
City of Chi. v. Marriott Int'l, Inc.

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF MARYLAND Southern Division
Dec 13, 2019
Case No.: PWG-19-654 (D. Md. Dec. 13, 2019)

Opinion

Case No.: PWG-19-654 Case No.: 19-2879


CITY OF CHICAGO, Plaintiff, v. MARRIOTT INTERNATIONAL, INC., et al., Defendants.


MEMORANDUM OPINION AND ORDER

Pending before me is a Multidistrict Litigation ("MDL") action against Marriott International, Inc. and related entities concerning a data breach incident. In re Marriott, No. PWG-19-2879. One of the Plaintiffs in the MDL is the City of Chicago ("Chicago" or "City"), which seeks relief under a local consumer protection ordinance "for harm and injuries arising from" Marriott's data security incident. First Am. Compl. 1, ECF No. 294.

Chicago brought this action against two defendants: Marriott International, Inc. and Starwood Hotels & Resorts Worldwide, LLC. They will be referred to collectively as "Marriott" unless otherwise indicated. First Am. Compl. 1, ECF No. 294.

All citations are to the MDL, PWG-19-2879 unless otherwise indicated.

Before this Court is Marriott's motion to dismiss Chicago's first amended complaint ("FAC"). Defs.' Mot. to Dismiss, ECF No. 331. Marriott seeks to dismiss arguing that, as applied to this data breach, Chicago's local ordinance is unconstitutional under the Illinois Constitution. Id. at 6-8. The motion to dismiss the FAC is fully briefed, ECF Nos. 331-1, 384, 425. A hearing is not necessary. See Loc. R. 105.6. Chicago's ordinance is constitutional as applied to these facts because, as alleged, Chicago has standing to request an injunction and monitoring fund as relief for its own injuries. And under the facts pleaded in the FAC, the municipal ordinance under which Chicago has filed suit addresses a local problem, making it a legitimate exercise of the City's home rule authority as granted by the Illinois Constitution. Finally, in the event that Chicago establishes liability for breach of its ordinance, relief could be fashioned that would prevent the ordinance from having an extraterritorial effect. Therefore, the motion to dismiss is denied.

Factual Background

Marriott International, Inc. ("Marriott") is a global hotel chain, operating more than 7,000 properties across 131 countries, including 33 hotels throughout the City of Chicago. First Am. Compl. ¶ 17. In 2016, Marriott acquired Starwood Hotels & Resorts Worldwide, LLC ("Starwood"), making Marriott the world's largest hotel chain. Id. ¶ 18.

On November 30, 2018, Marriott announced that it was the subject of the second largest data breach in history. Id. ¶ 1. Marriott revealed that hackers had obtained access to the Starwood reservation database for four years, which it failed to detect until September 8, 2018. Id. ¶¶ 35-36. The breached database contained information about approximately 500 million guests. Id. ¶ 38. For an estimated 327 million guests, the compromised information includes some or all of the following personal information: full names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. Id. ¶ 39. Additionally, the hackers stole about 8.6 million guests' encrypted payment card numbers and expiration dates, and, possibly, the information needed to decrypt those numbers. Id. ¶ 43.

On June 20, 2019, Chicago filed its first amended complaint against Marriott. Chicago contends that Marriott violated its municipal ordinance, MCC § 2-25-090(a), because it failed to protect Chicago residents' personal information, failed to detect the data breach promptly, inadequately responded to the breach, and failed to implement reasonable safeguards that would have prevented the breach and/or detected it sooner. Id. ¶¶ 83-86, 95. The City also alleges that Marriott misrepresented to Chicago residents that it had reasonable security safeguards in place. Id. ¶¶ 100-02. Chicago alleges these acts or omissions occurred in the City, and that the breach affected Chicago residents, thus empowering the City to sue on its own and their behalf.

Chicago states that it does not need to allege injury or causation to state a claim for violations of its Municipal Code. Id. ¶ 54. Nonetheless, the City alleges that Marriott injured Chicago residents, "who make reservations at Marriott properties from Chicago and stay in Marriott's Chicago hotels and throughout the country." Id. Chicago alleges its residents have been injured in two ways: first, "had consumers known the truth about Marriott's data security practices . . . they would not have purchased rooms or otherwise stayed at Marriott hotels;" and second, "Marriott's misconduct has substantially increased the risk that the affected Marriott customers will be, or already have become, victims of identity theft or financial fraud." Id. ¶¶ 60, 67.

Chicago is seeking declaratory relief that Marriott violated MCC § 2-25-090(a); an injunction requiring Marriott "to adopt and implement reasonable safeguards to prevent, detect, and mitigate the effects of data breaches;" a monetary fine of up to $10,000 for each day a violation continues; a fund "to pay for adequate monitoring of this data breach, as well as for all precautions now necessary;" attorneys' fees and costs, pre- and post-judgment interest; and any other relief the Court deems reasonable. Id. at 28.

Marriott moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(1), arguing that the City of Chicago lacks standing. The Illinois Constitution permits "home-rule" units, like the City of Chicago, to regulate conduct that is of local concern, rather than statewide or national. Kalodimos v. Vill. of Morton Grove, 470 N.E.2d 266, 275 (Ill. 1984). Accordingly, Marriott also moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(6), arguing that MCC § 2-25-090(a)'s application here is unconstitutional due to its extraterritorial effect and because it views the data breach as a national, as opposed to a local, problem. Defs.' Mem. 3.

Standard of Review

To survive a motion to dismiss, a complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Specifically, Marriott must establish "facial plausibility" by pleading "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). However, "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. I must accept the well pleaded facts as alleged in Chicago's complaint as true. See Aziz v. Alcolac, 658 F.3d 388, 390 (4th Cir. 2011). And, I must construe the factual allegations "in the light most favorable to [the] plaintiff." Adcock v. Freightliner LLC, 550 F.3d 369, 374 (4th Cir. 2008) (quoting Battlefield Builders, Inc. v. Swango, 743 F.2d 1060, 1062 (4th Cir. 1984)).

Discussion

Chicago brings this lawsuit under § 2-25-090(a) of its Municipal Code, which forbids any person from engaging in "consumer fraud, unfair method[s] of competition, or deceptive practice[s] while conducting a trade or business within the city." Chi. Ill. Mun. Code § 2-25-090(a). The Chicago code defines "unlawful practice" by reference to the Illinois Consumer Fraud and Deceptive Business Practices Act ("ICFA"). 815 Ill. Comp. Stat. 505/2 (1961); Id. In addition to the specific definitions of unlawful practices set forth in the ICFA, it also incorporates as prohibited conduct knowing violations of certain state statutes, including the Illinois Personal Information Protection Act ("IPIPA"). 815 Ill. Comp. Stat. 530/1 (2006). Chicago alleges that Marriott's data security practices were unfair, deceptive, and unlawful under its ordinance, the ICFA, and the IPIPA.

Marriott argues that the action should be dismissed because: (1) Chicago lacks Article III standing to obtain the relief it seeks on behalf of Chicago residents; and (2) under the Illinois Constitution, application of MCC § 2-25-090(a) to the data breach is unconstitutional. Defs.' Mem. 3, ECF No. 331-1. Marriott's constitutional argument is twofold—that Chicago's ordinance in this context exceeds its home rule authority under the Illinois Constitution because it seeks to solve a statewide or national problem rather than one of local concern, and because it is attempting to regulate conduct beyond its borders. Id. at 4.

Chicago Has Standing to Sue

To satisfy constitutional standing requirements, a plaintiff must have suffered an "injury in fact," that has a causal connection to the conduct complained of and can be "redressed by a favorable decision." Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992). Article III standing must be found to exist before a court may address the merits. Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 94 (1998). Marriott challenges Chicago's standing to sue on behalf of its citizens because its alleged "injury in fact" is insufficient to obtain the injunctive and equitable relief it requests, specifically, requiring Marriott to implement reasonable security measures and requiring Marriott to create a fund that helps Chicago residents mitigate the impact of the data breach, respectively. Because Chicago has sufficiently alleged a concrete injury to its own proprietary interests, it has standing to sue.

States may, under certain conditions, sue on behalf of their citizens. Massachusetts v. EPA, 549 U.S. 497 (2007). But this authority generally does not extend to subordinate governmental units, like counties or cities, to sue to vindicate the rights of their residents. Prince George's Cty. v. Levi, 79 F.R.D. 1, 4 (D. Md. 1977) ("However, this right enjoyed by the State of Maryland, to sue on behalf of its citizens does not give [Prince George's County] standing to represent its residents. The power of a political subdivision of a state is 'derivative and not sovereign' and it may only sue to vindicate its own interests."); see also Bd. of Supervisors of Fairfax Cty., Virginia v. United States, 408 F. Supp. 556 (E.D. Va. 1976) (holding that a county may not sue on behalf of its residents by exercising parens patriae authority). For Chicago to have standing, it must rest upon its own injury—not its residents' injuries.

Although this case was originally filed in the Northern District of Illinois, Compl. 1, ECF No. 1 in PWG-19-654, for questions concerning federal law in multidistrict litigation cases I must apply the law that would be binding had it been filed in this court. In re Temporomandibular Joint (TMJ) Implants Prods. Liab. Litig., 97 F.3d 1050, 1055 (8th Cir. 1996) ("When analyzing questions of federal law in multidistrict litigation, transferee court should apply law of the circuit in which it is located."); Poole v. Ethicon, Inc., No. 2:12-CV-01978, 2013 WL 6164078 at *2 (S.D.W. Va. Nov. 25, 2013) (using the Fourth Circuit's standard for reconsideration in a multidistrict litigation case because it was a question of federal procedural law). For questions concerning Chicago's home rule authority, of course, I must look to Illinois law.

Marriott argues that Chicago does not have standing to seek the injunctive and equitable relief it requested. Davis v. Fed. Election Comm'n, 554 U.S. 724, 734 (2008) ("a plaintiff must demonstrate standing separately . . . for each form of relief that is sought") (internal quotation marks omitted); Defs.' Reply 11, ECF No. 425. Because municipalities, such as Chicago, cannot assert parens patriae standing, Marriott argues that Chicago cannot demand the above relief because they are both requested "not to address its own injuries but those of its residents." Defs.' Mem., 13. Marriott contends that Chicago's effort to force it to adopt additional data security measures is intended to protect "its residents' personal information, not any information belonging to the city," and that the monitoring fund is not meant to benefit Chicago, but to "mitigate a wave of identity theft and financial fraud it predicts will hit Chicago residents." Id. at 14. Chicago counters that it is seeking to enforce its municipal code on its own behalf, and therefore it is not exercising parens patriae standing. Pl.'s Opp. 5.

Both Chicago and Marriott cite a Ninth Circuit case that holds that a municipality must establish concrete injury to its proprietary interests to have standing. City of Sausalito v. O'Neil, 386 F.3d 1186, 1198 (9th Cir. 2004). There, the court explained that a municipality's proprietary interests may be "congruent with those of its citizens," and gave examples of sufficient proprietary interests to confer standing: "its ability to enforce land-use and health regulations," "its powers of revenue collections and taxation," "protecting its natural resources," and "land management." Id. In that case, Sausalito sought to prevent the National Park Service from developing Fort Baker, a nearby former military base. Id. at 1194. The court held that Sausalito had alleged injury to its proprietary interest because the Fort Baker Plan, if implemented, would "result in detrimental increase in traffic and crowds . . . affecting public safety," cause aesthetic injury with congestion, and would cause harm to "natural resources" with increased noise, trash, and impaired air quality that affect its "marina, parks, trails, and shoreline." Id. at 1198-99.

Chicago adequately has alleged injury to its municipal interests. It argues that, as applied to the facts alleged in the FAC, MCC § 2-25-090(a) protects its proprietary interests in the "tourism industry and dependent property and sales tax revenues" since Marriott operates hotels in Chicago, and that a decline in patronage at Marriott's hotels due to the data breach will diminish the revenue Chicago receives by way of hotel accommodation. Pl.'s Opp. 6 (quoting City of Sausalito, 386 F.3d at 1198). Chicago also alleged that "consumers place value in data privacy and security, and they consider that when making purchasing decisions," and that consumers "would not have purchased rooms or otherwise stayed at Marriott hotels" if they had "known the truth about Marriott's data security practices." First Am. Compl. ¶¶ 55, 59-60; Pl.'s Opp. 6-7. Therefore, the facts as pleaded (which must be taken as true at the motion to dismiss stage), plausibly alleged injury to Chicago's proprietary interests.

Chicago is correct that injury in fact can stem from a loss in tax revenue. Gladstone Realtors v. Village of Bellwood, 441 U.S. 91, 110 (1979) (holding that the harm of loss of tax revenue was sufficient injury when there was a reduction in the number of buyers in the housing market, leading to a decrease in property values). And while discovery may reveal facts that would meaningfully distinguish Gladstone Realtors if Chicago is unable to provide admissible evidence that the data breach caused an actual reduction in hotel reservations in Chicago (and a corresponding loss of tax revenue owed to the City), I am bound by the allegations in the complaint at this stage of the litigation. Id.

Chicago's Ordinance is a Valid Exercise of Home Rule Authority

Preliminarily, Marriott challenges the application of MCC § 2-25-090(a) as applied to them on the basis that its enforcement is beyond the City's home rule authority, as granted by the Illinois Constitution, Article VII § 6 (1970) (hereinafter "1970 Constitution"). Adoption of Section 6 represented a dramatic shift in power between the State of Illinois and its local governments. City of Chicago v. StubHub, Inc., 979 N.E.2d 844, 850 (Ill. 2011) ("Under the 1870 Illinois Constitution, the balance of power between our state and local governments was heavily weighted towards the state. The 1970 Illinois Constitution drastically altered that balance, giving local governments more autonomy."). A review of the opinions of the Illinois Supreme Court and Court of Appeals since 1970 reveals a progression in their analysis of the scope of the home rule authority of a "local unit" (city, or municipality), and, over time, that scope has broadened and become more refined. Id. at 852 ("Essentially, the framers saw our role [in restricting home rule authority] under section 6(a) as narrow, and over time we developed an analytical framework consistent with that view."). Accordingly, care must be taken not to focus too narrowly on what may appear to be more restrictive statements about the scope of home rule authority in early court decisions, without keeping in mind later developments in the law that viewed that authority more expansively.

In the course of nearly fifty years of analysis of home rule authority by Illinois courts, the following overview emerges. First, home rule authority was intended to be broad in scope, and it allows concurrent local and state regulation of the same problem, unless the Illinois General Assembly explicitly has preempted home rule authority or made findings in enacting legislation that make it clear that statewide, as opposed to local, authority to legislate was intended. Park Pet Shop, Inc. v. City of Chicago, 872 F.3d 495, 500 (7th Cir. 2017) ("In areas of concurrent authority, the Illinois Constitution expressly requires a clear statement from the state legislature to oust a municipality's home-rule power."); Scadron v. City of Des Plaines, 606 N.E.2d 1154, 1158 (Ill. 1992) (Section 6(a) "was written with the intention that home rule units be given the broadest powers possible."). Second, reviewing courts have been cautioned not to find implied preemption of home rule authority where neither the express language of state legislation nor its legislative history evidences the clear intent of the General Assembly to preempt local home rule units from regulating a particular problem. Park Pet Shop, Inc., 872 F.3d at 500 (holding home rule legislation valid where "[s]tate government never had an exclusive role in addressing animal control issues," and "[n]o state animal-control statute explicitly ousts or limits Chicago's power to regulate in this area"); Blanchard v. Berrios, 72 N.E.3d 309, 318 (Ill. 2016) ("[S]ection 6 as a whole was intended to prevent implied preemption, or preemption by judicial interpretation."). Third, as a general matter, local home rule units may not regulate beyond their borders. Accel Entm't Gaming, LLC v. Vill. of Elmwood Park, 46 N.E.3d 1151, 1160 (Ill. App. Ct. 2015) (holding that an ordinance requiring licensing of video game terminals was a valid exercise of home rule authority because "the Village's concern is not video-gaming regulation generally but regulation of video gaming within the boundaries of the Village"). And, finally, Illinois courts have acknowledged that determining whether home rule authority exists in a particular case may be hard to do at times, requiring case-by-case analysis of the underlying facts. StubHub, Inc., 979 N.E.2d at 851 ("The framers, however, understood that further interpretation of section 6(a)'s intentionally imprecise language would fall to the judicial branch."); Kalodimos v. Village of Morton Grove, 470 N.E.2d 266, 274 (Ill. 1984) ("Whether a particular problem is of statewide rather than local dimension must be decided not on the basis of a specific formula or listing set forth in the Constitution."). But, however challenging the analysis may be to apply in a particular case, the Illinois courts have given a clear analytical framework for courts to follow when undertaking to do so.

The first step is to determine whether the ordinance enacted by a local home rule unit is within the express scope of authority granted by Article VII § 6 of the 1970 Constitution. It states, relevantly: A home rule unit "may exercise any power and perform any function pertaining to its government and affairs including, but not limited to, the power to regulate for the protection of the public health, safety, morals and welfare; to license; to tax; and to incur debt." Ill. CONST. art. VII, § 6(a). Additionally, "[h]ome rule units may exercise and perform concurrently with the State any power or function of a home rule unit to the extent that the General Assembly by law does not specifically limit the concurrent exercise or specifically declare the State's exercise to be exclusive." Ill. CONST. art. VII, § 6(i). And lastly, the "[p]owers and functions of home rule units shall be construed liberally." Ill. CONST. art. VII, § 6(m).

The key is to determine whether the challenged home rule unit's ordinance pertains to its own government and affairs. It does if it regulates for the protection of the public health, safety, morals and welfare of its residents. In order to correctly answer this question, it is important to define the problem sought to be addressed by the home rule unit's ordinance. StubHub, Inc., 979 N.E.2d at 853 (acknowledging that the City has explicit home rule authority to tax, but "the problem [solved by the ordinance] is not the tax, but its collection by internet auction listing services, whose users created a new market in online ticket resales."). As applicable to this case, the problem that Chicago attempts to reach through MCC § 2-25-090(a) is the protection of personal identifying information of Chicago residents who provide it to data holders such as Marriott who do business within Chicago. The problem is not fairly characterized as regulating online data security at large or in the abstract, as Marriott suggests. Defs.' Reply 3-4, ECF No. 425 ("The city is purporting to regulate data security practices that took place beyond its borders and that allegedly affected individuals in cities and states throughout the country.").

Once the problem that the home rule unit's ordinance seeks to address properly has been defined, the court must determine whether it pertains to the local home rule unit's own government and affairs. Vill. of Bolingbrook v. Citizens Utilities Co. of Ill., 632 N.E.2d 1000, 1001 (Ill. 1994). As the Illinois Supreme Court put it, "[a]n ordinance pertains to the government and affairs of a home rule unit where the ordinance relates to problems that are local in nature rather than State or national." Id. at 1002; see also People ex rel. Bernardi v. City of Highland Park, 520 N.E.2d 316, 320 (Ill. 1988); Kalodimos, 470 N.E.2d at 274; Ampersand, Inc. v. Finley, 338 N.E.2d 15, 18 (Ill. 1975); Cty. of Cook v. Vill. of Bridgeview, 8 N.E.3d 1275, 1279 (Ill. App. Ct. 2014). This seemingly simple distinction is anything but. Problems can be local, regional, statewide, or national. See, e.g., City of Des Plaines v. Chicago & N. W. Ry. Co., 357 N.E.2d 433, 435 (Ill. 1976) (noise caused by single automobile honking louder than allowed by municipal noise control ordinance of local concern; noise caused by train travelling interstate across municipal boundaries is not); Metro. Sanitary Dist. of Greater Chicago v. City of Des Plaines, 347 N.E.2d 716, 718 (Ill. 1976) (environmental regulation of sewage plant serving multiple municipalities of regional concern); Cty. of Cook, 8 N.E.3d at 1279 (spread of rabies by overpopulation of feral cats statewide or national issue). "Extreme cases are clear. . . [d]ifficulty arises, however, when a problem has a local as well as a statewide or national impact." Vill. of Bolingbrook, 632 N.E.2d at 1002.

When problems are both local and statewide, Illinois courts use a three factor test to determine which level of government has regulatory primacy: "[w]hether a particular problem is of statewide rather than local dimension must be decided not on the basis of a specific formula or listing set forth in the Constitution but with regard for the nature and extent of the problem, the units of government which have the most vital interest in its solution, and the role traditionally played by local and statewide authorities in dealing with it." Kalodimos, 470 N.E.2d at 274; Cty. of Cook, 8 N.E.3d at 1279.

First Factor

Chicago has alleged that the nature and extent of the problem is local. The nature of the problem is the protection of personal identifying information of Chicago residents. Illinois courts assess the extent of the problem by determining whether the problem is pervasive throughout the state or nation, or merely within the home rule body's geographical borders. If the ordinance seeks to rectify a problem that persists beyond its borders, it is not of local concern. For example, in Vill. of Bolingbrook, the court held that the extent of the problem, sewage discharges, was local in nature because the Village suffered the main impact of the problem, not the state, and because the problem amounted to isolated incidents in the Village and was not common in other localities. 632 N.E.2d at 1003 ("Where the impact of a problem is confined to an isolated area, and there is no evidence that the particular problem is common throughout the State, the 'nature and extent of the problem' are local in dimension."). Chicago has argued that it seeks to rectify only "Marriott's misrepresentations to Chicagoans regarding its data security practices, its failure to protect Chicagoans' data, and its delayed notice to Chicagoans about the breach—all while operating within City limits." Pl.'s Opp. 13. As pleaded, the extent of the problem—protection of personal identifying information provided to businesses doing business in Chicago by Chicago residents who will feel the impact of that data breach within Chicago—is local.

Further, at this stage in the proceedings there are insufficient facts known to determine whether the extent of the problem is statewide or national. Marriott's argument that Chicago was not affected differently than any other city in the United States by this incident is just that—argument. Its ipse dixit pronouncements are not facts. Cf. Cty. of Cook v. Vill. of Bridgeview, 8 N.E.3d 1275, 1279 (Ill. App. Ct. 2014) (holding, on appeal from cross motions of summary judgment, that the extent of the problem—the spread of rabies—was not local based entirely upon expert testimony that the feral cat problem was of national concern.).

For this reason, given the record as it now stands, the first Kalodimos factor favors the City.

Second Factor

The second Kalodimos factor focuses on which unit of government has the most vital interest in resolving the problem. Here, Illinois courts have been informed by the text of the state legislation (whether it expressly preempts local regulation), as well as legislative history of the state statute enacted by the General Assembly that addresses the same problem that the local home rule unit has sought to regulate. In particular, the focus has been on whether the Illinois General Assembly has made legislative findings or otherwise clearly stated a preference for statewide as opposed to local regulation of a problem. City of Des Plaines, 357 N.E.2d at 436 (referencing the legislative findings made by the General Assembly when enacting the Illinois Environmental Protection Act which demonstrated a need for "a unified, state-wide program," as well as the comments of the Local Government Committee in its report to the Illinois Constitutional Convention).

Here, the parties have not cited, nor has my own research revealed, any legislative history regarding the passage of the ICFA or IPIPA that would suggest that the Illinois General Assembly considered consumer protection at large and the protection of personal information privacy in particular to be uniquely within the purview of the state, as opposed to local, regulation. Nor is there any language in either the ICFA or IPIPA that expressly preempts or restricts local consumer protection and personal information privacy protection regulation. City of Chicago v. Roman, 705 N.E.2d 81, 90 (Ill. 1998) ("[T]he General Assembly must specifically so limit a home rule unit's concurrent exercise of power.").

The original passage of the ICFA was in 1961 and there is "little legislative history that exists." In re Facebook, Inc. v. Consumer Privacy User Profile Litig., 354 F. Supp. 3d 1122, 1133 (N.D. Cal. 2019). In looking through the legislative history that is available, I found nothing in the House or Senate Transcripts that evinces an intent of the General Assembly that the law should operate on an exclusively statewide basis. Therefore, "[t]he plain language of the Consumer Fraud and Deceptive Business Practices Act is the best indicator of the legislature's intent," and there is nothing explicit in the text of the law concerning an intent to preempt local law. Bank One Milwaukee v. Sanchez, 783 N.E.2d 217, 221 (Ill. App. Ct. 2003). Similarly, in looking through the legislative history for the passage of IPIPA, I found nothing bearing on the intent of the General Assembly to preempt local legislation on the subject.

For evidence that the Illinois General Assembly knew how to limit home rule authority, but chose not to, I look to another provision in the ICFA that specifically preempts home rule authority with respect to the regulation of immigration assistance services:

No unit of local government, including any home rule unit, shall have the authority to regulate immigration assistance services unless such regulations are at least as stringent as those contained in this amendatory Act of 1992. It is declared to be a law of this State pursuant to paragraph (i) of Section 6 of Article VII of the Illinois Constitution of 1970, that this amendatory Act of 1992 is a limitation on the authority of a home rule unit to exercise powers concurrently with the State.
815 Ill. Comp. Stat. 505/2AA(n) (1961) (amendment added by P.A. 87,1211, Art. 2, § 1, eff. Jan. 1, 1993). The narrow scope of this limitation supports a view that the Illinois General Assembly did not intend to foreclose any other aspects of local consumer protection regulation.

Again focusing on the second factor, Illinois courts have also looked to see whether the local ordinance and state statute are complementary, such that they are capable of being enforced together, or whether they are incompatible, such that the enforcement of the home rule unit's ordinance would hinder or undermine the state's enforcement of a statute enacted by the General Assembly. Cty. of Cook, 8 N.E.3d at 1277-79 (reasoning that because there was an incompatible conflict between the regulation of feral cats by the Village, a home rule municipality, and the County's regulation of the same problem, the court had to decide which had a more vital role in regulating rabies control and ruled that the County's ordinance prevailed, because the municipal ordinance prohibited conduct that the County regulations specifically allowed); Accel Entm't Gaming, LLC, 46 N.E.3d at 1161 (holding that the Video Gaming Act did not evidence such a vital state interest in regulating video games that home rule units cannot concurrently regulate because "plaintiff has not demonstrated that the Village under its Ordinance will interfere with the interests of the State in the adoption and application of its Ordinance"). When a local home rule unit's ordinance operates in harmony with state statutes regulating the same problem, Illinois courts have found that the local regulation is within the home rule authority granted by the Illinois Constitution. Id. When they clash, and the local home rule unit's ordinance interferes with the state's enforcement of a statute, Illinois courts have found that the home rule unit exceeded its authority under Article VII, § 6 of the 1970 Constitution. City of Des Plaines, 357 N.E.2d at 436 (holding that the fact that the legislature intended to establish a "unified, state-wide program" that the Des Plaines' ordinance conflicted with, "provide[d] further evidence of the recognition of noise pollution as a matter of statewide concern").

Under the facts as pleaded in the FAC, it is difficult to imagine a more harmonious relationship between Chicago's MCC § 2-25-090(a) and the consumer protection and personal information privacy protection legislation enacted by the Illinois General Assembly. This is because Chicago's ordinance expressly incorporates the provisions of the ICFA and through it, the IPIPA. There simply is no basis for concluding that Chicago's interest in protecting the integrity of its residents' personal identifying information disclosed in connection with their transactions with businesses that do business in Chicago is subordinate to the State of Illinois' interests in protecting citizens statewide from the same risks associated with data security breaches, especially when the vehicle for doing so exactly mirrors the protections afforded by the state statutes. Nor is there any indication here that the ability of Illinois to enforce the ICFA and IPIPA is in any way undermined by MCC § 2-25-090(a).

For these reasons, the second Kalodimos factor militates in favor of finding that MCC § 2-25-090(a) (as applied to the facts alleged in the FAC) does not exceed Chicago's home rule authority.

Third Factor

The third Kalodimos factor focuses on whether the local government unit or the state traditionally has played the dominant role in dealing with the problem regulated by the local home rule unit ordinance. The Illinois Supreme Court recently summarized this factor as follows: "The mere existence of comprehensive state regulation is insufficient to preclude the exercise of home rule by a local governmental entity. Instead, courts will 'declare a subject off-limits to local government control only where the state has a vital interest and a traditionally exclusive role.'" Blanchard v. Berrios, 72 N.E.3d 313, 319 (Ill. 2016) (internal citations omitted); City of Chicago v. StubHub, Inc., 979 N.E.2d 844, 852 (Ill. 2012).

It is true that Illinois "has a long history of protecting consumers, dating back to 1961 with the criminalization of deceptive practices . . . and the enactment of the [ICFA]." StubHub, 979 N.E.2d at 855. Similarly, it cannot be disputed that the State of Illinois has played an important role in the regulation of data collectors that store the personal information of Illinois residents, through its enactment of IPIPA in 2006. But, considering that this statute is only thirteen years old, it is difficult to describe the state's role as "traditional," given that regulatory concerns about the protection of personal data are of relatively recent vintage. Accel Entm't Gaming, LLC, 46 N.E.3d at 1162 (holding that although the state has a traditional role regulating commercial gambling, the local ordinance regulates video gaming, which has only been "permitted within the State for less than a decade," rendering this factor "not particularly strong with respect to the video gaming context specifically"). Id. Nor is there anything in the sparse text of the IPIPA itself that reflects an intent on the part of the Illinois General Assembly that this authority be exclusive to the state, to the exclusion of local regulation. And, finally, as discussed above, the parties have not cited, nor has my research disclosed, any findings in the legislative history of the IPIPA that reflect an intent on the part of the General Assembly that the IPIPA preempted home rule units from passing ordinances to protect their residents from the effects of data breaches that jeopardize the protection of their personal information. Therefore, the third Kalodimos factor also militates against a finding that the protection of personal information is a matter of exclusive statewide regulation.

In sum, the City's application of MCC § 2-25-090(a) to the data security breach that underlies this case does not violate the home rule provisions of Article VII § 6 of the 1970 Constitution. The next issue that must be addressed is whether the City impermissibly seeks to enforce this ordinance extraterritorially.

Chicago's Ordinance Can be Enforced in a Non-Extraterritorial Fashion

In addition to the requirement that home rule units may only legislate to address local, as opposed to regional, state, or national problems, the Illinois Supreme Court ruled, not long after the Illinois Constitutional Convention adopted home rule authority, that home rule regulations could not be applied extraterritorially. In City of Carbondale v. Van Natta, the court observed "an examination of the proceedings of the [Illinois Sixth Constitutional] convention shows that the intention was not to confer extraterritorial sovereign or governmental powers directly on home rule units. The intendment shown is that whatever extraterritorial governmental powers home rule units may exercise were to be granted by the legislature." 338 N.E.2d 19, 20 (Ill. 1975).

Section 2-25-090(a) of the Municipal Code of Chicago ("MCC"), enacted in 2008, prohibits any person from engaging "in any act of consumer fraud, unfair method of competition, or deceptive practice while conducting any trade or business in the city. Any conduct constituting an unlawful practice under the [ICFA], as now or hereafter amended . . . relating to business operations or consumer protection shall be a violation of this section." MCC § 2-25-090(a). As both Chicago and Marriott agree, the ICFA itself incorporates as part of its consumer protection provisions IPIPA. As relevant to this case, IPIPA requires data collectors such as Marriott to "implement and maintain reasonable security measures to protect [personal information ("PI") concerning Illinois residents] . . . from unauthorized access, acquisition, destruction, use, modification, or disclosure," to notify Illinois residents on a timely basis of any breach of their data system that may have compromised the integrity of the PI of Illinois residents, and to take further actions to ameliorate the breach. First Am. Compl. ¶¶ 93, 107. Thus, the City alleges that Marriott's data security breach violated the MCC, standing alone, as well as the ICFA, as incorporated into the MCC, and the IPIPA, as incorporated into the ICFA. Specifically, Chicago alleges that "Marriott's failure to secure its servers" where PI is stored "has injured Chicago residents, who make reservations at Marriott properties from Chicago and stay in Marriott's Chicago hotels and throughout the country." Id. at ¶ 54. As a consequence, the City has pleaded that "Marriott has subjected Chicago residents whose personal information was in [Defendant] Starwood's guest reservation database . . . to potential identity theft, financial fraud, tax return scams, and other potential ongoing harm. At the very least, Chicago Victims will be forced to spend time and money in an attempt to protect themselves against the substantially increased risk of injury caused by Marriott's misconduct." Id. at ¶ 7. As part of the relief the City seeks, it asks this Court to order that Marriott create "a fund in the amount required to pay for adequate monitoring of this data breach as well as for all precautions now necessary as a result of the Defendants' conduct," and to impose monetary fines up to $10,000.00 per day for each offense. Id. at 28, ¶¶ C, D.

The parties have not cited, nor has my research located, any explicit language in any legislation enacted by the Illinois General Assembly granting the City of Chicago authority to enforce MCC § 2-25-090(a) beyond the city limits, nor does the City claim that such authority exists. Rather, Chicago argues that the relief they seek in this case involves no extraterritorial application of the MCC, because the transactions giving rise to their claims occurred "primarily within Chicago." Pl.'s Opp. 17. Unsurprisingly, Marriott strongly disagrees. Defs.' Mem. 4-6, 11 (arguing that the conduct being regulated, data security practices, occurs outside of Chicago's borders in places like Maryland, Marriott's headquarters).

Fortunately, by analogy, the Illinois Supreme Court has provided the analytical framework for determining whether the conduct the City alleges against Marriott falls within the scope of the MCC, as it incorporates the ICFA (and, through it, the IPIPA). In Avery v. State Farm Mut. Auto. Ins. Co., the court was asked to decide whether a nationwide class action could be brought on behalf of Illinois residents as well as residents of other states for violations of the ICFA. 835 N.E.2d 801, 849 (Ill. 2005). The defendant, State Farm Automobile Insurance Company, challenged the Illinois Circuit Court's "application of the [ICFA] to policyholders across the country . . . because the Act, by its own terms does not apply to consumer transactions involving nonresidents that occur outside Illinois." Id. The court began its analysis with the text of § 2 of the ICFA, which "provides that 'deceptive acts or practices . . . or the concealment, suppression or omission of any material fact, with intent that others rely upon the concealment, suppression or omission of such material fact . . . in the conduct of any trade or commerce are hereby declared unlawful.'" Id. Section 1(f) of the ICFA defined "trade" and "commerce" as:

The terms 'trade' and 'commerce' mean the advertising, offering for sale, sale, or distribution of any services and any property, tangible or intangible, real, personal or mixed, and any other article, commodity, or thing of value wherever situated, and shall include any trade or commerce directly or indirectly affecting the people of this State. [emphasis added]

The Plaintiffs in Avery argued that section 1(f) applied to transactions "wherever situated," whether within or outside of Illinois. Id. at 850. Not so, the court concluded, holding instead that:

The words 'wherever situated' do not refer to fraudulent transactions, but to the nouns 'any property, tangible or intangible, real, personal or mixed and any other article, commodity, or thing of value.' The words 'wherever situated' do not expand the scope of the [ICFA] to apply to consumer transactions that take place out-of-state.
Id. (internal citations omitted). State Farm argued that the use of the words "the people of this state" in section 1(f) of the ICFA restricted its application to transactions that took place within Illinois. But the Plaintiffs countered that the use of the words "directly or indirectly" in section 1(f) broadened the scope of the words "the people of this state" so that trade or commerce that took place outside of Illinois, but which had an impact on Illinois residents, was within the reach of the ICFA. Id.

The Illinois Supreme Court observed that section 1(f) of the ICFA had been interpreted inconsistently by both Illinois Federal Courts and the Illinois Appellate Court, some decisions imposing a geographical limitation, while others rejected such a limit. 835 N.E.2d at 851-52. Left with this inconclusive interpretive history, the court observed:

It is not clear from the plain language of section 1(f) which, if any, of the many interpretations noted above accurately captures the meaning of that provision. Indeed, the wealth of competing interpretations of section 1(f) is a compelling indication of the statute's ambiguity . . . Because the language of section 1(f) is ambiguous it is appropriate for us to consider other sources, including legislative history, in order to discern the statute's meaning.
Id. at 852 (internal citations omitted).

Drawing from the statement of Senator Sours, the sponsor of the bill that added the private cause of action remedy to the ICFA, that "[w]e're talking about trade and commerce that is not included within the interstate concept," and the "long-standing rule of construction in Illinois which holds that a 'statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute,'" the Illinois Supreme Court concluded that "the General Assembly did not intend the Consumer Fraud Act to apply to fraudulent transactions which take place outside of Illinois." Id. at 852-53 (internal citations omitted).

But that was not the end of the matter, because as the court observed "it can be difficult to identify the situs of a consumer transaction when, as plaintiffs in this case allege, the transaction is made up of components that occur in more than one state." Id. at 853. The Illinois Supreme Court looked to the analysis of the Court of Appeals of New York in its interpretation of the New York consumer fraud statute in Goshen v. Mutual Life Insurance Co., 774 N.E.2d 1190 (N.Y. 2002). In Goshen, the Court of Appeals of New York concluded that the "origin of any advertising or promotional conduct is irrelevant if the deception itself—that is, the advertisement or promotional package—did not result in a transaction in which the consumer was harmed." Id. at 1196. This led that court to conclude that the location of the deception, rather than the location of the origin of the misleading or fraudulent conduct, was the controlling factor in determining whether a consumer protection violation had occurred. Id.

But the Illinois Supreme Court reasoned that the issue was more complex than simply identifying the place where the consumer was located at the time that he or she was deceived or misled. Rather, the court observed:

In a misrepresentation case, there is no fraudulent transaction until the misrepresentation has been communicated. But the Goshen court's view of the situs of a consumer transaction is a narrow one. The place of injury or deception is only one of the circumstances that make up a fraudulent transaction and focusing solely on that fact can create questionable results. If, for example, the bulk of the circumstances that make up a fraudulent transaction occur within Illinois, and the only thing that occurs out-of-state is the injury or deception, it seems to make little sense to say that the fraudulent transaction has occurred outside Illinois. Stated otherwise, we believe that there is a broader alternative to the position taken by the Goshen court, namely, that a fraudulent transaction may be said to take place within a state if the circumstances relating to the transaction occur primarily and substantially within that state.
Avery, 835 N.E.2d at 853. Importantly, the Illinois Supreme Court added:
The General Assembly has stated that the Consumer Fraud Act "shall be liberally construed to effect" its purposes. Given this fact, we believe that the General Assembly intended the broader understanding of an in-state transaction noted above. Accordingly, we hold that a plaintiff may pursue a private cause of action under the Consumer Fraud Act if the circumstances that relate to the disputed transaction occur primarily and substantially in Illinois. In adopting this holding, we recognize that there is no single formula or bright-line test for determining whether a transaction occurs within this state. Rather, each case must be decided on its own facts. Accordingly, the critical question in this case becomes whether the circumstances relating to plaintiffs' disputed transactions with State Farm occurred primarily and substantially in Illinois.
Id. at 853-54 (internal citations omitted).

I am persuaded that the approach taken by the Illinois Supreme Court in Avery provides the proper framework for determining whether the alleged violations of the MCC occurred "primarily or substantially" within Chicago.

Both Chicago and Marriott argue that the Avery test, in this context, dictates that the Chicago ordinance (as it incorporates the ICFA) must only relate to transactions that occur primarily and substantially in Illinois. However, because home rule units cannot apply their regulations outside of their geographic borders, the Avery analysis limits the application of the MCC to transactions that occurred primarily and substantially within Chicago. See City of Evanston v. Create, Inc., 421 N.E.2d 196, 203 (Ill. 1981).

At the motion to dismiss stage, the focus must be the City's First Amended Complaint. Avery suggested that courts should consider factors such as plaintiff's residence, where the deceptive conduct occurred, where the damage to plaintiff occurred, and whether plaintiff communicated with the defendant or its agents in Illinois (here, Chicago). Rivera v. Google, Inc., 238 F. Supp. 3d 1088, 1101 (N.D. Ill. 2017) (citing Avery, 835 N.E.2d at 823-24). When we look at the FAC, we see that the City was quite surgical in its pleadings. First, the FAC defines the "Chicago Victims" as "Chicago residents whose personal information was in Starwood's guest reservation database." First Am. Compl. ¶ 7 (emphasis added). Second, it alleges that Chicago residents were misled or deceived by representations on Marriott's website that it uses "reasonable physical, electronic and administrative safeguards to protect your Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and the risks involved in processing that information." Id. at ¶ 24. Third, it alleges that "Marriott's misconduct has injured Chicago residents, who make reservations at Marriott's properties from Chicago and stay in Marriott's Chicago hotels and throughout the country." Id. at ¶ 54 (emphasis added).

At a minimum, the City adequately has alleged that some of its residents, while located within Chicago, made on-line reservations (and provided their PI in the process of doing so) to stay in a Marriott hotel located within Chicago. And, it has alleged that some portion of those yet unidentified City residents had their PI compromised by the alleged failure of Marriott to live up to its online representations that it took reasonable precautions to protect the security of consumers who registered online to stay in a Chicago Marriott property, subjecting them to actual or foreseeable future injuries caused by the data breach, the effects of which will be felt in Chicago. Surely, that is enough to plead that "the circumstances relating to the [City's] . . . disputed transactions with [Marriott] . . . occurred primarily and substantially in [Chicago]." Avery, 835 N.E.2d at 854. For that reason, Marriott's request that I dismiss in a single coup de main the City's entire lawsuit because it seeks to apply the MCC in an extraterritorial fashion goes too far.

The resolution of these facts matters. See Shaw v. Hyatt Intern. Corp., No. 05-C-5022, 2005 WL 3088438 (N.D. Ill. Nov. 15, 2005) (holding that the ICFA did not apply to the disputed transaction because it involved a London resident who booked a room in Russia, even though the hotel's principal place of business was in Illinois). There are any number of possible iterations given the allegations of the FAC. Compare: Chicago resident booked a hotel while using the website in Chicago to stay at a Marriott within Chicago; Chicago resident booked a hotel while using the website in Chicago to stay at a Marriott outside of Chicago; and Chicago resident booked a hotel while using the website outside of Chicago to stay at a Marriott located outside of Chicago. It is not necessary at this phase of the case to do more than determine whether the FAC alleges that the circumstances surrounding some portion of Chicago residents had sufficient connection with Chicago such that they primarily and substantially occurred within the City. It does.

The FAC alleges four separate causes of action: Unfair practice—failure to safeguard personal information (Count 1); Unlawful Practice—failure to implement and maintain reasonable security measures (Count 2); Deceptive practice—misrepresentations and material omissions (Count 3); and Unlawful Practice—failure to give prompt notice of data breach (Count 4), all of which are alleged to violate MCC § 2-25-090(a). While discovery may reveal facts to show that some of the circumstances relating to alleged injuries to Chicago residents did not occur "primarily and substantially" in Chicago, thereby limiting the relief to which the City, suing on its own behalf to enforce the MCC, may be entitled to recover, or limiting the scope of any remedial order this court could impose on Marriott to redress any proven violations of the MCC, it is premature to dismiss the entire suit. Nemet Chevrolet, Ltd. v. Consumeraffairs.com, Inc., 591 F.3d 250 (4th Cir. 2009) (holding that all reasonable inferences at this stage must be made in favor of the plaintiff). Similarly, discovery may show that the number of identifiable Chicago residents who, while located in Chicago, registered online to stay in a Marriott property (in or outside Chicago) who were provably injured by the data breach is so small as not to justify some or all of the non-declaratory or injunctive relief that it seeks to recover. But those determinations are for another day, not on a motion to dismiss. Cosmetique, Inc. v. ValueClick, Inc., 753 F. Supp. 2d 716, 723 (N.D. Ill. 2010) ("[W]hether there is other evidence to show that the disputed transaction occurred primarily or substantially in [Chicago] can be properly assessed at the summary judgment stage, but it is premature to engage in such a factual analysis at the pleadings stage."). As the Illinois Supreme Court wisely has counseled "there is no single formula or bright-line test for determining whether a transaction occurs within this state. Rather, each case must be decided on its own facts." Avery, 835 N.E.2d at 854. What is necessary at this time is to develop those facts during discovery.

Facts developed during discovery may limit the scope of relief requested by Chicago, including, for example, the injunction. LG Electronics U.S.A., Inc. v. Whirlpool Corp., 809 F. Supp. 2d 857 (N.D. Ill. 2011) (holding that defendant's nationwide advertising of its dryers did not occur primarily and substantially in Illinois, and therefore denied a nationwide injunction). I am unable to assume that implementation of an injunction necessarily will have extraterritorial effect; factual development is needed.

Conclusion

In sum, Marriott's motion to dismiss is denied. Chicago has standing to request an injunction and monitoring fund as relief for its own injuries. As applied here to the facts pled in Chicago's complaint, MCC § 2-25-090(a) is a legitimate exercise of the City's home rule authority and does not violate the Illinois Constitution. Finally, if Chicago establishes liability for breach of the ordinance, relief could be fashioned that would prevent the ordinance from having an unconstitutional extraterritorial effect.

ORDER

Accordingly, on this thirteenth day of December, by the United States District Court for the District of Maryland, it is hereby ORDERED that the Defendant's motion to dismiss, ECF No. 331, IS DENIED. I will issue a scheduling order and set in a telephone conference to discuss further pretrial proceedings.

/S/_________

Paul W. Grimm

United States District Judge

