Federal Trade Commission Hits Back at MGM Resorts in Cyberattack Investigation Spat


The Federal Trade Commission (FTC) has petitioned the Nevada District Court to force MGM Resorts International (MGM) to answer a civil investigation demand (CID). The move relates to MGM’s refusal to comply with the FTC’s investigation into recent data breaches, including the attack that temporarily shuttered many MGM operations late last year.

In the petition filed on June 17, the FTC argues that enforcement is required to allow FTC staff to “thoroughly and expeditiously conduct its investigation.”

Since 2019, the FTC says MGM has “experienced at least three publicly reported data security breaches implicating consumers’ personal information.”

For this reason, the FTC argues an investigation is necessary. However, the commission says it can only do its job correctly with MGM’s cooperation. With its petition, the FTC asks the court to force MGM to comply within ten days of the requested court order.

From the filing:

The FTC respectfully asks this court to issue an order requiring MGM to appear and show cause why it should not comply with the CID and thereafter grant the FTC’s petition and enter an order compelling MGM to produce the documents and information specified in the CID.

FTC: Repeated Data Breaches Warrant Deeper Look

The FTC’s petition follows a lawsuit filed earlier this year in Columbia District Court by MGM targeting the commission and its chairwoman, Lina Khan.

With that filing, MGM argues Khan’s personal experiences as an MGM guest during the latest cyberattack make her involvement in the investigation inappropriate. Further, MGM argues it’s not subject to the FTC’s Red Flag and Safeguard rules, which puts the investigation outside FTC jurisdiction.

The Red Flag and Safeguard rules generally apply to financial institutions. However, the FTC argues that MGM’s practice of issuing credit “markers” to high-rollers may subject it and other retail casino companies to the same rules as other lenders.

Via its petition, the FTC says that MGM’s history of data breaches necessitates an investigation, despite MGM’s claims to the contrary.

MGM experienced its third publicly known data breach in four years. Thereafter, the Commission opened an investigation and issued a CID to MGM seeking information regarding whether MGM’s data security and privacy practices constitute “unfair or deceptive acts or practices in or affecting commerce” in violation of Section 5 of the FTC Act and violate the Safeguard Rule or Red Flags Rule.

The FTC continues, arguing that nothing MGM claims in its attempt to derail the FTC investigation impacts the latter’s authority to investigate.

To impede the Commission’s investigation, MGM has refused to comply with the CID and filed a declaratory judgment lawsuit attempting a preemptive strike against an FTC action to enforce the CID. The FTC will respond to that filing in due course and show why MGM’s suit is improper. But nothing that MGM alleges in that complaint or that MGM might claim here undermines the FTC’s authority to obtain in this proceeding the information it needs for its investigation.

Commission Claims MGM’s Opposition Lacks Merit

Further, the FTC argues that an investigation is required to determine whether the Red Flag and Safeguard rules apply to MGM.

Per the filing:

The FTC’s broad authority to investigate and enforce the Rules necessarily includes the authority to investigate whether MGM is a “financial institution” or a “creditor” under the Rules.

Additionally, as the Commission further found, there is ample reason to doubt MGM’s claim that it is not covered by the Safeguards and Red Flags Rules.

Further, the FTC argues it has met the requirements to enforce the administrative subpoena. As a result, the court “must enforce administrative subpoenas unless the evidence sought by the subpoena is plainly incompetent or irrelevant.”

In that light, the FTC argues that the court should promptly enforce the CID.

The Commission has satisfied the requirements for judicial enforcement of its CID: the Commission has the authority to conduct the investigation, it has complied with all procedural requirements, and the CID seeks documents and information relevant to the investigation. Accordingly, the CID should be enforced without delay.

As a remedy, the FTC seeks an “immediate issuance of an order” directing MGM to “show cause why it should not comply in full.” The commission has also requested “prompt determination” of the matter, compelling MGM’s response within ten days and any “other and further relief” deemed proper.

The FTC declined Bonus’s request for further comment. MGM did not immediately respond to our request.

About the Author

Robyn McNeil


Robyn McNeil (she/they) is a Nova Scotia-based writer and editor, and a lead writer at Bonus. Here she focuses on news relevant to online casinos, while specializing in responsible gambling coverage, legislative developments, gambling regulations, and industry-related legal fights.