MGM Resorts International has filed suit against the US's Federal Trade Commission [FTC] in an effort to quash a probe launched by the FTC into the consumer-data-protection measures in place when a notorious 2023 cyberattack occurred. The cyberattack caused $100 million in losses to MGM over four days of system downtime. Among many other impacted services, the attack forced most MGM properties' poker action to be suspended until computer support could be re-activated.
The lawsuit, filed on Monday in the federal district court for the US District of Columbia, asserts that the rules under which the FTC has made demands for information from MGM are applicable only to financial institutions and select other entities that extend credit. In contrast, the FTC purportedly asserts that the occasional casino practice of issuing markers to high rollers qualifies MGM and other casinos as credit-issuing financial institutions.
The suit also names FTC Commissioner Lina Khan in her official capacity with the agency, while also seeking her recusal from the matter. Khan is one of the few individuals who has been identified publicly as a possible victim of the cyberattack. She was attempting to check in at one of MGM's Las Vegas properties soon after the cyberattack forced MGM to take most of their computer systems offline, and was, per Bloomberg, reportedly asked by MGM to write her credit-card information down on a piece of paper in order to be checked into the resort-hotel.
Recusal request asserts Khan is driving force behind FTC probe while being potential litigant
MGM's lawsuit claims that Khan's experience at the Vegas MGM property as the cyberattack began is the driving force behind the probe, in the form of a Civil Investigative Demand [CID] made by the FTC in January. That followed Bloomberg's report that Khan was concerned about the security involved in writing down her credit-card information by hand and other workarounds being used by MGM to keep the business running.
As an unnamed aide told Bloomberg, "When Khan and her staff got to the front of the line, an employee at the desk asked them to write down their credit card information on a piece of paper. As the leader of the federal agency that, among other things, ensures companies protect consumer data wrote down her details, Khan asked the worker: How exactly was MGM managing the data security around this situation? The desk agent shrugged and said he didn’t know, according to a senior aide who was traveling with Khan and described the experience to Bloomberg as surreal."
Yet that's not the only complication involving Khan, according to MGM's filing. MGM has now been targeted in at least 15 class-action lawsuits, some of which could conceivably include Khan as a class member or witness. MGM's filing also asserts that the rush of litigation has been fueled in part by publicity, "undoubtedly enhanced by the reporting about Chair Khan...."
Fifth Amendment defense floated
MGM's filing also asserts that Khan's failure to recuse herself from the matter to date violates the Fifth Amendment, which guarantees due process. MGM initially filed both its protest against the fact-finding CID and its recusal petition regarding Khan with the FTC itself, but the agency denied both petitions earlier this month. That forced MGM to take the matter into the legal system.
The CID, the demand for information about MGM's data-security protocols, has also spurred MGM into its legal action. According to the lawsuit, the FTC's probe demands voluminous and excessive information, some of which is not even relevant to the probe.
MGM claims that the probe and its demand for information, formally based on two FTC data-privacy regulations, are instead being used as a "catchall" for FTC Chairperson Khan's inquiry:
"Although the CID is clearly the result of Chair Khan’s experience at one of MGM’s Las Vegas properties, it was ostensibly issued to investigate MGM’s compliance with the Standards for Safeguarding Customer Information Rule (“Safeguards Rule”), and the Duties Regarding the Detecting, Prevention, and Mitigation of Identity Theft (“Red Flags Rule”), and makes a catchall invocation...."
MGM Resorts continues to cooperate with the FBI's ongoing investigation into the cyberattacks against MGM and Caesar Entertainment. No arrests have been made in connection with the cyberattacks.
