(Andrey Burmakin)

A federal judge in Newark has ruled that the Wyndham hotel chain and its three subsidiaries are all on the hook in a suit by the Federal Trade Commission over the failure of one subsidiary to safeguard customers’ personal data.

The FTC made sufficient allegations to support a common-enterprise theory of joint and several liability, since the various Wyndham entities are under common control, pool their resources and staff and share office space, U.S. District Judge Esther Salas ruled Monday in Federal Trade Comm. v. Wyndham Worldwide Corp.

The FTC suit claims Wyndham took insufficient measures to ward off hackers after the company’s data center in Arizona was the subject of three data breaches. The center was under the operation of a subsidiary, Wyndham Hotels and Resorts, but the complaint named that company as well as three other defendants—Wyndham Worldwide Corp. and two other subsidiaries, Wyndham Hotel Group and Wyndham Hotel Management.

Wyndham, based in Parsippany-Troy Hills, runs 7,400 hotels under names such as Ramada, Days Inn and Howard Johnson.

The FTC called Wyndham a “maze of related companies.” Wyndham Worldwide is the sole owner of the company’s Hotel Group subsidiary, which, in turn, owns two other subsidiaries—Hotels and Resorts and Hotel Management.

Hotel Management is in charge of hotels that have management agreements with Wyndham. Hotels & Resorts enters into franchise agreements with hotels.

Hotels & Resorts was, at the time of the three cyber-attacks, responsible for operation of the data center, which handles reservations and payments for all of Wyndham’s hotels.

The FTC claimed the Wyndham defendants are jointly and severally liable because they “operated as a common business enterprise” while engaging in unfair and deceptive acts, and operated “through an interrelated network of companies that have common ownership, business functions, employees and office locations.”

Wyndham claimed that common-enterprise liability is only applicable when failure to hold multiple corporations liable would provide a clear mechanism for avoiding the terms of the court order in the case.

Salas said that the FTC Act does not disregard corporate entities except where “the structure, organization, and operation of a business venture among separate corporate entities reveal a common enterprise or a maze of interrelated companies.” Because the FTC has asserted that Wyndham is operated as such a network, Salas said, its allegations sufficiently support a claim for common-enterprise liability.

Salas discounted Wyndham’s assertion that the defendants are “not mere shell companies designed to perpetrate fraud and to hide ill-gotten gains.” The common enterprise analysis, she said, does not turn on whether the analysis depends on the existence of fraudulent activity. Any inquiry into fraudulent intent is premature, she said.

Wyndham argued that the FTC did not assert that the defendants commingle corporate funds or assets, lack their own substantive businesses, engage in unified advertising, or fail to maintain separate books and records.

But Salas found Wyndham was wrong in arguing that those factors are prerequisites to finding common-enterprise liability. To the contrary, no one factor is controlling, and federal courts routinely consider a variety of factors, she said. “And, having examined the FTC’s allegations, its complaint sufficiently supports a common-enterprise claim in view of factors that the Wyndham entities try to discount.”

The FTC, citing Wyndham’s failure to fix known security vulnerabilities, employ reasonable measures to detect unauthorized access, or follow proper incident response procedures, claims violations of Federal Trade Act §5(a), prohibiting unfair or deceptive practices.

On April 7, Salas denied a motion by Hotels & Resorts to dismiss the case. On Monday, she granted Wyndham’s motion to certify that order for interlocutory appeal.

Wyndham maintains that the FTC lacks statutory authority to bring its complaint. The FTC insists it possesses long-established authority to protect consumers’ data from harms stemming from inadequate security.

Wyndham’s lawyer, Eugene Assaf of Kirkland & Ellis in Washington, D.C., referred a reporter’s question to a company spokesperson, who did not respond.

FTC staff lawyers James Trilling and Kristin Cohen did not return calls.

Contact the reporter at ctoutant@alm.com.