• Home
  • News
  • Casino
  • FTC moves to dismiss MGM lawsuit over data breach investigation
igamingnext photo
The Federal Trade Commission (FTC) filed a motion on Monday (24 June) to dismiss MGM Resorts’ challenge to an investigation into its data security practices.

The lawsuit, filed in April 2024, came after the FTC issued a civil investigative demand (CID) to the operator seeking documents related to three data breaches that exposed customer information between 2019 and 2023.

MGM refused to comply with the demand and instead sued the FTC in the DC District Court, alleging due process violations.

In the latest filing the FTC said: “Simply put, MGM has refused to comply with the demand. Instead, MGM preemptively sued the Commission for pre-enforcement declaratory relief.

“MGM’s suit fails, however, both for lack of subject matter jurisdiction and for failure to state a claim for relief.”

It follows the September 2023 cyberattack on the operator, which saw widespread outages in its land-based venues and customer information being compromised.  

MGM’s lawsuit centres on its objections to FTC chair Lina Khan’s participation in the investigation, the deadline for complying with the CID, and the applicability of certain FTC data security rules to MGM’s business.

FTC argument against MGM

In its motion, the FTC argued that the court lacks jurisdiction to hear MGM’s claims.

The agency argued Congress created a special scheme for judicial review of FTC actions in the Federal Trade Commission Act.

This process is set up to channel such claims to federal appeals courts only following final FTC orders.

The FTC maintains that MGM’s claims do not fall under the narrow exception created by the Supreme Court in 2023 for “fundamental, existential” challenges to an agency’s constitutional structure.

Instead, the FTC characterised MGM’s lawsuit as a routine challenge to the application of FTC rules in this particular investigation.

Additionally, the FTC argued MGM failed to state a valid legal claim, noting that the company has not identified an applicable course of action under federal law.

The agency also argued MGM’s allegations, even if true, do not amount to plausible due process violations.

The argument is the latest twist in the mounting legal battle between the agency and the gaming operator.

This month, the FTC itself sued MGM to enforce compliance with its investigative demands.

MGM is also facing several class action lawsuits by consumers who had their personal information stolen in the attack.

The alleged mastermind of the hacking group responsible for the cyberattack, Scattered Spider, was also arrested at the end of May.

The 22-year-old British national was picked up by police in a joint FBI-Spanish operation attempting to board a flight to Naples.

Similar posts