, in the interest of justice, a district court may transfer any civil action to any other district or division where it might have been brought.” The threshold question is whether the action “might have been brought” in the proposed transferee districts. Id.
If so, courts go on to consider a slate of non-exclusive factors bearing on convenience to the parties and witnesses, the location of the facts giving rise to the plaintiff’s causes of action, and the interests of justice. See Forever Living Prods. U.S. Inc. v. Geyman, 471 F. Supp. 2d 980, 983 (D. Ariz. 2006).

ARGUMENT

I. THIS CASE CLEARLY COULD HAVE BEEN BROUGHT IN THE DISTRICT OF NEW JERSEY OR DISTRICT OF COLUMBIA

There can be no doubt that this case “might have been brought” in federal court in either New Jersey or D.C. Federal courts in New Jersey and D.C. would have personal jurisdiction over the defendants because all defendants consent to jurisdiction in those districts and maintain their corporate headquarters in New Jersey, from which they each develop, implement, and supervise the data-security practices for their particular business. Venue is also appropriate in the District of New Jersey given that all defendants are deemed to “reside” in New Jersey for purposes of the venue statute. See 28 U.S.C. § 1391(a), (c). Venue would likewise be proper in D.C., in light of the broad venue provisions of the FTC Act. See 15 U.S.C. § 53(b).

II. THE SECTION 1404(a) FACTORS STRONGLY FAVOR TRANSFER

The next step in the Court’s analysis is to balance various case-specific factors bearing on the convenience of the parties, the location of the relevant facts, and the interests of justice.
As relevant here, those factors include: the convenience of the parties, the relative financial burdens, the convenience of witnesses, the availability of compulsory process to compel unwilling witness attendance, the availability of witnesses and their live testimony at trial, the ease of access to sources of proof, the differences in the costs of litigation in the two forums, contacts with the chosen forum … the relevant public policy of the forum state … and the relative docket congestion of the courts. Gomez v. Wells Fargo Bank, 2009 WL 1936790, at *1 (D. Ariz. July 2, 2009).

The convenience of the parties and potential witnesses is of critical importance in evaluating a motion to transfer. “Indeed, the convenience of both party and non-party witnesses is probably the single-most important factor in the analysis of whether transfer should be granted.” U-Haul Int’l v. Hire A Helper, LLC, 2008 WL 4368663, at *2 (D. Ariz. Sep. 23, 2008) (quotation omitted). Likewise, the “availability of process to compel the testimony of important witnesses … is an important consideration in transfer motions” and the existence of “[w]itnesses outside the subpoena power of the court weighs heavily in a transfer decision.” Id. (quotation omitted). In this case, the convenience of party and non-party witnesses, as well as the remainder of the § 1404(a) factors, overwhelmingly favor transferring this case to New Jersey or, alternatively, to D.C.

A. New Jersey Is The Most Convenient Forum For Litigating This Case

Litigating this case in New Jersey will clearly be more convenient for both the FTC and for defendants. See Gomez, 2009 WL 1936790, at *1 (stating that the “convenience of the parties” is a relevant factor in transfer motions). The FTC is headquartered in D.C., and all of the staff members identified in the complaint are located there. See Compl. at 21.
All four defendants in this case, moreover, maintain their principal places of business in Parsippany, New Jersey, and the employees who are likely to be engaged in this litigation are all located in New Jersey. See Hotchkiss Decl. ¶ 4; see also Gomez, 2009 WL 1936790, at *2 (granting transfer to Minnesota because defendants’ “executive management and administrative employees, who are likely to be extensively engaged in this litigation” were all located at defendants’ headquarters in Minnesota). Given the relative expense and inconvenience of travelling to Arizona, a New Jersey forum is clearly preferable for all parties.[1]

Additionally, virtually all the parties’ likely fact witnesses live in or near New Jersey. To combat the FTC’s allegations, defendants will need to call witnesses to testify about (i) WHR’s data-security protections before the first intrusion in April 2008; (ii) efforts to respond to each intrusion and to enhance data-security protections after each intrusion; and (iii) defendants’ current data-security practices. Essentially all the current employees who have knowledge of those issues work at defendants’ headquarters in New Jersey. See Hotchkiss Decl. ¶¶ 7, 10-12, 14-15. This includes the following witnesses:

• Tim Voss: Mr. Voss is the global head of Information Security at WWC. In that role, he has overall responsibility for data-security efforts at WWC and all of its subsidiaries. Mr. Voss lives in New Jersey and works at WWC’s Parsippany, New Jersey headquarters. Id. ¶ 15(a).

• Dan Kornick: Mr. Kornick is Chief Information Officer at WHG. He has responsibility for information technology at WHG, including integrating data security requirements with information technology operations. Mr.
Kornick lives in New Jersey and works at WHG’s Parsippany, New Jersey headquarters. Id. ¶ 15(b).

• Bob Loewen: Mr. Loewen is the Chief Financial Officer at WHG. He has knowledge of the expenditures made to respond to the intrusions and to enhance data-security protections, as well as knowledge regarding the monetary relief sought by the FTC. Mr. Loewen lives in New Jersey and works at WHG’s Parsippany, New Jersey headquarters. Id. ¶ 15(c).

• Kirsten Hotchkiss: Ms. Hotchkiss is a Senior Vice President, Employment Counsel at WWC and was formerly the Corporate Compliance Officer at WWC. She was involved in coordinating the response to all three intrusions and in enhancing data-security protections after those intrusions. Ms. Hotchkiss lives in New Jersey and works at WWC’s Parsippany, New Jersey headquarters. Id. ¶ 14.

[1] A comparison of the relative travel times and costs for each potential jurisdiction shows why this is true. Traveling from Washington, D.C. to Phoenix, Arizona can take two travel days, cost upwards of $1500, and require a five-hour flight each way. Traveling from D.C. to Newark, New Jersey, in contrast, only requires a 2.5 hour train ride that typically costs from $160 to $400. And, of course, litigating this case in Washington, D.C. would be essentially costless for the FTC: those staff members involved could literally walk across the street to the courthouse. Hotchkiss Decl. ¶ 22.

Were this case to proceed in Phoenix, defendants would be required to send these and other witnesses across the country to testify in Arizona, a substantial disruption to both the parties and the individuals involved.
In addition, there are many witnesses with significant knowledge about some of the most important issues in this case—including WHR’s data-security practices and efforts to enhance data-security protections in response to the intrusions—that are no longer employed by defendants. Id. ¶ 16. These potential witnesses include:

• Chris Armstrong: Mr. Armstrong was formerly the Vice President of Information Security at WWC. He had general responsibility for the response to the second and third intrusions and for subsequent security enhancement efforts. Mr. Armstrong formerly worked at WWC’s New Jersey headquarters and still lives within 100 miles of Newark, New Jersey. Id. ¶ 16(a).

• Jim Copenheaver: Mr. Copenheaver was formerly the Vice President of Security & Compliance at WHG. He had general responsibility for the response to the first criminal data intrusion and for security enhancements made after that intrusion. Mr. Copenheaver formerly worked at WWC’s New Jersey headquarters and still lives in New Jersey. Id. ¶ 16(b).

• David Hisaw: Mr. Hisaw was formerly the Chief Information Officer for WWC. He had general responsibility for WWC’s information-security practices. Mr. Hisaw formerly worked at WWC’s New Jersey headquarters and still lives in New Jersey. Id. ¶ 16(c).

• Peter Gibson: Mr. Gibson was formerly a Senior Vice President of Information Technology & Systems Development and Chief Technology Officer at WHG. He is likely to have knowledge of WHR’s information-security practices prior to April 2008. Mr. Gibson formerly worked at WHG’s New Jersey headquarters and still lives in New Jersey. Id. ¶ 16(d).

• Thomas Burger: Mr. Burger was formerly a Director of IT Security & Risk Management at WHG and Director of Global Security Compliance at WWC. He is likely to have knowledge of all three data intrusions and efforts to respond to each intrusion and to enhance data-security protections after each intrusion. Mr.
Burger formerly worked at WHG and WWC’s New Jersey headquarters and still lives in New Jersey. Id. ¶ 16(e).

• Nancy Diaz: Ms. Diaz was formerly a Director of Global Information Security Management at WWC. She is likely to have knowledge of all three data intrusions, data-security practices prior to April 2008, and efforts to respond to each intrusion and to enhance data-security protections after each intrusion. Ms. Diaz formerly worked at WWC’s New Jersey headquarters and still lives in New Jersey. Id. ¶ 16(f).

• Jeff Edwards: Mr. Edwards was formerly the Chief Information Officer of WHG. He is likely to have knowledge concerning the first two intrusions, data-security practices prior to April 2008, and efforts to respond to the first two intrusions and to enhance data-security protections after those intrusions. Mr. Edwards formerly worked at WHG’s New Jersey headquarters and still lives in New Jersey. Id. ¶ 16(g).

As these summaries suggest, the overwhelming majority of third-party witnesses who are likely to be called to testify in this case live in New Jersey or within 100 miles of Newark, New Jersey. These individuals are outside the subpoena power of this Court, but would be within the subpoena power of a District of New Jersey court. As a number of cases make clear, the unavailability of process to compel the testimony of these witnesses “weighs heavily” in favor of transferring this case to New Jersey. U-Haul Int’l, 2008 WL 4368663, at *3 (transferring case because, inter alia, “the majority of non-party witnesses would either be unwilling, inconvenienced or not subject to compulsory process if the case is tried in Arizona”) (quotation omitted); see also Leyvas v. Bezy, 2008 WL 2026276, at *4 (D. Ariz.
May 9, 2008) (“[T]he inability of the Court to compel the attendance of certain witnesses would certainly favor transferring the case.”); Chodock v. Am. Econ. Ins. Co., 2005 WL 2994451, at *4 (D. Ariz. Nov. 7, 2005) (transferring case because, inter alia, “the majority of witnesses, which are located in Illinois and Indiana, are beyond the subpoena power of this Court”). Indeed, “to fix the place of trial at a point where litigants cannot compel personal attendance and may be forced to try their cases on deposition, is to create a condition not satisfactory to court, jury or most litigants.” Gulf Oil Corp. v. Gilbert, 330 U.S. 501, 511 (1947).

The location of relevant documents is of limited importance in this case, given that WHR has already made substantial document productions to the FTC and that many of the relevant documents are electronically stored. However, to the extent the location of documents is relevant at all, that consideration also favors transfer to New Jersey. Most of WHR’s relevant hard-copy documents are located in New Jersey, and any document collection or production efforts would be directed by internal information-technology, legal, and litigation-support professionals located in New Jersey. Hotchkiss Decl. ¶ 20. The FTC’s hard-copy documents, moreover, are likely to be located in Washington, D.C., only a short distance from New Jersey, and defendants intend to seek expansive discovery of those materials. See, e.g., Gomez, 2009 WL 1936790, at *3-4 (granting transfer to Minnesota because, inter alia, “most if not all of [defendants’] witnesses and documentary evidence [are] located in Minnesota”).

The convenience of witnesses and ease of access to sources of proof would not be served by litigating in Arizona.
Defendants are aware of only two potential witnesses that are located in this district—and one of those individuals is a current WHG employee who, it can be presumed, will appear voluntarily in any jurisdiction. See Hotchkiss Decl. ¶¶ 17-18; U-Haul Int’l, 2008 WL 4368663, at *2 (“It is generally assumed that witnesses within the control of the party calling them, such as employees, will appear voluntarily.”) (quotations omitted). Additionally, because these two individuals held relatively low-level positions as compared to the above-referenced witnesses who live in or near New Jersey, see Hotchkiss Decl. ¶¶ 17-18, the testimony of these Arizona witnesses will likely be of less importance and should be given less weight in the forum analysis. In any event, the burden of requiring two witnesses to travel to New Jersey pales in comparison to the much more substantial burdens that would be imposed by requiring the far greater number of witnesses identified above to travel from New Jersey to Arizona or by the inability of this Court to compel the attendance of the numerous non-party witnesses that still live in the New Jersey area.

Given that the great majority of likely witnesses in this case are located in or near New Jersey, litigating this case in Arizona would be far more costly to the parties than litigating this case on the East Coast. “Generally, litigation costs are reduced when venue is located near most of the witnesses … [and] the location of documents likely to be at issue.” Gomez, 2009 WL 1936790, at *3 (quotations omitted). The “differences in the costs of litigation” is thus yet another factor favoring transfer of this case to New Jersey. Id. at *1.
Finally, the “contacts relating to the Plaintiff’s cause[s] of action,” Forever Living Prods., 471 F. Supp. 2d at 983, conclusively favor transfer to New Jersey. At all relevant times, defendants developed, implemented, and managed their data-security practices from their corporate headquarters in New Jersey. See Hotchkiss Decl. ¶ 7. Thus, defendants’ investigation of and immediate response to the three intrusions alleged in the complaint, as well as defendants’ efforts to enhance data security in the wake of those intrusions, were managed by New Jersey employees. See id. ¶¶ 10-12; Compl. ¶¶ 25, 37, 40. Each of the specific acts and omissions that the complaint alleges to have been inadequate, see Compl. ¶¶ 24(a)-24(j), were similarly overseen by employees located in New Jersey—at least to the extent those acts and omissions were defendants’ responsibility at all and not the responsibility of independent hotel owners. See Hotchkiss Decl. ¶¶ 7, 10-12. And to the extent defendants assisted franchisees and other independent hotel owners in enhancing the security of their networks, those efforts were directed from defendants’ New Jersey headquarters. Id. ¶ 12. Finally, the statements from WHR’s website that form the basis for the FTC’s allegations of deception, see Compl. ¶¶ 20-23, 44-46, were all written, authorized, and disseminated by employees in New Jersey, and the website itself is maintained and administered by New Jersey employees. See Hotchkiss Decl. ¶ 21.

B. Alternatively, Transfer To The District Of Columbia Would Be Appropriate

Although this is a New Jersey case involving conduct by New Jersey corporations that took place in New Jersey, D.C. is also a plausible alternative forum for this litigation and a forum that would save the parties substantial time, expense, and resources.

First, the FTC is located in D.C. and accordingly cannot claim that D.C. would be an inconvenient or burdensome place for it to litigate. See, e.g., Reiffin v.
Microsoft Corp., 104 F. Supp. 2d 48, 52-53 (D.D.C. 2000) (granting transfer and noting that “any inconvenience or hardship to plaintiff occasioned by transfer to [its] home forum would be negligible or non-existent”) (quotation omitted). Indeed, it would be particularly odd for a party such as the FTC to object to litigating in its home forum. Second, D.C. is in relatively close proximity to New Jersey—where the great majority of the witnesses (both party and non-party) are located and where any relevant documents that the FTC does not already have are located. As discussed above, most of the witnesses reside in or near New Jersey, within a short distance from Washington, D.C. These current and former employees will certainly be the subject of discovery and possible trial testimony, and litigating this case in D.C. would be more convenient for those individuals than would litigating in Phoenix. Finally, many of the key documents that the FTC does not already have would likely be located in New Jersey and hence could be more easily transported to D.C. than they could be to Arizona. Third, the two-year investigation that preceded the FTC’s decision to file this action was based in D.C., and thus most (if not all) of the FTC’s relevant documents and witnesses will be located in that jurisdiction. Defendants, moreover, intend to seek expansive discovery of those materials, including documents and testimony concerning the basis for the FTC’s allegations in this case and the FTC’s past enforcement activity regarding data-security matters. See, e.g., FTC v. CyberSpy Software, LLC, 2009 WL 2386137, at *1 (M.D. Fla. July 31, 2009) (permitting deposition of FTC representative “regarding the facts supporting the agency’s case”) (quotations omitted). A D.C.
venue would thus be far more convenient for those FTC staffers involved in this or prior data-security investigations, almost all of whom work at the FTC’s headquarters in D.C.

C. The FTC’s Decision To Sue In Arizona Is Not Entitled To Deference

The above analysis would tip the §1404(a) factors in favor of transfer even if the FTC was entitled to some deference in its choice of forum. But in this case, the FTC’s decision to sue in Arizona is entitled to no deference whatsoever for two independent reasons. First, the FTC does not “reside” in Arizona, and it is well-established that a “plaintiff’s chosen forum is given less deference when the plaintiff does not reside in that forum.” Reaves v. Cable One, Inc., 2011 WL 5331695, at *2 (D. Ariz. Nov. 7, 2011) (granting transfer); see also Leyvas, 2008 WL 2026276, at *5 (same). Second, deference is inappropriate where, as here, the operative facts underlying the plaintiff’s allegations took place outside of the plaintiff’s chosen forum. See Am. Sec. Ins. Co. v. Norcold, Inc., 2010 WL 2991585, at *2 (D. Ariz. July 26, 2010) (“Plaintiff’s choice of Arizona is entitled to only minimal consideration because the operative facts have not occurred within Arizona and Arizona has no particular interest in the parties or the subject matter.”) (quotations omitted); Leyvas, 2008 WL 2026276, at *5 (“[W]hen the plaintiff’s forum lacks significant ties to the events that gave rise to the Complaint, the deference given to the Plaintiff’s choice of forum is slight.”). Indeed, courts not only decline to afford plaintiffs deference when they sue in a forum that is foreign to both the parties and the facts, they also subject such forum choices to “close scrutiny.” Shoemake v. Union Pac. R.R., 233 F. Supp. 2d 828, 831 (E.D.
Tex. 2002); see Piper Aircraft Co. v. Reyno, 454 U.S. 235, 255 & n.24 (1981) (deference to plaintiff’s forum “is much less reasonable” “[w]hen the plaintiff is foreign”). As discussed, this case has only the most tangential ties to Arizona. The only relevant Arizona connections mentioned in the complaint are: (1) defendants “transacted business” in Arizona, Compl. ¶¶ 7-11; (2) WHG “operates a data center in Phoenix, Arizona” that houses computer servers, id. ¶ 8; and (3) in the first intrusion, the hackers gained access to WHR’s network by unlawfully hacking the network of a Wyndham-branded hotel in Arizona, id. ¶ 26.2 Those allegations are irrelevant to the central issues in this case and are hardly enough to overcome its strong relationship to New Jersey. To begin, the fact that some defendants might “transact[] business” in Arizona hardly confers any unique status on this State given that defendants franchise and manage hotels throughout the United States. See Hotchkiss Decl. ¶ 4. The physical location of the WHR data center and the Wyndham-branded hotel that was first hacked, moreover, are irrelevant to the core legal issues in this case.

2 As a matter of courtesy, defendants conferred with the FTC regarding this Motion to Transfer Venue. The FTC stated that they opposed transferring this case under § 1404(a) and that all of the facts supporting an Arizona venue were laid out in the complaint. Thus, by the FTC’s own telling, the complaint sets forth all of the relevant ties this case has to Arizona.
The FTC seeks to impose liability not for the intrusions themselves and not based on any Wyndham-branded hotels’ conduct regarding information security, but for defendants’ alleged “failure to maintain reasonable and appropriate data security.” Compl. ¶ 1. And as explained above, every decision relating to the enactment and execution of WHR’s data-security practices occurred in New Jersey, where defendants have long managed and overseen their entire data-security program. See Hotchkiss Decl. ¶¶ 7, 10-12. Thus, although the alleged data breaches “may have been the necessary impetus for the activity that led to this action,” the “ultimate issue in this case hinges around” conduct that occurred in New Jersey. Reaves, 2011 WL 5331695, at *3 (granting transfer); see also Bratton v. Schering-Plough Corp., 2007 WL 2023482, at *4 (D. Ariz. July 12, 2007) (granting transfer to New Jersey because, inter alia, the alleged conduct “was developed and implemented by the corporate headquarters in New Jersey”). Indeed, the lack of meaningful Arizona ties to the FTC’s claims is only confirmed by the fact that the FTC did not once travel to Arizona during its entire two-year investigation.3

3 Tellingly, even when the FTC interviewed employees of the Wyndham-branded hotel in Phoenix where the first cyber attack began, the Commission conducted those interviews in Washington, D.C.

D. Transfer Would Be In Keeping With The Practice Of Other Courts Presented With FTC Actions Bearing Few Ties To The Selected Forum

The FTC’s decision to file suit in this jurisdiction is puzzling for yet another reason. In the typical enforcement action under Section 5 of the FTC Act, the Commission generally brings suit either in the jurisdiction where the defendant maintains its principal places of business or in Washington, D.C. See, e.g., FTC v. Hope Now Modifications, LLC, 2010 WL 1463008 (D.N.J. April 12, 2010); FTC v. Chinery, 2007 WL 1959270 (D.N.J. July 5, 2007); FTC v. Check Enforcement, 2005 WL 1677480 (D.N.J. July 18, 2005); FTC v. Mallett, 818 F. Supp. 2d 142 (D.D.C. 2011); FTC v. Cantkier, 767 F. Supp. 2d 147 (D.D.C. 2011). It is unclear why the FTC has taken a different tack here. Moreover, in those few cases like this one, where the FTC elected to bring suit in a jurisdiction that had no obvious connection to the parties, the witnesses, or the facts, courts have granted a motion to transfer. For example, in FTC v. Mazzoni & Son, Inc., 2006 WL 3716808 (N.D. Ohio Dec. 14, 2006), the FTC sued in the Northern District of Ohio, even though the corporate defendant was based in Michigan, the conduct at issue was orchestrated in Michigan, and most of the relevant witnesses were former employees who resided in Michigan. Id. at *1, *3. Under those circumstances, the court held that transfer would “promote the convenience of the witnesses, the overall (and relevant) interests of the parties and the public interest.” Id. at *4. Similarly, in FTC v. American Tax Relief LLC, 2011 WL 2893059 (N.D. Ill. July 20, 2011), the court transferred an FTC action to California because all of the defendants were located in California, the acts and omissions giving rise to the FTC’s claims occurred in California, and the relevant witnesses were located in California. Id. at *5-7. This Court should follow the lead of Mazzoni and American Tax Relief, and transfer this case to either New Jersey or D.C.

E. Transfer Would Be In The Interests of Justice

Finally, transferring this case would serve the interests of justice. Transfer would enhance judicial economy for the straightforward reason that the District of Arizona’s courts are comparatively more burdened. In 2011, the Ninth Circuit declared that a “judicial emergency” exists in the District of Arizona—a declaration that is “virtually unprecedented” in recent decades. See In re Approval of the Judicial Emergency Declared in the Dist. of Ariz., 639 F.3d 970, 971 (9th Cir. 2011). In so doing, the Ninth Circuit found that this District is “experiencing inordinate pressure with its civil caseload,” that its judges are “overburdened,” and that “the backlog will continue to grow.” Id. at 973-74. Although the emergency period has expired by operation of statute (and, as a matter of law, cannot be renewed until September 2012, see 18 U.S.C. § 3174), Arizona’s courts are “still in ‘dire circumstances.’” Victoria Pelham, A Year Into Emergency, Arizona Federal Courts Still Face ‘Dire’ Situation, Cronkite News, Mar. 14, 2012, available at http://cronkitenewsonline.com/2012/03/a-year-into-emergency-arizona-federal-courts-still-face-dire-situation/. The extraordinary burdens faced by this Court, and the comparatively lighter dockets of the federal courts in New Jersey and D.C., counsel in favor of a transfer.4 See, e.g., Reaves, 2011 WL 5331695, at *5; Leyvas, 2008 WL 2026276, at *5. In addition, New Jersey and D.C. have strong interests in hosting this litigation—interests which Arizona lacks. This is a controversy involving allegations brought by a D.C.-based federal agency against New Jersey corporations concerning conduct that took place principally in New Jersey. See Compl. ¶¶ 7-11.
Arizona, by contrast, has no greater interest in this case than any of the other 22 states where Wyndham-branded hotels are located. Simply put, there is no good reason to hear this case in a forum separated from the relevant parties, events, and witnesses—especially when doing so will add to the “overwhelming caseload” of an “overburdened” District. In re Approval, 639 F.3d at 974.

4 In 2011, the median time to dispose of a civil lawsuit in Arizona was 7.3 months as opposed to 6.2 and 6.5 in New Jersey and the District of Columbia, respectively. See Federal Judicial Caseload Statistics, March 31, 2011, Table C, available at http://www.uscourts.gov/Viewer.aspx?doc=/uscourts/Statistics/FederalJudicialCaseloadStatistics/2011/tables/C05Mar11.pdf.

DATED this 2nd day of August, 2012.
By: /s/ Eugene Assaf
David B. Rosenbaum, 009819
Anne M. Chapman, 025965
Osborn Maledon, P.A.
2929 North Central Avenue, Suite 2100
Phoenix, Arizona 85012-2794
Eugene F. Assaf, P.C., 449778, (Pro Hac Vice)
K. Winn Allen, 1000590, (Pro Hac Vice)
Kirkland & Ellis LLP
655 Fifteenth Street, N.W.
Washington, D.C. 20005
Douglas H.
Meal, 340971, (Pro Hac Vice)
Ropes & Gray, LLP
Prudential Tower, 800 Boylston Street
Boston, MA 02199-3600
Attorneys for Defendants

CERTIFICATE OF SERVICE

I hereby certify that on August 2, 2012, I electronically transmitted the attached document to the Clerk’s Office using the CM/ECF System for filing and transmittal of a Notice of Electronic Filing to the following CM/ECF registrants:
• Kristin Krause Cohen; kcohen@ftc.gov
• John Andrew Krebs; jkrebs@ftc.gov
• Katherine E McCarron; kmccarron@ftc.gov
• Kevin H Moriarty; kmoriarty@ftc.gov
• Lisa Naomi Weintraub Schifferle; lschifferle@ftc.gov
Attorneys for Plaintiff, Federal Trade Commission
/s/ Eugene Assaf

Exhibit D

Case 2:16-cv-00746-MRH Document 26-4 Filed 09/14/16 Page 1 of 3
9/8/2016 https://www.corporations.pa.gov/search/corpsearch
Date: 09/08/2016

Business Name History
Name: Wyndham Hotel Management, Inc
Name Type: Current Name

Business Entity Details
Name: Wyndham Hotel Management, Inc
Entity Number: 4105002
Entity Type: Business Corporation
Status: Active
Citizenship: Foreign
Entity Creation Date: 04/27/2012
Effective Date: 04/27/2012
State Of Inc: DE
Address: % Corporate Creations Network Inc PA ERIE

Filed Documents
Select Date Document Pages Plain Copy Quantity# Price Certified Copy Quantity# Certified Copy Price Microfilm # Microfilm Start Microfilm End Line Total
04/27/2012 CERTIFICATE OF AUTHORITY 1 2 $3.00 $40.00 1 0