MGMResorts Challenges FTC Overreach in Landmark Lawsuit Following Cyberattack

Resorts International has initiated a groundbreaking lawsuit against the U.S. Federal Trade Commission (FTC), alleging that the regulatory body’s investigation into their handling of a significant cyberattack oversteps legal boundaries and infringes upon the
company’s due process rights. This legal battle highlights a significant escalation between the corporate giant and federal regulators after a data breach that exposed sensitive customer information and disrupted operations across MGM’s properties.

Points of Contention and MGM’s Legal Arguments

The crux of MGM’s legal challenge centers on the FTC’s investigative approach, which MGM claims is excessively punitive and suggests predetermined conclusions about the company’s fault in the breach. Specifically, MGM is contesting the FTC’s Civil Investigative
Demand, arguing that it is overly broad and intrusive, thus violating the Constitutional rights to due process. Additionally, MGM has raised concerns about potential bias from FTC Chair Lina Khan, calling for her recusal from the investigation.

Stance on Data Breach Notifications and Cybersecurity Enforcement

The FTC has been vocal about the need for companies to not only comply with breach notification laws but to also ensure that such notifications are timely and sufficiently protect affected individuals from harm. This stance has been reflected in several enforcement
actions, such as those against CafePress and Uber, where the FTC imposed penalties not just for the breaches themselves but for the companies’ delayed and inadequate responses to those breaches.

Broader Implications for Cybersecurity Regulation

This lawsuit could have far-reaching implications for how regulatory bodies like the FTC enforce cybersecurity measures and conduct breach investigations. It underscores the complex challenges that businesses face in maintaining operational integrity while navigating
stringent regulatory landscapes in an increasingly digital world.

Looking Ahead: Industry and Legal Perspectives

The legal community and cybersecurity experts are keenly watching this case, as its outcome could set important precedents for the relationship between regulatory authorities and businesses in the realm of data security. It also raises significant questions about
the balance of power between these entities and the rights of businesses when subjected to federal investigations.

more in-depth details on the FTC’s policies and previous enforcement actions related to data breaches, you can view resources from Orrick on data breach notifications​
– Homepage)​
and BNN Bloomberg’s coverage of the lawsuit​