InfoBytes Blog
District Court denies defendant summary judgment in data breach suit
On September 8, the U.S. District Court for the District of Maryland denied a defendant hotel corporation’s summary judgment motion, concluding that an economic expert’s opinion that the City of Chicago (plaintiff) experienced a loss in tax revenue due to a security breach of the defendant’s guest information database—and that the breach caused that loss—should be admissible. As previously covered by InfoBytes, a consolidated class action suit was filed by consumers after they allegedly learned that the defendant took more than four years to discover the data breach and took nearly three months to notify customers of their exposed information. The defendant discovered the breach in September 2018 when a consulting company contracted to provide data security services reported an anomaly pertaining to the defendant’s guest information database. In total, the breach impacted approximately 133.7 million guest records.
Last May, the court granted in part and denied in part certification of eight class actions against the defendant, noting that the plaintiffs did not need to demonstrate that every class member has standing at the class certification stage. The size of the certified classes based on an overpayment theory was decreased, because the court agreed with the defendant’s argument that the plaintiffs were too broad in seeking to include all customers who were affected by the breach, rather than those who only “bore the economic burden.” The court also declined to certify one class seeking only injunctive or declaratory relief, stating that “[w]ithout any direction as to the nature of the injunction sought, besides a request for further discovery, plaintiffs’ motion goes no further than requesting that defendants discontinue their current practices with respect to the [personally identifiable information] at issue.”
According to the recent opinion, the City of Chicago alleged that the defendant violated the city’s consumer protection ordinance by failing to safeguard the personal information of city residents and misrepresented that it had reasonable security safeguards in place. The defendant argued that the City of Chicago’s claims exceeded the limit of the city’s authority under the Illinois Constitution, because it attempted to apply its ordinance to a specific data-security incident. The court found that the Illinois Constitution permits the City of Chicago, a “home-rule unit,” to enforce its consumer protection ordinance against the defendant for harm and injuries arising from the data security incident. Additionally, the court found “in order to respect ’the constitutional design’ granting broad home rule authority and permitting concurrent local and state authority, ‘the courts should step in to compensate for legislative inaction or oversight only in the clearest cases of oppression, injustice, or interference by local ordinances with vital state policies.’” The court also found that the City of Chicago has standing to bring claims for monetary fines, citing that “expert opinions establish, by a preponderance of the evidence, that Chicago suffered an injury-in-fact—the loss of tax revenue—that was traceable to the data breach, and that can be redressed by monetary fines paid by [the defendant].”