A court has rejected Marriott International, Inc.’s motion to dismiss the City of Chicago’s data breach lawsuit filed in response to Marriott’s data breach. Chicago’s primary claim is that Marriott violated the city’s consumer protection ordinance damaging Chicagoans who relied on safely inputting their information into Marriott’s website. Additionally, the city asserts it has experienced a decline in revenue because residents and tourists refrain from staying at Marriott hotels operated in Chicago due to the breach. Marriott argued that Chicago’s ordinance is preempted by the Illinois state constitution, but the court held that state lawmakers must explicitly include language in state laws to successfully preempt city ordinances. Chicago is seeking an injunction that requires Marriott to increase its data security safeguards and pay a fine of up to $10,000 for each day Marriott violated the ordinance.
Chicago’s lawsuit represents a successful example of a growing trend of municipalities taking action on behalf of their residents in privacy litigation.