Maydeen Merino reports:
The Federal Trade Commission this week defended its investigation of MGM Resorts International’s data security practices as the Las Vegas-based casino is seeking a court order to block the agency’s probe.
Following a cyberattack that disclosed the personal information of MGM guests in September, the FTC issued a civil investigative demand (CID) in January, seeking information regarding the company’s security, cyber risk management and identity theft prevention measures. The agency also requested detailed information about the September cyberattack.
MGM responded by petitioning the agency to limit or halt its investigation. The company also asked the FTC to disqualify Chair Lina Khan from participating in the inquiry as she was staying at the hotel during the cyberattack.
When the FTC denied the petition, MGM filed suit in the U.S. District Court for the District of Columbia, claiming the agency’s investigation exceeds its authority and that the Federal Bureau of Investigation was already on the job.
Read more at Law.com.
Comment
Some of MGM’s constitutional challenges to the FTC’s authority seem similar to issues raised in FTC v. Wyndham, when that hotel chain challenged the FTC’s authority under Section 5 of the FTC Act for failure to first promulgate rules and regulations, etc. Their argument did not prevail. As to MGM’s claims that the FBI is already on the job to investigate, that seems somewhat ridiculous as an argument. The FBI’s investigation does not have the goal of protecting consumers. Its goal is to catch the criminals.
When a major hotel chain has a massive data breach, why shouldn’t a federal regulator take a serious look at whether the chain had appropriate and industry-standard data security in place prior to the breach? Don’t we want them to?