MGM Resorts International has initiated legal action against the Federal Trade Commission (FTC) and its chair, Lina M. Khan, seeking to halt an investigation into a cyber attack that disrupted the company’s operations last September. Filed in Washington’s federal court on April 15, the lawsuit emerged just months after the attack forced MGM to shut down key systems and impacted services such as hotel room access and slot machines at their U.S. properties.
The cyber attack’s responsibility was swiftly claimed by a hacker group known as Scattered Spider. The group threatened further assaults on MGM’s infrastructure unless their demands for payment were met. In response to these threats and the repercussions of the attack, MGM is now requesting “injunctive and declaratory relief” against the FTC, arguing that the Commission’s actions, under the leadership of Khan, have infringed upon MGM’s Fifth Amendment rights, specifically the due process clause.
The due process clause stands as a constitutional safeguard, ensuring that individuals or entities facing government action are entitled to a hearing before an impartial tribunal and that they are treated fairly under the law. MGM’s lawsuit underscores these legal protections, claiming that they have been denied a fair process.
Notably, the suit pulls from media reports insinuating that Khan and an unnamed senior aide were personally caught up in the attack’s aftermath during their stay at one of MGM’s Las Vegas properties. When MGM’s IT systems failed, Khan, according to a Bloomberg report, was asked by hotel staff to handwrite her credit card details on paper due to the outage. This incident prompted Khan to inquire about MGM’s data security measures, to which a hotel employee allegedly admitted ignorance.
Following this interaction, the FTC launched a probe, serving MGM with a Civil Investigative Demand (CID) on January 25, 2024. The CID required MGM to furnish information related to over 100 categories of inquiry, some of which predated the cyber attack. In the subsequent month, MGM projected a negative impact of $100 million on its adjusted property EBITDAR for the third quarter due to the attack. Nonetheless, the company reported a record $3.97 billion revenue for Q3, with CEO Bill Hornbuckle remarking that MGM had “went to hell and back” because of the cyber incident.
Parallel to MGM’s woes, Caesars Entertainment also fell victim to a cyber attack around the same period, resulting in a breach of its customer loyalty program database.
MGM sought to quash or at least modify the CID on February 20, 2024, claiming it was based on “inapplicable financial services rules,” specifically the FTC’s Safeguards rule and Red Flags rule. The company argued that these rules should not apply as MGM is not a financial institution. MGM then filed a motion to disqualify or recuse Khan due to her “personal involvement in the subject matter under investigation.” Furthermore, MGM disclosed its status as a defendant in 15 consumer class action lawsuits, naming Khan as a potential civil plaintiff and witness.
However, the FTC dismissed MGM’s motions on April 1, 2024. MGM maintains this rejection undermines its Fifth Amendment rights. The lawsuit conveys that an investigation grounded on regulations that clearly do not apply is a breach of the Fifth Amendment’s assurances of due process and equal protection.
MGM contends that as a casino resort operator, not a financial institution, it should not be subjected to this sort of investigation, emphasizing that the FTC has not previously enforced the Safeguards or the Red Flags rules on a casino resort operator. The unfolding legal battle raises questions about regulatory reach, data security responsibilities, and constitutional protections, setting the stage for what could become a landmark case in the realms of cyber security and regulatory law.
