WASHINGTON — Among the many policy riders House Republicans placed in their fiscal 2025 Financial Services spending bill is one that would curtail a Federal Trade Commission probe of a cyberattack last year at MGM Resorts.
Though the bill’s language doesn’t name the company directly, the item could stem from an incident last year involving FTC Chair Lina Khan.
The House had planned to vote this week on the Financial Services bill, which would also cut the FTC’s budget by 27% from its requested amount, though that plan was postponed as of Monday.
The rider would quash a civil investigative demand, a type of subpoena, issued by the FTC on Jan. 25 that asks MGM Resorts International, one of the world’s largest casino companies, for details of its data security practices after the company suffered a ransomware attack in September 2023.
The attack took down online reservation systems and disabled digital room keys, slot machines and websites, according to an examination by the cybersecurity experts at the University of Hawaii.
MGM said in a news release that the attack resulted in the breach of personal information including names; contact information, such as phone numbers, email addresses, and postal addresses; gender; date of birth; and driver’s license numbers.
“For a limited number of customers, Social Security number and/or passport number was also affected,” MGM said. “The types of impacted information varied by individual.”
As the cyberattack shut down computer networks and reservation systems, leaving dozens of guests waiting to check in at an MGM resort hotel in Las Vegas, one of the guests happened to be Khan, according to a Bloomberg News report of the incident. Unable to access computers, the hotel’s staff asked Khan to fill out her credit card information on a piece of paper, Bloomberg reported.
Khan asked the hotel clerk how the company was handling data security and the clerk “shrugged and said he didn’t know,” Bloomberg reported, citing an aide traveling with Khan who witnessed the transaction.
In a petition to quash the information sought by the FTC, filed by MGM in February, the company said that the agency was seeking “the production of more than one hundred different categories of information, [spanning] multiple years with no relevance to the attack, and, perhaps most problematic of all, represents an unprecedented attempt by Staff to invoke the Safe Guards Rule and the Red Flags Rule, which do not apply to MGM’s operations.” The petition was referencing two FTC rules dealing with consumer data privacy.
That language is similar to what’s in the spending bill, listed as Sec. 539: “None of the funds made available by this Act may be used for the Federal Trade Commission to pursue or continue a Civil Investigative Demand against a gaming or hospitality company if the action utilizes authority from the Safe Guards Rule … or the Red Flags Rule.”
A spokeswoman for the FTC said the agency had no comment on the case or the congressional language. Spokespersons for the Republican majority on the House Appropriations Committee did not respond to an email seeking comment.
A familiar play
Congressional attempts to restrain FTC actions are nothing new.
The MGM provision in the spending bill — as well as several other policy riders that prohibit the FTC from enforcing rules relating to retail scams or antitrust matters — match decades-old efforts to clip the FTC’s wings, noted Nina Frant, special counsel focusing on consumer protection and data, privacy, and cybersecurity at Freshfields, a multinational law firm.
“The last time the FTC engaged in a tidal wave of rulemaking and aggressive enforcement tactics in the 1980s, Congress responded by refusing to fund the agency for several days and eventually adopted legislation to impose controls over the agency’s agenda,” Frant said in an interview. “There are parallel concerns about overreach by today’s FTC, so it is not surprising to see Congress attempt to curb the FTC’s agenda through funding limits.”
In 1980 Congress passed a law that gave lawmakers the power to exercise a legislative veto over the FTC’s actions, and limited the agency’s use of administrative subpoenas, after concerns arose over the amount of information the agency could demand before filing a complaint.
The legislation emerged during an FTC campaign in the late 1970s to rein in advertising aimed at children, which resulted in pushback from advertisers, according to a history of congressional action by Berkeley Law professor Chris Hoofnagle.
The FTC’s Safeguards Rule requires financial institutions to protect the security of customer information, while the Red Flags Rule imposes anti-identity theft requirements on financial institutions and credit-issuing companies.
“Both rules have narrow and specifically delineated reach,” MGM said in its petition. “They apply to companies providing financial services, not to gaming and hospitality companies like MGM.”
Based on information contained in the petition that refers to the agency’s subpoena, the “FTC appears to be looking at potential violations of these rules as well as potential violations of Section 5 of the FTC Act,” Frant said. That section prohibits unfair or deceptive acts or practices that affect commerce.
MGM also filed a case in the U.S. District Court for the District of Columbia seeking injunctive relief, alleging that its due process rights were violated because Khan had a personal involvement in the case, yet refused to recuse herself or be disqualified from participating in the investigation.
In June the FTC filed a lawsuit in the U.S. District Court for the District of Nevada asking the court to compel MGM to comply with the agency’s investigation.
The FTC said in that suit that while MGM may argue that it’s not a financial institution and therefore not subject to the Safeguards Rule and Red Flags Rule, the company is nevertheless subject to FTC investigations under the agency’s Sec. 5 authority.
Separately, in a filing in the U.S. District Court for the District of Columbia, the FTC said Khan should be allowed to continue investigating MGM’s data protection practices even though she was a guest at the hotel during the cyberattack.
Wyndham precedent
The FTC has prevailed in a previous case involving its authority under Sec. 5 to probe data security failures, Frant said, citing the case of FTC v. Wyndham.
In that case the FTC sued the global hotel chain Wyndham Worldwide Corp. in 2012 for “data security failures that led to three data breaches at Wyndham hotels in less than two years.” In 2015, the U.S. Court of Appeals for the Third Circuit affirmed a lower court’s decision upholding the FTC’s data protection authority in this case.
At MGM, several class-action lawsuits from customers seek damages for the breach. The attack was carried out by hacker groups called ALPHV and Scattered Spider, the University of Hawaii’s investigation found. It reported details on how the hackers revealed they used LinkedIn to identify an MGM Resorts employee and then assumed that person’s identity to call MGM’s information technology help desk asking for assistance to log into a company account.
MGM has suffered from other cyberattacks, the university said. In 2019, hackers stole personally identifiable information of about 10.6 million guests and posted it online. BetMGM, a betting platform owned by the company, suffered a data breach in 2022 that led to the theft of personal information of 1.5 million customers, the university said.