CHICAGO — A federal judge in Maryland has ruled the city of Chicago can continue using a local ordinance to sue the Marriott hotel chain regarding a data breach.
U.S. District Judge Paul Grimm issued an opinion Dec. 13 in a multidistrict litigation formally rejecting Marriott’s request to dismiss Chicago’s lawsuit. Marriott had claimed the city’s consumer protection ordinance violates the Illinois state constitution. The chain argued the city is attempting to solve a national problem, rather than just address a local concern, as well as overstepping its constitutional authority and use the ordinance to regulate conduct outside the city.
Marriott announced the data breach on Nov. 30, 2018, when it said hackers obtained access to records of about 500 million guests in the Starwood Hotels & Resorts reservation database for four years, a fact not learned until Sept. 8, 2018. The city sued in June, seeking an injunction forcing Marriott to implement data breach safeguards, a fine of up to $10,000 per day the ordinance violation continues, and the establishment of a fund to pay for monitoring of affected customers.
While states may sue on behalf of residents, Grimm said, smaller governmental units must have their own injuries to pursue recovery in court. Chicago did so, Grimm continued, by arguing a judgment in its favor would protect the city’s “proprietary interests in the ‘tourism industry and dependent property and sales tax revenues’ since Marriott operates hotels in Chicago, and that a decline in patronage at Marriott’s hotels due to the data breach will diminish the revenue Chicago receives by way of hotel accommodation.”
Turning to the city’s home rule powers, Grimm said that “in the course of nearly 50 years of analysis of home rule authority by Illinois courts,” municipal ordinances generally are pre-empted only by explicit language in state laws.
The issue then becomes whether the city is extending its reach beyond its own border.
“The problem is not fairly characterized as regulating online data security at large or in the abstract, as Marriott suggests,” Grimm wrote, but whether Chicago residents are protected.
Marriott argued Chicagoans weren’t affected differently than any other city, but Grimm said, at this stage of proceedings, that constitutes opinion, not fact. Further, Grimm found nothing suggesting state lawmakers wanted exclusive rights to regulate consumer protection and said it's “difficult to imagine a more harmonious relationship” than the one between the city ordinance and the state’s privacy laws.
Marriott insisted Chicago is attempting to regulate conduct outside the city, but Grimm said the 2005 Illinois Supreme Court opinion in Avery v. State Farm Mutual Automobile Insurance Company established a framework for determining if the alleged ordinance violations occurred “primarily or substantially” in the city.
“The city was quite surgical in its pleadings,” Grimm wrote, noting references in the complaint to Chicago residents as victims who relied on the Marriott website for a presumption of safety and suffered injuries by booking hotels while at home in the city — including for Marriott stays in Chicago — in addition to patronizing properties elsewhere.
While discovery may tip the argument in Marriott’s favor, Grimm added, “those determinations are for another day, not on a motion to dismiss.” Further, if the city does establish Marriott’s liability, “relief could be fashioned that would prevent the ordinance from having an unconstitutional extraterritorial effect.”
In a separate lawsuit pending in Cook County Circuit Court in Chicago, the city is suing Uber for a data breach, as well, asserting violations of the same ordinance.
In both cases, the city is represented by attorneys from the firm of Edelson P.C., of Chicago.
Marriott and Starwood are defended by attorneys Daniel R. Warren, Lisa M. Ghannoum and Gilbert S. Keteltas, of Baker and Hostetler LLP, of Cleveland and Washington, D.C.