The Federal Trade Commission (FTC) has taken legal action against MGM Resorts International, filing a petition in the U.S. District Court in Nevada. The petition aims to compel MGM Resorts to respond to an investigative demand related to a cyberattack that occurred in September. MGM Resorts has been reluctant to comply with the civil investigative demand (CID) issued by the FTC.

FTC’s assertion and request:

In its petition, the FTC emphasized the necessity of judicial enforcement to conduct a thorough and prompt investigation. The agency stated, “Judicial enforcement is necessary so that FTC staff may thoroughly and expeditiously conduct its investigation.” The FTC has requested the court to issue an order requiring MGM Resorts to appear and justify its refusal to comply with the CID. Subsequently, the FTC seeks an order compelling MGM Resorts to produce the documents and information specified in the CID.

The FTC highlighted MGM Resorts’ history of data security breaches, including incidents compromising consumers’ personal information since 2019. The agency noted that the most recent breach occurred in September 2023, with an earlier breach reported in February 2019. These incidents underscore the FTC’s concern and the need for a comprehensive investigation.

Moreover, the FTC has demanded that MGM Resorts respond to the CID within 10 days of the court order it intends to secure. This timeframe underscores the urgency with which the FTC aims to proceed with its investigation into the cyberattack incident.

MGM’s response and legal challenge:

In response to the FTC’s petition, an MGM Resorts spokesman said: “We’ve worked with federal law enforcement from the outset and followed the government’s guidance by refusing to pay a ransom and reward criminals for their horrendous actions,” the spokesman stated. MGM Resorts emphasized that their actions were in line with protecting consumer data and national security, criticizing the FTC’s approach as potentially emboldening criminals.

The legal dispute between MGM Resorts and the FTC extends beyond the compliance issue. MGM Resorts has a pending lawsuit against the FTC and its chairwoman, Lina Khan, in the District of Columbia District Court. The lawsuit challenges the involvement of Chairwoman Khan in the investigation, citing her presence at MGM Grand during the cyberattack incident. MGM Resorts seeks Khan’s disqualification from participating in the investigation, arguing for the protection of their due process rights.

Additionally, MGM Resorts has contested the applicability of certain FTC rules, specifically the “Red Flag Rule” and the “Safeguards Rule,” typically imposed on financial institutions. These rules require companies to implement identity theft prevention programs and maintain information security protocols. MGM Resorts argues that its operations, including the issuance of markers to high-rolling gamblers, do not fall under the scope of these rules.

According to the Las Vegas Review-Journal, MGM Resorts’ lawsuit against the FTC requests a reasonable deadline extension to respond to the CID if the investigation proceeds. The company asserts that many of the information categories requested by the FTC are irrelevant to the cyberattack incident, advocating for a more focused approach to the investigation.

The cyberattack on MGM Resorts’ systems in September disrupted various operations, including slot machines, room access via smartphones, and credit card payment systems. Federal investigators directed MGM Resorts not to pay a ransom demanded by hackers believed to have domestic ties. The incident led to manual processing of credit card transactions and posed significant operational challenges for the company.