Pending legislation could block FTC cyberattack probe of MGM

A House appropriations bill currently under consideration has a provision that could prevent the Federal Trade Commission from seeking cyberattack information from MGM.

FILE - Lina Khan, the nominee for Commissioner of the Federal Trade Commission (FTC), speaks du ...

A provision in U.S. House legislation could block the Federal Trade Commission investigation into the September cyberattack that temporarily crippled MGM Resorts International properties.

The Republican spending bill includes a provision that would block a Jan. 25 FTC civil investigative demand of MGM to provide details of its data security practices after the company suffered a ransomware attack by hackers believed to be an international group with domestic ties. The bill also slashes the FTC budget by 27 percent.

The MGM cyberattack affected several MGM computer systems, including telephones, email, credit card transactions, reservation systems, hotel check-ins and slot machines, for nine days beginning Sept. 10. FTC chair Lina Khan and an aide were staying at an MGM hotel in Las Vegas for a conference during the incident.

“The core mission of this bill is to protect the integrity of America’s financial and judicial systems,” Appropriations committee Chairman Tom Joyce, R-Ohio, said in a release.

“In order to fulfill that mission, this bill makes cuts to prevent agency overreach by prohibiting funds for dozens of regulating actions such as blocking the FCC from regulating broadband rates, the FTC from controlling how everyday Americans purchase a car, and the SEC from collecting and surveilling transactions of everyone who invests in the stock market,” Joyce said. “With these key priorities in the bill, I am proud we were able to advance it out of committee and to the House floor.”

It’s unclear when the spending bill, which was approved by the House Appropriations committee in June, will go to the full House for consideration. Committee Republicans rejected a proposed Democratic amendment that would have enabled the FTC chair to take unilateral action that exceeds the commission’s statutory authority.

The bill was scheduled for a vote this week, but the Republican leadership withheld it. Appropriations legislation is required for approval of the federal budget by Oct. 1.

MGM cyberattack

British law enforcement authorities working with the FBI arrested a 17-year-old boy last week in connection with the attack. The unidentified teen was released on bond after being apprehended by the Regional Organised Crime Unit for the West Midlands in Wallsal, a small city in central England.

MGM has pushed back against the FTC’s request for information, known as a CID, with a lawsuit filed April 15.

The four-count action, filed in U.S. District Court for the District of Columbia, seeks an injunction to stop the FTC from seeking a CID unless FTC Chairwoman Lina Khan disqualifies herself from the matter.

The lawsuit is based on the conflict of Khan and a senior aide being guests at the MGM Grand as the cyberattack — that cost the company an estimated $100 million — was unfolding in September.

The FTC countered June 14 with a petition in U.S. District Court in Nevada to force MGM to respond to the CID.

Concerns about FTC

MGM has been concerned about the FTC’s involvement in the cyberattack case since the federal agency first requested a CID in January. The company tried to negotiate a deadline extension, but on April 1, the FTC rejected the company’s requests, which led to the filing of the lawsuit.

In its lawsuit, MGM also asked the court to declare the FTC’s Rules of Practice with respect to Petitions to Recuse Commissioners unconstitutional and to say the company is not subject to two rules imposed on financial institutions — the so-called “Red Flag Rule” and the “Safeguards Rule.”

The “Red Flags Rule” requires companies to create a written identity theft prevention program designed to identify, detect and respond to “red flags” indicating possible identity theft. The “Safeguards Rule” requires covered companies to develop, implement and maintain an information security program.

The FTC considers MGM subject to those rules because they issue “markers” to high-rolling gamblers. While gambling with markers represents a small percentage of casino play, gaming companies say it’s the equivalent of a gambler playing on a tab but not on credit.

The lawsuit also sought a reasonable deadline to file the CID if the FTC is allowed to continue its investigation. The company wrote a letter to the agency unsuccessfully seeking a deadline extension because the agency is asking for the production of more than 100 different categories of information spanning multiple years. MGM believes much of the information sought is irrelevant to the cyberattack.

Khan was a guest

On Sept. 15, Bloomberg reported Khan and the aide questioned the procedures MGM was taking during the cyberattack.  

“When Khan and her staff got to the front of the line, an employee at the desk asked them to write down their credit card information on a piece of paper,” the lawsuit said. “As the leader of the federal agency that, among other things, ensures companies protect consumer data wrote down her details, Khan asked the worker: How exactly was MGM managing the data security around this situation? The desk agent shrugged and said he didn’t know, according to a senior aide who was traveling with Khan and described the experience to Bloomberg as surreal.”

To MGM, the information requested in the CID mirrored Khan’s experience.

“The voluminous requests posed by the CID closely track the events involving Chair Khan, with certain requests seemingly derived directly from Chair Khan’s personal experience in transacting business with MGM during the attack,” MGM’s lawsuit said.

MGM says the publicity of Khan’s experience triggered 15 consumer class-action lawsuits against MGM.

MGM wants Khan disqualified because she could possibly be a witness in the matter.

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

Leave a Reply

Your email address will not be published. Required fields are marked *