For the past two years, a federal court in New Jersey has considered important data security issues in the FTC v. Wyndham Worldwide Corp. litigation. Two recent opinions issued by the court now have brought that case back into the news—and made clear that the stakes are as high as ever.
Interlocutory Appeal to the Third Circuit
First, over the Federal Trade Commission’s (FTC’s) opposition, the district court certified an interlocutory appeal to the Third Circuit regarding its earlier denial of Wyndham’s motion to dismiss. Specifically, the district court certified two questions of law for appellate review: (i) whether the FTC has the authority under Section 5 of the FTC Act to pursue an unfairness claim involving data security; and (ii) whether the FTC must formally promulgate regulations before bringing such an unfairness claim. The question now becomes whether the Third Circuit will grant permission to appeal and thereby allow appellate consideration of the use of “unfairness” actions under Section 5 of the FTC Act to police private-sector data security standards.
The Common-Enterprise Theory
Second, the district court denied a separate motion in which various corporations within the Wyndham family had sought dismissal of the action because the complaint addressed only the alleged conduct of a distinct Wyndham corporate entity. While this opinion is not the subject of the interlocutory appeal, it nonetheless has very significant implications for data security practices and other matters the FTC seeks to regulate through enforcement.
It is a bedrock principle that a parent corporation is not liable for the acts of its subsidiaries. The law recognizes only very limited exceptions to this rule. Indeed, as countless courts have explained—including the US Supreme Court in United States v. Bestfoods—the “corporate veil” generally will be pierced only when “the corporate form would otherwise be misused to accomplish certain wrongful purposes, most notably fraud, on the shareholder’s behalf.” That rule has particular force when, as in Bestfoods, Congress has not spoken to the contrary: courts should not assume that “the entire corpus of state corporation law is to be replaced simply because a plaintiff’s cause of action is based upon a federal statute.”
To escape this general rule, the FTC invoked the “common enterprise” doctrine, which has been “developed” (according to the FTC) in FTC enforcement actions and is largely based in pre-Bestfoods case law and a scattershot of federal district court opinions. This doctrine can be understood in one of two ways: (i) as a gloss on the FTC Act that replaces the veil-piercing test under state corporate law—and thus, in our view, conflicts with Bestfoods—or (ii) as a test for evaluating whether the parent company itself directly participated in the alleged misconduct and thus is subject to liability independent of any veil piercing—a theory that is arguably consistent with Bestfoods, but would impose a standard that is very difficult for the plaintiff to meet.
The district court’s opinion provides little guidance as to which theory controlled the outcome. In support of the first theory, it cites decisions that speak of “disregard[ing]” the “corporate entity,” but then asserts that the common enterprise inquiry “is not an alter ego analysis.” It also relies on allegations by the FTC that are consistent with either theory. For example, the opinion cites allegations that the defendants operated “an interrelated network of companies that have common ownership, business functions, employees, and office locations” (i.e., suggesting an alter-ego theory). At the same time, however, the opinion cites allegations by the FTC that the parent company itself “has been responsible for creating information security policies for itself and its subsidiaries” and for “providing oversight of their information security programs” (i.e., suggesting a direct participation theory rather than a veil-piercing approach).
This lack of clarity makes it easier for FTC actions to survive motions to dismiss. On the one hand, a theory that supplants state corporate law would contradict Bestfoods’ rule against assuming that Congress silently overruled fundamental principles of state corporate law. On the other hand, a theory based exclusively on the actions of a parent company would require pleading and proof based exclusively on that specific company’s actions. Observers may wonder whether, by relying instead on a blurry common enterprise theory, the FTC seeks to allege a range of misconduct, generally assert that various corporate entities were involved, and then move on to discovery and trial with maximum leverage.
Speculation aside, neither the text of the FTC Act nor longstanding principles of corporate law support providing the FTC such an advantage at the pleading stage. More important, this approach does not make for good data security policy. Information sharing and informed risk management are widely recognized as keys to effective data security. Public policy should encourage related corporations to share threat information among one another, as well as to establish and maintain consistently high data security standards within a corporate family. But the threat of an FTC enforcement action that will use any such collaboration as a basis for piercing the corporate veil—in effect, if not in name—will surely chill effective coordination and cooperation on data security practices. The predictable effect will be that corporate affiliates hesitate to talk to each other about data security, with greater vulnerability the perverse result.