SAUNDERS: After fighting off hackers, MGM takes on federal bureaucracy

WASHINGTON — When MGM Resorts International fell victim to a cyberattack in September 2023, Nevada’s largest employer responded the way you’d want a big corporation to respond.

MGM cooperated with the FBI and did not pay ransom to the hackers even as its systems — including slot machines and hotel room keys — went down for days.

Alas, the feds did something you wouldn’t want your government to do. The Federal Trade Commission launched an investigation into MGM — the victim of the cyberattack — and demanded that MGM, which suffered an estimated $100 million loss from the hack, provide information about the breach.

In a saner world, the regulatory agency’s move would be slammed as blaming the victim. In this world, MGM filed a lawsuit against the FTC in U.S. District Court for the District of Columbia to stop the investigation.

The FTC can maintain that it is working to protect consumers, whose data was breached during the cyberattack. Except that it appears the agency is not investigating MGM competitors, such as Caesars Entertainment, which was hacked last summer but paid a ransom to prevent system outages and the release of company data.

Then there’s the issue of FTC chairwoman Lina Khan, one of President Joe Biden’s more controversial hires.

Americans for Tax Reform President Grover Norquist has called Khan “the avatar of Bidenomics.” In the Washington Examiner last year, Norquist accused Khan of believing “regulators should disregard consumer welfare and sue businesses large and small whenever they wish and for any reason.”

It so happens that Khan was checking into an MGM property in Las Vegas when the cyberattack and resulting systems crash occurred.

As Bloomberg reported, “When Khan and her staff got to the front of the line, an employee at the desk asked them to write down their credit card information on a piece of paper. As the leader of the federal agency that, among other things, ensures companies protect consumer data wrote down her details, Khan asked the worker: How exactly was MGM managing the data security around this situation?”

Later, the FTC put MGM under its microscope.

It’s personal, the lawsuit argues, and Khan should recuse herself from the probe.

As evidence that Khan is personally invested in the outcome, MGM’s lawyers note that Khan participated in the FTC’s decision to not disqualify her. That’s not what you do when you want the public to believe you have no interest in an investigation.

MGM’s lawsuit against the FTC argues that MGM is not a “financial institution” and hence doesn’t fall under the FTC’s bailiwick. The lawsuit also claims the agency violated the company’s Fifth Amendment right to due process.

I reached out to the FTC press office with questions. What prompted the investigation? Has the FTC ever investigated this type of business in the past? What is the status of the probe?

The FTC responded, “We have no comment.”

I reached out to Nevada Sens. Catherine Cortez Masto and Jacky Rosen and Rep. Dina Titus for their take on this.

Titus was the only Democrat among the three to respond by my deadline. Here is her statement:

“Since the cyberattack on MGM last fall, I have been focused on ensuring that federal agencies and companies work together to protect consumer and employee data and prevent future cyberattacks.” She has been in contact with the FTC, Titus added, which she asked to keep her informed.

I have a comment: MGM worked with the FBI and refused to give in to the extortionate practices of the dark web. But after irritating Khan, the FTC put MGM under investigation.

It’s just wrong.

Contact Review-Journal Washington columnist Debra J. Saunders at dsaunders@reviewjournal.com. Follow @debrajsaunders on X.