The recent firings of Federal Trade Commission (FTC) commissioners prove that no federal agency that cracks down on corporate misconduct is immune to President Trump’s ire. After a century of working to protect consumers and small businesses through a five-person bipartisan commission, the FTC is unquestionably under attack. Even before the president’s attempts to dismantle an agency that remarkably returns $14 to consumers for every $1 of its costs, the new FTC under Chair Andrew Ferguson had begun to walk back its critical work to protect Americans’ sensitive personal data.
In September 2023, MGM Resorts experienced a massive data breach that exposed its customers’ Social Security numbers, driver’s license information, home addresses, and other sensitive personal data to criminal hackers. This was the third time in four years that MGM had experienced a data breach—that we know about.
This breach originated with a phone call to MGM’s help desk. A hacker pretending to be an employee claimed to have forgotten their password, provided some personal information, and was granted access by the MGM employee who took the call. Within minutes, the hackers had deployed ransomware that shut down the casino’s operations in multiple locations across the country. MGM’s resulting data breach notice informed consumers that their personal data had been exposed to cybercriminals. There are numerous outstanding questions about MGM’s data security protocols, how it failed to prevent this cyberattack, and what corrective action MGM took to stop the damage from spreading.
Shortly after the breach, the Federal Trade Commission notified MGM that it was investigating the incident, specifically in light of MGM’s years-long record of hacks and breaches. The FTC served MGM with a civil investigative demand (CID) asking for documents and information about MGM’s data security protocols and the potential legal violations that may have created a perfect storm for this massive hack. Rather than complying with the demand, MGM sued the FTC in an attempt to avoid providing any answers at all. FTC leadership at that time pushed forward with its own lawsuit to compel MGM to respond to the CID and provide complete information, so that the FTC could evaluate whether any violations of law had occurred and hold MGM accountable.
While the lawsuit was pending, MGM did not sit idly by and hope for a favorable outcome. Instead, MGM lobbied Congress to prohibit the FTC from investigating its role in the cyberattack. In June 2024, Republican lawmakers introduced a measure (p. 6) through appropriations legislation that prohibited the FTC from using any funding toward this investigation. Unsurprisingly, MGM paid the Republican lawmakers who introduced this bill, David Joyce and Mark Amodei, $20,000 in 2024.
During the pendency of these lawsuits, America elected President Donald Trump, who installed Andrew Ferguson as Chair of the FTC. Ferguson’s primary policy agenda has been to cozy up to MAGA Republicans by distancing himself from former Chair Lina Khan (albeit with limited success). But, in a play straight from the Trump-led CFPB, Ferguson dismissed the MGM investigation, granting MGM a corporate pardon for any role it may have played in failing to safeguard sensitive data and allowing MGM to flagrantly violate a mandatory investigative demand.
The FTC is the primary law enforcement agency for numerous laws designed to shield our data, yet one of this administration’s first actions in this realm was to pardon MGM, letting it off the hook for the data breach. But the pardon for MGM is one part of a bigger story about the current administration’s weakening commitment to data privacy protections.
Another one of Chair Ferguson’s first orders of business was to wipe out a public comment opportunity about consumers’ experiences with “surveillance pricing,” the practice of secretly using your data to price a product based on your willingness to pay. Last week, the FTC mysteriously deleted four years of guidance for businesses about how to comply with FTC law from its website. While some of that guidance was restored following media attention, many of those blogs are still missing. Notably, multiple business guidance blogs related to data breach enforcement actions have not returned to the website, which calls into question whether the new administration is prioritizing its mission to protect consumers’ data. These include business guidance blogs titled:
- “Multiple data breaches suggest ed tech company Chegg didn’t do its homework, alleges FTC,”
- “Data breach prevention and response: Lessons from the CafePress case,”
- “What we have here is a failure to communicate…among other things,” regarding a data breach enforcement action against Global Tel Link, and which included a graphic with the phrase “RESPONDING TO DATA BREACHES,”
- “FTC says Blackbaud’s lax security allowed hacker to steal sensitive data – and that’s just the beginning of the story,”
- “FTC announces new Safeguards Rule provision: Is your company up on what’s required?”
Americans care more than ever about their sensitive data being disclosed, and particularly about the risks inherent in data breaches like the one MGM experienced. Cyberattacks through social engineering are a rapidly growing problem, but almost a year after this notorious attack, MGM has not answered these questions or provided this information to the FTC. Gambling with Americans’ data by letting MGM off the hook without providing answers harms the individuals who may have to contend with the long-term consequences of this breach. It is also a wasted opportunity to learn from MGM’s experience in order to strengthen cybersecurity protocols across the marketplace.