First Amended Complaint For Injunctive And Other Equitable Relief [PDF – 22 Pages] 004270 1 120809wyndhamcmpt
User Manual: 004270-1
Open the PDF directly: View PDF 
.
Page Count: 23
| Download | |
| Open PDF In Browser | View PDF |
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 1 of 22
1
2
3
4
5
6
7
Willard K. Tom
General Counsel
Lisa Weintraub Schifferle (DC Bar No. 463928)
Kristin Krause Cohen (DC Bar No. 485946)
Kevin H. Moriarty (DC BarNo. 975904)
Katherine E. McCarron (DC Bar No. 486335)
John A. Krebs (MA Bar No. 633535)
Andrea V. Arias (DC Bar No.1 004270)
Federal Trade Commission
600 Pennsylvania Ave, NW Mail Stop NJ-8100
Washington, D.C. 20580
Facsimile: (202) 326-3062
E-mail: lschifferle@ftc.gov
Telephone: (202) 326-3377
8
Attorneys for Plaintiff Federal Trade Commission
9
10
IN THE UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF ARIZONA
11
12
Federal Trade Commission,
13
Plaintiff,
14
v.
15
16
)
)
)
)
)
)
)
Wyndham Worldwide Corporation, a Delaware )
corporation;
)
)
17
18
19
Wyndham Hotel Group, LLC, a Delaware
limited liability company;
)
)
)
Wyndham Hotels and Resorts, LLC, a Delaware)
limited liability company; and
)
)
20
Wyndham Hotel Management, Inc., a
Delaware Corporation,
21
Defendants.
22
)
)
)
)
)
No. CV 12-1365-PHXPGR
FIRST AMENDED
COMPLAINT FOR
INJUNCTIVE AND
OTHER EQUITABLE
RELIEF
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 2 of 22
1
2
Plaintiff, the Federal Trade Commission ("FTC"), for its Complaint alleges:
1.
The FTC brings this action under Section 13(b) of the Federal Trade
3
Commission Act ("FTC Act"), 15 U.S.C. § 53(b), to obtain permanent injunctive
4
relief and other equitable relief for Defendants' acts or practices in violation of
5
Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), in connection with Defendants'
6
failure to maintain reasonable and appropriate data security for consumers'
7
sensitive personal information.
8
2.
Defendants' failure to maintain reasonable security allowed intruders
9
to obtain unauthorized access to the computer networks of Wyndham Hotels and
10
Resorts, LLC, and several hotels franchised and managed by Defendants on three
11
separate occasions in less than two years. Defendants' security failures led to
12
fraudulent charges on consumers' accounts, more than $10.6 million in fraud loss,
13
and the export of hundreds of thousands of consumers' payment card account
14
information to a domain registered in Russia. In all three security breaches,
15
hackers accessed sensitive consumer data by compromising Defendants' Phoenix,
16
Arizona data center.
JURISDICTION AND VENUE
17
18
19
20
21
3.
This Court has subject matter jurisdiction pursuant to 28 U.S.C.
§§ 1331, 1337(a), and 1345, and 15 U.S.C. §§ 45(a) and 53(b).
4.
Venue is proper in this district under 28 U.S.C. § 1391(b), (c), and
15 U.S.C . § 53(b).
22
-2-
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 3 of 22
1
2
PLAINTIFF
5.
The FTC is an independent agency of the United States Government
3
created by statute. 15 U.S.C. §§ 41-58. The FTC enforces Section 5(a) of the
4
FTC Act, 15 U.S.C. § 45(a), which prohibits unfair or deceptive acts or practices
5
in or affecting commerce.
6
6.
The FTC is authorized to initiate federal district court proceedings,
7
by its own attorneys, to enjoin violations ofthe FTC Act and to secure such
8
equitable relief as may be appropriate in each case. 15 U.S.C. § 53(b).
DEFENDANTS
9
10
7.
Defendant Wyndham Worldwide Corporation ("Wyndham
11
Worldwide") is a Delaware corporation with its principal office or place of
12
business at 22 Sylvan Way, Parsippany, New Jersey 07054. At all times material
13
to this Complaint, Wyndham Worldwide has been in the hospitality business,
14
franchising and managing hotels throughout the United States. Wyndham
15
Worldwide transacts or has transacted business in this district and throughout the
16
United States. At all relevant times, it has controlled the acts and practices of its
17
subsidiaries described below and approved of or benefitted from such subsidiaries'
18
acts and practices at issue in this Complaint. See Exhibit A for an organizational
19
chart depicting the entities named as Defendants in this Complaint.
20
8.
Defendant Wyndham Hotel Group, LLC ("Hotel Group") is a
21
Delaware limited liability company with its principal office or place of business at
22
22 Sylvan Way, Parsippany, New Jersey 07054. Hotel Group operates a data
-3 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 4 of 22
1
center in Phoenix, Arizona (the "Phoenix data center") that it uses to store and
2
process payment card data, and the payment card data of some of its subsidiaries,
3
including Wyndham Hotels and Resorts, LLC. Hotel Group is a wholly-owned
4
subsidiary of Wyndham Worldwide, and through its subsidiaries it franchises and
5
manages approximately 7,000 hotels under twelve hotel brands, one of which is
6
the Wyndham brand. It transacts or has transacted business in this district and
7
throughout the United States. At all relevant times, Hotel Group has controlled
8
the acts and practices of its subsidiaries described below and approved of or
9
benefitted from such subsidiaries' acts and practices at issue in this Complaint.
10
9.
Defendant Wyndham Hotels and Resorts, LLC ("Hotels and
11
Resorts") is a Delaware limited liability company with its principal office or place
12
of business at 22 Sylvan Way, Parsippany, New Jersey 07054. Hotels and Resorts
13
is a wholly-owned subsidiary of Hotel Group. Throughout the relevant time
14
period, Hotels and Resorts has licensed the Wyndham name to independent hotels
15
through franchise agreements, and provided various services to those hotels,
16
including information technology services. At all times material to this
17
Complaint, Hotels and Resorts has licensed the Wyndham name to approximately
18
seventy-five independently-owned hotels under franchise agreements. Hotels and
19
Resorts transacts or has transacted business in this district and throughout the
20
United States, including franchising hotels located in Arizona. At all relevant
21
times, Hotel Group and Wyndham Worldwide have performed various business
22
functions on behalf of Hotels and Resorts, or overseen such business functions,
-4-
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 5 of 22
1
including legal assistance, human resources, finance, and information technology
2
and security. Hotel Group and Wyndham Worldwide controlled the acts and
3
practices of Hotels and Resorts that are at issue in this Complaint.
4
10.
Defendant Wyndham Hotel Management, Inc. ("Hotel
5
Management") is a Delaware corporation with its principal office or place of
6
business at 22 Sylvan Way, Parsippany, New Jersey 07054. Hotel Management is
7
also a wholly-owned subsidiary of Hotel Group. Like Hotels and Resorts, Hotel
8
Management licenses the Wyndham name to independently-owned hotels, but
9
does so under management agreements in which it agrees to fully operate the hotel
lOon behalf of the owner. At all times material to this Complaint, Hotel
11
Management has licensed the Wyndham name to approximately fifteen
12
independently-owned hotels under management agreements. Hotel Management
13
transacts or has transacted business in this district and throughout the United
14
States, including managing at least one hotel in Arizona. At all relevant times,
15
Hotel Group and Wyndham Worldwide have performed various business
16
functions on Hotel Management's behalf, or overseen such business functions,
17
including legal assistance and information technology and security. Hotel Group
18
and Wyndham Worldwide controlled the acts and practices of Hotel Management
19
that are at issue in this Complaint.
20
11.
Defendants Wyndham Worldwide, Hotel Group, Hotels and Resorts,
21
and Hotel Management have operated as a common business enterprise while
22
engaging in the unfair and deceptive acts and practices alleged in this Complaint.
-5-
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 6 of 22
1
Defendants have conducted their business practices described below through an
2
interrelated network of companies that have common ownership, business
3
functions, employees, and office locations. Because these Defendants have
4
operated as a common enterprise, they are jointly and severally liable for the
5
unfair and deceptive acts and practices alleged below.
6
7
COMMERCE
12.
At all times material to this Complaint, Defendants have maintained
8
a substantial course of trade in or affecting commerce, as "commerce" is defined
9
in Section 4 ofthe FTC Act, 15 U.S.C. § 44.
10
DEFENDANTS' BUSINESS ACTIVITIES
11
Defendants' Business Structure
12
13.
Wyndham Worldwide is a hospitality business that, through its
13
subsidiaries, franchises and manages hotels and sells timeshares. It conducts its
14
business through three subsidiaries, including Hotel Group. At all times relevant
15
to this Complaint, Hotel Group's wholly-owned subsidiaries, Hotels and Resorts
16
and Hotel Management, licensed the Wyndham brand name to approximately
17
ninety independently-owned hotels under franchise or management agreements
18
(collectively hereinafter "Wyndham-branded hotels").
19
20
Defendants' Network Infrastructure
14.
Throughout the relevant time period, Wyndham Worldwide has been
21
responsible for creating information security policies for itself and its subsidiaries,
22
including Hotel Group and Hotels and Resorts, as well as providing oversight of
-6-
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 7 of 22
1
their information security programs. From at least 2008 until approximately June
2
2009, Hotel Group had responsibility for managing Hotels and Resorts'
3
information security program. In June 2009, Wyndham Worldwide took over
4
management and responsibility for Hotels and Resorts' information security
5
program.
6
15.
Under their franchise and management agreements, Hotels and
7
Resorts and Hotel Management require each Wyndham-branded hotel to purchase,
8
and configure to their specifications, a designated computer system, known as a
9
property management system, that handles reservations, checks guests in and out,
10
assigns rooms, manages room inventory, and handles payment card transactions.
11
These property management systems store personal information about consumers,
12
including names, addresses, email addresses, telephone numbers, payment card
13
account numbers, expiration dates, and security codes (hereinafter "personal
14
information").
15
16.
The property management systems for all Wyndham-branded hotels,
16
including those managed by Hotel Management, are part of Hotels and Resorts'
17
computer network, and are linked to its corporate network, much of which is
18
located in the Phoenix data center. Hotels and Resorts' corporate network
19
includes its central reservation system, which coordinates reservations across the
20
Wyndham brand.
21
17.
22
Each Wyndham-branded hotel's property management system is
managed by Defendants. Only Defendants, and not the owners of the Wyndham-7-
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 8 of 22
1
branded hotels, have administrator access that allows Defendants to control the
2
property management systems at the hotels. Defendants set the rules, including all
3
password requirements, that allow the Wyndham-branded hotels' employees to
4
access their property management systems.
5
18.
Defendants have even more direct control over the computer
6
networks of the Wyndham-branded hotels managed by Hotel Management. Hotel
7
Management controls the "operation" of those hotels pursuant to its management
8
agreements, including their information technology and security functions and the
9
hiring of employees to administer the hotels' computer networks.
10
19.
The owners of the Wyndham-branded hotels pay Defendants fees to
11
support their property management systems and to connect them to Hotels and
12
Resorts' computer network. Defendants' technical support team is responsible for
13
addressing and resolving any technical issues that a Wyndham-branded hotel has
14
with its property management system. As explained further below, Defendants'
15
information security failures led to the compromise of many of the Wyndham-
16
branded-hotels' property management system servers, resulting in the exposure of
17
thousands of consumers' payment card accounts.
18
19
DEFENDANTS' DECEPTIVE STATEMENTS
20.
Hotels and Resorts operates a website where consumers can make
20
reservations at any Wyndham-branded hotel. In addition, some Wyndham-
21
branded hotels operate their own individual websites, which describe the
22
individual hotel and its amenities. Customers making reservations from a
-8-
1
Wyndham-branded hotel's individual website are directed back to Hotels and
2
Resorts' website to make the reservation.
3
21.
Since at least 2008, Defendants have disseminated, or caused to be
4
disseminated, privacy policies or statements on their website to their customers
5
and potential customers. These policies or statements include, but are not limited
6
to, the following statement regarding the privacy and confidentiality of personal
7
information, disseminated on the Hotels and Resorts' website:
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
... We recognize the importance of protecting the privacy of
individual-specific (personally identifiable) information
collected about guests, callers to our central reservation
centers, visitors to our Web sites, and members participating
in our Loyalty Programs (collectively 'Customers') ....
This policy applies to residents of the United States, hotels
of our Brands located in the United States, and Loyalty
Program activities in the United States only ....
We safeguard our Customers' personally identifiable
information by using industry standard practices. Although
"guaranteed security" does not exist either on or off the
Internet, we make commercially reasonable efforts to make
our collection of such Information consistent with all
applicable laws and regulations. Currently, our Web sites
utilize a variety of different security measures designed to
protect
personally
identifiable
information
from
unauthorized access by users both inside and outside of our
company, including the use of 128-bit encryption based on a
Class 3 Digital Certificate issued by Veri sign Inc. This
allows for utilization of Secure Sockets Layer, which is a
method for encrypting data. This protects confidential
information - such as credit card numbers, online forms, and
financial data - from loss, misuse, interception and hacking.
We take commercially reasonable efforts to create and
maintain "fire walls" and other appropriate safeguards to
ensure that to the extent we control the Information, the
Information is used only as authorized by us and consistent
-9-
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 10 of 22
1
with this Policy, and that the Information is not improperly
altered or destroyed.
2
22.
There is a link to this privacy policy on each page of the Hotels and
3
Resorts' website, including its reservations page.
4
23.
Although this statement is disseminated on the Hotels and Resorts'
5
website, it states that it is the privacy policy of Hotel Group.
6
DEFENDANTS' INADEQUATE DATA SECURITY PRACTICES
7
24.
Since at least April 2008, Defendants failed to provide reasonable
8
and appropriate security for the personal information collected and maintained by
9
Hotels and Resorts, Hotel Management, and the Wyndham-branded hotels, by
10
engaging in a number of practices that, taken together, unreasonably and
11
unnecessarily exposed consumers' personal data to unauthorized access and theft.
12
Among other things, Defendants:
13
a.
failed to use readily available security measures to limit
14
access between and among the Wyndham-branded hotels'
15
property management systems, the Hotels and Resorts'
16
corporate network, and the Internet, such as by employing
17
firewalls;
18
b.
allowed software at the Wyndham-branded hotels to be
19
configured inappropriately, resulting in the storage of
20
payment card information in clear readable text;
21
c.
failed to ensure the Wyndham-branded hotels implemented
22
-10 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 11 of 22
1
adequate information security policies and procedures prior to
2
connecting their local computer networks to Hotels and
3
Resorts' computer network;
4
d.
failed to remedy known security vulnerabilities on Wyndham-
5
branded hotels' servers that were connected to Hotels and
6
Resorts' computer network, thereby putting personal
7
information held by Defendants and the other Wyndham-
8
branded hotels at risk. For example, Defendants permitted
9
Wyndham-branded hotels to connect insecure servers to the
10
Hotels and Resorts' network, including servers using outdated
11
operating systems that could not receive security updates or
12
patches to address known security vulnerabilities;
13
e.
allowed servers to connect to Hotels and Resorts' network,
14
despite the fact that well-known default user IDs and
15
passwords were enabled on the servers, which were easily
16
available to hackers through simple Internet searches;
17
f.
failed to employ commonly-used methods to require user IDs
18
and passwords that are difficult for hackers to guess.
19
Defendants did not require the use of complex passwords for
20
access to the Wyndham-branded hotels' property
21
management systems and allowed the use of easily guessed
22
passwords. For example, to allow remote access to a hotel's
- 11-
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 12 of 22
1
property management system, which was developed by
2
software developer Micros Systems, Inc., Defendants used
3
the phrase "micros" as both the user ID and the password;
4
g.
failed to adequately inventory computers connected to the
5
Hotels and Resorts' network so that Defendants could
6
appropriately manage the devices on its network;
h.
7
failed to employ reasonable measures to detect and prevent
8
unauthorized access to Defendants' computer network or to
9
conduct security investigations;
10
1.
failed to follow proper incident response procedures,
11
including failing to monitor Hotels and Resorts' computer
12
network for malware used in a previous intrusion; and
13
J.
failed to adequately restrict third-party vendors' access to
14
Hotels and Resorts' network and the Wyndham-branded
15
hotels' property management systems, such as by restricting
16
connections to specified IP addresses or granting temporary,
17
limited access, as necessary.
18
INTRUSIONS INTO DEFENDANTS' COMPUTER NETWORK
19
25.
As a result of the failures described above, between April 2008 and
20
January 2010, intruders were able to gain unauthorized access to Hotels and
21
Resorts' computer network, including the Wyndham-branded hotels' property
22
management systems, on three separate occasions. The intruders used similar
-12 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 13 of 22
1
techniques on each occasion to access personal information stored on the
2
Wyndham-branded hotels' property management system servers, including
3
customers' payment card account numbers, expiration dates, and security codes.
4
After discovering each of the first two breaches, Defendants failed to take
5
appropriate steps in a reasonable time frame to prevent the further compromise of
6
the Hotels and Resorts' network.
7
8
m~B~~
26.
In April 2008, intruders first gained access to a Phoenix, Arizona
9
Wyndham-branded hotel's local computer network that was connected to the
10
Internet. The hotel's local network was also connected to Hotels and Resorts'
11
network through the hotel's property management system. Using this access, in
12
May 2008, the intruders attempted to compromise an administrator account on the
13
Hotels and Resorts' network by guessing multiple user IDs and passwords -
14
known as a brute force attack.
15
27.
This brute force attack caused multiple user account lockouts over
16
several days, including one instance in which 212 user accounts were locked out,
17
before the intruders were ultimately successful. Account lockouts occur when a
18
user inputs an incorrect password multiple times, and are a well-known warning
19
sign that a computer network is being attacked. Defendants did not have an
20
adequate inventory of the Wyndham-branded hotels' computers connected to its
21
network, and, therefore, although they were able to determine that the account
22
lockouts were coming from two computers on Hotels and Resorts' network, they
-13 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 14 of 22
1
were unable to physically locate those computers. As a result, Defendants did not
2
determine that the Hotels and Resorts' network had been compromised until
3
almost four months later.
4
28.
The intruders' brute force attack led to the compromise of an
5
administrator account on the Hotels and Resorts' network. Because Defendants
6
did not appropriately limit access between and among the Wyndham-branded
7
hotels' property management systems, the Hotels and Resorts' own corporate
8
network, and the Internet - such as through the use of frrewalls - once the
9
intruders had access to the administrator account, they were able to gain unfettered
10
access to the property management system servers of a number of hotels.
11
29.
Additionally, the Phoenix hotel's property management system
12
server was using an operating system that its vendor had stopped supporting,
13
including providing security updates and patch distribution, more than three years
14
prior to the intrusion. Defendants were aware the hotel was using this unsupported
15
and insecure server, yet continued to allow it to connect to Hotels and Resorts'
16
computer network.
17
30.
In this frrst breach, the intruders installed memory-scraping malware
18
on numerous Wyndham-branded hotels' property management system servers,
19
thereby accessing payment card data associated with the authorization of payment
20
card transactions that was present temporarily on the hotels' servers.
21
22
31.
In addition, the intruders located files on some of the Wyndham-
branded hotels' property management system servers that contained payment card
-14 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 15 of 22
1
account infonnation for large numbers of consumers, stored in clear readable text.
2
These files were created and stored in clear text because Defendants had allowed
3
the property management systems to be configured inappropriately to create these
4
files and store the payment card infonnation that way.
5
32.
As a result of Defendants' unreasonable data security practices,
6
intruders were able to gain unauthorized access to the Hotels and Resorts'
7
corporate network, and the property management system servers of forty-one
8
Wyndham-branded hotels - twelve managed by Hotel Management and twenty-
9
nine franchisees of Hotels and Resorts. This resulted in the compromise of more
10
than 500,000 payment card accounts, and the export of hundreds of thousands of
11
consumers' payment card account numbers to a domain registered in Russia.
12
13
Second Breach
33.
In March 2009, approximately six months after Defendants
14
discovered the first breach, intruders were able again to gain unauthorized access
15
to the Hotels and Resorts' network, this time through a service provider's
16
administrator account in the Phoenix data center.
17
34.
In May 2009, Defendants learned that several Wyndham-branded
18
hotels had received complaints from consumers about fraudulent charges made to
19
their payment card accounts after using those cards to pay for stays at Wyndham-
20
branded hotels. At that point, Defendants searched Hotels and Resorts' network
21
for the memory-scraping malware used in the previous attack, and found it on the
22
property management system servers of more than thirty Wyndham-branded
- 15 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 16 of 22
1
hotels. As a result of Defendants' failure to monitor Hotels and Resorts' network
2
for the malware used in the previous attack, hackers had unauthorized access to
3
the Hotels and Resorts' network for approximately two months.
4
35.
In addition to again using memory-scraping malware to access
5
personal information, in this second breach the intruders reconfigured software at
6
the Wyndham-branded hotels to cause their property management systems to
7
create clear text files containing the payment card account numbers of guests using
8
their payment cards at the hotels.
9
36.
Ultimately, the intruders exploited Defendants' data security
10
vulnerabilities to gain access to the Hotels and Resorts' network and the property
11
management system servers ofthirty-nine Wyndham-branded hotels - nine of
12
which were managed by Hotel Management and thirty franchisees of Hotels and
13
Resorts. In this second incident, the intruders were able to access information for
14
more than 50,000 consumer payment card accounts and use that information to
15
make fraudulent charges on consumers' accounts.
16
17
Third Breach
37.
In late 2009, intruders again compromised an administrator account
18
on Hotels and Resorts' network. Because Defendants had still not adequately
19
limited access between and among the Wyndham-branded hotels' property
20
management systems, Hotels and Resorts' corporate network, and the Internet-
21
such as through the use of firewalls - once the intruders had access to this
22
administrator account they were able again to access multiple Wyndham-branded
- 16 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 17 of 22
1
hotels' property management system servers. As in the previous attacks, the
2
intruders installed memory-scraping malware to access payment card account
3
information held at the Wyndham-branded hotels.
4
38.
Again, Defendants did not detect this intrusion themselves, but
5
rather learned of the breach from a credit card issuer. The credit card issuer
6
contacted Defendants in January 2010, and indicated that the account numbers of
7
credit cards it had issued were used fraudulently shortly after its customers used
8
their credit cards to pay for stays at Wyndham-branded hotels.
9
39.
As a result of Defendants' security failures, in this instance,
10
intruders compromised Hotels and Resorts' corporate network and the property
11
management system servers of twenty-eight Wyndham-branded hotels - eight
12
managed by Hotel Management and twenty franchisees of Hotels and Resorts. As
13
a result of this third incident, the intruders were able to access information for
14
approximately 69,000 consumer payment card accounts and again make fraudulent
15
purchases on those accounts.
16
17
Total Impact of Breaches
40.
Defendants' failure to implement reasonable and appropriate
18
security measures exposed consumers' personal information to unauthorized
19
access, collection, and use. Such exposure of consumers' personal information
20
has caused and is likely to cause substantial consumer injury, including financial
21
injury, to consumers and businesses. For example, Defendants' failure to
22
implement reasonable and appropriate security measures resulted in the three data
-17 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 18 of 22
1
breaches described above, the compromise of more than 619,000 consumer
2
payment card account numbers, the exportation of many of those account numbers
3
to a domain registered in Russia, fraudulent charges on many consumers'
4
accounts, and more than $10.6 million in fraud loss. Consumers and businesses
5
suffered financial injury, including, but not limited to, unreimbursed fraudulent
6
charges, increased costs, and lost access to funds or credit. Consumers and
7
businesses also expended time and money resolving fraudulent charges and
8
mitigating subsequent harm.
VIOLATIONS OF THE FTC ACT
9
10
11
12
13
14
41.
Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits "unfair or
deceptive acts or practices in or affecting commerce."
42.
Misrepresentations or deceptive omissions of material fact constitute
deceptive acts or practices prohibited by Section 5(a) of the FTC Act.
43.
Acts or practices are unfair under Section 5 ofthe FTC Act if they
15
cause or are likely to cause substantial injury to consumers that consumers cannot
16
reasonably avoid themselves and that is not outweighed by countervailing benefits
17
to consumers or competition. 15 U.S.C. § 45(n).
18
Count I
19
Deception
20
44.
In numerous instances through the means described in Paragraph 21,
21
in connection with the advertising, marketing, promotion, offering for sale, or sale
22
of hotel services, Defendants have represented, directly or indirectly, expressly or
-18 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 19 of 22
1
by implication, that they had implemented reasonable and appropriate measures to
2
protect personal information against unauthorized access.
3
45.
In truth and in fact, in numerous instances in which Defendants have
4
made the representations set forth in Paragraph 44 of this Complaint, Defendants
5
did not implement reasonable and appropriate measures to protect personal
6
information against unauthorized access.
7
46.
Therefore, Defendants' representations as set forth in Paragraph 44
8
of this Complaint are false or misleading and constitute deceptive acts or practices
9
in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).
10
Count II
11
Unfairness
12
47.
In numerous instances Defendants have failed to employ reasonable
13
and appropriate measures to protect personal information against unauthorized
14
access.
15
48.
Defendants' actions caused or are likely to cause substantial injury
16
to consumers that consumers cannot reasonably avoid themselves and that is not
17
outweighed by countervailing benefits to consumers or competition.
18
49.
Therefore, Defendants' acts and practices as described in Paragraph
19
47 above constitute unfair acts or practices in violation of Section 5 of the FTC
20
Act, 15 U.S.C. §§ 45(a) and 45(n).
21
22
-19 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 20 of 22
CONSUMER INJURY
1
2
50.
Consumers have suffered and will continue to suffer substantial
3
ipjury as a result of Defendants' violations of the FTC Act. In addition,
4
Defendants have been unjustly enriched as a result of their unlawful acts or
5
practices. Absent injunctive relief by this Court, Defendants are likely to continue
6
to injure consumers, reap unjust enrichment, and harm the public interest.
7
8
THIS COURT'S POWER TO GRANT RELIEF
51.
Section 13(b) ofthe FTC Act, 15 U.S.C. § 53(b), empowers this
9
Court to grant injunctive and such other relief as the Court may deem appropriate
10
to halt and redress violations of any provision of law enforced by the FTC. The
11
Court, in the exercise of its equitable jurisdiction, may award ancillary relief,
12
including rescission or reformation of contracts, restitution, the refund of monies
13
paid, and the disgorgement of ill-gotten monies, to prevent and remedy any
14
violation of any provision of law enforced by the FTC.
PRA YER FOR RELIEF
15
16
Wherefore, Plaintiff FTC, pursuant to Section 13(b) of the FTC Act, 15
17
U.S.C. § 53(b), and the Court's own equitable powers, requests that the Court:
18
19
20
A.
Enter a permanent injunction to prevent future violations of the FTC
Act by Defendants;
B.
Award such relief as the Court fmds necessary to redress injury to
21
consumers resulting from Defendants' violations of the FTC Act, including but not
22
limited to, rescission or reformation of contracts, restitution, the refund of monies
- 20-
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 21 of 22
1
2
3
paid, and the disgorgement of ill-gotten monies; and
C.
Award Plaintiff the costs of bringing this action, as well as such
other and additional relief as the Court may determine to be just and proper.
4
5
Respectfully submitted,
6
Willard K. Tom
General Counsel
7
Dated: August 9, 2012
8
9
10
11
12
13
14
15
Kristin Krause Cohen
Kevin H. Moriarty
Katherine E. McCarron
John A. Krebs
Andrea V. Arias
Federal Trade Commission
600 Pennsylvania Ave
N.W. Mail Stop NJ-8100
Washington, D.C. 20580
Facsimile: (202) 326-3062
E-mail: Ischiffede@ftc.gov
Telephone: (202) 326-3377
Attorneys for Plaintiff
Federal Trade Commission
16
17
18
19
20
21
22
- 21 -
Case 2:12-cv-01365-PGR Document 28 Filed 08/09/12 Page 22 of 22
1
2
3
4
5
6
7
CERTIFICATE OF SERVICE
I hereby certify that on August 9,2012, I electronically transmitted the attached
document to the Clerk's Office using the CMlECF System for filing and
transmittal of a Notice of Electronic Filing to the following CMlECF registrants:
Eugene F. Assaf, Esq. eassaf@kirkland.com
K. Wynn Allen, Esq. winn.allen@kirkland.com
Douglas H. Meal, Esq. douglas.meal@ropesgray.com
Anne M. Chapman, Esq. achapman@omlaw.com
David B. Rosenbaum, Esq .. drosenbaum@omlaw.com
Attorneys for Defendants, Wyndham Worldwide Corporation, et al.
8
sf
9
10
11
12
13
14
15
16
17
18
19
20
21
22
- 22-
Lisa W. Schifferle
Case 2:12-cv-01365-PGR Document 28-1 Filed 08/09/12 Page 1 of 1
EXHIBIT A
Defendants’ Corporate Structure
Wyndham Worldwide Corporation
(Wyndham Worldwide)
Wyndham Hotel Group
(Hotel Group)
Wyndham Hotels and Resorts
(Hotels and Resorts)
Wyndhambranded hotels
under franchise
agreements
Wyndham Hotel Management
(Hotel Management)
Wyndham-branded
hotels under
management
agreements
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.6 Linearized : Yes Author : FTC Create Date : 2012:10:16 17:40:57-04:00 Keywords : First, Amended, Complaint, for, Injunctive, and, Other, Equitable, Relief, [PDF, –, 22, pages] Modify Date : 2012:10:16 17:40:57-04:00 Language : en XMP Toolkit : Adobe XMP Core 4.2.1-c043 52.372728, 2009/01/18-15:08:04 Format : application/pdf Title : First Amended Complaint for Injunctive and Other Equitable Relief [PDF – 22 pages] Description : First Amended Complaint for Injunctive and Other Equitable Relief [PDF – 22 pages] Creator : FTC Subject : First Amended Complaint for Injunctive and Other Equitable Relief [PDF – 22 pages] Metadata Date : 2012:10:16 17:40:57-04:00 Document ID : uuid:6822da4b-5253-41a1-b6ae-49bec91748b8 Instance ID : uuid:46b9d2ad-cc63-47b5-9c54-746f92ef0f92 Page Count : 23EXIF Metadata provided by EXIF.tools