It has been more than six months since MGM Resorts experienced a devastating cyberattack, but the company is still feeling the ramifications of the incident.
In addition to serving as the defendant in a number of lawsuits, MGM is also taking its own legal action, suing the Federal Trade Commission (FTC) and FTC Chair Lina M. Khan.
Khan and an aide were actually on site in Las Vegas when the incident took place. When they went to the registration desk to check in, Khan and the aide were asked to write down personal information, including credit card numbers, and Khan inquired what the company would be doing procedurally to ensure that personal information remained safe.
After the incident, the FTC issued a Civil Investigation Demand (CID) to MGM Resorts in January. Within the CID, the agency requested answers and information not dissimilar to Khan’s questions at the reception desk. MGM was given an 11-day deadline to produce over 100 categories of information requested in the CID.
In its complaint filed in the DC District Court, MGM said it responded by filing both a Petition to Quash the CID request and a petition asking Khan to recuse herself. Per MGM, the FTC denied both requests, noting that one was improperly filed but that, even if it were in order, it would be denied.
In the suit, MGM argues that the laws under which the CID was requested do not apply to casinos and are specifically for “financial institutions” and “certain types of credit-extending institutions”. Per the filing, these types of data privacy laws have, to date, never been enforced on a casino resort. MGM says this pursuit is a violation of the company’s right to due process as well as the Fifth Amendment.
MGM is asking the court to remove Khan from the FTC inquiry, deem the FTC rules around the inquiry unconstitutional, and explicitly state that Red Flag and Safeguard rules are not applicable to MGM.