From Casetext: Smarter Legal Research

In re Marriott Int'l Customer Data Sec. Breach Litig.

United States District Court, District of Maryland
Sep 8, 2022
MDL 19-md-2879 (D. Md. Sep. 8, 2022)

Opinion

MDL 19-md-2879

09-08-2022

IN RE MARRIOTT INTERNATIONAL, INC., CUSTOMER DATA SECURITY BREACH LITIGATION v. Marriott Int'l, Inc., et. al., No. 19-cv-654 City of Chicago


MEMORANDUM OPINION

Paul W. Grimm, United States District Judge

Pending before me is a Multidistrict Litigation (“MDL”) action against Marriott (and related entities) concerning a data breach. One of the Plaintiffs in the MDL is the City of Chicago (“Chicago” or “City”), which seeks relief under a local consumer protection ordinance “for harm and injuries arising from” the data security incident. First Am. Compl., ECF Nos. 294 (redacted), 296 (sealed). Presently before this Court is Marriott's motion to exclude the opinions of Plaintiffs' standing expert (“Daubert motion”), Marriott's Federal Rule of Civil Procedure 12(b)(1) motion to dismiss for lack of standing, and Marriott's Federal Rule of Civil Procedure 56 motion for summary judgment. For the reasons discussed below, Marriott's Daubert motion is DENIED, Marriott's Rule 12(b)(1) motion to dismiss is GRANTED IN PART and DENIED IN PART, and Marriott's summary judgment motion is DENIED.

Chicago brought this action against two defendants: Marriott International, Inc., and Starwood Hotels and Resorts Worldwide, LLC. They will be referred to collectively as “Marriott” unless otherwise indicated. First Am. Compl., ECF Nos. 294 (redacted), 296 (sealed).

These motions are fully briefed. See Defs.' Mot. to Exclude (“Defs.' Daubert Mot.”), ECF Nos. 944 (sealed), 946 (redacted); Pls.' Daubert Opp'n, ECF Nos. 974 (sealed), 976 (redacted); Defs.' Mot. for Summary Judgment (“Defs.' S.J. Mot.”), ECF Nos. 943 (sealed), 945 (redacted); Pls.' S.J. Opp'n, ECF Nos. 975 (sealed), 977 (redacted); Defs.' S.J. Reply, ECF Nos. 989 (sealed), 990 (redacted). Defendants' motion to dismiss for lack of standing (and related briefing) is included alongside their motion for summary judgment (and related briefing). A hearing is not necessary. See Loc. R. 105.6 (D. Md. 2021).

FACTUAL BACKGROUND

Marriott is a global hotel chain currently operating more than 8,000 properties across 139 countries and territories, including over 30 properties in Chicago, see Pls.' Ex. 2. In 2016, Marriott acquired Starwood Hotels and Resorts, making Marriott the largest hotel chain in the world. On November 30, 2018, Marriott announced that it was the target of one of the largest data breaches in history. See Defs.' Ex. 28; Pls.' Ex. 26. The breach took place in its Starwood guest reservation database. Defs.' Ex. 28.

Marriott Int'l, https://www.marriott.com/marriott/aboutmarriott.mi (last visited Aug. 26, 2022).

During the relevant time frame for this lawsuit, Marriott operated between 27 and 29 properties in Chicago. See Pls.' Ex. 2.

Marriott buys Starwood, becoming world's largest hotel chain, CNBC (Sept. 23, 2016), https://www.cnbc.com/2016/09/23/marriott-buys-starwood-becoming-worlds-largest-hotel-chain.html.

When guests make a reservation to stay at a Marriott property, they must provide personal information including their name, home address, email address, phone number, and payment card information. Pls.' Ex. 2. In some instances, Marriott also collects passport information, room preferences, travel destinations, and other personal information. Id.; see also Defs.' Ex. 28. Both Marriott and Starwood had privacy statements concerning their collection and use of this personal information and touting their ability to protect the security of this sensitive information. Pls.' Exs. 3, 4. Investigations into the data breach indicated that for over four years, from July 2014 to September 2018, hackers had access to Starwood's guest information database-the “New” Data Storage (“NDS”) database-that contained this personal information. Defs.' Ex. 28. In other words, the data breach was ongoing before and after Marriott's acquisition of Starwood. During the data breach, the hackers exported customers' personal information. Id. In total, the breach impacted approximately 133.7 million guest records associated with the United States, including an estimated 2.4 million records associated with Chicago. Pls.' Ex. 2.

Chicago contends that Marriott's conduct with respect to the data breach violated the City's consumer protection ordinance, MCC § 2-25-090(a). First Am. Compl. Specifically, Chicago argues that Marriott failed to safeguard the personal information of Chicago residents, failed to implement and maintain reasonable security measures for that information, misrepresented to Chicago residents that it had reasonable security safeguards in place, and failed to give prompt notice of the data breach to Chicago residents. First Am. Compl. at ¶¶ 80-108. Chicago asserts that it has standing to bring this lawsuit against Marriott because the City itself suffered a loss in tax revenue as a result of the data breach. Pls.' Opp'n at 4. Chicago provided the expert opinions of Dr. Coleman Bazelon, Ph.D., to demonstrate that the breach caused a tax loss for the City. Id. Marriott brings a Daubert challenge, arguing that Dr. Bazelon's opinions are inadmissible. Defs.' Daubert Mot. In addition to challenging the admissibility of Dr. Bazelon's opinions, Marriott brings a Rule 12(b)(1) factual challenge, arguing that the Court lacks subject matter jurisdiction (at least as to aspects of Chicago's action) because Chicago has failed to provide evidence of standing to seek equitable relief-even if Dr. Bazelon's expert opinions are admitted under Daubert. Defs.' S.J. Mot. at 21-35. Marriott also has filed a summary judgment motion, arguing that Chicago's enforcement of its consumer protection ordinance in this case would exceed the City's home rule authority under the Illinois Constitution. Defs.' S.J. Mot. at 4-13. In filing that motion, Marriott also contends that Chicago's action constitutes an impermissible extraterritorial application of the ordinance. Defs.' S.J. Mot. at 13-21. I will address each of these motions in turn, starting with the Daubert motion.

DAUBERT MOTION

Marriott challenges the admissibility of Dr. Bazelon's expert opinions that the City of Chicago experienced a loss in tax revenue and that the data breach caused that loss. Marriott styles its motion as a Daubert challenge, based on the now-famous case of Daubert v. Merrell Dow Pharm. Inc., 509 U.S. 579 (1993) and its progeny, Kumho Tire Co. v. Carmichael, 526 U.S. 137 (1999) and Gen. Elec. Co. v. Joiner, 522 U.S. 136 (1997) (collectively, “Daubert”).

I. Standard of Review

I already explained-at some length-the proper standard of review for a Daubert challenge in the Consumer Track of this MDL. See In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., No. 19-md-2879, 2022 WL 1323139, at *3-6 (D. Md., May 3, 2022). I will repeat an abbreviated version of that explanation here:

The starting place for any Daubert analysis is Federal Rule of Evidence 702, as amended in 2000 to incorporate the teachings of Daubert and its progeny. [Rule] 702 states:
A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:
(a) the expert's scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue;
(b) the testimony is based on sufficient facts or data;
(c) the testimony is the product of reliable principles and methods; and
(d) the expert has reliably applied the principles and methods to the facts of the case.
Fed. R. Evid. 702. The advisory note to the 2000 amendments to Rule 702 (“2000 Advisory Note”) is essential reading for judges and lawyers who undertake a Daubert analysis. There are several key takeaways that should be kept in mind. First, Rule 702 was amended in 2000 for the express purpose of incorporating the teachings of Daubert and its progeny, to fulfill their requirement that trial judges act “as gatekeepers to exclude unreliable expert testimony” with regard to all expert testimony, not just that which is science-based. 2000 Advisory Note (case citations omitted).
Second, the 2000 amendment to Rule 702 “provides some general standards that the trial court must use to assess the reliability and helpfulness of proffered expert testimony.” Id. In making this assessment, the trial court must apply Federal Rule of Evidence 104(a), which states that the “proponent [of the expert testimony] has the burden of establishing that the pertinent admissibility requirements are met by a preponderance of the evidence.” Id.
Third, the 2000 Advisory Note observes that:
Daubert set forth a non-exclusive checklist for trial courts to use in assessing the reliability of scientific [or any other] expert testimony. The specific factors explicated by the Daubert Court are (1) whether the expert's technique or theory can or has been tested-that is, whether the expert's theory can be challenged in some objective sense, or whether it is instead simply a subjective, conclusory approach that cannot reasonably be assessed for reliability; (2) whether the technique or theory has been subject to peer review and publication; (3) the known or potential rate of error of the technique or theory when applied; (4) the existence and maintenance of standards and controls; and (5) whether the technique or theory has been generally accepted in the scientific community.
Id.
Fourth, the so-called “Daubert factors” “were neither exclusive nor dispositive. Other cases have recognized that not all of the specific Daubert factors can apply to every type of expert testimony.” Id. And, additional factors may be relevant to the inquiry, such as: whether the expert will be testifying about matters that grow “naturally and directly out of research they have conducted independent of litigation, or whether they have developed their opinions expressly for purposes of testifying”; whether “the expert has unjustifiably extrapolated from an accepted premise to an unfounded conclusion”; whether “the expert has adequately accounted for obvious alternative explanations”; whether “the expert ‘is being as careful as he would be in his regular professional work outside his paid litigation consulting”; and whether “the field of expertise claimed by the expert is known to reach reliable results for the type of opinion the expert would give.” Id.
Fifth, “[a] review of the case law after Daubert shows that the rejection of expert testimony is the exception rather than the rule.
Daubert did not work a ‘seachange over federal evidence law,' and ‘the trial court's role of gatekeeper is not intended to serve as a replacement for the adversary system'”-where “[v]igorous crossexamination, presentation of contrary evidence, and careful instruction on the burden of proof are the traditional and appropriate means of attacking shaky but admissible evidence.” Id. (internal citations omitted). “Likewise, this amendment is not intended to provide an excuse for an automatic challenge to the testimony of every expert.” Id.
If the foregoing Daubert factors provide “up-close” guidance about how a challenge to expert testimony should be addressed by the trial judge, Daubert itself provides a helpful “birdseye” view, to make sure the court does not overlook the evidentiary forest for the many scientific and technical “trees.” As Justice Blackmun helpfully observed in Daubert, there are four related and sometimes overlapping concepts that help guide a trial judge in deciding a Daubert challenge. The expert evidence must be relevant (tending to prove or disprove facts that are consequential to the determination of the case), reliable (sufficiently accurate to be counted on, elsewise it is of no relevance), helpful to the factfinder (otherwise it is entirely unnecessary, as experts are only allowed to offer opinion testimony when the factfinders lack the knowledge and expertise to evaluate the scientific or technical evidence on their own), and must “fit” the facts and issues of the specific case (otherwise it is irrelevant, and unhelpful). Daubert, 509 U.S. at 591-93 (emphasis added).
[. . .]
The post-Daubert case law largely tracks the requirements of Rule 702, as amended in 2000. For example, in Hickerson v. Yamaha Motor Corp., 882 F.3d 476 (4th Cir. 2018), the Fourth Circuit summarized the standards governing a Daubert challenge. The court noted that in fulfilling their gatekeeping duty, trial judges “‘have considerable leeway' in excluding evidence,” and are required to ensure that “[e]xpert testimony must be ‘based on sufficient facts or data,' and the expert must arrive at his opinions by properly applying ‘reliable principles and methods' to the facts.” Id. at 480 (internal citations omitted). As for determining the reliability of expert evidence, the court referenced the well-known Daubert factors, namely, whether the methodology: has been tested; has been subjected to peer review; when employed, produces an ascertainable potential error rate (that is not excessively high); is governed by standards controlling its operation; and enjoys general acceptance within the relevant scientific or technical community. Id. at 480-81 (citing Cooper v. Smith Nephew, Inc., 259 F.3d 194, 199 (4th Cir. 2001)
and Daubert, 509 U.S. at 592-94). Further, the Rule 702 inquiry is intended to be a “flexible” one, which means that the Daubert factors are “helpful, not definitive.” Hickerson, 882 F.3d at 481 (citing Kumho Tire, 526 U.S. at 150-51 and Daubert, 509 U.S. at 593). Finally, when applying these standards “courts ‘should be conscious of two guiding, and sometimes competing principles[:] Rule 702 was intended to liberalize the introduction of relevant expert evidence [and] expert witnesses have the potential to be both powerful and quite misleading.'” Hickerson, 882 F.3d at 481 (citing Westberry v. Gislaved Gummi AB, 178 F.3d 257, 261 (4th Cir. 1999)).
In Cooper, the court stated that “a trial judge, faced with a proffer of expert scientific testimony, must conduct ‘a preliminary assessment of whether the reasoning or methodology underlying the testimony is scientifically [or technically valid and of whether that reasoning or methodology properly can be applied to the facts in issue.'” Cooper, 259 F.3d at 199 (citing Daubert, 509 U.S. at 59293, n.10). Additionally, the proponent of expert evidence must make these required showings by “a preponderance of proof.” Id. Because the Rule 702/Daubert analysis is intended to be flexible, “particular [Daubert] factors may or may not be pertinent in assessing reliability, depending on the nature of the issue, the expert's particular expertise, and the subject of his testimony.” Cooper, 259 F.3d at 200 (citing Kumho Tire, 526 U.S. at 150). And, importantly, the “trial judge must have considerable leeway in deciding in a particular case how to go about determining whether particular expert testimony is reliable.” Cooper, 259 F.3d at 200 (citing Kumho Tire, 526 U.S. at 152).
[. . .]
In re Marriott Int'l, Inc., Customer Data Sec. Breach Litig., 2022 WL 1323139, at *3-6.

Marriott does not challenge Dr. Bazelon's qualifications.

While the focus of Daubert was scientific evidence, Kumho Tire made it clear that Rule 702 and the Daubert standards applied to all expert evidence within the scope of Rule 702, whether scientific, technical, or specialized. Kumho Tire, 526 U.S. at 149-50.

II. Discussion

In his initial report, Dr. Bazelon explored “whether or not the tax revenue that the City [of Chicago] collected during the period after [the Starwood data breach] was higher or lower than what it would have collected in the same period but for the breach.” Expert Rep. of Coleman Bazelon, Ph.D. (“Bazelon Rep.”), ECF Nos. 944-8-944-10 (sealed) at ¶ 36. To answer this question, Dr. Bazelon employed an Autoregressive Integrated Moving Average (“ARIMA”) model-a type of time series model-that used “historical observations of tax revenues, together with data on . . . macroeconomic variables related to the tourism industry in Chicago . . . to produce a forecast” estimating what tax revenues would have been for each of the 12 months following the data breach announcement had the breach not occurred. Id. at ¶¶ 39-40. Then, Dr. Bazelon compared this forecast with the actual tax revenues collected by the City. See id. at ¶ 40. This analysis showed that “actual tax revenues were $1.4 million (23.5 percent) lower than forecast in December 2018, the month after the Breach” and that the cumulative difference between actual and forecasted revenue remained significant for several months after the data breach became public. Id. at ¶ 44, Table 4. The December shortfall and the cumulative difference over the immediate months following the breach announcement were “significant both in statistical terms (i.e., the difference is large enough to be distinguished from normal variation in the data) and in economic magnitude (i.e., the size of the difference is not trivial).” Id. at ¶ 40. Moreover, “the losses in the months following the Breach were not offset by higher [tax revenue] later in the year.” Id. at 56. In short, Dr. Bazelon found that Chicago had suffered a loss in tax revenue.

When Dr. Bazelon uses “Breach,” he typically means the announcement of the data breach to the public on November 30, 2018. See Bazelon Rep. at ¶ 5. I will keep that language when quoting Dr. Bazelon.

Dr. Bazelon then took steps to show that the data breach actually caused this tax loss. Id. at ¶ 50. First, he employed “a number of ‘placebo' or ‘falsification' tests' that explore if other dates, not related to the Breach, used in [his] empirical analysis would show similar losses to the City.” Id. Those tests “corroborate[d] [that] the effect captured by the model is actually the effect from the Breach date, as opposed to some other not-accounted-for factors.” Id. at ¶ 51. Second, Dr. Bazelon examined whether “relevant covariates-variables that we would expect to be correlated with Hotel Taxes-changed significantly around the date of the Breach,” and thus may account for the tax loss instead of the data breach. See id., App'x D, at ¶ 1. Dr. Bazelon found “no indication” that these variables explained the tax loss. See id. at ¶ 53. Finally, Dr. Bazelon conducted “a systematic news analysis to identify any events that occurred around the date of the Breach that could have theoretically affected hotel revenues.” Id. at ¶ 54. He concluded that no other news event could explain the tax loss. See id. Accordingly, Dr. Bazelon “accounted for obvious alternative explanations” for the City's lower than expected tax revenues.

Those variables included macroeconomic variables such as quarterly U.S. gross domestic product, monthly U.S. personal consumption expenditures, monthly U.S. unemployment rates, monthly Chicago Metropolitan Statistical Area (“MSA”) unemployment rates, monthly Chicago MSA employment in leisure and hospitality, monthly Chicago MSA employment in travel services, monthly load factors for U.S. air carriers, and monthly revenue for U.S. air carriers. Dr. Bazelon also examined changes in weather and conventions/conferences.

Those contemporaneous events included citywide hotel strikes, the “polar vortex,” and the federal government shutdown.

While the Daubert opinion specifically identified five non-exclusive factors courts should consider when evaluating the admissibility of expert witness opinion testimony, the advisory notes to Rule 702 provide additional examples of factors that courts have found persuasive in undertaking this evaluation, including “[w]hether the expert has adequately accounted for obvious alternative explanations.” 2000 Advisory Note (citing Claar v. Burlington N.R.R., 29 F.3d 499 (9th Cir. 1994)).

Marriott levels a number of criticisms against Dr. Bazelon's forecasting model. First, Marriott contends that the model is unreliable because Dr. Bazelon applies an ARIMA model in a new context-namely, to establish a causal connection between a data breach and tax revenue loss. See Defs.' Daubert Mot. at 5. Because of this new context, Marriott believes the specific model that Dr. Bazelon used in his report should have been subject to peer review. Id. Marriott misconstrues the role of the “peer review” factor in Daubert analysis. What matters is whether the expert's technique or theory has been subject to peer review, not his or her specific model applying that technique or theory in the litigation. See LidoChem, Inc. v. Stoller Enters. Inc., No. 9-cv-204, 2013 WL 12224209, at *5 (W.D. Mich. May 7, 2013) (“Of course, [the] application of [time-series forecasting] methodology to the facts of this particular case have not been subject to peer review, but that is not what is meant by peer review. It is the methodology and principles that are peer reviewed, not the given case.”). Dr. Bazelon's specific model incorporating the facts of this case is so “unique” that “the Court would not expect it to be published or peer reviewed ....” See Casey v. Geek Squad Subsidiary Best Buy Stores, 823 F.Supp.2d 334, 345-46 (D. Md. 2011) (Grimm, J.) (quoting Fireman's Fund Ins. Co. v. Tecumseh Prods. Co., 767 F.Supp.2d 549, 554 (D. Md. 2011)). The ARIMA model more generally is the relevant technique for analyzing this Daubert factor, and it has been subject to peer review. See Bazelon Rep. at ¶ 38 n. 87. In fact, ARIMA models are “widely used,” according to Marriott's expert, Dr. Divya Mathur, notwithstanding her assertion that she would have used a different technique in this situation. See Deposition of Divya Mathur, Ph.D. (“Mathur Dep.”), ECF No. 944-13 (sealed) at 119:16-17.

Next, Marriott argues that Dr. Bazelon's model had too high an error rate when applied. See Defs.' Daubert Mot. at 5-6. Marriott bases this argument on the placebo tests that Dr. Bazelon employed. See id. Marriott argues that the tests show statistically significant discrepancies between Dr. Bazelon's forecasts and the actual tax revenue collected in the period before the data breach became public, suggesting that the model is unreliable. See id. However, Dr. Bazelon counters that the placebo tests were not designed to measure the forecasts against past tax revenue collected, i.e., forecast accuracy. See Deposition of Coleman Bazelon, Ph.D. (“Bazelon Dep.”), ECF No. 944-14 (sealed) at 207:4-208:9, 225:16-227:16. Rather, the tests were designed to examine causation by exploring if other dates, not related to the breach, would show similar losses to dates related to the breach when plugged into Dr. Bazelon's model. See Bazelon Rep. at ¶ 50. If similar losses were shown using these unrelated dates, then one would doubt whether the breach caused the tax loss. See id. Given that 19 of the 20 placebo tests resulted in losses that were “meaningfully different” than the loss associated with the actual breach, Dr. Bazelon asserts that the placebo tests demonstrate the strength of the model (i.e., absence of error). See Reply Expert Rep. of Coleman Bazelon, Ph.D. (“Bazelon Reply”), ECF No. 974-3 (sealed) at ¶ 24.

Furthermore, even as he notes that these placebo tests were designed to check robustness and not forecast accuracy, see id. at ¶ 50 n. 101; Bazelon Dep. at 221:15-223:8, Dr. Bazelon argues that the discrepancies highlighted by Marriott do not undermine his model. See Bazelon Reply at ¶¶ 24-29. Specifically, Dr. Bazelon notes that the majority of the placebo tests at issue underpredicted tax revenue. See id. at ¶¶ 26-27. Therefore, if anything, the model may underestimate the harm to Chicago, making the model conservative, but not unreliable, according to Dr. Bazelon. See id. Further, Dr. Bazelon explained that two tests underpredicting tax revenue in a statistically significant way could be explained by “record-setting tourism” in Chicago during the months following the “placebo breach” involved in those tests. See id. at ¶ 27. Dr. Bazelon has adequately addressed the possibility of error in his model to clear the hurdle of admissibility on this point. Marriott's arguments challenging Dr. Bazelon's placebo tests, informed by Dr. Mathur's expertise, speak to weight, not admissibility.

These two tests were the only ones to show a statistically significant cumulative increase in each of the three months following the “placebo breach,” see Bazelon Reply at ¶ 27, so they may be the most important tests to explain.

In addition to this error rate criticism, Marriott claims that Dr. Bazelon's model did not account for a drop in convention business in the three months immediately following the breach announcement. See Defs.' Daubert Mot. at 9-11. As noted, whether an expert “has adequately accounted for obvious alternative explanations” is indeed a relevant factor in Daubert analysis. However, Marriott's criticism is overstated. Dr. Bazelon did consider how convention-related business would affect his model and concluded that it did not have a significant effect. See Bazelon Rep., App'x D, at ¶ 6. Dr. Mathur interpreted Chicago's convention data differently and argued that a drop in convention-related hotel bookings, in fact, undermined Dr. Bazelon's model. See Expert Rep. of Divya Mathur, Ph.D. (“Mathur Rep.”), ECF No. 944-11 (sealed) at ¶ 63-78. But Dr. Bazelon's initial consideration of the convention data, along with his more thorough evaluation of convention attendance (including a re-estimation of his ARIMA model) in his reply, see Bazelon Reply at ¶¶ 38-49, demonstrates that Dr. Bazelon adequately accounted for this alternative explanation. The interpretive dispute between the two experts regarding the convention data, again, speaks to weight, not admissibility.

Both Dr. Mathur and Dr. Bazelon agree that convention-related hotel bookings dropped in the three months immediately following the breach announcement, see Mathur Rep. at Figure 10, Bazelon Reply at Table 2, but Dr. Bazelon provides data showing that convention attendance ever so slightly increased, see Bazelon Reply at Table 2.

Dr. Mathur and Dr. Bazelon disagreed as to whether one should use convention-related hotel bookings or convention attendance as a control variable in the model. Dr. Mathur pointed to convention-related hotel bookings as the appropriate variable, while Dr. Bazelon, worried about the interaction between that variable and the dependent variable (hotel taxes), argued that convention attendance was the best control variable to use. See Bazelon Reply at ¶¶ 38-44, Table 3.

Another interpretive dispute emerged between the parties regarding the model's estimation that Marriott's competitor hotels also experienced a statistically significant shortfall in hotel taxes paid in the months following the breach announcement-and in some months, a greater shortfall than Marriott. See Defs.' Daubert Mot. at 6-8; Bazelon Rep. at ¶¶ 45-46, Tables 5-6. Dr. Mathur believes this fact undermines the reliability of Dr. Bazelon's model. “[B]ased on economic theory,” she contends that Marriott's data breach would have impacted Marriott “more substantially” than any of its competitors and may have increased demand for those competitors' hotel rooms as customers shifted away from Marriott in response to the breach. See Mathur Rep. at ¶ 49. According to Dr. Bazelon, however, Dr. Mathur only gives credence to one of two viable- and competing-economic theories related to this issue. See Bazelon Reply at ¶¶ 19-22. While some economists such as Dr. Mathur hypothesize that a data breach of a specific firm “could help [that firm's] competitors by allowing them to capture more market share from the firm that experienced” the breach, others posit that a data breach “creates a more general lack of trust for the specific type of [firms]” that harms both the firm that experienced the breach and its competitors. See id. at ¶ 19. Dr. Bazelon maintains that his model is simply empirically consistent with that latter theory. See id. at ¶¶ 19-22. And with respect to the allegedly greater shortfall in hotel taxes paid by Marriott's competitors as compared to Marriott, Dr. Bazelon disputes Dr. Mathur's characterization of the data. See Bazelon Reply at ¶ 17. As with the convention data issue, this dispute is one that goes towards weight and not admissibility. Dr. Bazelon has adequately considered this issue and, as explained previously, taken several steps to test the robustness of his model and consider alternative explanations for his results.

Finally, Marriott contends that Dr. Bazelon's model is inadmissible because he did not sufficiently vet the sample of non-Marriott hotels he used to analyze the hotel tax revenue generated from Marriott's competitors to ensure its representativeness of the market. See Defs.' Daubert Mot. at 11-14. Yet, the facts indicate that the sample is indeed appropriately representative. Dr. Bazelon used an independent third-party industry publication, CBRE's “Hotel Horizons,” to create his sample. See Bazelon Rep. at ¶ 17 n. 30. CBRE is a firm that “specializes[] in analyzing the hotel industry” and is viewed as sufficiently authoritative such that Marriott's own expert, Dr. Mathur, relied on CBRE's data-specifically its revenue forecasts-to support her opinions in this litigation. See Mathur Rep. at ¶ 18. Dr. Bazelon did not cherry pick hotels to add into his sample; instead, he used an evidently well-respected publication to guide the creation of a sufficiently large and diverse sample for the purposes of his analysis. Dr. Bazelon's cautious responses to Marriott's counsel's questions regarding the representativeness of the sample do not undermine these facts. See Bazelon Dep. at 169:14-170:4.

The competitor hotels in the sample represent approximately 65% of the non-Marriott hotel tax revenue in the relevant period. See Bazelon Rep. at ¶ 17. They include a broad cross-section of hotel competitors by brand and tier. See Bazelon Rep., App'x C.

After accounting for Marriott's criticisms, I conclude that Dr. Bazelon's model satisfies Rule 702. Dr. Bazelon, a well-qualified economist, see Bazelon Rep., App'x A, created an ARIMA model-a technique widely used by economists-based on historical observations of tax revenue and macroeconomic data and applied that model to the facts of this case. Dr. Bazelon reliably applied his model to the facts of this case, as the foregoing discussion demonstrates. That Marriott presents potentially persuasive arguments that may diminish the weight that one may assign to Dr. Bazelon's model does not make Dr. Bazelon's expert opinions inadmissible. Marriott's motion to exclude Dr. Bazelon's expert opinions is therefore DENIED.

RULE 12(B)(1) FACTUAL CHALLENGE

Having addressed Marriott's Daubert challenge, I now will address its motion to dismiss Chicago's action (at least as to its pursuit of equitable relief) for lack of standing pursuant to Federal Rule of Civil Procedure 12(b)(1). Marriott styles this motion as a “factual challenge.” See Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009).

I. Standard of Review

“The district courts of the United States are courts of limited subject matter jurisdiction.” United States ex rel. Vuyyuru v. Jadhav, 555 F.3d 337, 347 (4th Cir. 2009) (citing Exxon Mobil Corp. v. Allapattah Servs., Inc., 545 U.S. 546, 552 (2005)). “They possess only the jurisdiction authorized them by the United States Constitution and by federal statute.” Id. (citing Bowles v. Russell, 551 U.S. 205, 212 (2007); Kokkonen v. Guardian Life Ins. Co. of Am., 511 U.S. 375, 377 (1994)). Accordingly, when a federal district court lacks subject matter jurisdiction over an action, it must dismiss that action. Arbaugh v. Y & H Corp., 546 U.S. 500, 502 (2006). Because subject matter jurisdiction involves the court's power to hear a case, it cannot be waived or forfeited, and courts have an independent obligation to ensure that subject matter jurisdiction exists. Id. at 514.

Rule 12(b)(1) allows a defendant to move for dismissal of a plaintiff's complaint due to lack of subject matter jurisdiction, asserting, in effect, that the plaintiff lacks any “right to be in the district court at all.” Holloway v. Pagan River Dockside Seafood, Inc., 669 F.3d 448, 452 (4th Cir. 2012). A defendant may challenge the district court's subject matter jurisdiction in two ways. See Kerns, 585 F.3d at 192. First, a defendant may raise a facial challenge, alleging “that a complaint simply fails to allege facts upon which subject matter jurisdiction can be based.” Adams v. Bain, 697 F.2d 1213, 1219 (4th Cir. 1982). Under such a challenge, the court takes the complaint's allegations as true. Kerns, 585 F.3d at 192. Alternatively, a defendant may raise a factual challenge-as Marriott does here, see Defs.' S.J. Mot. at 22-asserting that the jurisdictional allegations in the complaint are untrue. See id.

With a factual challenge, “the presumption of truthfulness normally accorded a complaint's allegations does not apply.” Kerns, 585 F.3d at 192. The district court “is to regard the pleadings' allegations as mere evidence on the issue,” Richmond, Fredericksburg & Potomac R.R. Co. v. United States, 945 F.2d 765, 768 (4th Cir. 1991), and “the plaintiff bears the burden of proving the truth of [jurisdictional] facts by a preponderance of the evidence.” Vuyyuru, 555 F.3d at 347-48 (citing Adams, 697 F.2d at 1219). To determine whether a plaintiff has met this burden, the district court may “go beyond the allegations of the complaint and resolve the jurisdictional facts in dispute by considering evidence outside the pleadings ....” Id. (quoting Adams, 697 F.2d at 1219). The court should refrain from taking this step, however, if “the jurisdictional facts are intertwined with the facts central to the merits of the dispute,” as those intertwined factual disputes are better reserved for a jury. Adams, 697 F.2d at 1219; see also Arbaugh, 546 U.S. at 514 (“[I]n some instances, if subject-matter jurisdiction turns on contested facts, the trial judge may be authorized to review the evidence and resolve the dispute on her own. If satisfaction of an essential element of a claim for relief is at issue, however, the jury is the proper trier of contested facts.”).

A formal evidentiary hearing is not required for a court to resolve a Rule 12(b)(1) motion as long as the non-moving party has been given the opportunity to be heard. See 5B Charles Alan Wright, Arthur R. Miller, and A. Benjamin Spencer, Federal Practice and Procedure § 1350 (3d ed. 2022). Declarations, deposition transcripts, and other materials in the record may satisfy this “opportunity to be heard” requirement-in addition to serving as the basis for the factual resolution. See Kennedy v. Floridian Hotel, Inc., 998 F.3d 1221, 1232 (11th Cir. 2021) (ruling that the district court did not abuse its discretion in declining to hold an evidentiary hearing when nonmoving party “submitted three declarations in which she presented facts concerning standing, and the district court had before it her two complete deposition transcripts”).

II. Discussion

In its Rule 12(b)(1) factual challenge, Marriott argues that Chicago does not have standing for the forward-looking equitable relief it seeks, which includes (1) an injunction requiring Marriott to adopt and implement reasonable safeguards to prevent, detect, and mitigate the effects of the data breach, and (2) the creation of a monitoring fund for this data breach. Specifically, Marriott contends that the evidence, including Dr. Bazelon's expert opinions, does not provide the facts necessary to establish standing. To satisfy the Article III standing requirement, a plaintiff must have (1) “suffered an ‘injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury must be “fairly traceable to the challenged action of the defendant”; and (3) it must be “likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Bishop v. Bartlett, 575 F.3d 419, 423 (4th Cir. 2009)); see also Lujan v. Defs. of Wildlife, 504 U.S. 555, 560-61 (1992) (same). Without standing, the court would lack subject matter jurisdiction over the action.

As outlined above, I may weigh the evidence concerning jurisdictional facts in dispute- and resolve that dispute-when those facts are not intertwined with merits-related facts. As Dr. Bazelon's expert opinions and the related evidence concern standing specifically and do not speak to the merits of the case, I may proceed with an evaluation of the evidence related to the jurisdictional dispute. There is no need for an evidentiary hearing on this issue. The record here- consisting of an expert report, deposition transcript, and reply report-reflects that Chicago has been granted ample opportunity to be heard on the factual dispute that is the subject of Marriott's motion.

Marriott puts forward arguments related to each standing element, but I will start by analyzing its contention that Chicago has not proven an injury that forward-looking equitable relief would redress. “Past exposure to illegal conduct” does not provide standing for equitable relief “if unaccompanied by any continuing, present adverse effects.” O'Shea v. Littleton, 414 U.S. 488, 495-96 (1974); see also City of Los Angeles v. Lyons, 461 U.S. 95, 111 (1983). Therefore, Chicago must show an “ongoing injury” or a “sufficient likelihood that it will be wronged again in a similar way” to obtain equitable relief. See Artiga Carrero v. Farrelly, 270 F.Supp.3d 851, 878-79 (D. Md. 2017) (citations omitted); see also NAACP v. Brackett, 130 Fed.Appx. 648, 652 (4th Cir. 2005); Jarvis v. FedEx Office and Print Servs., Inc., No. DKC-08-1694, 2011 WL 826796, at *9 (D. Md. Mar. 7, 2011).

However, Chicago has not demonstrated an ongoing or sufficiently likely future harm that would permit equitable (as distinguished from monetary) relief under its tax loss theory of standing. Dr. Bazelon did not demonstrate, or even attempt to demonstrate, that Chicago continues to suffer losses in tax revenue as a result of the Starwood data breach: “Q: Do you have an opinion about whether or not the [data breach] incident continues to cause the City of Chicago to lose tax revenue today? A: I have not provided an opinion on that matter.” Bazelon Dep. at 133:12-16. Dr. Bazelon examined the 12 months following the data breach announcement to evaluate whether Chicago experienced a loss in tax revenue as a result of the data breach in those months, but he did not look beyond that time period. See Bazelon Rep. at ¶ 40. It is true that Dr. Bazelon asserts that the tax revenue harm would continue “for quite a long time, although likely at diminishing amounts,” but he did not test whether that harm would continue longer than a year using the facts of this case. Bazelon Dep. at 133:17-134:19.

Chicago tries to use Marriott's acknowledgment that this data breach (or others) could reduce consumer demand and confidence as evidence of an ongoing injury. See Pls.' S.J. Opp'n at 6-7 (citing Exs. 10-11). These speculative, perfunctory statements, however, make no empirical claim regarding the existence of ongoing harm, or the sufficient likelihood of future harm. Chicago additionally contends that subsequent data security incidents at Marriott mean that the tax revenue harm endures, see id., but, again, this too is speculation, as there is no empirical evidence backing up that argument. Chicago has not shown by a preponderance of the evidence that it continues to lose tax revenue or that it may lose tax revenue in the future, for purposes of determining whether it has standing to seek equitable relief related to its tax revenue loss claims.

Other than the tax revenue injury to the City itself, the only other injury that Chicago has identified as “ongoing” is the time and money that Chicago residents are allegedly spending monitoring their data. See Pls.' S.J. Opp'n at 7-8. But I have already ruled that “[f]or Chicago to have standing, it must rest upon its own injury-not its residents' injuries.” Mot. to Dismiss Mem. Op., ECF No. 517 at 6. Accordingly, this injury cannot support standing for the requested relief.

Finally, Chicago asserts that it has standing to seek the injunction and monitoring fund because the ordinance itself authorizes such actions. But even if this is the case, Chicago would still need to show “some cognizable danger” of future harm in order to secure such equitable relief from the Court. NLRB v. Greensboro News & Recs., Inc., 843 F.2d 795, 798 (4th Cir. 1988) (quoting United States v. W.T. Grant Co., 345 U.S. 629, 633 (1953)). Chicago has not done that here. Therefore, Chicago does not have Article III standing to obtain the injunction or monitoring fund. This component of Chicago's action is DISMISSED WITHOUT PREJUDICE and WITHOUT LEAVE TO AMEND. See S. Walk at Broadlands Homeowner's Ass'n v. OpenBand at Broadlands, LLC, 713 F.3d 175, 185 (4th Cir. 2013) (citations omitted) (“A dismissal for lack of standing-or any other defect in subject matter jurisdiction-must be one without prejudice, because a court that lacks jurisdiction has no power to adjudicate and dispose of a claim on the merits.”).

Chicago's request for “a declaration that Defendants violated MCC § 2-25-090(a)” is tied up in its request for the injunction and monitoring fund. See First Am. Compl. at A (citing MCC § 2-25-090(f)(4) (authorizing “an action for injunctive relief”) as the authority for requesting the declaration). Accordingly, the declaration would serve no purpose if unattached to equitable relief, which has been denied here. Therefore, I also DISMISS WITHOUT PREJUDICE and WITHOUT LEAVE TO AMEND Chicago's request for a declaration.

But Chicago does not put all its eggs in the equitable relief basket. It also seeks monetary fines. Given that monetary relief would redress past harm related to the data breach, it does not have the same redressability issues as the forward-looking forms of equitable relief. Obviously, Marriott does not argue that monetary relief would not redress past harms. In fact, Marriott does not directly challenge Chicago's standing with respect to seeking monetary fines at all. See Defs.' S.J. Mot. at 21 (“THE CITY LACKS STANDING TO PURSUE ANY OF ITS EQUITABLE RELIEF.”) (emphasis added). Even so, as stated previously, courts have an independent obligation to ensure that subject matter jurisdiction exists. Arbaugh, 546 U.S. at 514. Accordingly, I must ensure that Chicago has standing to seek the monetary fines. While Chicago provided Dr. Bazelon's report (and reply), in part, to show standing for equitable relief-and it failed on that score-the City also submitted the report to establish standing for monetary fines: “[T]he evidence [i.e., Dr. Bazelon's report and related materials] demonstrates the City's standing for the fines [] it seeks . . . .” Pls.' S.J. Opp'n at 4. Therefore, I first look to that report to see if it established Chicago's standing to seek monetary fines. In examining this report, I think it is appropriate to consider Marriott's criticisms that still apply in this context-namely Marriott's argument that Dr. Bazelon's report failed to establish injury-in-fact and traceability.

Marriott does not appear to challenge Chicago's request for attorneys' fees and costs and pre-and post-judgment interest either.

Should Chicago establish standing through the report (i.e., by establishing a concrete injury to Chicago's proprietary interests that was fairly traceable to the data breach), I need not address Chicago's separate argument that it has standing based on the violation of the ordinance alone. See Pls.' S.J. Opp'n at 3-4.

As I stated in the motion to dismiss opinion, “injury in fact can stem from a loss in tax revenue.” Mot. to Dismiss Mem. Op. at 8 n. 4 (citing Gladstone Realtors v. Village of Bellwood, 441 U.S. 91, 110 (1979) (holding that the harm of loss of tax revenue was sufficient injury when there was a reduction in the number of buyers in the housing market, leading to a decrease in property values)). In his report, Dr. Bazelon produced forecasts estimating what tax revenues would have been for each of the 12 months following the data breach announcement had the breach not occurred and compared those forecasts with the actual tax revenue generated during that time period. Bazelon Rep. at ¶¶ 39-40. He found a statistically significant-and economically nontrivial-difference between the forecasted tax revenue and the actual tax revenue collected by Chicago, i.e., a loss in tax revenue, in the immediate aftermath of the data breach becoming public. Id. at ¶¶ 40, 44. Further, there is no indication that Chicago recouped that lost revenue in later months. Id. at ¶¶ 44, 56. So, Dr. Bazelon has established injury-in-fact as long as I accept the credibility of Dr. Bazelon's forecasts and the conclusions he draws from them, which I do at this juncture.

Marriott offers a number of arguments challenging the credibility of Dr. Bazelon's forecasting, but I find them unpersuasive. First, Marriott argues that Chicago should have used its annual budgets' hotel accommodation tax revenue projections as a baseline for approximating any tax loss. See Defs.' S.J. Mot. at 22-23. If it had, Marriott contends, the lack of harm to Chicago would be clear: after all, Chicago exceeded its budgets' revenue projections each relevant year. Pls.' Ex. 15. In Marriott's eyes, Chicago's decision not to use those projections casts doubt on Dr. Bazelon's entire endeavor. See id. However, because Chicago's annual budgets are “planning document[s] to determine the amount of money the City will have to allocate for various expenditures each year,” they are “inherently conservative.” Pls.' Ex. 15. Indeed, that Chicago exceeds its hotel accommodation tax revenue projections each year shows the conservative nature of the documents. Thus, these projections would not serve as a particularly helpful baseline for measuring potential tax revenue loss in this case. Further, I would note that merely showing that Chicago exceeded its revenue projections would not indicate a lack of harm. As Plaintiffs state, “[t]he City could have enjoyed a year-over-year increase in tax revenue for any number of reasons, such as additional taxes levied . . . or the opening of additional properties.” Pls.' Opp'n at 9-10 (citing Pls.' Exs. 14-16). What matters is whether Chicago would have received more revenue had the data breach not occurred-exactly what Dr. Bazelon set out to measure.

Second, Marriott repeats the argument it made in the Daubert context regarding the sample Dr. Bazelon used to measure tax revenue loss. Compare Defs.' S.J. Mot. at 24-27, with Defs.' Daubert Mot. at 11-14. I explained above why I found Dr. Bazelon's sample to be appropriately representative in that context, and I need not address that argument again. It fares no better here.

Third, Marriott argues that Dr. Bazelon “fails to show a statistically significant cumulative shortfall in aggregate revenues for the 12-month period following the announcement,” and that this failure undermines his forecasting's credibility. Defs.' S.J. Mot. at 27. But this criticism overstates what Dr. Bazelon needed to show to establish injury-in-fact. Dr. Bazelon did not need to show that the effect of the data breach lasted for a full year, cumulatively measured. Instead, Dr. Bazelon was required to show an overall loss; the distribution of that loss does not matter. See Bazelon Dep. at 132:6-9. Dr. Bazelon cleared this threshold. He showed a non-trivial, statistically significant cumulative difference in tax revenue generated over the first several months following the data breach announcement, and this loss in tax revenue was not recouped by Chicago later in the year. Bazelon Rep. at ¶ 44. Accordingly, I am unpersuaded by this additional credibility argument made by Marriott.

Concluding that Dr. Bazelon has established injury-in-fact, I now turn to his causation, or traceability, work. To show that the data breach caused the loss in tax revenue (and that the timing of the tax loss was not merely coincidental), Dr. Bazelon performed two types of analysis: (1) he used “placebo” or “falsification” tests, running his model using dates not related to the data breach, to determine whether the breach announcement date was in fact unique in yielding a loss in tax revenue; and (2) he evaluated whether contemporaneous factors could have conceivably caused the tax loss by looking at changes in covariates around the breach announcement date and by conducting a systematic news and events analysis around that date. Id. at ¶¶ 50-54. According to Dr. Bazelon, both these sets of analyses (which I describe in greater detail in the Daubert section) confirmed that the data breach caused Chicago's tax revenue loss. Id. at ¶ 50.

As it did with Dr. Bazelon's conclusions related to injury-in-fact, Marriott challenges the credibility of Dr. Bazelon's causation conclusion. Marriott characterizes Dr. Bazelon's causation analysis as “illogical, implausible, and counterfactual,” Defs.' S.J. Reply at 15, arguing that the (perhaps counterintuitive) shortfall that Dr. Bazelon observed in Marriott's competitors and Dr. Bazelon's alleged failure to account for a drop in convention-related hotel bookings undermined his credibility, see Defs.' S.J. Mot. at 28-32. But Dr. Bazelon's response to Marriott on these two primary issues is logical, plausible, and factual.

Raising an issue that it also brought up in the Daubert context, Marriott argues that the model's observed drop in demand for Marriott's competitor hotels (as evidenced by a shortfall in tax revenue generated from these competitors) undermines Dr. Bazelon's credibility. Id. at 28-30. To start, Marriott believes that economic theory would dictate that these competitors would have benefitted from Marriott's data breach as consumers shifted away from Marriott and towards these competitors. Id. That these competitors did not see an increase in demand raises doubts about the model, according to Marriott. However, I have already explained in the Daubert section that an alternative economic theory exists that would be consistent with Marriott and its competitor hotels both experiencing a drop in demand as a result of Marriott's data breach-i.e., a data breach “creates a more general lack of trust for the specific type of [firms]” that harms both the firm that experienced the breach and its competitors. See Bazelon Reply at ¶ 19. While this alternative economic theory has been specifically examined in the context of the stock market, see id. at ¶¶ 19-22, and not in the tax revenue context, it is certainly logical to contend that the theory may be relevant here based on what Dr. Bazelon has presented. I do not see why Dr. Bazelon's credibility would be undermined by his model supporting one plausible economic theory over another plausible economic theory.

Of course, this alternative theory does not suggest that Marriott's competitor hotels should experience a greater tax shortfall than Marriott itself. But Marriott contends that Dr. Bazelon's model shows exactly that. Such a result would undermine Dr. Bazelon's credibility, according to Marriott. However, Marriott overstates its case here. First, in the month immediately following the data breach announcement, December 2018-arguably the most important month in Dr. Bazelon's analysis-Marriott experienced a larger shortfall in taxes than did its competitors in percentage terms. See Bazelon Rep. at Tables 5, 6; Bazelon Reply at ¶ 17. Second, as Dr. Bazelon notes, the cumulative effects for Marriott and Competitor Hotels, in percentage terms, are not meaningfully different in other months.” Bazelon Reply at ¶ 17. Yes, there is a difference in cumulative losses (as measured by month) between Marriott and its competitor hotels for multiple months, but the discrepancy is not significant enough to discredit Dr. Bazelon's entire model-especially given the indicia of reliability surrounding the model overall.

In criticizing Dr. Bazelon's causation work, Marriott asserted that he failed to consider the effect of a drop in Chicago's convention business in the three months immediately following the breach announcement. Even if one found Dr. Bazelon consideration of convention-related business as a variable to be inadequate in his initial report, he certainly considered this issue in his reply. See id. at ¶¶ 38-45, Table 3. No, he did not add convention-related hotel bookings as a control variable as Dr. Mathur urged, see Mathur Rep. at ¶¶ 63-80-Dr. Bazelon explained his concerns that such a variable would be “endogenous” and could bias the model, see Bazelon Reply at ¶ 42- but he did add convention attendance as a control variable and re-ran his model, see id. at ¶ 45, Table 3. His results were “qualitatively the same” when he included this new control variable. See id. I find that this issue does not discredit Dr. Bazelon's work.

As I stated previously in footnote 13, both Dr. Mathur and Dr. Bazelon agree that convention-related hotel bookings dropped in the three months immediately following the breach announcement, see Mathur Rep. at Figure 10, Bazelon Reply at Table 2, but Dr. Bazelon provides data showing that convention attendance ever so slightly increased, see Bazelon Reply at Table 2.

Dr. Bazelon arguably accounted for convention-related activity in his initial report by controlling for seasonal variability. See Bazelon Reply at ¶ 44.

For the reasons outlined, I agree with Chicago that Dr. Bazelon's opinions establish standing for the monetary fines. Dr. Bazelon's expert opinions establish, by a preponderance of the evidence, that Chicago suffered an “injury-in-fact”-the loss of tax revenue-that was traceable to the data breach, and that can be redressed by monetary fines paid by Marriott. Accordingly, to the extent that Marriott's Rule 12(b)(1) motion to dismiss was directed at Chicago's pursuit of monetary fines, that motion is DENIED.

Chicago may ultimately pursue attorneys' fees and costs and pre- and post-judgment interest as well.

SUMMARY JUDGMENT MOTION

In addition to its Daubert motion and Rule 12(b)(1) factual challenge, Marriott asks the Court to grant summary judgment in the company's favor.

I. Standard of Review

Federal Rule of Civil Procedure 56(a) provides for the judgment in favor of the movant “if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.” In reviewing the evidence related to a motion for summary judgment, the Court considers undisputed facts, as well as the disputed facts viewed in the light most favorable to the non-moving party. Ricci v. DeStefano, 557 U.S. 557, 586 (2009); George & Co., LLC v. Imagination Entm't Ltd., 575 F.3d 383, 391-92 (4th Cir. 2009); Dean v. Martinez, 336 F.Supp.2d 477, 480 (D. Md. 2004). Only factual disputes that “might affect the outcome of the suit under governing law will properly preclude the entry of summary judgment.” Anderson v. Liberty Lobby, Inc., 477 U.S. 242, 248 (1986). Additionally, the factual dispute must be genuine to defeat a motion for summary judgment, in that “the evidence is such that a reasonable jury could return a verdict for the nonmoving party.” Id.; Scott v. Harris, 550 U.S. 372, 380 (2007) (“When opposing parties tell two different stories, one of which is blatantly contradicted by the record . . . a court should not adopt that version.”). It is the nonmoving party's burden to confront a motion for summary judgment with affirmative evidence to show that a genuine dispute of material fact exists. Anderson, 477 U.S. at 256. A plaintiff nonmovant, “to survive the defendant's motion, need only present evidence from which a jury might return a verdict in his favor.” Id.

II. Discussion

In its motion for summary judgment, Marriott argues that Chicago's action exceeds the limits of the City's authority under the Illinois Constitution. Specifically, Marriott argues that (1) the action exceeds Chicago's home rule authority, and (2) the action represents an impermissible extraterritorial application of a Chicago ordinance. I will address the home rule issue first.

a. Home Rule Authority Under the Illinois Constitution

While “the doctrinal lines” of home rule authority under the Illinois Constitution “have not always been clear,” municipalities “may exercise their power” if (1) the subject over which they exercise power “pertains to [their respective] local government and affairs,” and (2) “the legislature has not expressly preempted home rule” with regards to that subject. City of Chicago v. StubHub, Inc., 979 N.E.2d 844, 851 n. 2 (2011); see also Ill. Const. 1970, art. VII, § 6.Marriott's summary judgment motion concerns this first condition-whether the subject over which Chicago is exercising power “pertains to its local government and affairs.” See Defs.' S.J. Reply at 1-2. As for the second condition, Marriott concedes that the General Assembly has neither expressly preempted home rule authority in the field of data security, nor made legislative findings indicating that statewide, as opposed to local, authority to legislate data security was intended. See id. (rejecting idea that case is about statutory preemption and stating that “Marriott is not contending that Chicago is barred from responding to local data-security incidents”). Thus, concurrent local and state authority over the subject at issue here will pass constitutional muster if the Court determines the first condition is met. See Mot. to Dismiss Mem. Op. at 9 (“[H]ome rule authority allows concurrent local and state regulation of [a] problem, unless the Illinois General Assembly explicitly has preempted home rule authority or made findings in enacting legislation that makes it clear that statewide, as opposed to local, authority to legislate was intended.” (citing Park Pet Shop, Inc. v. City of Chicago, 872 F.3d 495, 500 (7th Cir. 2017))).

This first condition is set out in Section 6(a), while the second condition is set out in Section 6(i).

Marriott argues that Chicago's “attempt to apply its ordinance to the specific data-security incident at issue here” does not pertain to the City's government and affairs as Article VII, § 6 of the Illinois Constitution requires. Article VII § 6 provides in relevant part:

(a) . . . Except as limited by this Section, a home rule unit may exercise any power and perform any function pertaining to its government and affairs, including, but not limited to, the power to regulate for the protection of public health, safety, morals, and welfare; ....
Ill. Const. 1970, art. VII, § 6 (emphasis added).“Pertaining to its government and affairs” is a “general and uncertain” constitutional limitation that “leaves some leeway for judicial intervention,” as Marriott calls for here. StubHub, Inc., 979 N.E.2d at 851 (2011) (quoting David Baum, A Tentative Survey of Illinois Home Rule (Part I): Powers and Limitations, 1972 U. ILL. L.F. 137, 152-157). However, in order to respect “the constitutional design” granting broad home rule authority and permitting concurrent local and state authority, “the courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies.” Id. (quoting Baum, Part I at 156-57). “That is, because the legislature can always vindicate state interests by express preemption, only vital state interests would allow a court to decide that an exercise of home rule power does not pertain to local government and affairs.” Id. (quoting Baum, A Tentative Survey of Illinois Home Rule (Part II): Legislative Control, Transition Problems, and Intergovernmental Conflict, 1972 U. Ill. L.F. 559, 573).

In its City of Chicago v. StubHub, Inc., opinion, the Illinois Supreme Court heavily relied upon Professor David Baum, counsel to the Committee on Local Government at the Sixth Illinois Constitutional Convention, to inform its home rule analysis.

Within this context, Illinois courts have developed a framework for determining whether a municipal ordinance, or the application of that ordinance, relates to a municipality's own government and affairs (i.e., its “own problems”) and not to those of the state or the nation. See Kalodimos v. Vill. of Morton Grove, 470 N.E.2d 266, 274 (Ill. 1984) (quoting City of Des Plaines v. Chicago & N.W. Ry. Co., 357 N.E.2d 433, 435 (Ill. 1976)). “Whether a particular problem is of statewide rather than local dimension must be decided not on the basis of a specific formula or listing set forth in the Constitution but with regard for (1) the nature and extent of the problem, (2) the units of government which have the most vital interest in its solution, and (3) the role traditionally played by local and statewide authorities in dealing with it.” Id. These three “factors” are referred to as the Kalodimos factors.

With this backdrop in mind, I now analyze the first Kalodimos factor. It is helpful to start where my opinion denying the motion to dismiss left off. In that opinion, I defined the problem that Chicago attempts to reach as “the protection of personal identifying information [“PII”] of Chicago residents who provide it to data holders such as Marriott who do business in Chicago.” Mot. to Dismiss Mem. Op. at 11. If Chicago had been unable to present evidence showing a substantial connection to, and effect on, Chicago residents, I may have revisited this definition, perhaps accepting Marriott's implicit argument that Chicago has invented an ostensibly local problem as cover to regulate data security statewide (or even nationwide). See Defs.' S.J. Mot. at 6-10. However, Chicago has presented evidence that supports that a local problem exists. Over 2.4 million guest records involved in the data breach are affiliated with Chicago addresses; Chicagoans made nearly 3 million reservations at Starwood properties from June 1, 2014 to September 7, 2018, including over 116,000 reservations at Chicago hotels; and nearly 100,000 of the payment card numbers involved in the breach are associated with Chicago. See Pls.' Ex. 2. The magnitude of this evidence indicates that a Chicago-specific problem exists, and the City is attempting to address it through the application of its ordinance. This case is readily distinguishable from City of Des Plaines, in which the municipality admittedly sought to regulate conduct beyond its borders. See City of Chicago v. Grubhub Holdings, Inc., et al., No. 2021 CH 04327 (Cir. Ct. Cook Cty. Aug. 5, 2022) Transcript of Proceedings at 15, ECF No. 1055-2 (citing 357 N.E.2d at 435).

This time period is over-inclusive for the purposes of this litigation as the data breach began on or around July 28, 2014. See Defs.' Ex. 28 - Part 1. However, one can reasonably infer that these figures would not change substantially by subtracting approximately two months from this window.

Most (but not all) of these card numbers were encrypted, see Pls.' Ex. 2, but Chicago contends that the hackers may have been able to decrypt payment card numbers, see Pls.' S.J. Opp'n at 21 (citing ECF No. 859-2, Expert Report of Mary Frantz at ¶¶ 23, 210-227). Marriott points to the Verizon PFI Report to argue that payment card numbers were not decrypted. See Defs.' Ex. 28.

Of course, it is hard to disentangle these Chicago-specific facts from the nationwide scope of this data breach. After all, the Starwood data breach did not just affect Chicago residents. Only 1.8 percent of the 133.7 million guest records affected were affiliated with Chicago addresses; only 4 percent of reservations made by Chicago residents for Starwood hotels from 2014-2018 were for Chicago hotels; and Chicago-associated payment card numbers account for less than 1 percent of the total payment card numbers involved in the data breach. See Defs.' Exs. 10-12. But it is entirely unsurprising that this data breach, like most data breaches affecting a large corporation such as Marriott, has local, state, and national effects beyond Chicago, i.e., other governmental units will have their own problems related to this issue.

However, to treat Chicago's specific problem with the data breach as inseparable from the overlapping problems facing the state and other municipalities as a result of the Starwood data breach is inconsistent with Illinois home rule authority precedent. Kalodimos itself rejects the idea that a home rule unit may not address a problem when it is of “significant concern to the State or whenever a uniform statewide solution . . . might arguably be more manageable than individual control by local units of government.” Kalodimos, 470 N.E.2d at 274. “Home rule . . . is predicated on the assumption that problems in which local governments have a legitimate and substantial interest should be open to local solution and reasonable experimentation to meet local needs ....” Id. Consequently, Illinois courts have upheld home rule units' efforts to regulate conduct related to guns, see id. at 277, video gaming, see Accel Entm't Gaming, LLC v. Vill. of Elmwood Park, 46 N.E.3d 1151, 1160 (Ill.App.Ct. 2015), and puppy mills, see Park Pet Shop, Inc., 872 F.3d at 501, that occurs within the municipality's boundaries-even though guns, video gaming, and puppy mills are issues of significant concern to the State, as well as other municipalities, and may very well be better managed via a uniform statewide regime. The logical extension of Marriott's argument is that large corporations should be shielded from local regulation in cases where the allegedly actionable conduct is connected to larger issues that extend beyond the geographical confines of a municipality. After all, most of the business practices of such organizations will be consistent across the state and country, and when and if a business practice is unfair or deceptive, that practice would not be isolated to one city. But Illinois' home rule jurisprudence has not erected such a shield.

Marriott argues that the wide reach of this data breach precludes home rule authority here. Marriott points to analysis in Village of Bolingbrook v. Citizen Utilities Co. of Illinois to make its point. In that case, the Illinois Supreme Court stated: “Where the impact of a problem is confined to an isolated area, and there is no evidence that the particular problem is common throughout the State, the ‘nature and extent of the problem' are local in dimension.” 158 Ill.2d 133, 140 (1994). Marriott argues that the inverse of this statement must also be true: where the impact of a problem is not confined to an isolated area, and there is evidence that the particular problem is common throughout the State (and nation), the “nature and extent of the problem” is statewide (or national) in dimension. See Defs.' S.J. Mot. at 6. This interpretation of home rule authority explains Marriott's effort to show that Chicago was not uniquely affected by the data breach. Marriott's argument, however, presupposes that the real problem cannot actually be “the protection of [PII] of Chicago residents who provide it to data holders such as Marriott who do business in Chicago,” and that it must be something broader. Yet, I have already accepted the narrower definition of the problem that Chicago seeks to address with its ordinance. Furthermore, Marriott's belief that it can apply Village of Bolingbrook's reasoning in an inverse fashion is incompatible with the aforementioned rulings upholding home rule authority in areas that were of significant concern to both the State and municipalities. See Kalodimos, 470 N.E.2d (guns); Accel Entm't Gaming., 46 N.E.3d at 1160 (video gaming); Park Pet Shop, 872 F.3d at 501 (puppy mills). Ultimately, the first Kalodimos factor weighs in favor of Chicago.

Further, Marriott seems to be following up on a couple sentences on this issue in the opinion denying the motion to dismiss: “[A]t this stage of the proceedings there are insufficient facts known to determine whether the extent of the problem is statewide or national. Marriott's argument that Chicago was not affected differently than any other city in the United States by this incident is just that-argument.” Mot. to Dismiss Mem. Op. at 13. Marriott may have read this statement to mean that showing Chicago was not uniquely affected would aid its case, but that statement did not indicate that such facts would be determinative of the outcome.

Turning to the second and third Kalodimos factors, Marriott claims that it has put forward evidence showing that Chicago “neither has a vital interest nor traditional role in regulating data breaches.” Defs.' S.J. Mot. at 10. Primarily, Marriott marshals evidence purportedly demonstrating that the Department of Business Affairs and Consumer Protection (BACP) Commissioner and/or the Deputy Commissioner were “unfamiliar[]” with and “indifferen[t]” toward the regulation of data security and/or responding to data breaches. See Defs.' S.J. Reply at 7-10. Marriott highlighted deposition testimony showing that (1) the Commissioner and Deputy Commissioner could not recall reviewing, or advocating for, a draft ordinance concerning data privacy in 2018, see Defs.' Ex. 18 at 125:17-127:2; Ex. 21 at 251:8-259:9, 261:7-263:19; (2) the Commissioner could not recall her actions related to the major data breach lawsuits that the City had filed against Equifax and Uber, see Defs.' Ex. 21 at 117:5-118:5, 281:7-291:21; and (3) the Commissioner could not recall details about this litigation, see Defs.' Ex. 21 at 91:19-98:10, 110:22-111:18, 155:14-22, 268:5-18, 271:16-274:11, 276:16-277:4. Marriott also argues that BACP's failure to exercise its administrative authority to challenge businesses' data security practices and the nature of its investigation into the Starwood data breach demonstrates the City's “indifference toward regulating data breaches.” See id. at 12 (citing Defs.' Exs. 18, 21).

While the Commissioner's excessively cautious deposition testimony may indicate unfamiliarity with the specific details of her department's work regulating data breaches (after all, as she noted during the deposition, she superintended a 180-employee department that addressed a wide variety of consumer protection initiatives, see Pls.' Ex. 38 at 197:7-15; Ex. 39), neither her testimony, nor the other evidence offered by Marriott, prove Chicago's indifference towards this regulation, especially when weighed alongside all the facts in this case. As Chicago notes, it has filed three significant lawsuits (including this one) since 2017 in response to major data security incidents affecting its residents. See Pls.' S.J. Opp'n at 26-27 (citing Exs. 23, 24). That Chicago chose to pursue these lawsuits, instead of exercising administrative authority for instance, does not show indifference; it merely shows that Chicago chose one legal tool over another in its effort to regulate data security. In addition to the major lawsuits, Chicago has sponsored community outreach efforts, such as workshops and webinars, to inform the public of issues related to data security. See, e.g., Pls.' Ex. 33.

See, e.g., Defs.' Ex. 21 at 281:7-291:21 (“. . . I don't recall the specific details, so I'd rather not speak out of turn[] because I don't . . . recollect every single detail, so I'd rather not speak out of turn[] .... I don't recall all the specific details, so I'd rather not provide you with incorrect information or respond to incorrect information .... I do not feel comfortable responding, not really understanding all the details of that particular issue and where it sits and where it stands because I just don't recall the specifics at this time ....”)

Ultimately, Marriott presents no evidence that undermines my prior analysis of, and conclusions regarding, the second and third Kalodimos factors. See id. at 13-18. There is no reason to doubt Chicago's vital interest in regulating data breaches as the City has shown its commitment to taking governmental action in this area. And while it is difficult to characterize any entity's role in regulating data breaches as “traditional” given the relative newness of this problem, Chicago has played a substantial role in responding to data breaches affecting Chicago residents in recent years. Accordingly, the second and third Kalodimos factors still militate in favor of finding that MCC § 2-25-090(a), as applied in this case, does not exceed Chicago's home rule authority.

This conclusion is further strengthened when one considers that regulating data breaches is really part and parcel of consumer protection writ-large. After all, the Illinois Consumer Fraud Act (ICFA) “incorporates as part of its consumer protection provisions” the Illinois Personal Information Protection Act (IPIPA). Mot. to Dismiss Mem. Op. at 18 (emphasis added). And one would be hard-pressed to argue that Chicago has not demonstrated a vital interest in, or played a traditional role in, consumer protection generally. See City of Chicago v. Grubhub Holdings, Inc., et al., No. 2021 CH 04327 (Cir. Ct. Cook Cty. Aug. 5, 2022) Transcript of Proceedings at 19-20, ECF No. 1055-2.

Given that “courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies,” StubHub, Inc., 979 N.E.2d at 851 (2011) (quoting Baum, Part I at 156-57), Marriott would have needed to show that regulating the Starwood data breach was a vital state policy with which the application of Chicago's ordinance interfered. Yet, Marriott did not clear this bar.

b. Extraterritoriality

As discussed in my opinion denying Marriott's motion to dismiss, Avery v. State Farm Mutual Automobile Insurance Co., 835 N.E.2d 801 (Ill. 2005) provides the appropriate framework for resolving whether Chicago's action is an impermissible extraterritorial application of MCC § 2-25-090(a). See Mot. to Dismiss Mem. Op. at 23. Avery limits the scope of the Illinois Consumer Fraud and Deceptive Business Practices Act (“ICFA”) to disputed transactions that take place “primarily and substantially” in Illinois. See 835 N.E.2d at 853-54. Because Chicago's ordinance incorporates the ICFA, Avery's limitation applies here, and because “home rule units cannot apply their regulations outside of their geographic borders,” Avery restricts the reach of Chicago's ordinance to transactions that take place “primarily and substantially” in Chicago. See Mot. To Dismiss Mem. Op. at 23 n. 7 (citing City of Evanston v. Create, Inc., 421 N.E.2d 196, 203 (Ill. 1981).

To determine whether a transaction occurred primarily and substantially in Illinois (or Chicago, in this case), courts consider the totality of the circumstances surrounding the transaction, focusing on at least the following four factors: (1) plaintiff's residence, (2) where the unfair, unlawful, or deceptive conduct occurred, (3) where the damage to the plaintiff occurred, and (4) whether plaintiff communicated with the defendant or its agents in Chicago. See Rivera v. Google, Inc., 238 F.Supp.3d 1088, 1101 (N.D. Ill. 2017) (citing Avery, 835 N.E.2d at 854). While the City of Chicago is the plaintiff here, the disputed transactions involve Chicago's residents, so it is relevant where Chicago residents incurred damages, whether Chicago residents communicated with Marriott in Chicago, etc., for the purposes of this Avery analysis. I will weigh the totality of the circumstances for each of the four causes of action that Chicago alleges: (1) unfair practice -failure to safeguard personal information, (2) unlawful practice - failure to implement and maintain reasonable security measures, (3) deceptive practice - misrepresentations and material omissions, and (4) unlawful practice - failure to give prompt notice of data breach. See First Am. Compl.; Mot. to Dismiss Mem. Op. at 25. While “this case revolves around conduct occurring online,” and “Avery's totality-of-the-circumstances standard has not yet produced much guidance in the context of online conduct,” there is sufficient precedent to apply in this analysis. See Rivera, 238 F.Supp.3d at 1101.

Because “there is no single formula or bright-line test for determining whether a transaction occurs within this state,” see Avery, 835 N.E.2d at 854, courts are not limited to these four factors and may consider other circumstances. These factors do provide helpful guidance, though, for the Avery analysis.

Naturally, there are substantial similarities in the analysis for each cause of action, and the analysis is nearly identical for the first two causes of action.

For each cause of action, residency weighs in favor of Chicago. Chicago residents obviously live in Chicago, and evidence has shown that Chicago residents were indeed party to the transactions in dispute. See Pls.' Ex. 2 (stating that 2.4 million guest records involved in the data breach were affiliated with a Chicago address); see also Pls.' Ex. 26 (documenting breach notices received by City employees, all of whom must live in Chicago per MCC § 2-152-050). That the extraterritoriality dispute here involves Chicago residents distinguishes this case from others where out-of-state plaintiffs were suing under the ICFA. See, e.g., Avery, 835 N.E.2d at 188; Van Tassell v. United Mktg. Group, LLC, 795 F.Supp.2d 770, 782 (N.D. Ill. 2011); Haught v. Motorola, No. 2-C-2515, 2012 WL 3643831, at *3 (N.D. Ill. Aug. 23, 2012); Miche Bag, LLC v. BeYou, LLC, No. 11-cv-720, 2011 WL 4449683, at *6 (N.D. Ill. Sept. 26, 2011); Shaw v. Hyatt Int'l. Corp., No. 05-C-5022, 2005 WL 3088438, at *2 (N.D. Ill. Nov. 15, 2005). Indeed, one cannot understate the importance of the “residency factor” weighing in Chicago's favor here because residency has implications for other factors as well. For example, “where the damage to the plaintiff occurred” weighs in favor of Chicago, as one can readily infer that Chicagoans bore the consequences of the data breach where they resided. See Van Tassell, 795 F.Supp.2d at 782 (“Any damage suffered by Plaintiffs did not occur in Illinois, but rather in their home states” where Plaintiffs made online purchases.); see also Specht v. Google, Inc., 660 F.Supp.2d 858, 866 (N.D. Ill. 2009) (“Specht resides and runs his businesses in Illinois, and [Specht's co-plaintiffs] ADC and ADI are both Illinois corporations. Plaintiffs, therefore, suffered any damage from the alleged [patent] infringement [that took place on the Internet] in Illinois.”). Nevertheless, residency alone cannot establish that a disputed transaction took place primarily and substantially in Chicago, and I will consider the remaining factors outlined above that I have not already discussed. See Walker v. S.W.I.F.T. SCRL, 491 F.Supp.2d 781, 795 (N.D. Ill. 2007); see also McGoveran v. Amazon Web Servs., Inc., No. 20-1399-LPS, 2021 WL 4502089, at *4 (D. Del. Sept. 30, 2021).

The parties devote substantial time to disputing (1) where the unfair, unlawful, or deceptive conduct occurred, and (2) whether Chicago residents communicated with Marriott in Chicago. These two factors are somewhat overlapping in this context. In arguing that the first two causes of action (what Marriott refers to collectively as Chicago's “failure-to-protect” claim) lack a primary and substantial nexus to Chicago, Marriott notes that its data security operations, personnel, and equipment were located outside of Chicago. See Defs.' Exs. 5, 8 (stating that, pre-merger, Starwood's data security operations and security leaders were located in Connecticut); Exs. 5, 9 (stating that, post-merger, Starwood/Marriott's data security operations and security leaders were located in Maryland); Exs. 5, 8 (stating that Starwood's main data center, which housed the NDS database, was located in Arizona, and the company's other data centers were located in Massachusetts, Connecticut, and foreign countries). Given these facts, the actual breach of the data must have occurred outside of Chicago, and decisions related to securing the data, both before and after the breach, clearly happened outside of Chicago.

However, the submission of at least some (if not nearly all) of residents' PII to Marriott happened in Chicago. Marriott strenuously argues that one cannot reach this conclusion regarding the location of the data submission based on the evidence, see Defs.' S.J. Mot. at 16-17, but I disagree. Chicago has shown that millions of its residents made nearly 3 million reservations at Starwood properties from June 1, 2014 to September 7, 2018, including over 116,000 reservations at Chicago hotels. See Pls.' Ex. 2. Without a doubt, some (likely most) Chicagoans made these reservations from their homes, or elsewhere in Chicago. When the reservations (by which individuals submitted their PII to Marriott) number in the thousands, this inference is reasonable and supported by the evidence showing the reservation totals., The inference is especially reasonable as Marriott does not track where customers are located when reserving a hotel room. See Defs.' Ex. 29.

As stated previously, over 2.4 million guest records involved in the data breach are affiliated with Chicago addresses. See Pls.' Ex. 2.

This time period is over-inclusive for the purposes of this litigation as the data breach began on or around July 28, 2014. See Defs.' Ex. 28 - Part 1. However, one can reasonably infer that these figures would not change substantially by subtracting approximately two months from this window.

This inference holds true whether one considers the universe of “nearly 3 million reservations,” or “116,000 reservations” as relevant here.

If the sheer reservation volume involving Chicagoans were not convincing on its own, consider that Chicago has presented the data breach notification emails received by Chicago employees. See Pls.' Ex. 26. These notifications confirm that Chicago employees had booked hotel rooms with Starwood, providing their PII in the process. Because Chicago employees are required to live in the City per MCC § 2-152-50 and, obviously, work in Chicago, it is entirely reasonable to infer that at least most of these individuals made their hotel reservations from Chicago-at their homes, their workplaces, or on their commute.

One can make a similar inference with regards to Chicago residents' receipt of Starwood's34 and Marriott's privacy statements in the context of the misrepresentation cause of action. Every time a customer used the Starwood or Marriott websites to make a hotel reservation, he or she was provided with the respective privacy statements. Defs.' Ex. 23. Of the over 116,000 reservations made at Chicago hotels by Chicago residents, over 51,000 reservations were made through a Starwood website-where the privacy statement was provided. See Defs.' Exs. 29, 30. Based on the sheer number of these reservations-some (likely most) of those residents making online reservations directly through Starwood received the statements at their homes, or elsewhere in Chicago. An even more straightforward inference can be made with respect to Chicago residents' receipt of the data breach notification in the context of the delayed notification cause of action. Chicago has shown that some of its employees-who are required to live in the City by MCC § 2-152-50-received these notifications in the wake of the data breach. Pls.' Ex. 26. Given that these individuals live and work in Chicago, it is eminently reasonable to infer that some (if not nearly all) received these notifications in Chicago.

Marriott could not confirm the format in which the Marriott privacy statement was provided on marriott.com from 2014 to 2016, but the website did at least include the privacy statement in those years. Defs.' Ex. 23. Marriott was able to confirm the inclusion and format of the Starwood privacy statement on starwood.com from 2014 to 2018. Id.

An extra note on the delayed notification cause of action: Marriott argues that the delayed notification cause of action is available only in relation to those Chicago residents whose “personal information,” as defined by the Illinois Personal Information Protection Act (“IPIPA”), was breached. See Defs.' S.J. Mot. at 20-21. The IPIPA defines “personal information” narrowly, and guests' names in combination with payment card numbers are the only IPIPA-covered data elements obviously implicated here. See 815 ILCS 530/5. The IPIPA further limits whether such data elements are indeed “personal information” by making the following qualification: an individual's name in combination with a payment card number is only “personal information” when the payment card number is “not encrypted or redacted or [is] encrypted or redacted but the keys to unencrypt or unredact or otherwise read [the payment card number] have been acquired” through the data breach. Id. Marriott admits that 45 unencrypted, Chicago-affiliated payment card numbers may have been accessed by the hackers, and this counts as personal information under the IPIPA that can support the delayed notification cause of action. See Defs.' S.J. Mot. at 20-21 (citing Defs.' Ex. 12). But Marriott contends that these unencrypted card numbers (in combination with names) are the only “personal information” that was ultimately breached per the IPIPA. See Defs.' S.J. Mot. at 20-21 (citing Exs. 12, 28 - Part 2, 28 - Part 3, 42). Relying upon the Verizon PFI Report, Marriott claims that there is “no evidence that either of the two encryption keys necessary to decrypt payment-card numbers in [the Starwood NDS database] were obtained by the attacker.” Defs.' S.J. Mot. at 21 (citing Defs.' Ex. 28 - Part 3, 42). Therefore, per Marriott, the 89,000 encrypted, Chicago-affiliated payment card numbers involved in the data breach, Defs.' Ex 12, do not count as “personal information” under the IPIPA. Accordingly, only the small number of notifications related to the 45 unencrypted cards would be relevant for the delayed notification cause of action and the extraterritoriality analysis stemming from that claim. Limiting the extraterritoriality analysis in this way could materially weaken Chicago's claim. In narrowing the universe of payment cards at issue, however, Marriott relies upon a material fact that is in dispute-namely whether the hackers were able to decrypt the encrypted payment cards that were accessed during the breach. While Marriott presents the Verizon PFI Report, Defs.' Ex. 28, as evidence for its position, Chicago points to a report written by cybersecurity expert Mary Frantz that indicates that hackers may have been able to decrypt payment card numbers. See Pls.' S.J. Opp'n at 21 (citing ECF No. 859-2, Expert Report of Mary Frantz at ¶¶ 23, 210-227). Given the standard of review at the summary judgment stage, I will not rule out that the 89,000 encrypted, Chicago-affiliated payment card numbers (in combination with names) could have been decrypted. For the purposes of this analysis, I will consider those card numbers as “personal information” under the IPIPA. Thus, the delayed notification cause of action is available in relation to many thousands of Chicago residents, and so the extraterritoriality analysis will account for the thousands of notifications that went to those residents. Given the high number, it is reasonable to infer that at least some of these notifications went to Chicago residents who booked reservations at Chicago hotels while located in Chicago.

While Chicago residents received these communications-which are central to the disputed transactions-in Chicago, it is important to consider that the privacy statements and data breach notification were not necessarily issued from or initiated there. The privacy statements were issued from Maryland and Connecticut, where Marriott and Starwood's data security operations and leadership were based, respectively. See Defs.' Exs. 5, 8, 9, 31. It is not clear where Marriott technically initiated the data breach notification, but the decision to notify customers of the breach was made in Maryland, and the investigation that informed that decision took place in Maryland as well. See Defs.' Ex. 9.

Marriott also notes that the privacy statements directed customers with questions or complaints regarding data security to its offices in Maryland and Connecticut. See Defs.' Exs. 33-37, 38-41.

Having laid out the circumstances that relate to the disputed transactions, it is striking how analogous this case is to Sweet v. BJC Health Sys., No. 3:20-CV-00947-NJR, 2021 WL 2661569, at *6 (N.D. Ill. June 29, 2021), which also concerned a data breach. As in Sweet, this case involves an in-state (or in-municipality, here) plaintiff and an out-of-state defendant. See 2021 WL 2661569, at *6. As in Sweet, the data breach itself occurred out-of-state where the defendants' server was located, and decisions relevant to data security were made out-of-state where the defendants' employees were located. See id. As in Sweet-at least with respect to the transactions in which Chicago residents reserved rooms at Chicago hotels-the plaintiff's (i.e., residents') contact with the defendants was through the purchase and planned or actual use of a product (a hotel room in this case) that occurred wholly within the municipality. See id. And as in Sweet, the residents provided their PII to the defendants and received representations from the defendants about the security of that PII within the municipality. See id. Presented with these analogous circumstances, the court in Sweet determined that the disputed transaction occurred primarily and substantially in Illinois: “Thus, even though the actual [i]ncident occurred in Missouri, the bulk of the ‘transaction' as it relates to [Plaintiff Taylor] . . . will have occurred in Illinois.” Id.

The instant case is analogous to Sweet with respect to Plaintiff Taylor's circumstances in that case. Sweet v. BJC Health Sys., No. 3:20-CV-00947-NJR, 2021 WL 2661569, at *6 (N.D. Ill. June 29, 2021).

This in-state/out-of-state distinction stands in contrast to cases like Avery that involved an out-of-state plaintiff and in-state defendant. Id.

Of the over 116,000 reservations made by Chicago residents for Chicago hotels, over 84,000 stays were completed. Pls.' Ex. 2. Finding nothing to suggest that this completion ratio would differ for those reservations booked online, one can surmise that tens of thousands of stays were completed by those guests who booked reservations online.

Now, the Sweet opinion involved a motion to dismiss, and not summary judgment, so the circumstances that related to the disputed transaction were merely allegations. Nevertheless, the way the court weighed these analogous circumstances is still informative in the summary judgment context where the parties have provided evidence documenting the circumstances here.

It bears highlighting the “as it relates to [Plaintiff]” language here. The instant case involves disputed transactions as they relate to Chicago and its residents. Chicago is not attempting to enforce its ordinance as to Marriott's transactions with customers outside of Chicago-even though those transactions would look very similar.

For the reasons that the court in Sweet found that the disputed transaction occurred primarily and substantially in Illinois, I conclude that the disputed transaction-as to each cause of action-occurred primarily and substantially in Chicago. I reach this conclusion specifically based on the evidence showing Chicago residents making reservations for Chicago hotels while located in Chicago. These transactions have an especially strong connection to Chicago. The strength of this connection is underscored by comparing it to the relative weakness of connection in cases where courts found that a transaction did not occur primarily and substantially in Illinois. See, e.g., Shaw, 2005 WL 3088438, at *2 (holding that the ICFA did not apply to the disputed transaction, in part, because it involved a London resident using Defendant's website to book a room in Russia). The “Chicago residents booking Chicago hotel rooms while located in Chicago” transactions alone provide a sufficient basis for Chicago to enforce its ordinance, and those transactions occurred primarily and substantially in Chicago.

Because Chicago has put forward evidence related to Chicago residents making reservations for Chicago hotels while located in Chicago, I need not determine whether other scenarios such as Chicago residents making reservations for hotels outside of Chicago while located in Chicago would clear the “primarily and substantially” bar.

CONCLUSION

In sum, Marriott's summary judgment motion is DENIED, as is Marriott's Daubert motion. Marriott's Rule 12(b)(1) motion to dismiss for lack of standing is GRANTED IN PART and DENIED IN PART. Dr. Bazelon's expert opinions are admissible, and, by a preponderance of the evidence, they establish standing for Chicago to pursue the monetary fines it seeks. In bringing this action, Chicago has not exceeded its home rule authority, nor is it applying its consumer protection ordinance in an extraterritorial fashion.

It appears to the Court that the resolution of these motions represents the conclusion of pretrial proceedings. Accordingly, I plan to submit a recommendation to the Judicial Panel on Multidistrict Litigation, see JPML Rule 10.1(b), that the Government Track of the MDL, i.e., City of Chicago v. Marriott Int'l, Inc., et. al., Case No. 19-cv-654, be transferred back to the transferor court for trial. See 28 U.S.C. § 1407(a); Lexecon Inc. v. Milberg Weiss Bershad Hynes & Lerach, 523 U.S. 26, 36-37 (1998). Before taking this action, however, I will convene an on-the-record status conference with the parties to discuss next steps. That conference will take place over Zoom on Wednesday, September 14, 2022, at 4:00 p.m. ET. During the conference, I will ask the parties to share their support for, or opposition to, transferring this case back to the transferor court for trial. If the parties wish to have this Court conduct the trial, they shall note that desire-and share the authority that would support proceeding in such a manner-at the status conference.

A separate ORDER memorializing this opinion follows.


Summaries of

In re Marriott Int'l Customer Data Sec. Breach Litig.

United States District Court, District of Maryland
Sep 8, 2022
MDL 19-md-2879 (D. Md. Sep. 8, 2022)
Case details for

In re Marriott Int'l Customer Data Sec. Breach Litig.

Case Details

Full title:IN RE MARRIOTT INTERNATIONAL, INC., CUSTOMER DATA SECURITY BREACH…

Court:United States District Court, District of Maryland

Date published: Sep 8, 2022

Citations

MDL 19-md-2879 (D. Md. Sep. 8, 2022)