MGM Resorts International and the Federal Trade Commission have jointly agreed to end their legal dispute over a cyberattack that resulted in a $100 million loss for MGM. The attack happened in September of 2023, and the resulting data breach led to the temporary shutdown of MGM Resorts' gaming floors, website, and other operational systems, including at its biggest Las Vegas resort.

In a significant legal development, the Federal Trade Commission and MGM Resorts International have agreed to dismiss a lawsuit stemming from a high-profile cyberattack that cost the hospitality giant an estimated $100 million. The resolution brings an end to a contentious dispute over regulatory oversight and consumer data protection.

Background of the dispute

The legal battle originated in the wake of a cyberattack on MGM Resorts in September of 2023, which severely disrupted the company's operations. The breach led to temporary shutdowns of key services, including its gaming floors, website, and operational systems across multiple locations, including Las Vegas. The attack not only caused significant financial losses but also raised substantial concerns about data security and consumer protection.

The FTC quickly took notice of the incident and launched an investigation into the breach's impact on consumer data. The commission issued a Civil Investigative Demand (CID) to MGM Resorts, seeking information on how the company handled the personal information of affected customers and whether it had complied with consumer protection laws. The FTC's scrutiny was further intensified by the firsthand experience of then-FTC Chair Lina M. Khan, who was staying at an MGM property during the cyberattack. Khan and her aide were reportedly asked to provide personal information, including responses to security questions, to gain access to services during the breach.

MGM Resorts' legal challenge

MGM Resorts responded to the FTC's demands by filing petitions to dismiss the Civil Investigative Demand, arguing that the commission lacked the authority to regulate casinos in this context. The FTC denied these petitions, prompting MGM Resorts to escalate the matter to the US District Court for the District of Columbia.

The core of MGM Resorts' legal argument was that the CID applied only to credit-extending entities and financial institutions, rather than casino operators. The company also claimed that Khan's direct experience during the breach created a conflict of interest, further complicating the FTC's investigation.

Resolution of the case

After months of legal wrangling, both parties have now agreed to dismiss the lawsuit. According to court filings in the US District Court for the District of Nevada, the FTC and MGM Resorts reached a mutual decision to withdraw their respective claims, effectively ending the dispute. The terms of the agreement have not been publicly disclosed, but the decision marks a turning point in the ongoing debate over regulatory authority in the gaming and hospitality industry.

While MGM Resorts has successfully challenged the FTC's jurisdiction in this instance, the cyberattack has demonstrated the growing threats facing the casino industry. The breach not only resulted in substantial financial losses but also raised questions about the industry's preparedness for cyber threats and data breaches.

The case has broader implications for regulatory oversight in the casino sector. While the FTC has authority over consumer protection and data security, its jurisdiction over casino operators remains a contentious issue. MGM Resorts' successful pushback against the FTC's investigation may set a precedent for other gaming and hospitality companies facing similar scrutiny.

At the same time, the cyberattack has reignited concerns over cybersecurity vulnerabilities within the gaming industry. With casinos increasingly relying on digital systems for operations, loyalty programs, and other customer transactions, protecting consumer data has become a critical priority. Industry experts warn that regulatory bodies, including the FTC, may seek new avenues to ensure stricter cybersecurity compliance in the future.