cyberattack
Credit: CC0 Public Domain

MGM Resorts International filed a lawsuit April 15 against the Federal Trade Commission and its top officer, Chairwoman Lina M. Khan, claiming the agency violated the company's Fifth Amendment right to due process while investigating a September cyberattack against the company.

In the four-count action, MGM also alleges the FTC failed to follow its own conflict-of-interest guidelines.

The , filed in U.S. District Court for the District of Columbia, seeks an injunction to stop the FTC from seeking a civil investigative demand in its investigation of MGM related to the cyberattack unless Khan disqualifies herself from the matter. The demand is an administrative subpoena that allows federal agencies to request large amounts of information from private companies without going through court procedures.

A representative of the FTC said the agency had no comment about the lawsuit.

The lawsuit alleges Khan and a senior aide have a conflict of interest because they were guests at the MGM Grand as the cyberattack, which cost the company an estimated $100 million, was unfolding last year.

MGM says the publicity of Khan's experience triggered 15 consumer class-action lawsuits against MGM. The company wants Khan disqualified because she could be a witness in the matter.

MGM also has asked the court to find the FTC's rules on recusal unconstitutional and rule the company isn't a and therefore shouldn't be subject to the FTC's rules for them related to identity theft and keeping customer information safe.

Rules and 'markers'

The FTC considers MGM subject to those rules because the company issues "markers" to high-rolling gamblers. Gambling with markers represents a small percentage of casino play, and gaming companies say it's the equivalent of a gambler playing on a tab and not on credit.

The lawsuit also seeks a reasonable deadline to file the CID if the FTC is allowed to continue its investigation. The company wrote a letter to the agency unsuccessfully seeking a deadline extension because the agency is asking for the production of more than 100 different categories of information spanning multiple years. MGM believes much of the information sought is irrelevant to the cyberattack, according to a letter sent to the FTC in February.

The lawsuit also seeks reimbursement of court costs and other damages the court identifies.

MGM's computer systems were attacked in September by hackers seeking a ransom payment. At the direction of federal investigators, MGM refused to pay the ransom.

During the cyberattack, hundreds of were inoperative, guests could not access their rooms with smartphones and credit-card payment systems were disrupted, leading to the manual processing of credit-card transactions.

Among the guests were Khan and an aide, who were in Las Vegas for a conference.

On Sept. 15, Bloomberg reported Khan and the aide questioned MGM's procedures during the cyberattack.

"When Khan and her staff got to the front of the line, an employee at the desk asked them to write down their credit card information on a piece of paper," the lawsuit says, citing the Bloomberg report.

"As the leader of the federal agency that, among other things, ensures companies protect consumer data wrote down her details, Khan asked the worker: How exactly was MGM managing the data security around this situation? The desk agent shrugged and said he didn't know, according to a senior aide who was traveling with Khan and described the experience to Bloomberg as surreal."

CID filed in January

Four months later, on Jan. 25, the FTC filed its civil investigative demand.

To MGM, the information requested mirrored Khan's experience in Las Vegas.

"The voluminous requests posed by the CID closely track the events involving Chair Khan, with certain requests seemingly derived directly from Chair Khan's personal experience in transacting business with MGM during the attack," the lawsuit says.

MGM had telephone conferences with the FTC's Los Angeles field office in the weeks ahead, and on Feb. 20 MGM filed a petition to quash or modify the CID. The company was given 11 days to compile the requested data.

The company then filed a petition seeking the recusal of Khan from the proceedings.

On April 1, the commission issued a single order denying both petitions. The commission says its Rules of Practice do not allow the recusal of commissioners except from administrative litigation.

"This categorical refusal to hear petitions to recuse or disqualify—even in extreme cases like this one—violates the Due Process Clause of the Fifth Amendment," the lawsuit says.

2024 Las Vegas Review-Journal. Distributed by Tribune Content Agency, LLC.

Citation: MGM Resorts sues FTC, agency chair over cyberattack investigation (2024, April 16) retrieved 16 April 2024 from https://techxplore.com/news/2024-04-mgm-resorts-sues-ftc-agency.html

This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.