FTC Files Petition to Force MGM Resorts to Comply with Cyberattack Demands

Posted on: June 19, 2024, 05:02h. 

Last updated on: June 20, 2024, 10:08h.

Just days after MGM Resorts International (NYSE: MGM) sued the Federal Trade Commission (FTC) in a bid to block the commission’s demands for records pertaining to the 2023 cyberattack that crippled the gaming company, the regulator fired back, filing a petition to compel the casino giant to comply with a civil investigative demand (CID).

The Federal Trade Commission (FTC) building in Washington, DC. The commission is petitioning a federal court to force MGM to comply with investigative demands. (Image: ABC News)

In a filing with the US District Court for the District of Nevada, the FTC argued it’s within its jurisdiction to investigate the September 2023 cyberbreach that cost the Bellagio operator $100 million in third-quarter earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs (EBITDAR), and $10 million in one-off legal and other expenses.

Las Vegas-based MGM has previously attempted to quash the FTC’s CID efforts, noting compliance with the commission could jeopardize law enforcement investigations into the hack. The gaming company has also said the FTC’s legal maneuvering violates the operator’s Fifth Amendment protections, and that the commission’s attempts to employ the “Red Flags Rule” and the “Safeguards Rule” aren’t applicable in this case because MGM isn’t a financial services firm.

Noting that MGM has refused to comply with the CID, the FTC claims it has the authority to demand data and records from the gaming company pertaining to the cyberattack, and has asked the court to enforce the CID.

FTC Believes it Met Legal Bars for MGM Compliance

The FTC believes the CID request is firmly within its authority and that relevant legal precedent has been met in its requests for MGM’s cooperation.

“The threshold for relevance is easily met. So long as the requested information ‘touches a matter under investigation,’ it will survive a relevancy challenge,” according to the commission’s legal filing. “The FTC’s determination that information is relevant to its investigation should be accepted unless the Respondent can prove that it is ‘obviously wrong.’”

The commission added that MGM has no legal basis for its noncompliance, asserting that the gaming company’s claims that it’s not subject to the “Red Flags Rule” and the “Safeguards Rule” lack merit. The FTC said it can investigate whether or not MGM qualifies as a financial institution or creditor under those rules.

“The CID includes four additional specifications bearing on the Red Flags Rule, which requires certain businesses to implement a written identity theft prevention program,” added the FTC in the court filing. “Tracking the provisions of that Rule, these four specifications seek information concerning whether MGM obtains consumer reports in connection with credit transactions, advances funds, and has developed and trained staff on identity theft prevention measures—and thus are plainly relevant to that aspect of the investigation.”

FTC/MGM Rift Intensifies

The legal rift between the FTC and MGM is now measured in months, and the US District Court filing arrived about two months after the Aria operator demanded that FTC Chairwoman Lina Khan recuse herself from the case because she and several FTC employees were guests of the MGM Grand on the Las Vegas Strip at the time of the cyberbreach.

For now, there are no signs that Khan is considering recusal. MGM has also previously argued that the FTC’s demands for data and documents are overly broad and burdensome, and that compliance could take months. Not surprisingly, the FTC doesn’t see things that way.

“This argument falls short of the standard for showing undue burden. Mere distraction from ordinary duties and even substantial effort does not amount to the undue disruption or serious hindrance of normal business operations,” the commission claimed in the filing. “The burden imposed here on MGM is the kind expected from any form of compulsory process.”