MGM Resorts International has filed a lawsuit against the Federal Trade Commission (FTC) and its chairwoman, Lina M. Khan, claiming the agency overstepped its authority while investigating the September cyberattack that shut down several systems and disrupted operations at MGM properties across the country.
MGM claims the FTC violated its Fifth Amendment right to due process in its civil investigative demand (CID) for information that went well beyond the subject case of the fall cyberattack. The case was filed as a petition to quash the CID.
“The CID calls for the production of more than 100 different categories of information, spans multiple years with no relevance to the attack, and, perhaps most problematic of all, represents an unprecedented attempt by (FTC) staff to invoke the Safeguards Rule and the Red Flags Rule, which do not apply to MGM’s operations,” the lawsuit says.
The “Red Flags Rule” requires financial institutions and creditors to create a written identity theft prevention program designed to identify, detect and respond to “red flags” indicating possible identity theft. The Safeguards Rule requires covered companies to develop, implement and maintain an information security program.
The petition also points out that MGM followed the FTC’s advice in refusing to pay ransom to the cyber gang that carried out the hack, instead working to restore operations in an effort that ended up costing the operator $100 million.
“The CID risks jeopardizing those efforts and unfairly places MGM in a risky and highly prejudicial position because it encompasses information related to these criminal investigations,” the petition says. “Plainly, the request disincentivizes cooperation with law enforcement by companies subject to cyberattacks or other crimes.”
The lawsuit also alleges a conflict of interest: Khan, the FTC chairwoman, and a senior aide were guests at the MGM Grand in Las Vegas when the cyberattack occurred. The suit asks for an order to disqualify her from the case because she could qualify as a witness.
A September Bloomberg article said Khan had questioned MGM’s procedures during the cyberattack.
“When Khan and her staff got to the front of the line, an employee at the desk asked them to write down their credit card information on a piece of paper,” the lawsuit says, citing the Bloomberg report.
“As the leader of the federal agency that, among other things, ensures companies protect consumer data wrote down her details, Khan asked the worker: How exactly was MGM managing the data security around this situation? The desk agent shrugged and said he didn’t know, according to a senior aide who was traveling with Khan and described the experience to Bloomberg as surreal.”
On January 25, the FTC filed its CID, which, MGM noted, mirrored Khan’s Las Vegas complaints.
“The voluminous requests posed by the CID closely track the events involving Chair Khan, with certain requests seemingly derived directly from Chair Khan’s personal experience in transacting business with MGM during the attack,” the lawsuit says.
The lawsuit was filed after the FTC refused MGM’s request to extend the deadline for providing the information; the agency had given MGM 11 days to comply.
In a statement emailed to the Las Vegas Review-Journal, MGM officials said, “We’ve worked closely with federal law enforcement since the beginning of our cyber incident and, consistent with their guidance, refused to pay a ransom to the international criminal actors who perpetrated this act. We are extremely disappointed to now be the subject of this FTC investigation, which may not have occurred if we had taken the easy road and paid the ransom.”