FTC petitions to compel MGM to comply with cyberattack probe
Days after MGM Resorts filed a lawsuit against the Federal Trade Commission (FTC) to prevent the agency from obtaining documents related to the 2023 cyberattack that brought down the gaming company, the FTC retaliated by filing a petition for an order requiring the casino operator to comply with a civil investigative demand (CID).
The Federal Trade Commission asserted its jurisdiction to investigate the September 2023 cyberbreach that cost the Bellagio operator $100 million in third-quarter earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs (EBITDAR) and $10 million in one-time legal and other expenses. The petition was filed with the US District Court for the District of Nevada. Las Vegas-based MGM has opposed the FTC’s CID attempts in the past, citing concerns that cooperating with the commission might undermine law enforcement’s probe into the attack.
Additionally, the gaming corporation has claimed that the FTC’s legal wrangling violates the operator’s Fifth Amendment rights and that the “Safeguards Rule” and the “Red Flags Rule,” which the commission is attempting to apply, are inapplicable in this instance because MGM isn’t a financial services company. The FTC asserts that it has the right to request information and documentation from the gambling industry related to the incident, adding that MGM has declined to abide by the CID. The FTC has also requested that the court enforce the CID. The FTC maintains that it requested MGM’s cooperation in accordance with applicable legal precedent and that the CID request is well within its authority.
According to the commission’s legal filing:
“The threshold for relevance is easily met. So long as the requested information touches a matter under investigation, it will survive a relevancy challenge. The FTC’s determination that information is relevant to its investigation should be accepted unless the Respondent can prove that it is obviously wrong.”
The commission further stated that MGM’s noncompliance has no legal basis and that the gaming company’s arguments that it is exempt from the “Safeguards Rule” and the “Red Flags Rule” are baseless. The FTC stated that it is authorized to look into whether MGM meets the requirements of those regulations as a financial institution or creditor.
The FTC added in the court filing:
“And the CID includes four additional specifications bearing on the Red Flags Rule, which requires certain businesses to implement a written identity theft prevention program. Tracking the provisions of that Rule, these four specifications seek information concerning whether MGM obtains consumer reports in connection with credit transactions, advances funds, and has developed and trained staff on identity theft prevention measures—and thus are plainly relevant to that aspect of the investigation.”
The US District Court filing came about two months after the Aria operator demanded that FTC Chairwoman Lina Khan recuse herself from the case because she and several FTC employees were guests of MGM Grand on the Las Vegas Strip at the time of the cyberbreach. The legal rift between the FTC and MGM is now measured in months. There are currently no indications that Khan is thinking about resigning. Additionally, MGM has previously maintained that the FTC’s demands for information and documentation are excessively detailed and challenging and may take months to comply with. Clearly, that’s not how the FTC sees it.
The commission claimed in the filing:
“But, this argument falls short of the standard for showing undue burden. Mere distraction from ordinary duties and even substantial effort does not amount to the undue disruption or serious hindrance of normal business operations. The burden imposed here on MGM is the kind expected from any form of compulsory process.”