United States District Court, D. Maryland, Southern Division
MEMORANDUM OPINION AND ORDER
W. Grimm United States District Judge
before me is a Multidistrict Litigation (“MDL”)
action against Marriott International, Inc. and related
entities concerning a data breach incident. In re
Marriott, No. PWG-19-2879. One of the Plaintiffs in the
MDL is the City of Chicago (“Chicago” or
“City”), which seeks relief under a local
consumer protection ordinance “for harm and injuries
arising from” Marriott's data security incident.
First Am. Compl. 1, ECF No. 294.
this Court is Marriott's motion to dismiss Chicago's
first amended complaint (“FAC”). Defs.' Mot.
to Dismiss, ECF No. 331. Marriott seeks to dismiss arguing
that, as applied to this data breach, Chicago's local
ordinance is unconstitutional under the Illinois
Constitution. Id. at 6-8. The motion to dismiss the
FAC is fully briefed, ECF Nos. 331-1, 384, 425. A hearing is
not necessary. See Loc. R. 105.6. Chicago's
ordinance is constitutional as applied to these facts
because, as alleged, Chicago has standing to request an
injunction and monitoring fund as relief for its own
injuries. And under the facts pleaded in the FAC, the
municipal ordinance under which Chicago has filed suit
addresses a local problem, making it a legitimate exercise of
the City's home rule authority as granted by the Illinois
Constitution. Finally, in the event that Chicago establishes
liability for breach of its ordinance, relief could be
fashioned that would prevent the ordinance from having an
extraterritorial effect. Therefore, the motion to dismiss is
International, Inc. (“Marriott”) is a global
hotel chain, operating more than 7, 000 properties across 131
countries, including 33 hotels throughout the City of
Chicago. First Am. Compl. ¶ 17. In 2016, Marriott
acquired Starwood Hotels & Resorts Worldwide, LLC
(“Starwood”), making Marriott the world's
largest hotel chain. Id. ¶ 18.
November 30, 2018, Marriott announced that it was the subject
of the second largest data breach in history. Id.
¶ 1. Marriott revealed that hackers had obtained access
to the Starwood reservation database for four years, which it
failed to detect until September 8, 2018. Id.
¶¶ 35-36. The breached database contained
information about approximately 500 million guests.
Id. ¶ 38. For an estimated 327 million guests,
the compromised information includes some or all of the
following personal information: full names, mailing
addresses, phone numbers, email addresses, passport numbers,
Starwood Preferred Guest account information, dates of birth,
gender, arrival and departure information, reservation dates,
and communication preferences. Id. ¶ 39.
Additionally, the hackers stole about 8.6 million guests'
encrypted payment card numbers and expiration dates, and,
possibly, the information needed to decrypt those numbers.
Id. ¶ 43.
20, 2019, Chicago filed its first amended complaint against
Marriott. Chicago contends that Marriott violated its
municipal ordinance, MCC § 2-25-090(a), because it
failed to protect Chicago residents' personal
information, failed to detect the data breach promptly,
inadequately responded to the breach, and failed to implement
reasonable safeguards that would have prevented the breach
and/or detected it sooner. Id. ¶¶ 83-86,
95. The City also alleges that Marriott mispresented to
Chicago residents that it had reasonable security safeguards
in place. Id. ¶¶ 100-02. Chicago alleges
these acts or omissions occurred in the City, and that the
breach affected Chicago residents, thus empowering the City
to sue on its own and their behalf.
states that it does not need to allege injury or causation to
state a claim for violations of its Municipal Code.
Id. ¶ 54. Nonetheless, the City alleges that
Marriott injured Chicago residents, “who make
reservations at Marriott properties from Chicago and stay in
Marriott's Chicago hotels and throughout the
country.” Id. Chicago alleges its residents
have been injured in two ways: first, “had consumers
known the truth about Marriott's data security practices
. . . they would not have purchased rooms or otherwise stayed
at Marriott hotels;” and second, “Marriott's
misconduct has substantially increased the risk that the
affected Marriott customers will be, or already have become,
victims of identity theft or financial fraud.”
Id. ¶¶ 60, 67.
is seeking declaratory relief that Marriott violated MCC
§ 2-25-090(a); an injunction requiring Marriott
“to adopt and implement reasonable safeguards to
prevent, detect, and mitigate the effects of data
breaches;” a monetary fine of up to $10, 000 for each
day a violation continues; a fund “to pay for adequate
monitoring of this data breach, as well as for all
precautions now necessary;” attorneys' fees and
costs, pre- and post-judgment interest; and any other relief
the Court deems reasonable. Id. at 28.
moves to dismiss pursuant to Fed.R.Civ.P. 12(b)(1), arguing
that the City of Chicago lacks standing. The Illinois
Constitution permits “home-rule” units, like the
City of Chicago, to regulate conduct that is of local
concern, rather than statewide or national. Kalomidos v.
Vill. of Morton Grove, 470 N.E.2d 266, 275 (Ill. 1984).
Accordingly, Marriott also moves to dismiss pursuant to
Fed.R.Civ.P. 12(b)(6), arguing that MCC §
2-25-090(a)'s application here is unconstitutional due to
its extraterritorial effect and because it views the data
breach as a national, as opposed to a local, problem.
Defs.' Mem. 3.
survive a motion to dismiss, a complaint must contain
“a short and plain statement of the claim showing that
the pleader is entitled to relief.” Fed.R.Civ.P.
8(a)(2). Specifically, Marriott must establish “facial
plausibility” by pleading “factual content that
allows the court to draw the reasonable inference that the
defendant is liable for the misconduct alleged.”
Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009).
However, “[t]hreadbare recitals of the elements of a
cause of action, supported by mere conclusory statements, do
not suffice.” Id. I must accept the well
pleaded facts as alleged in Chicago's complaint as true.
See Aziz v. Alcolac, 658 F.3d 388, 390 (4th Cir.
2011). And, I must construe the factual allegations “in
the light most favorable to [the] plaintiff.”
Adcock v. Freightliner LLC, 550 F.3d 369, 374 (4th
Cir. 2008) (quoting Battlefield Builders, Inc. v.
Swango, 743 F.2d 1060, 1062 (4th Cir. 1984)).
brings this law suit under § 2-25-090(a) of its
Municipal Code, which forbids any person from engaging in
“consumer fraud, unfair method[s] of competition, or
deceptive practices[s] while conducting a trade or business
within the city.” Chi. Ill. Mun. Code § 2-25-
090(a). The Chicago code defines “unlawful
practice” by reference to the Illinois Consumer Fraud
and Deceptive Business Practices Act (“ICFA”).
815 Ill. Comp. Stat. 505/2 (1961); Id. In addition
to the specific definitions of unlawful practices set forth
in the ICFA, it also incorporates as prohibited conduct
knowing violations of certain state statutes, including the
Illinois Personal Information Protection Act
(“IPIPA”). 815 Ill. Comp. Stat. 530/1 (2006).
Chicago alleges that Marriott's data security practices
were unfair, deceptive, and unlawful under its ordinance, the
ICFA, and the IPIPA.
argues that the action should be dismissed because: (1)
Chicago lacks Article III standing to obtain the relief it
seeks on behalf of Chicago residents; and (2) under the
Illinois Constitution, application of MCC § 2-25-090(a)
to the data breach is unconstitutional. Defs.' Mem. 3,
ECF No. 331-1. Marriott's constitutional argument is
twofold-that Chicago's ordinance in this context exceeds
its home rule authority under the Illinois Constitution
because it seeks to solve a statewide or national problem
rather than one of local concern, and because it is
attempting to regulate conduct beyond its borders.
Id. at 4.
Has Standing to Sue
satisfy constitutional standing requirements, a plaintiff
must have suffered an “injury in fact, ” that has
a causal connection to the conduct complained of and can be
“redressed by a favorable decision.” Lujan v.
Defenders of Wildlife, 504 U.S. 555, 560-61 (1992).
Article III standing must be found to exist before a court
may address the merits. Steel Co. v. Citizens for a
Better Environment, 523 U.S. 83, 94 (1998). Marriott
challenges Chicago's standing to sue on behalf of its
citizens because its alleged “injury in fact” is
insufficient to obtain the injunctive and equitable relief it
requests, specifically, requiring Marriott to implement
reasonable security measures and requiring Marriott to create
a fund that helps Chicago residents mitigate the impact of
the data breach, respectively. Because Chicago has
sufficiently alleged a concrete injury to its own proprietary
interests, it has standing to sue.
may, under certain conditions, sue on behalf of their
citizens. Massachusetts v. EPA, 549 U.S. 497 (2007).
But this authority generally does not extend to subordinate
governmental units, like counties or cities, to sue to
vindicate the rights of their residents. Prince
George's Cty. v. Levi, 79 F.R.D. 1, 4 (D. Md. 1977)
(“However, this right enjoyed by the State of Maryland,
to sue on behalf of its citizens does not give [Prince
George's County] standing to represent its residents. The
power of a political subdivision of a state is
‘derivative and not sovereign' and it may only sue
to vindicate its own interests.”); see also Bd. of
Supervisors of Fairfax Cty., Virginia v. United States,
408 F.Supp. 556 (E.D. Va. 1976) (holding that a county may
not sue on behalf of its residents by exercising parens
patriae authority). For Chicago to have standing, it must
rest upon its own injury-not its residents' injuries.
argues that Chicago does not have standing to seek the
injunctive and equitable relief it requested. Davis v.
Fed. Election Comm'n, 554 U.S. 724, 734 (2008)
(“a plaintiff must demonstrate standing separately . .
. for each form of relief that is sought”) (internal
quotation marks omitted); Defs.' Reply 11, ECF No. 425.
Because municipalities, such as Chicago, cannot assert
parens patriae standing, Marriott argues that
Chicago cannot demand the above relief because they are both
requested “not to address its own injuries but those of
its residents.” Defs.' Mem., 13. Marriott contends
that Chicago's effort to force it to adopt additional
data security measures is intended to protect “its
residents' personal information, not any information
belonging to the city, ” and that the monitoring fund
is not meant to benefit Chicago, but to “mitigate a
wave of identity theft and financial fraud it predicts will
hit Chicago residents.” Id. at 14. Chicago
counters that it is seeking to enforce its municipal code on
its own behalf, and therefore it is not exercising parens
patriae standing. Pl.'s Opp. 5.
Chicago and Marriott cite a Ninth Circuit case that holds
that a municipality must establish concrete injury to its
proprietary interests to have standing. City of Sausalito
v. O'Neil, 386 F.3d 1186, 1198 (9th Cir. 2004).
There, the court explained that a municipality's
proprietary interests may be “congruent with those of
its citizens, ” and gave examples of sufficient
proprietary interests to confer standing: “its ability
to enforce land-use and health regulations, ”
“its powers of revenue collections and taxation,
” “protecting its natural resources, ” and
“land management.” Id. In that case,
Sausalito sought to prevent the National Park Service from
developing Fort Baker, a nearby former military base.
Id. at 1194. The court held that Sausalito had
alleged injury to its proprietary interest because the Fort
Baker Plan, if implemented, would “result in
detrimental increase in traffic and crowds . . . affecting
public safety, ” cause aesthetic injury with
congestion, and would cause harm to “natural
resources” with increased noise, trash, and impaired
air quality that affect its “marina, parks, trails, and
shoreline.” Id. at 1198-99.
adequately has alleged injury to its municipal interests. It
argues that, as applied to the facts alleged in the FAC, MCC
§ 2-25-090(a) protects its proprietary interests in the
“tourism industry and dependent property and sales tax
revenues” since Marriott operates hotels in Chicago,
and that a decline in patronage at Marriott's hotels due
to the data breach will diminish the revenue Chicago receives
by way of hotel accommodation. Pl.'s Opp. 6 (quoting
City of Sausalito, 386 F.3d at 1198). Chicago also
alleged that “consumers place value in data privacy and
security, and they consider that when making purchasing
decisions, ” and that consumers “would not have
purchased rooms or otherwise stayed at Marriott hotels”
if they had “known the truth about Marriott's data
security practices.” First Am. Compl. ¶¶ 55,
59-60; Pl.'s Opp. 6-7. Therefore, the facts as pleaded
(which must be taken as true at the motion to dismiss stage),
plausibly alleged injury to Chicago's proprietary
Ordinance is a Valid Exercise of Home Rule Authority
Marriott challenges the application of MCC § 2-25-090(a)
as applied to them on the basis that its enforcement is
beyond the City's home rule authority, as granted by the
Illinois Constitution, Article VII § 6 (1970)
(hereinafter “1970 Constitution”). Adoption of
Section 6 represented a dramatic shift in power between the
State of Illinois and its local governments. City of
Chicago v. StubHub, Inc., 979 N.E.2d 844, 850 (Ill.
2011) (“Under the 1870 Illinois Constitution, the
balance of power between our state and local governments was
heavily weighted towards the state. The 1970 Illinois
Constitution drastically altered that balance, giving local
governments more autonomy.”). A review of the opinions
of the Illinois Supreme Court and Court of Appeals since 1970
reveals a progression in their analysis of the scope of the
home rule authority of a “local unit” (city, or
municipality), and, over time, that scope has broadened and
become more refined. Id. at 852 (“Essentially,
the framers saw our role [in restricting home rule authority]
under section 6(a) as narrow, and over time we developed an
analytical framework consistent with that view.”).
Accordingly, care must be taken not to focus too narrowly on
what may appear to be more restrictive statements about the
scope of home rule authority in early court decisions,
without keeping in mind later developments in the law that
viewed that authority more expansively.
course of nearly fifty years of analysis of home rule
authority by Illinois courts, the following overview emerges.
First, home rule authority was intended to be broad in scope,
and it allows concurrent local and state regulation of the
same problem, unless the Illinois General Assembly explicitly
has preempted home rule authority or made findings in
enacting legislation that make it clear that statewide, as
opposed to local, authority to legislate was intended.
Park Pet Shop, Inc. v. City of Chicago, 872 F.3d
495, 500 (7th Cir. 2017) (“In areas of concurrent
authority, the Illinois Constitution expressly requires a
clear statement from the state legislature to oust a
municipality's home-rule power.”); Scadron v.
City of Des Plaines, 606 N.E.2d 1154, 1158 (Ill. 1992)
(Section 6(a) “was written with the intention that home
rule units be given the broadest powers possible.”).
Second, reviewing courts have been cautioned not to find
implied preemption of home rule authority where neither the
express language of state legislation nor its legislative
history evidences the clear intent of the General Assembly to
preempt local home rule units from regulating a particular
problem. Park Pet Shop, Inc., 872 F.3d at 500
(holding home rule legislation valid where “[s]tate
government never had an exclusive role in addressing animal
control issues, ” and “[n]o state animal-control
statute explicitly ousts or limits Chicago's power to
regulate in this area”); Blanchard v. Berrios,
72 N.E.3d 309, 318 (Ill. 2016) (“[S]ection 6 as a whole
was intended to prevent implied preemption, or preemption by
judicial interpretation.”). Third, as a general matter,
local home rule units may not regulate beyond their borders.
Accel Entm't Gaming, LLC v. Vill. of Elmwood
Park, 46 N.E.3d 1151, 1160 (Ill.App.Ct. 2015) (holding
that an ordinance requiring licensing of video game terminals
was a valid exercise of home rule authority because
“the Village's concern is not video-gaming
regulation generally but regulation of video gaming within
the boundaries of the Village”). And, finally, Illinois
courts have acknowledged that determining whether home rule
authority exists in a particular case may be hard to do at
times, requiring case-by-case analysis of the underlying
facts. StubHub, Inc., 979 N.E.2d at 851 ...