26-Dec-19 – A federal judge in Maryland has ruled the City of Chicago can continue using a local ordinance to sue Marriott International over a data breach.

The hotel chain announced the data breach on November 30, 2018, when it said there had been “unauthorized access,” over four years, of about 500 million guest records in the Starwood Hotels & Resorts reservation database. The city sued in June 2019, seeking an injunction forcing Marriott to implement data breach safeguards, a fine of up to $10,000 per day the ordinance violation continues, and the establishment of a fund to pay for monitoring of affected customers.

(Left) Moxy Chicago Downtown, a Marriott hotel at LaSalle & Grand in River North.

United States District Judge Paul Grimm issued an opinion on December 13, 2019, in a multidistrict lawsuit, formally rejecting Marriott’s request to dismiss Chicago’s lawsuit. Marriott had claimed the city’s consumer protection ordinance violates the Illinois state constitution. The company argued the city is attempting to solve a national problem rather than just address a local concern, as well as overstepping its constitutional authority and using the ordinance to regulate conduct outside the city.

While states may sue on behalf of residents, Grimm said, smaller governmental units must have their own injuries to pursue recovery in court. Chicago did so, Grimm continued, by arguing a judgment in its favor would protect the city’s “proprietary interests in the tourism industry and dependent property and sales tax revenues, since Marriott operates hotels in Chicago, and that a decline in patronage at Marriott’s hotels due to the data breach will diminish the revenue Chicago receives by way of hotel accommodation.”

Turning to the city’s home rule powers, Grimm said that “in the course of nearly 50 years of analysis of home rule authority by Illinois courts,” municipal ordinances generally are pre-empted only by explicit language in state laws. The issue then becomes whether the city is extending its reach beyond its own border.

“The problem is not fairly characterized as regulating online data security at large or in the abstract, as Marriott suggests,” wrote Grimm (right), but whether Chicago residents are protected.

Marriott argued Chicagoans were not affected differently than any other city, but Grimm said at this stage of the proceedings that constitutes opinion, not fact. Further, Grimm found nothing suggesting state lawmakers wanted exclusive rights to regulate consumer protection and said it is “difficult to imagine a more harmonious relationship” than the one between the city ordinance and the state’s privacy laws.

Marriott insisted Chicago is attempting to regulate conduct outside the city, but Grimm said the 2005 Illinois Supreme Court opinion in Avery v. State Farm Mutual Automobile Insurance Company established a framework for determining if the alleged ordinance violations occurred “primarily or substantially” in the city.

“The city was quite surgical in its pleadings,” Grimm wrote, noting references in the complaint to Chicago residents as victims who relied on the Marriott website for a presumption of safety and suffered injuries by booking hotels while at home in the city – including for Marriott stays in Chicago – in addition to patronizing properties elsewhere. (Left) Marriott’s Sheraton Grand Chicago at 301 East North Water Street in Streeterville.

While discovery may tip the argument in Marriott’s favor, Grimm added, “those determinations are for another day, not on a motion to dismiss.”

Further, if the city does establish Marriott’s liability, “relief could be fashioned that would prevent the ordinance from having an unconstitutional extraterritorial effect.”

In a separate lawsuit pending in Cook County Circuit Court, the City of Chicago is suing Uber for a data breach, as well, asserting violations of the same ordinance. In both cases, the city is represented by Edelson PC of Chicago. Marriott and Starwood are defended by BakerHostetler of Cleveland and Washington, D.C.