Sign Up For Card Player's Newsletter And Free Bi-Monthly Online Magazine

MGM Files Lawsuit To Block FTC Investigation

Agency Demands Information About Cyber Attacks


The Federal Trade Commission has opened an investigation into MGM Resorts regarding the cyberattack that left many of the company’s casino computer systems shut down last year. The investigation concerns several of MGM’s data security practices and is asking the company to produce information regarding procedures, previous security incidents, identity theft measures, key personnel involved in data security, and more.

MGM responded by filing a lawsuit on Monday against the agency and FTC Chairwoman Lina Khan to protect that information, charging that the agency’s requests violate the company’s Fifth Amendment right to due process.

In previous responses to the FTC, MGM noted that the “CID (Civil Investigative Demand) calls for the production of more than one hundred different categories of information, spans multiple years with no relevance to the attack, and, perhaps most problematic of all, represents an unprecedented attempt by (FTC) Staff to invoke the Safeguards Rule and the Red Flags Rule, which do not apply to MGM’s operations.”

Facing Off In Court Filings

The Safeguards and Red Flag rules usually apply to financial institutions and MGM attorneys argue that the company doesn’t fall under those. The FTC has argued that because the company’s casinos use “markers” to high-stakes gamblers, the rules should apply to MGM.

MGM also alleges the FTC violated its own conflict-of-interest guidelines because Khan and a senior aide were staying at the MGM Grand during the cyberattack issues.

“MGM says the publicity of Khan’s experience triggered 15 consumer class-action lawsuits against MGM,” the Las Vegas Review-Journal reported. “The company wants Khan disqualified because she could be a witness in the matter.”

The lawsuit also seeks more time to file the CID if courts allow the investigation to continue along with payment of court costs and other damages.

The FTC hasn’t commented on the lawsuit, and some have been critical about how the agency has handled the MGM situation. The Wall Street Journal recently reported that the company took federal law enforcement’s advice to not pay the ransom demanded by the cyber attackers.

The decision cost the company an estimated $100 million to fight the attacks, even though the hackers weren’t able to get what they hoped. Meanwhile, Caesars Entertainment paid roughly half of a $30 million ransom to avoid the same shutdown issues.

“The FTC investigation of MGM raises serious questions about what message the government wishes to send to ransomware victims,” the Journal notes. “Even as law-enforcement authorities counsel resistance, the FTC threatens to burden resisters with the disincentive of a federal investigation.”