The legal dispute between MGM Resorts International (MGM) and the Federal Trade Commission (FTC) could be close to reaching a resolution. According to a Joint Status Report from February 28, the FTC is withdrawing its Civil Investigative Demand (CID) to MGM seeking information about the September 2023 cyberattack, which triggered system-wide outages and cost MGM an estimated $100 million.
The case is not over, but it is getting closer
Despite the development, the dispute is not officially over. While both parties have agreed to dismiss the case, the FTC has yet to withdraw its separate petition in the Nevada District Court, which sought Nevada courts to force MGM to answer the CID. However, the latest filing suggests that could change soon.
The parties expect to meet and confer about the status of the investigation and the Nevada action in the very near future.
A final resolution may be near as the two parties plan to release another update in the coming weeks.
The parties are actively discussing the impact of these developments on the case at bar, and respectfully request that they be permitted to submit another joint status report on or before March 21, 2025, to provide a further update to the Court on whether this case is moot.
The FTC issued a CID following the 2023 cyberattack
In September 2023, MGM Resorts suffered a cyberattack, which the company later revealed cost it $100 million in lost profit. As a precautionary measure, MGM shut down the computer systems across multiple properties. That led to system-wide outages that affected many aspects of the business, including slot machines, hotel check-ins, internal servers, ATMs, phone systems, and online payment systems.
Coincidentally, former FTC chair Lina Khan was staying at an MGM property during the cyberattack and witnessed the outages. Unimpressed with how the operator handled customer data during the blackout, the FTC launched an investigation. In January 2024, the commission issued a CID, citing that MGM might have violated consumer protection laws regarding security procedures.
The FTC requested extensive information on the company’s data security practices, requesting data across 100 categories spanning multiple years. MGM resisted, believing much of that information was irrelevant, and requested an extension, which the FTC refused.
MGM sued the FTC, and the commission countersued
After receiving a denial of an extension, MGM filed a lawsuit against the FTC and Khan in April 2024. In the lawsuit, MGM argued that the commission violated its Fifth Amendment rights to due process. The lawsuit also claimed that Khan’s involvement was inappropriate and that her refusal to recite herself from the CID breached the FTC’s ethics policy.
Furthermore, MGM argued that the investigation was outside the FTC’s jurisdiction. It claimed that as a casino resort operator, it is not subject to the FTC’s Red Flag and Safeguard rules, which typically apply to financial institutions. The lawsuit sought an injunction to block the CID or a reasonable extension in case the commission was allowed to proceed with the investigation.
In June 2024, the FTC responded with a countersuit in Nevada. It petitioned the Nevada District Court to compel MGM to answer the CID. The commission argued that enforcement is required to allow its staff to “thoroughly and expeditiously conduct its investigation.” The FTC cited that MGM experienced at least three publicly reported security breaches involving consumer data. The commission argued that an investigation is necessary, but it’s possible only with MGM’s cooperation.
About the Author
