City of Chicago v. Marriott International, Inc.

United States District Court, D. Maryland, Southern Division

December 13, 2019



          Paul W. Grimm United States District Judge

         Pending before me is a Multidistrict Litigation (“MDL”) action against Marriott International, Inc. and related entities concerning a data breach incident. In re Marriott, No. PWG-19-2879. One of the Plaintiffs in the MDL is the City of Chicago (“Chicago” or “City”), which seeks relief under a local consumer protection ordinance “for harm and injuries arising from” Marriott's[1] data security incident. First Am. Compl. 1, ECF No. 294.[2]

         Before this Court is Marriott's motion to dismiss Chicago's first amended complaint (“FAC”). Defs.' Mot. to Dismiss, ECF No. 331. Marriott seeks to dismiss arguing that, as applied to this data breach, Chicago's local ordinance is unconstitutional under the Illinois Constitution. Id. at 6-8. The motion to dismiss the FAC is fully briefed, ECF Nos. 331-1, 384, 425. A hearing is not necessary. See Loc. R. 105.6. Chicago's ordinance is constitutional as applied to these facts because, as alleged, Chicago has standing to request an injunction and monitoring fund as relief for its own injuries. And under the facts pleaded in the FAC, the municipal ordinance under which Chicago has filed suit addresses a local problem, making it a legitimate exercise of the City's home rule authority as granted by the Illinois Constitution. Finally, in the event that Chicago establishes liability for breach of its ordinance, relief could be fashioned that would prevent the ordinance from having an extraterritorial effect. Therefore, the motion to dismiss is denied.

         Factual Background

         Marriott International, Inc. (“Marriott”) is a global hotel chain, operating more than 7,000 properties across 131 countries, including 33 hotels throughout the City of Chicago. First Am. Compl. ¶ 17. In 2016, Marriott acquired Starwood Hotels & Resorts Worldwide, LLC (“Starwood”), making Marriott the world's largest hotel chain. Id. ¶ 18.

         On November 30, 2018, Marriott announced that it was the subject of the second largest data breach in history. Id. ¶ 1. Marriott revealed that hackers had obtained access to the Starwood reservation database for four years, which it failed to detect until September 8, 2018. Id. ¶¶ 35-36. The breached database contained information about approximately 500 million guests. Id. ¶ 38. For an estimated 327 million guests, the compromised information includes some or all of the following personal information: full names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. Id. ¶ 39. Additionally, the hackers stole about 8.6 million guests' encrypted payment card numbers and expiration dates, and, possibly, the information needed to decrypt those numbers. Id. ¶ 43.

         On June 20, 2019, Chicago filed its first amended complaint against Marriott. Chicago contends that Marriott violated its municipal ordinance, MCC § 2-25-090(a), because it failed to protect Chicago residents' personal information, failed to detect the data breach promptly, inadequately responded to the breach, and failed to implement reasonable safeguards that would have prevented the breach and/or detected it sooner. Id. ¶¶ 83-86, 95. The City also alleges that Marriott mispresented to Chicago residents that it had reasonable security safeguards in place. Id. ¶¶ 100-02. Chicago alleges these acts or omissions occurred in the City, and that the breach affected Chicago residents, thus empowering the City to sue on its own and their behalf.

         Chicago states that it does not need to allege injury or causation to state a claim for violations of its Municipal Code. Id. ¶ 54. Nonetheless, the City alleges that Marriott injured Chicago residents, “who make reservations at Marriott properties from Chicago and stay in Marriott's Chicago hotels and throughout the country.” Id. Chicago alleges its residents have been injured in two ways: first, “had consumers known the truth about Marriott's data security practices . . . they would not have purchased rooms or otherwise stayed at Marriott hotels;” and second, “Marriott's misconduct has substantially increased the risk that the affected Marriott customers will be, or already have become, victims of identity theft or financial fraud.” Id. ¶¶ 60, 67.

         Chicago is seeking declaratory relief that Marriott violated MCC § 2-25-090(a); an injunction requiring Marriott “to adopt and implement reasonable safeguards to prevent, detect, and mitigate the effects of data breaches;” a monetary fine of up to $10,000 for each day a violation continues; a fund “to pay for adequate monitoring of this data breach, as well as for all precautions now necessary;” attorneys' fees and costs, pre- and post-judgment interest; and any other relief the Court deems reasonable. Id. at 28.

         Marriott moves to dismiss pursuant to Fed.R.Civ.P. 12(b)(1), arguing that the City of Chicago lacks standing. The Illinois Constitution permits “home-rule” units, like the City of Chicago, to regulate conduct that is of local concern, rather than statewide or national. Kalomidos v. Vill. of Morton Grove, 470 N.E.2d 266, 275 (Ill. 1984). Accordingly, Marriott also moves to dismiss pursuant to Fed.R.Civ.P. 12(b)(6), arguing that MCC § 2-25-090(a)'s application here is unconstitutional due to its extraterritorial effect and because it views the data breach as a national, as opposed to a local, problem. Defs.' Mem. 3.

         Standard of Review

         To survive a motion to dismiss, a complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). Specifically, Marriott must establish “facial plausibility” by pleading “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). However, “[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.” Id. I must accept the well pleaded facts as alleged in Chicago's complaint as true. See Aziz v. Alcolac, 658 F.3d 388, 390 (4th Cir. 2011). And, I must construe the factual allegations “in the light most favorable to [the] plaintiff.” Adcock v. Freightliner LLC, 550 F.3d 369, 374 (4th Cir. 2008) (quoting Battlefield Builders, Inc. v. Swango, 743 F.2d 1060, 1062 (4th Cir. 1984)).


         Chicago brings this law suit under § 2-25-090(a) of its Municipal Code, which forbids any person from engaging in “consumer fraud, unfair method[s] of competition, or deceptive practices[s] while conducting a trade or business within the city.” Chi. Ill. Mun. Code § 2-25-090(a). The Chicago code defines “unlawful practice” by reference to the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”). 815 Ill. Comp. Stat. 505/2 (1961); Id. In addition to the specific definitions of unlawful practices set forth in the ICFA, it also incorporates as prohibited conduct knowing violations of certain state statutes, including the Illinois Personal Information Protection Act (“IPIPA”). 815 Ill. Comp. Stat. 530/1 (2006). Chicago alleges that Marriott's data security practices were unfair, deceptive, and unlawful under its ordinance, the ICFA, and the IPIPA.

         Marriott argues that the action should be dismissed because: (1) Chicago lacks Article III standing to obtain the relief it seeks on behalf of Chicago residents; and (2) under the Illinois Constitution, application of MCC § 2-25-090(a) to the data breach is unconstitutional. Defs.' Mem. 3, ECF No. 331-1. Marriott's constitutional argument is twofold-that Chicago's ordinance in this context exceeds its home rule authority under the Illinois Constitution because it seeks to solve a statewide or national problem rather than one of local concern, and because it is attempting to regulate conduct beyond its borders. Id. at 4.

         Chicago Has Standing to Sue

         To satisfy constitutional standing requirements, a plaintiff must have suffered an “injury in fact,” that has a causal connection to the conduct complained of and can be “redressed by a favorable decision.” Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992). Article III standing must be found to exist before a court may address the merits. Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 94 (1998). Marriott challenges Chicago's standing to sue on behalf of its citizens because its alleged “injury in fact” is insufficient to obtain the injunctive and equitable relief it requests, specifically, requiring Marriott to implement reasonable security measures and requiring Marriott to create a fund that helps Chicago residents mitigate the impact of the data breach, respectively. Because Chicago has sufficiently alleged a concrete injury to its own proprietary interests, it has standing to sue.

         States may, under certain conditions, sue on behalf of their citizens. Massachusetts v. EPA, 549 U.S. 497 (2007). But this authority generally does not extend to subordinate governmental units, like counties or cities, to sue to vindicate the rights of their residents. Prince George's Cty. v. Levi, 79 F.R.D. 1, 4 (D. Md. 1977) (“However, this right enjoyed by the State of Maryland, to sue on behalf of its citizens does not give [Prince George's County] standing to represent its residents. The power of a political subdivision of a state is ‘derivative and not sovereign' and it may only sue to vindicate its own interests.”); see also Bd. of Supervisors of Fairfax Cty., Virginia v. United States, 408 F.Supp. 556 (E.D. Va. 1976) (holding that a county may not sue on behalf of its residents by exercising parens patriae authority).[3] For Chicago to have standing, it must rest upon its own injury-not its residents' injuries.

         Marriott argues that Chicago does not have standing to seek the injunctive and equitable relief it requested. Davis v. Fed. Election Comm'n, 554 U.S. 724, 734 (2008) (“a plaintiff must demonstrate standing separately . . . for each form of relief that is sought”) (internal quotation marks omitted); Defs.' Reply 11, ECF No. 425. Because municipalities, such as Chicago, cannot assert parens patriae standing, Marriott argues that Chicago cannot demand the above relief because they are both requested “not to address its own injuries but those of its residents.” Defs.' Mem., 13. Marriott contends that Chicago's effort to force it to adopt additional data security measures is intended to protect “its residents' personal information, not any information belonging to the city,” and that the monitoring fund is not meant to benefit Chicago, but to “mitigate a wave of identity theft and financial fraud it predicts will hit Chicago residents.” Id. at 14. Chicago counters that it is seeking to enforce its municipal code on its own behalf, and therefore it is not exercising parens patriae standing. Pl.'s Opp. 5.

         Both Chicago and Marriott cite a Ninth Circuit case that holds that a municipality must establish concrete injury to its proprietary interests to have standing. City of Sausalito v. O'Neil, 386 F.3d 1186, 1198 (9th Cir. 2004). There, the court explained that a municipality's proprietary interests may be “congruent with those of its citizens,” and gave examples of sufficient proprietary interests to confer standing: “its ability to enforce land-use and health regulations,” “its powers of revenue collections and taxation,” “protecting its natural resources,” and “land management.” Id. In that case, Sausalito sought to prevent the National Park Service from developing Fort Baker, a nearby former military base. Id. at 1194. The court held that Sausalito had alleged injury to its proprietary interest because the Fort Baker Plan, if implemented, would “result in detrimental increase in traffic and crowds . . . affecting public safety,” cause aesthetic injury with congestion, and would cause harm to “natural resources” with increased noise, trash, and impaired air quality that affect its “marina, parks, trails, and shoreline.” Id. at 1198-99.

         Chicago adequately has alleged injury to its municipal interests. It argues that, as applied to the facts alleged in the FAC, MCC § 2-25-090(a) protects its proprietary interests in the “tourism industry and dependent property and sales tax revenues” since Marriott operates hotels in Chicago, and that a decline in patronage at Marriott's hotels due to the data breach will diminish the revenue Chicago receives by way of hotel accommodation. Pl.'s Opp. 6 (quoting City of Sausalito, 386 F.3d at 1198). Chicago also alleged that “consumers place value in data privacy and security, and they consider that when making purchasing decisions,” and that consumers “would not have purchased rooms or otherwise stayed at Marriott hotels” if they had “known the truth about Marriott's data security practices.” First Am. Compl. ¶¶ 55, 59-60; Pl.'s Opp. 6-7. Therefore, the facts as pleaded (which must be taken as true at the motion to dismiss stage), plausibly alleged injury to Chicago's proprietary interests.[4]

         Chicago's Ordinance is a Valid Exercise of Home Rule Authority

         Preliminarily, Marriott challenges the application of MCC § 2-25-090(a) as applied to them on the basis that its enforcement is beyond the City's home rule authority, as granted by the Illinois Constitution, Article VII § 6 (1970) (hereinafter “1970 Constitution”). Adoption of Section 6 represented a dramatic shift in power between the State of Illinois and its local governments. City of Chicago v. StubHub, Inc., 979 N.E.2d 844, 850 (Ill. 2011) (“Under the 1870 Illinois Constitution, the balance of power between our state and local governments was heavily weighted towards the state. The 1970 Illinois Constitution drastically altered that balance, giving local governments more autonomy.”). A review of the opinions of the Illinois Supreme Court and Court of Appeals since 1970 reveals a progression in their analysis of the scope of the home rule authority of a “local unit” (city, or municipality), and, over time, that scope has broadened and become more refined. Id. at 852 (“Essentially, the framers saw our role [in restricting home rule authority] under section 6(a) as narrow, and over time we developed an analytical framework consistent with that view.”). Accordingly, care must be taken not to focus too narrowly on what may appear to be more restrictive statements about the scope of home rule authority in early court decisions, without keeping in mind later developments in the law that viewed that authority more expansively.

         In the course of nearly fifty years of analysis of home rule authority by Illinois courts, the following overview emerges. First, home rule authority was intended to be broad in scope, and it allows concurrent local and state regulation of the same problem, unless the Illinois General Assembly explicitly has preempted home rule authority or made findings in enacting legislation that make it clear that statewide, as opposed to local, authority to legislate was intended. Park Pet Shop, Inc. v. City of Chicago, 872 F.3d 495, 500 (7th Cir. 2017) (“In areas of concurrent authority, the Illinois Constitution expressly requires a clear statement from the state legislature to oust a municipality's home-rule power.”); Scadron v. City of Des Plaines, 606 N.E.2d 1154, 1158 (Ill. 1992) (Section 6(a) “was written with the intention that home rule units be given the broadest powers possible.”). Second, reviewing courts have been cautioned not to find implied preemption of home rule authority where neither the express language of state legislation nor its legislative history evidences the clear intent of the General Assembly to preempt local home rule units from regulating a particular problem. Park Pet Shop, Inc., 872 F.3d at 500 (holding home rule legislation valid where “[s]tate government never had an exclusive role in addressing animal control issues,” and “[n]o state animal-control statute explicitly ousts or limits Chicago's power to regulate in this area”); Blanchard v. Berrios, 72 N.E.3d 309, 318 (Ill. 2016) (“[S]ection 6 as a whole was intended to prevent implied preemption, or preemption by judicial interpretation.”). Third, as a general matter, local home rule units may not regulate beyond their borders. Accel Entm't Gaming, LLC v. Vill. of Elmwood Park, 46 N.E.3d 1151, 1160 (Ill. App. Ct. 2015) (holding that an ordinance requiring licensing of video game terminals was a valid exercise of home rule authority because “the Village's concern is not video-gaming regulation generally but regulation of video gaming within the boundaries of the Village”). And, finally, Illinois courts have acknowledged that determining whether home rule authority exists in a particular case may be hard to do at times, requiring case-by-case analysis of the underlying facts. StubHub, Inc., 979 N.E.2d at 851 ...
