MGM Resorts International and Caesars Entertainment are each facing multiple proposed class action lawsuits over the customer data allegedly compromised in the cyberattacks against the two companies earlier this month. To Bonus’s knowledge, there are two such suits against MGM and four against Caesars so far. All are federal suits filed in the U.S. District Court for the District of Nevada, and the complaints make similar accusations against the two companies and demand jury trials.
The lead plaintiffs in the suits targeting Caesars are:
- Miguel Rodriguez of California
- Paul Garcia of Colorado
- Alexis Giuffre of Illinois
- Thomas & Laura McNicholas of Illinois
Those targeting MGM are:
- Tonya Owens of Mississippi
- Emily Kirwan of Louisiana
These plaintiffs seek to represent all customers of the companies whose data fell into the attackers’ hands. The attackers themselves claim to have stolen a combined six terabytes of customer data from the two companies.
What Are the MGM & Caesars Class Actions About?
The complaints accuse MGM and Caesars of the following:
- Negligence, i.e., the failure to exercise general due care
- Negligence per se, i.e., the failure to exercise specific duties of care stipulated by laws or regulations
- Breach of implied contract, i.e., failure to hold up their end of the bargain after asking users for their confidential data
- Unjust enrichment, i.e., profiting while failing in those other duties
Rodriguez’s complaint also includes alleged violations of three California statutes: the Customer Records Act, the Unfair Competition Law, and the Consumers Legal Remedies Act.
Operations at MGM’s retail properties are back to normal now, following more than a week of downtime that began Sep. 11. Some experts estimate MGM may have lost up to $8 million for each day its business was affected. Caesars, on the other hand, suffered no outwardly visible disruption but is rumored to have paid a roughly $15 million ransom in the hope that the attackers would delete the reportedly stolen data.
If the suits end in settlements, they could end up costing the companies more than those direct impacts.
The Question of ‘Reasonable’ Precautions
It’s likely that the various cases will eventually be consolidated into two, one against each company. Central to each will be the question of what degree of cybersecurity is reasonable to expect of corporations entrusted with customer data.
The Rodriguez complaint, for instance, asserts:
When Defendant collects this sensitive information, it promises to use reasonable measures to safeguard the PII from theft and misuse.
That same word, “reasonable,” comes up in similar contexts in each complaint.
It isn’t an entirely subjective concept. Each of the complaints claims that the company in question failed two tests for reasonableness:
- Application of industry standards and best practices,
- Adherence to the guidelines of the Federal Trade Commission
The complaints also allege that the companies had been warned of the imminent danger of such attacks. That accusation is more specific in MGM’s case.
ALPHV, one of the groups behind the attacks, said that it had targeted MGM’s Okta identity management systems. Both complaints against MGM note that Okta had issued a warning in 2022 of “a consistent pattern of social engineering attacks against […] IT service desk personnel.” Impersonating an employee to the help desk is allegedly how the attackers gained their initial access, a route that bypasses password and multifactor controls entirely if the help desk can reset them on request. ALPHV has reportedly struck at least three other companies outside the gambling space in the past two months alone.
No Harm, No Foul? Not So Fast
None of the complaints alleges that the plaintiff has already suffered identity theft as a result of the breach. Instead, they advance several arguments for why unauthorized access to their data is harmful in itself.
Those arguments include, for instance, that:
- Plaintiffs must now spend their valuable time and effort defending pre-emptively against the possibility of identity theft or fraud.
- Personal data has measurable intrinsic value, which has been diminished due to being made available through illicit channels.
- Plaintiffs provided their data in exchange for certain services, which implicitly included a level of data protection that the companies failed to deliver.
Caesars may have attempted to nip that first argument in the bud by offering affected customers free identity theft protection services when it disclosed the attack. However, Rodriguez’s complaint addresses this offer specifically and calls it “insufficient”:
Defendant also offered credit monitoring services to some Class Members for one year. Such measures, however, are insufficient to protect Plaintiff and Class Members from the lifetime risks they each now face.
Previous Data Breach Suits Have Ended in Settlement
The history of data breach litigation in the US suggests that these suits are likely to end in settlements. The more interesting question for prospective class members is, if they do, how large those settlements are likely to be.
To date, the most expensive settlement in a data breach case has been the one paid by Equifax in 2019. A 2017 attack on the credit bureau had compromised the data of about 147 million consumers, including Social Security and driver’s license numbers, both considered high-value by criminals because they cannot be changed the way a password or card number can. The data also included roughly 209,000 credit card numbers.
That settlement cost Equifax up to $700 million. The second most expensive data breach settlement came last year, when T-Mobile agreed to pay $350 million. T-Mobile has already disclosed two more breaches this year.
Different Responses, Similar Suits
What’s perhaps most interesting about these cases from an industry perspective is that the two companies suffered similar attacks, responded differently, and now face similar lawsuits. The result of each case may shape how other companies respond to such attacks in the future, especially if one company ends up settling for a significantly larger sum than the other.
Caesars apparently left its systems online during the attack and reportedly paid a ransom in the hopes the attackers would delete the data. According to the attackers, MGM’s system-wide outage was the company’s own doing as a “nuclear option” to end the attack. ALPHV also said it believed MGM had no intention of negotiating a ransom.
MGM was sparing with the details in the regulatory filing it made with the SEC in the wake of the attack. Caesars was somewhat more forthcoming, including the immediate admission that driver’s license and Social Security numbers had been stolen. However, it said it does not believe any passwords, PINs or financial account details were part of the breach.
It remains to be seen how much those factors matter. The cases focus on what the companies did or didn’t do ahead of time to prepare for such attacks, so what comes out in discovery about their pre-breach security posture may outweigh what either company did after the fact.