LAS VEGAS (Legal Newsline) - A Nevada federal judge has somewhat stepped away from a dispute between MGM Resorts and the Federal Trade Commission over a data breach FTC commissioner Lina Khan was personally involved in.
Judge James Mahan will leave it up to a D.C. federal judge to determine whether MGM must turn over certain records to the FTC. MGM filed a motion to quash the FTC's civil investigative demand there, which was followed by the FTC's petition to enforce it in Nevada.
Because MGM was the first to file, Mahan stayed the Nevada case and said he not disturb any findings of the D.C. judge John Bates. He stopped short of sending the FTC's case to the D.C. court.
"Here, the first-to-file rule applies," Mahan wrote. "It cannot be disputed that MGM filed its complaint first; the parties are the same in both actions; and the issue in both suits is the FTC's CID."
MGM says the FTC is violating its fundamental rights with a probe of its responses to cyberattacks, one of which occurred while Khan was a guest at one of its Las Vegas properties.
MGM's motion to quash a civil investigative demand from the FTC says Khan must recuse herself, as she is both a potential civil plaintiff and a potential witness. It has refused to comply with the CID, leading the FTC to file its own petition June 17.
The FTC asked the Nevada court to force MGM to respond to its questions as it seeks to find out whether it violated the FTC Act, the Safeguard Rule and the Red Flags Rule.
The CID seeks information about MGM's corporate structure, operational control and information security practices. For the Red Flags Rule, it asks whether MGM obtains consumer reports with credit transactions, advances funds and has developed a trained staff on identity theft prevention measures.
The cyberattack occurred in September 2023 and has had significant financial implications for MGM, the company says. It is cooperating with the FBI to bring those responsible to justice, it adds.
The situation was exacerbated when Khan and an unnamed senior aide were guests at one of MGM's Las Vegas properties during the attack.
Reports claim that Khan was asked to write her credit card information on paper due to the incapacitated IT systems.
Following this incident, the FTC launched an investigation into MGM's data security practices. The FTC issued a CID, seeking more than 100 categories of information from MGM.
The casino operator alleges that some requests appear directly derived from Khan's personal experience during the attack.
"As the most high-profile person involved in the events at issue - and the only such person widely identified by name in press reports - Chair Khan is both a potential civil plaintiff and a potential witness," MGM's motion says.
The company said in February it faces 15 private class actions and asks to disqualify Khan because of her personal involvement.
The FTC denied both MGM's motion to quash and disqualify Khan, which MGM says deprived it of its Fifth Amendment rights.
"The order relies on the Commission's position that its Rules of Practice do not allow for recusal of Commissioners except from administrative litigation," the motion says.
"As a result, in cases like this one, the Commission refuses to entertain petitions to recuse Commissioners from other aspects of FTC proceedings, such as ruling on Petitions to Quash.
"This categorical refusal to hear petitions to recuse or disqualify - even in extreme cases like this one - violates the Due Process Clause of the Fifth Amendment."
MGM calls it a "pattern of unconstitutional conduct."
Judge Bates is currently weighing the FTC's motion to dismiss MGM's case. The docket has been quiet since Oct. 9.