MGM Resorts sues FTC, agency chair over cyberattack investigation
Updated April 15, 2024 - 3:02 pm
MGM Resorts International filed a lawsuit Monday against the Federal Trade Commission and its top officer, Chairwoman Lina M. Khan, claiming the agency violated the company’s Fifth Amendment right to due process while investigating a September cyberattack against the company.
In the four-count action, MGM also alleges the FTC failed to follow its own conflict-of-interest guidelines.
The lawsuit, filed in U.S. District Court for the District of Columbia, seeks an injunction to stop the FTC from seeking a civil investigative demand in its investigation of MGM related to the cyberattack unless Khan disqualifies herself from the matter. The demand is an administrative subpoena that allows federal agencies to request large amounts of information from private companies without going through court procedures.
“The Due Process Clause of the Fifth Amendment affords parties subject to government enforcement actions a fair hearing before an impartial tribunal and guarantees them equal treatment under the law,” the lawsuit states. “MGM brings this case to challenge actions by the FTC and its Chair and FTC regulations that have deprived, and continue to deprive, MGM of these fundamental rights.”
A representative of the FTC on Monday said the agency had no comment about the lawsuit.
The lawsuit alleges Khan and a senior aide have a conflict of interest because they were guests at the MGM Grand on Sept. 12 as the cyberattack, which cost the company an estimated $100 million, was unfolding last year.
“MGM’s misfortune that day was compounded by the presence of a powerful public figure at its Las Vegas hotel during the attack,” the lawsuit states.
MGM said the publicity of Khan’s experience triggered 15 consumer class-action lawsuits against MGM. The company wants Khan disqualified because she could be a witness in the matter.
MGM also has asked the court to find the FTC’s rules on recusal unconstitutional and rule the company isn’t a financial institution and therefore shouldn’t be subject to the FTC’s rules for them related to identity theft and keeping customer information safe.
Rules and ‘markers’
The FTC considers MGM subject to those rules because the company issues “markers” to high-rolling gamblers. Gambling with markers represents a small percentage of casino play, and gaming companies say it’s the equivalent of a gambler playing on a tab and not on credit.
The lawsuit also seeks a reasonable deadline to file the CID if the FTC is allowed to continue its investigation. The company wrote a letter to the agency unsuccessfully seeking a deadline extension because the agency is asking for the production of more than 100 different categories of information spanning multiple years. MGM believes much of the information sought is irrelevant to the cyberattack, according to a letter sent to the FTC in February.
The lawsuit also seeks reimbursement of court costs and other damages the court identifies.
MGM’s computer systems were attacked in September by hackers seeking a ransom payment. At the direction of federal investigators, MGM refused to pay the ransom. During the cyberattack, hundreds of slot machines were inoperative, guests could not access their rooms with smartphones and credit-card payment systems were disrupted, leading to the manual processing of credit-card transactions.
Among the guests were Khan and an aide, who were in Las Vegas for a conference.
On Sept. 15, Bloomberg reported Khan and the aide questioned MGM’s procedures during the cyberattack.
“When Khan and her staff got to the front of the line, an employee at the desk asked them to write down their credit card information on a piece of paper,” the lawsuit said, citing the Bloomberg report. “As the leader of the federal agency that, among other things, ensures companies protect consumer data wrote down her details, Khan asked the worker: How exactly was MGM managing the data security around this situation? The desk agent shrugged and said he didn’t know, according to a senior aide who was traveling with Khan and described the experience to Bloomberg as surreal.”
CID filed in January
Four months later, on Jan. 25, the FTC filed its civil investigative demand.
To MGM, the information requested mirrored Khan’s experience in Las Vegas.
“The voluminous requests posed by the CID closely track the events involving Chair Khan, with certain requests seemingly derived directly from Chair Khan’s personal experience in transacting business with MGM during the attack,” the lawsuit states.
MGM had telephone conferences with the FTC’s Los Angeles field office in the weeks ahead, and on Feb. 20 MGM filed a petition to quash or modify the CID. The company was given 11 days to compile the requested data.
The company then filed a petition seeking the recusal of Khan from the proceedings.
On April 1, the commission issued a single order denying both petitions. The commission said its Rules of Practice do not allow the recusal of commissioners except from administrative litigation.
“This categorical refusal to hear petitions to recuse or disqualify — even in extreme cases like this one — violates the Due Process Clause of the Fifth Amendment,” the lawsuit states.
Contact Richard N. Velotta at rvelotta@reviewjournal.com or 702-477-3893. Follow @RickVelotta on X.