PAUL W. GRIMM, District Judge.
Pending before me is a Multidistrict Litigation ("MDL") action against Marriott International, Inc. and related entities concerning a data breach incident. In re Marriott, No. PWG-19-2879. One of the Plaintiffs in the MDL is the City of Chicago ("Chicago" or "City"), which seeks relief under a local consumer protection ordinance "for harm and injuries arising from" Marriott's
Before this Court is Marriott's motion to dismiss Chicago's first amended complaint ("FAC"). Defs.' Mot. to Dismiss, ECF No. 331. Marriott seeks to dismiss arguing that, as applied to this data breach, Chicago's local ordinance is unconstitutional under the Illinois Constitution. Id. at 6-8. The motion to dismiss the FAC is fully briefed, ECF Nos. 331-1, 384, 425. A hearing is not necessary. See Loc. R. 105.6. Chicago's ordinance is constitutional as applied to these facts because, as alleged, Chicago has standing to request an injunction and monitoring fund as relief for its own injuries. And under the facts pleaded in the FAC, the municipal ordinance under which Chicago has filed suit addresses a local problem, making it a legitimate exercise of the City's home rule authority as granted by the Illinois Constitution. Finally, in the event that Chicago establishes liability for breach of its ordinance, relief could be fashioned that would prevent the ordinance from having an extraterritorial effect. Therefore, the motion to dismiss is denied.
Marriott International, Inc. ("Marriott") is a global hotel chain, operating more than 7,000 properties across 131 countries, including 33 hotels throughout the City of Chicago. First Am. Compl. ¶ 17. In 2016, Marriott acquired Starwood Hotels & Resorts Worldwide, LLC ("Starwood"), making Marriott the world's largest hotel chain. Id. ¶ 18.
On November 30, 2018, Marriott announced that it was the subject of the second largest data breach in history. Id. ¶ 1. Marriott revealed that hackers had obtained access to the Starwood reservation database for four years, which it failed to detect until September 8, 2018. Id. ¶¶ 35-36. The breached database contained information about approximately 500 million guests. Id. ¶ 38. For an estimated 327 million guests, the compromised information includes some or all of the following personal information: full names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. Id. ¶ 39. Additionally, the hackers stole about 8.6 million guests' encrypted payment card numbers and expiration dates, and, possibly, the information needed to decrypt those numbers. Id. ¶ 43.
On June 20, 2019, Chicago filed its first amended complaint against Marriott. Chicago contends that Marriott violated its municipal ordinance, MCC § 2-25-090(a), because it failed to protect Chicago residents' personal information, failed to detect the data breach promptly, inadequately responded to the breach, and failed to implement reasonable safeguards that would have prevented the breach and/or detected it sooner. Id. ¶¶ 83-86, 95. The City also alleges that Marriott mispresented to Chicago residents that it had reasonable security safeguards in place. Id. ¶¶ 100-02. Chicago alleges these acts or omissions occurred in the City, and that the breach affected Chicago residents, thus empowering the City to sue on its own and their behalf.
Chicago states that it does not need to allege injury or causation to state a claim for violations of its Municipal Code. Id. ¶ 54. Nonetheless, the City alleges that Marriott injured Chicago residents, "who make reservations at Marriott properties from Chicago and stay in Marriott's Chicago hotels and throughout the country." Id. Chicago alleges its residents have been injured in two ways: first, "had consumers known the truth about Marriott's data security practices . . . they would not have purchased rooms or otherwise stayed at Marriott hotels;" and second, "Marriott's misconduct has substantially increased the risk that the affected Marriott customers will be, or already have become, victims of identity theft or financial fraud." Id. ¶¶ 60, 67.
Chicago is seeking declaratory relief that Marriott violated MCC § 2-25-090(a); an injunction requiring Marriott "to adopt and implement reasonable safeguards to prevent, detect, and mitigate the effects of data breaches;" a monetary fine of up to $10,000 for each day a violation continues; a fund "to pay for adequate monitoring of this data breach, as well as for all precautions now necessary;" attorneys' fees and costs, pre- and post-judgment interest; and any other relief the Court deems reasonable. Id. at 28.
Marriott moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(1), arguing that the City of Chicago lacks standing. The Illinois Constitution permits "home-rule" units, like the City of Chicago, to regulate conduct that is of local concern, rather than statewide or national. Kalomidos v. Vill. of Morton Grove, 470 N.E.2d 266, 275 (Ill. 1984). Accordingly, Marriott also moves to dismiss pursuant to Fed. R. Civ. P. 12(b)(6), arguing that MCC § 2-25-090(a)'s application here is unconstitutional due to its extraterritorial effect and because it views the data breach as a national, as opposed to a local, problem. Defs.' Mem. 3.
To survive a motion to dismiss, a complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." Fed. R. Civ. P. 8(a)(2). Specifically, Marriott must establish "facial plausibility" by pleading "factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). However, "[t]hreadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. I must accept the well pleaded facts as alleged in Chicago's complaint as true. See Aziz v. Alcolac, 658 F.3d 388, 390 (4th Cir. 2011). And, I must construe the factual allegations "in the light most favorable to [the] plaintiff." Adcock v. Freightliner LLC, 550 F.3d 369, 374 (4th Cir. 2008) (quoting Battlefield Builders, Inc. v. Swango, 743 F.2d 1060, 1062 (4th Cir. 1984)).
Chicago brings this law suit under § 2-25-090(a) of its Municipal Code, which forbids any person from engaging in "consumer fraud, unfair method[s] of competition, or deceptive practices[s] while conducting a trade or business within the city." Chi. Ill. Mun. Code § 2-25-090(a). The Chicago code defines "unlawful practice" by reference to the Illinois Consumer Fraud and Deceptive Business Practices Act ("ICFA"). 815 Ill. Comp. Stat. 505/2 (1961); Id. In addition to the specific definitions of unlawful practices set forth in the ICFA, it also incorporates as prohibited conduct knowing violations of certain state statutes, including the Illinois Personal Information Protection Act ("IPIPA"). 815 Ill. Comp. Stat. 530/1 (2006). Chicago alleges that Marriott's data security practices were unfair, deceptive, and unlawful under its ordinance, the ICFA, and the IPIPA.
Marriott argues that the action should be dismissed because: (1) Chicago lacks Article III standing to obtain the relief it seeks on behalf of Chicago residents; and (2) under the Illinois Constitution, application of MCC § 2-25-090(a) to the data breach is unconstitutional. Defs.' Mem. 3, ECF No. 331-1. Marriott's constitutional argument is twofold—that Chicago's ordinance in this context exceeds its home rule authority under the Illinois Constitution because it seeks to solve a statewide or national problem rather than one of local concern, and because it is attempting to regulate conduct beyond its borders. Id. at 4.
To satisfy constitutional standing requirements, a plaintiff must have suffered an "injury in fact," that has a causal connection to the conduct complained of and can be "redressed by a favorable decision." Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992). Article III standing must be found to exist before a court may address the merits. Steel Co. v. Citizens for a Better Environment, 523 U.S. 83, 94 (1998). Marriott challenges Chicago's standing to sue on behalf of its citizens because its alleged "injury in fact" is insufficient to obtain the injunctive and equitable relief it requests, specifically, requiring Marriott to implement reasonable security measures and requiring Marriott to create a fund that helps Chicago residents mitigate the impact of the data breach, respectively. Because Chicago has sufficiently alleged a concrete injury to its own proprietary interests, it has standing to sue.
States may, under certain conditions, sue on behalf of their citizens. Massachusetts v. EPA, 549 U.S. 497 (2007). But this authority generally does not extend to subordinate governmental units, like counties or cities, to sue to vindicate the rights of their residents. Prince George's Cty. v. Levi, 79 F.R.D. 1, 4 (D. Md. 1977) ("However, this right enjoyed by the State of Maryland, to sue on behalf of its citizens does not give [Prince George's County] standing to represent its residents. The power of a political subdivision of a state is `derivative and not sovereign' and it may only sue to vindicate its own interests."); see also Bd. of Supervisors of Fairfax Cty., Virginia v. United States, 408 F.Supp. 556 (E.D. Va. 1976) (holding that a county may not sue on behalf of its residents by exercising parens patriae authority).
Marriott argues that Chicago does not have standing to seek the injunctive and equitable relief it requested. Davis v. Fed. Election Comm'n, 554 U.S. 724, 734 (2008) ("a plaintiff must demonstrate standing separately . . . for each form of relief that is sought") (internal quotation marks omitted); Defs.' Reply 11, ECF No. 425. Because municipalities, such as Chicago, cannot assert parens patriae standing, Marriott argues that Chicago cannot demand the above relief because they are both requested "not to address its own injuries but those of its residents." Defs.' Mem., 13. Marriott contends that Chicago's effort to force it to adopt additional data security measures is intended to protect "its residents' personal information, not any information belonging to the city," and that the monitoring fund is not meant to benefit Chicago, but to "mitigate a wave of identity theft and financial fraud it predicts will hit Chicago residents." Id. at 14. Chicago counters that it is seeking to enforce its municipal code on its own behalf, and therefore it is not exercising parens patriae standing. Pl.'s Opp. 5.
Both Chicago and Marriott cite a Ninth Circuit case that holds that a municipality must establish concrete injury to its proprietary interests to have standing. City of Sausalito v. O'Neil, 386 F.3d 1186, 1198 (9th Cir. 2004). There, the court explained that a municipality's proprietary interests may be "congruent with those of its citizens," and gave examples of sufficient proprietary interests to confer standing: "its ability to enforce land-use and health regulations," "its powers of revenue collections and taxation," "protecting its natural resources," and "land management." Id. In that case, Sausalito sought to prevent the National Park Service from developing Fort Baker, a nearby former military base. Id. at 1194. The court held that Sausalito had alleged injury to its proprietary interest because the Fort Baker Plan, if implemented, would "result in detrimental increase in traffic and crowds . . . affecting public safety," cause aesthetic injury with congestion, and would cause harm to "natural resources" with increased noise, trash, and impaired air quality that affect its "marina, parks, trails, and shoreline." Id. at 1198-99.
Chicago adequately has alleged injury to its municipal interests. It argues that, as applied to the facts alleged in the FAC, MCC § 2-25-090(a) protects its proprietary interests in the "tourism industry and dependent property and sales tax revenues" since Marriott operates hotels in Chicago, and that a decline in patronage at Marriott's hotels due to the data breach will diminish the revenue Chicago receives by way of hotel accommodation. Pl.'s Opp. 6 (quoting City of Sausalito, 386 F.3d at 1198). Chicago also alleged that "consumers place value in data privacy and security, and they consider that when making purchasing decisions," and that consumers "would not have purchased rooms or otherwise stayed at Marriott hotels" if they had "known the truth about Marriott's data security practices." First Am. Compl. ¶¶ 55, 59-60; Pl.'s Opp. 6-7. Therefore, the facts as pleaded (which must be taken as true at the motion to dismiss stage), plausibly alleged injury to Chicago's proprietary interests.
Preliminarily, Marriott challenges the application of MCC § 2-25-090(a) as applied to them on the basis that its enforcement is beyond the City's home rule authority, as granted by the Illinois Constitution, Article VII § 6 (1970) (hereinafter "1970 Constitution"). Adoption of Section 6 represented a dramatic shift in power between the State of Illinois and its local governments. City of Chicago v. StubHub, Inc., 979 N.E.2d 844, 850 (Ill. 2011) ("Under the 1870 Illinois Constitution, the balance of power between our state and local governments was heavily weighted towards the state. The 1970 Illinois Constitution drastically altered that balance, giving local governments more autonomy."). A review of the opinions of the Illinois Supreme Court and Court of Appeals since 1970 reveals a progression in their analysis of the scope of the home rule authority of a "local unit" (city, or municipality), and, over time, that scope has broadened and become more refined. Id. at 852 ("Essentially, the framers saw our role [in restricting home rule authority] under section 6(a) as narrow, and over time we developed an analytical framework consistent with that view."). Accordingly, care must be taken not to focus too narrowly on what may appear to be more restrictive statements about the scope of home rule authority in early court decisions, without keeping in mind later developments in the law that viewed that authority more expansively.
In the course of nearly fifty years of analysis of home rule authority by Illinois courts, the following overview emerges. First, home rule authority was intended to be broad in scope, and it allows concurrent local and state regulation of the same problem, unless the Illinois General Assembly explicitly has preempted home rule authority or made findings in enacting legislation that make it clear that statewide, as opposed to local, authority to legislate was intended. Park Pet Shop, Inc. v. City of Chicago, 872 F.3d 495, 500 (7th Cir. 2017) ("In areas of concurrent authority, the Illinois Constitution expressly requires a clear statement from the state legislature to oust a municipality's home-rule power."); Scadron v. City of Des Plaines, 606 N.E.2d 1154, 1158 (Ill. 1992) (Section 6(a) "was written with the intention that home rule units be given the broadest powers possible."). Second, reviewing courts have been cautioned not to find implied preemption of home rule authority where neither the express language of state legislation nor its legislative history evidences the clear intent of the General Assembly to preempt local home rule units from regulating a particular problem. Park Pet Shop, Inc., 872 F.3d at 500 (holding home rule legislation valid where "[s]tate government never had an exclusive role in addressing animal control issues," and "[n]o state animal-control statute explicitly ousts or limits Chicago's power to regulate in this area"); Blanchard v. Berrios, 72 N.E.3d 309, 318 (Ill. 2016) ("[S]ection 6 as a whole was intended to prevent implied preemption, or preemption by judicial interpretation."). Third, as a general matter, local home rule units may not regulate beyond their borders. Accel Entm't Gaming, LLC v. Vill. of Elmwood Park, 46 N.E.3d 1151, 1160 (Ill. App. Ct. 2015) (holding that an ordinance requiring licensing of video game terminals was a valid exercise of home rule authority because "the Village's concern is not video-gaming regulation generally but regulation of video gaming within the boundaries of the Village"). And, finally, Illinois courts have acknowledged that determining whether home rule authority exists in a particular case may be hard to do at times, requiring case-by-case analysis of the underlying facts. StubHub, Inc., 979 N.E.2d at 851 ("The framers, however, understood that further interpretation of section 6(a)'s intentionally imprecise language would fall to the judicial branch."); Kalodimos v. Village of Morton Grove, 470 N.E.2d 266, 274 (Ill. 1984) ("Whether a particular problem is of statewide rather than local dimension must be decided not on the basis of a specific formula or listing set forth in the Constitution."). But, however challenging the analysis may be to apply in a particular case, the Illinois courts have given a clear analytical framework for courts to follow when undertaking to do so.
The first step is to determine whether the ordinance enacted by a local home rule unit is within the express scope of authority granted by Article VII § 6 of the 1970 Constitution. It states, relevantly: A home rule unit "may exercise any power and perform any function pertaining to its government and affairs including, but not limited to, the power to regulate for the protection of the public health, safety, morals and welfare; to license; to tax; and to incur debt." Ill. CONST. art. VII, § 6(a). Additionally, "[h]ome rule units may exercise and perform concurrently with the State any power or function of a home rule unit to the extent that the General Assembly by law does not specifically limit the concurrent exercise or specifically declare the State's exercise to be exclusive." Ill. CONST. art. VII, § 6(i). And lastly, the "[p]owers and functions of home rule units shall be construed liberally." Ill. CONST. art. VII, § 6(m).
The key is to determine whether the challenged home rule unit's ordinance pertains to its own government and affairs. It does if it regulates for the protection of the public health, safety, morals and welfare of its residents. In order to correctly answer this question, it is important to define the problem sought to be addressed by the home rule unit's ordinance. StubHub, Inc., 979 N.E.2d at 853 (acknowledging that the City has explicit home rule authority to tax, but "the problem [solved by the ordinance] is not the tax, but its collection by internet auction listing services, whose users created a new market in online ticket resales."). As applicable to this case, the problem that Chicago attempts to reach through MCC § 2-25-090(a) is the protection of personal identifying information of Chicago residents who provide it to data holders such as Marriott who do business within Chicago. The problem is not fairly characterized as regulating online data security at large or in the abstract, as Marriott suggests. Defs.' Reply 3-4, ECF No. 425 ("The city is purporting to regulate data security practices that took place beyond its borders and that allegedly affected individuals in cities and states throughout the country.").
Once the problem that the home rule unit's ordinance seeks to address properly has been defined, the court must determine whether it pertains to the local home rule unit's own government and affairs. Vill. of Bolingbrook v. Citizens Utilities Co. of Ill., 632 N.E.2d 1000, 1001 (Ill. 1994). As the Illinois Supreme Court put it, "[a]n ordinance pertains to the government and affairs of a home rule unit where the ordinance relates to problems that are local in nature rather than State or national." Id. at 1002; see also People ex rel. Bernardi v. City of Highland Park, 520 N.E.2d 316, 320 (Ill. 1988); Kalodimos, 470 N.E.2d at 274; Ampersand, Inc. v. Finley, 338 N.E.2d 15, 18 (Ill. 1975); Cty. of Cook v. Vill. of Bridgeview, 8 N.E.3d 1275, 1279 (Ill. App. Ct. 2014). This seemingly simple distinction is anything but. Problems can be local, regional, statewide, or national. See, e.g., City of Des Plaines v. Chicago & N. W. Ry. Co., 357 N.E.2d 433, 435 (Ill. 1976) (noise caused by single automobile honking louder than allowed by municipal noise control ordinance of local concern; noise caused by train travelling interstate across municipal boundaries is not); Metro. Sanitary Dist. of Greater Chicago v. City of Des Plaines, 347 N.E.2d 716, 718 (Ill. 1976) (environmental regulation of sewage plant serving multiple municipalities of regional concern); Cty. of Cook, 8 N.E.3d at 1279 (spread of rabies by overpopulation of feral cats statewide or national issue)). "Extreme cases are clear. . . [d]ifficulty arises, however, when a problem has a local as well as a statewide or national impact." Vill. of Bolingbrook, 632 N.E.2d at 1002.
When problems are both local and statewide, Illinois courts use a three factor test to determine which level of government has regulatory primacy: "[w]hether a particular problem is of statewide rather than local dimension must be decided not on the basis of a specific formula or listing set forth in the Constitution but with regard for the nature and extent of the problem, the units of government which have the most vital interest in its solution, and the role traditionally played by local and statewide authorities in dealing with it." Kalodimos, 470 N.E.2d at 274; Cty. of Cook, 8 N.E.3d at 1279.
Chicago has alleged that the nature and extent of the problem is local. The nature of the problem is the protection of personal identifying information of Chicago residents. Illinois courts assess the extent of the problem by determining whether the problem is pervasive throughout the state or nation, or merely within the home rule body's geographical borders. If the ordinance seeks to rectify a problem that persists beyond its borders, it is not of local concern. For example, in Vill. of Bolingbrook, the court held that the extent of the problem, sewage discharges, was local in nature because the Village suffered the main impact of the problem, not the state, and because the problem amounted to isolated incidents in the Village and was not common in other localities. 632 N.E.2d at 1003 ("Where the impact of a problem is confined to an isolated area, and there is no evidence that the particular problem is common throughout the State, the `nature and extent of the problem' are local in dimension."). Chicago has argued that it seeks to rectify only "Marriott's misrepresentations to Chicagoans regarding its data security practices, its failure to protect Chicagoans' data, and its delayed notice to Chicagoans about the breach—all while operating within City limits." Pl.'s Opp. 13. As pleaded, the extent of the problem—protection of personal identifying information provided to businesses doing business in Chicago by Chicago residents who will feel the impact of that data breach within Chicago—is local.
Further, at this stage in the proceedings there are insufficient facts known to determine whether the extent of the problem is statewide or national. Marriott's argument that Chicago was not affected differently than any other city in the United States by this incident is just that— argument. Its ipse dixit pronouncements are not facts. Cf. Cty. of Cook v. Vill. of Bridgeview, 8 N.E.3d 1275, 1279 (Ill. App. Ct. 2014) (holding, on appeal from cross motions of summary judgment, that the extent of the problem—the spread of rabies—was not local based entirely upon expert testimony that the feral cat problem was of national concern.).
For this reason, given the record as it now stands, the first Kalodimos factor favors the City.
The second Kalodimos factor focuses on which unit of government has the most vital interest in resolving the problem. Here, Illinois courts have been informed by the text of the state legislation (whether it expressly preempts local regulation), as well as legislative history of the state statute enacted by the General Assembly that addresses the same problem that the local home rule unit has sought to regulate. In particular, the focus has been on whether the Illinois General Assembly has made legislative findings or otherwise clearly stated a preference for statewide as opposed to local regulation of a problem. City of Des Plaines, 357 N.E.2d at 436 (referencing the legislative findings made by the General Assembly when enacting the Illinois Environmental Protection Act which demonstrated a need for "a unified, state-wide program," as well as the comments of the Local Government Committee in its report to the Illinois Constitutional Convention).
Here, the parties have not cited, nor has my own research revealed, any legislative history regarding the passage of the ICFA or IPIPA that would suggest that the Illinois General Assembly considered consumer protection at large and the protection of personal information privacy in particular to be uniquely within the purview of the state, as opposed to local, regulation.
Again focusing on the second factor, Illinois courts have also looked to see whether the local ordinance and state statute are complementary, such that they are capable of being enforced together, or whether they are incompatible, such that the enforcement of the home rule unit's ordinance would hinder or undermine the state's enforcement of a statute enacted by the General Assembly. Cty. of Cook, 8 N.E.3d at 1277-79 (reasoning that because there was an incompatible conflict between the regulation of feral cats by the Village, a home rule municipality, and the County's regulation of the same problem, the court had to decide which had a more vital role in regulating rabies control and ruled that the County's ordinance prevailed, because the municipal ordinance prohibited conduct that the County regulations specifically allowed); Accel Entm't Gaming, LLC, 46 N.E.3d at 1161 (holding that the Video Gaming Act did not evidence such a vital state interest in regulating video games that home rule units cannot concurrently regulate because "plaintiff has not demonstrated that the Village under its Ordinance will interfere with the interests of the State in the adoption and application of its Ordinance"). When a local home rule unit's ordinance operates in harmony with state statutes regulating the same problem, Illinois courts have found that the local regulation is within the home rule authority granted by the Illinois Constitution. Id. When they clash, and the local home rule unit's ordinance interferes with the state's enforcement of a statute, Illinois courts have found that the home rule unit exceeded its authority under Article VII, § 6 of the 1970 Constitution. City of Des Plaines, 357 N.E.2d at 436 (holding that the fact that the legislature intended to establish a "unified, state-wide program" that the Des Plaines' ordinance conflicted with, "provide[d] further evidence of the recognition of noise pollution as a matter of statewide concern").
Under the facts as pleaded in the FAC, it is difficult to imagine a more harmonious relationship between Chicago's MCC § 2-25-090(a) and the consumer protection and personal information privacy protection legislation enacted by the Illinois General Assembly. This is because Chicago's ordinance expressly incorporates the provisions of the ICFA and through it, the IPIPA. There simply is no basis for concluding that Chicago's interest in protecting the integrity of its residents' personal identifying information disclosed in connection with their transactions with businesses that do business in Chicago is subordinate to the State of Illinois' interests in protecting citizens statewide from the same risks associated with data security breaches, especially when the vehicle for doing so exactly mirrors the protections afforded by the state statutes. Nor is there any indication here that the ability of Illinois to enforce the ICFA and IPIPA is in any way undermined by MCC § 2-25-090(a).
For these reasons, the second Kalodimdos factor militates in favor of finding that MCC § 2-25-090(a) (as applied to the facts alleged in the FAC) does not exceed Chicago's home rule authority.
The third Kalodimos factor focuses on whether the local government unit or the state traditionally has played the dominant role in dealing with the problem regulated by the local home rule unit ordinance. The Illinois Supreme Court recently summarized this factor as follows: "The mere existence of comprehensive state regulation is insufficient to preclude the exercise home rule by a local governmental entity. Instead, courts will `declare a subject off-limits to local government control only where the state has a vital interest and a traditionally exclusive role.'" Blanchard v. Berrios, 72 N.E.3d 313,319 (Ill. 2016) (internal citations omitted); City of Chicago v. StubHub, Inc., 979 N.E.2d 844, 852 (Ill. 2012).
It is true that Illinois "has a long history of protecting consumers, dating back to 1961 with the criminalization of deceptive practices . . . and the enactment of the [ICFA]." Stubhub, 979 N.E.2d at 855. Similarly, it cannot be disputed that the State of Illinois has played an important role in the regulation of data collectors that store the personal information of Illinois residents, through its enactment of IPIPA in 2006. But, considering that this statute is only thirteen years old, it is difficult to describe the state's role as "traditional," given that regulatory concerns about the protection of personal data is of relatively recent vintage. Accel Entm't Gaming, LLC, 46 N.E.3d at 1162 (holding that although the state has a traditional role regulating commercial gambling, the local ordinance regulates video gaming, which has only been "permitted within the State for less than a decade," rendering this factor "not particularly strong with respect to the video gaming context specifically"). Id. Nor is there anything in the sparse text of the IPIPA itself that reflects an intent on the part of the Illinois General Assembly that this authority be exclusive to the state, to the exclusion of local regulation. And, finally, as discussed above, the parties have not cited, nor has my research disclosed, any findings in the legislative history of the IPIPA that reflects an intent on the part of the General Assembly that the IPIPA preempted home rule units from passing ordinances to protect their residents from the effects of data breaches that jeopardize the protection of their personal information. Therefore, the third Kalomidos factor also militates against a finding that the protection of personal information is a matter of exclusive statewide regulation.
In sum, the City's application of MCC § 2-25-090(a) to the data security breach that underlies this case does not violate the home rule provisions of Article VII § 6 of the 1970 Constitution. The next issue that must be addressed is whether the City impermissibly seeks to enforce this ordinance extraterritorially.
In addition to the requirement that home rule units may only legislate to address local, as opposed to regional, state, or national problems, the Illinois Supreme Court ruled, not long after the Illinois Constitutional Convention adopted home rule authority, that home rule regulations could not be applied extraterritorially. In City of Carbondale v. Van Natta, the court observed "an examination of the proceedings of the [Illinois Sixth Constitutional] convention shows that the intention was not to confer extraterritorial sovereign or governmental powers directly on home rule units. The intendment shown is that whatever extraterritorial governmental powers home rule units may exercise were to be granted by the legislature." 338 N.E.2d 19, 20 (Ill. 1975).
Section 2-25-090(a) of the Municipal Code of Chicago ("MCC"), enacted in 2008, prohibits any person from engaging "in any act of consumer fraud, unfair method of competition, or deceptive practice while conducting any trade or business in the city. Any conduct constituting an unlawful practice under the [ICFA], as now or hereafter amended . . . relating to business operations or consumer protection shall be a violation of this section." MCC § 2-25-090(a). As both Chicago and Marriott agree, the ICFA itself incorporates as part of its consumer protection provisions IPIPA. As relevant to this case, IPIPA requires data collectors such as Marriott to "implement and maintain reasonable security measures to protect [personal information ("PI") concerning Illinois residents] . . . from unauthorized access, acquisition, destruction, use, modification, or disclosure," to notify Illinois residents on a timely basis of any breach of their data system that may have compromised the integrity of the PI of Illinois residents, and to take further actions to ameliorate the breach. First Am. Compl. ¶¶ 93, 107. Thus, the City alleges that Marriott's data security breach violated the MCC, standing alone, as well as the ICFA, as incorporated into the MCC, and the IPIPA, as incorporated into the ICFA. Specifically, Chicago alleges that "Marriott's failure to secure its servers" where PI is stored "has injured Chicago residents, who make reservations at Marriott properties from Chicago and stay in Marriott's Chicago hotels and throughout the country." Id. at ¶ 54. As a consequence, the City has pleaded that "Marriott has subjected Chicago residents whose personal information was in [Defendant] Starwood's guest reservation database . . . to potential identify theft, financial fraud, tax return scams, and other potential ongoing harm. At the very least, Chicago Victims will be forced to spend time and money in an attempt to protect themselves against the substantially increased risk of injury caused by Marriott's misconduct." Id. at ¶ 7. As part of the relief the City seeks, it asks this Court to order that Marriott create "a fund in the amount required to pay for adequate monitoring of this data breach as well as for all precautions now necessary as a result of the Defendants' conduct," and to impose monetary fines up to $10,000.00 per day for each offense. Id. at 28, ¶¶ C, D.
The parties have not cited, nor has my research located, any explicit language in any legislation enacted by the Illinois General Assembly granting the City of Chicago authority to enforce MCC § 2-25-090(a) beyond the city limits, nor does the City claim that such authority exists. Rather, Chicago argues that the relief they seek in this case involves no extraterritorial application of the MCC, because the transactions giving rise to their claims occurred "primarily within Chicago." Pl.'s Opp. 17. Unsurprisingly, Marriott strongly disagrees. Defs.' Mem. 4-6, 11 (arguing that the conduct being regulated, data security practices, occurs outside of Chicago's borders in places like Maryland, Marriott's headquarters).
Fortunately, by analogy, the Illinois Supreme Court has provided the analytical framework for determining whether the conduct the City alleges against Marriott falls within the scope of the MCC, as it incorporates the ICFA (and, through it, the IPIPA). In Avery v. State Farm Mut. Auto. Ins. Co., the court was asked to decide whether a nationwide class action could be brought on behalf of Illinois residents as well as residents of other states for violations of the ICFA. 835 N.E.2d 801, 849 (Ill. 2005). The defendant, State Farm Automobile Insurance Company, challenged the Illinois Circuit Court's "application of the [ICFA] to policyholders across the country . . . because the Act, by its own terms does not apply to consumer transactions involving nonresidents that occur outside Illinois." Id. The court began its analysis with the text of § 2 of the ICFA, which "provides that `deceptive acts or practices . . . or the concealment, suppression or omission of any material fact, with intent that others rely upon the concealment, suppression or omission of such material fact . . . in the conduct of any trade or commerce are hereby declared unlawful.'" Id. Section 1(f) of the ICFA defined "trade" and "commerce" as:
The Plaintiffs in Avery argued that section 1(f) applied to transactions "wherever situated," whether within or outside of Illinois. Id. at 850. Not so, the court concluded, holding instead that:
Id. (internal citations omitted). State Farm argued that the use of the words "the people of this state" in section 1(f) of the ICFA restricted its application to transactions that took place within Illinois. But the Plaintiffs countered that the use of the words "directly or indirectly" in section 1(f) broadened the scope of the words "the people of this state" so that trade or commerce that took place outside of Illinois, but which had an impact on Illinois residents, was within the reach of the ICFA. Id.
The Illinois Supreme Court observed that section 1(f) of the ICFA had been interpreted inconsistently by both Illinois Federal Courts and the Illinois Appellate Court, some decisions imposing a geographical limitation, while others rejected such a limit. 835 N.E.2d at 851-52. Left with this inconclusive interpretive history, the court observed:
Id. at 852 (internal citations omitted).
Drawing from the statement of Senator Sours, the sponsor of the bill that added the private cause of action remedy to the ICFA, that "[w]e're talking about trade and commerce that is not included within the interstate concept," and the "long-standing rule of construction in Illinois which holds that a `statute is without extraterritorial effect unless a clear intent in this respect appears from the express provisions of the statute,'" the Illinois Supreme Court concluded that "the General Assembly did not intend the Consumer Fraud Act to apply to fraudulent transactions which take place outside of Illinois." Id. at 852-53 (internal citations omitted).
But that was not the end of the matter, because as the court observed "it can be difficult to identify the situs of a consumer transaction when, as plaintiffs in this case allege, the transaction is made up of components that occur in more than one state." Id. at 853. The Illinois Supreme Court looked to the analysis of the Court of Appeals of New York in its interpretation of the New York consumer fraud statute in Goshen v. Mutual Life Insurance Co., 774 N.E.2d 1190 (N.Y. 2002). In Goshen, the Court of Appeals of New York concluded that the "origin of any advertising or promotional conduct is irrelevant if the deception itself—that is, the advertisement or promotional package—did not result in a transaction in which the consumer was harmed." Id. at 1196. This led that court to conclude that the location of the deception, rather than the location of the origin of the misleading or fraudulent conduct, was the controlling factor in determining whether a consumer protection violation had occurred. Id.
But the Illinois Supreme Court reasoned that the issue was more complex than simply identifying the place where the consumer was located at the time that he or she was deceived or mislead. Rather, the court observed:
Avery, 835 N.E.2d at 853. Importantly, the Illinois Supreme Court added:
Id. at 853-54 (internal citations omitted).
I am persuaded that the approach taken by the Illinois Supreme Court in Avery provides the proper framework for determining whether the alleged violations of the MCC occurred "primarily or substantially" within Chicago.
At the motion to dismiss stage, the focus must be the City's First Amended Complaint. Avery suggested that courts should consider factors such as plaintiff's residence, where the deceptive conduct occurred, where the damage to plaintiff occurred, and whether plaintiff communicated with the defendant or its agents in Illinois (here, Chicago). Rivera v. Google, Inc., 238 F.Supp.3d 1088, 1101 (N.D. Ill. 2017) (citing Avery, 835 N.E.2d at 823-24). When we look at the FAC, we see that the City was quite surgical in its pleadings. First, the FAC defines the "Chicago Victims" as "Chicago residents whose personal information was in Starwood's guest reservation database." First Am. Compl. ¶ 7 (emphasis added). Second, it alleges that Chicago residents were misled or deceived by representations on Marriott's website that it uses "reasonable physical, electronic and administrative safeguards to protect your Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data and the risks involved in processing that information." Id. at ¶ 24. Third, it alleges that "Marriott's misconduct has injured Chicago residents, who make reservations at Marriott's properties from Chicago and stay in Marriott's Chicago hotels and throughout the country." Id. at ¶ 54 (emphasis added).
At a minimum, the City adequately has alleged that some of its residents, while located within Chicago, made on-line reservations (and provided their PI in the process of doing so) to stay in a Marriott hotel located within Chicago.
The FAC alleges four separate causes of action: Unfair practice—failure to safeguard personal information (Count 1); Unlawful Practice—failure to implement and maintain reasonable security measures (Count 2); Deceptive practice—misrepresentations and material omissions (Count 3); and Unlawful Practice—failure to give prompt notice of data breach (Count 4), all of which are alleged to violate MCC § 2-25-090(a). While discovery may reveal facts to show that some of the circumstances relating to alleged injuries to Chicago residents did not occur "primarily and substantially" in Chicago, thereby limiting the relief to which the City, suing on its own behalf to enforce the MCC, may be entitled to recover, or limiting the scope of any remedial order this court could impose on Marriott to redress any proven violations of the MCC,
In sum, Marriott's motion to dismiss is denied. Chicago has standing to request an injunction and monitoring fund as relief for its own injuries. As applied here to the facts pled in Chicago's complaint, MCC § 2-25-090(a) is a legitimate exercise of the City's home rule authority and does not violate the Illinois Constitution. Finally, if Chicago establishes liability for breach of the ordinance, relief could be fashioned that would prevent the ordinance from having an unconstitutional extraterritorial effect.
Accordingly, on this thirteenth day of December, by the United States District Court for the District of Maryland, hereby ORDERED that the Defendant's motion to dismiss, ECF No. 331, IS DENIED. I will issue a scheduling order and set in a telephone conference to discuss further pretrial proceedings.
