FTC Petitions Court to Compel MGM Resorts to Adhere to Cyberattack Directives
Just a few days after MGM Resorts International (NYSE: MGM) filed a lawsuit against the Federal Trade Commission (FTC) to halt its demands for records associated with the 2023 cyberattack that hampered the gaming company, the regulatory body aggressively retaliated, lodging a petition to compel the casino giant to comply with a civil investigative demand (CID).
In a submission to the US District Court for the District of Nevada, the FTC argues that it has jurisdiction to investigate the September 2023 cyberattack that shaved $100 million off the Bellagio operator's third-quarter earnings before interest, taxes, depreciation, amortization, and restructuring or rent costs (EBITDAR), and resulted in an additional $10 million in one-time legal and other expenses.
Las Vegas-based MGM had previously attempted to thwart the FTC's CID efforts, claiming its compliance could jeopardize ongoing law enforcement inquiries concerning the hack. The gaming company also contends that the FTC's legal tactics violate its Fifth Amendment protections and that the “Red Flags Rule” and the “Safeguards Rule” the commission is attempting to employ are inapplicable in this scenario since MGM isn't a financial services firm.
Acknowledging that MGM has refused to comply with the CID, the FTC asserts that it has the authority to demand data and records related to the cyberattack from the gaming company, and it asked the court to enforce the CID.
FTC Believes Its Actions to be Legal
The FTC considers its CID request to be well within its authority, and it argues that relevant legal precedent has been satisfied in its pursuit of MGM's cooperation.
The requirement for relevance is easily met. So long as the requested information pertains to a matter under investigation, it will withstand a relevancy challenge, according to the commission's legal filing. The FTC's determination that information is relevant to their investigation should be accepted unless the respondent can prove that it is obviously wrong.
The commission claims that MGM has no legal grounds for its noncompliance, arguing that the gaming company's assertions that it is not subject to the “Red Flags Rule” and the “Safeguards Rule” are unfounded. The FTC states it can investigate whether or not MGM qualifies as a financial institution or creditor under those rules.
“The CID also includes four additional specifications bearing on the Red Flags Rule, which mandates certain businesses to establish a written identity theft prevention program. These four specifications ask for information concerning whether MGM obtains consumer reports in relation to credit transactions, advances funds, and has developed and trained staff on identity theft prevention measures - thus are plainly relevant to that aspect of the investigation,” added the FTC in the court filing.
FTC/MGM Dispute Escalates
The legal dispute between the FTC and MGM has now run for months, and the US District Court filing arrived about two months after the Aria operator requested that FTC Chairwoman Lina Khan recuse herself from the case because she and several FTC employees were guests of MGM Grand on the Las Vegas Strip at the time of the cyberattack.
For now, there are no indications that Khan is contemplating recusal. MGM has also previously argued that the FTC's demand for data and documents is overly broad and burdensome, and that compliance could take months. Predictably, the FTC disagrees.
“However, this argument fails to meet the standard for showing undue burden. Merely causing a distraction from ordinary duties and even substantial effort does not equate to the undue disruption or serious hindrance of normal business operations,” the commission contended in the filing. “The burden imposed on MGM here is the type expected from any form of compulsory process.”