The Federal Trade Commission’s ongoing investigation into data security issues at Las Vegas-based MGM Resorts International could be blocked by proposed new federal legislation.
The wide-ranging 2025 Financial Services bill seeks to curtail the FTC’s power in various ways. Although it doesn’t directly name MGM, it does have a clause pertaining to specific contentions about the existing law as it relates to the FTC’s investigation into the casino operator’s practices.
The FTC has been investigating MGM over allegations the largest U.S. casino operator did not have appropriate emergency data procedures in place in case of a systems outage. That was demonstrated by the 10-day cyberattack it suffered in September 2023.
MGM has since argued that it is not a financial institution, and thus should be exempt from “Red Flag” and “Safeguards Rules” that the FTC used as justification to open its investigation. The FTC says because MGM offers credit to high-limit gamblers, it qualifies under the regulator’s remit.
The proposed amendment to the Financial Services bill would outlaw the use of those rules against hospitality or gambling operators. The main parts of the bill concern the FTC’s annual budget, which could be cut by 27%.
“None of the funds made available by this Act may be used for the Federal Trade Commission to pursue or continue a Civil Investigative Demand against a gaming or hospitality company if the action utilizes authority from the Safe Guards Rule … or the Red Flags Rule,” says section .539 of the proposed bill.
FTC head Lina Khan happened to be visiting MGM Grand in Las Vegas at the time of the cyberattack in September 2023. She was reportedly not impressed with MGM employee’s data security protocols after the company IT systems went down.
The Investigation
The FTC launched an investigation into MGM’s handling of customer data after the attack. The 10-day incident, perpetrated by hacking group Scattered Spider, cost the operator some $100 million in overall damages.
On September 15, 2023, Khan was among thousands of MGM customers required to enter their credit card details and other personal information on pen and paper at the check-in desk of the MGM Grand in Las Vegas.
When Khan asked the desk staff about data privacy, given the old-school methods being used during the outage, they reportedly shrugged and told her they had no idea.
In January of 2024, the FTC obtained a Civil Investigative Demand order (CID) against MGM, forcing the operator to hand over the months of various data logs. MGM has since filed a petition to quash the investigation.
“The CID calls for the production of more than one hundred different categories of information, spans multiple years with no relevance to the attack, and perhaps most problematic of all, represents an unprecedented attempt by Staff to invoke the SafeGuards Rule and the Red Flags Rule, which do not apply to MGM’s operations,” said lawyers for the gambling operator.
This month also saw several updates in the criminal investigation into the hackers allegedly behind the attack. A global investigation, including the UK’s National Crime Agency and the Federal Bureau of Investigation, tracked down one of the suspected hackers to Walsall, England. A local teenager, 17, was arrested in connection with the hacking attack after a raid at his residence.
The Proposed Law Change
The amendment regarding this part of the FTC’s power may or may not pass with the overall bill. The 2025 Financial Services bill will need to be approved by the federal budget due on October 1.
It was scheduled for a vote this month, but the Republican leadership decided to hold out on putting it to vote. That leaves it unclear when exactly it will return.
The amendment pertaining to the FTC’s power to investigate generic gambling and hospitality companies is what is known as a rider clause. That is seemingly less-popular or important legislative changes tacked onto a bigger, semi-related bill to give them more chance of passing a vote.
“This bill makes cuts to prevent agency overreach by prohibiting funds for dozens of regulating actions, such as blocking the FCC from regulating broadband rates, the FTC from controlling how everyday Americans purchase a car, and the SEC from collecting and surveilling transactions of everyone who invests in the stock market,” said bill proponent and Appropriations committee Chairman Tom Joyce (R-Ohio).
David is an online casino expert who specializes in online slots and boasts over 10 years experience writing about iGaming. He has written for a wide range of notable publications, including eSports Insider and WordPlay Magazine.
David graduated Derby University with a BA Degree in English Literature and Creative Writing.
