The headline misled me into thinking that MGM tried to stop the FTC from investigating. In reality, MGM asked Lina Khan (FTC Chair and one of the five Commissioners) to recuse herself from the investigation due to her apparent conflict of interest:
> After being notified about the FTC's investigation into the matter, MGM requested that Khan recuse herself because of her personal involvement in the case. The FTC denied this request.
On the surface, it looks like the investigation might come from personal interest in the case from Mrs. Khan. Wtf does the FTC have to do with corporate hacking anyway?
I think that the FTC's authority has less to do with the corporate hacking part and more to do with whether the hacked company had followed bare minimum data security practices before the ransomware attack [1]. What the bare minimum is, I'm not sure myself. If I had been in Lina Khan's place as a customer at MGM's hotel on that day, I would've had some expectation that MGM would, after having suffered a ransomware attack, be extra careful with the credit card information that MGM tells me to write on paper. I would want MGM to be clear about "Who will have access to this info or paper?", "Where and how will you store this info?", "How and when will you destroy this info?"
If you read their case, it sure seems compelling. It seems like Lina Khan had to write down her CC on a piece of paper, questioned how they will store her info, and a week later promptly launched a CID once she went back to DC.
The whole thing is quite funny. If I had that power, I would probably launch an investigation too. At the same time, kudos to the lawyers.
The MGM filing seems as legally flimsy as their network security and privacy practices. Sure, they're not a financial institution, but Section 5 of the FTC Act is investigating if they have an unfair competitive advantage over their peers by misrepresenting or underinvesting in the security of their customers.
Is it compelling? If a cop comes into my shop and I tell him I only take payment in illegal drugs, and he decides to investigate my shop as a result, that seems legitimate.
To be fair, there is a clear conflict of interest. Lina Khan should recuse herself, at least, because the case certainly looks like a personal project or petty vendetta against MGM. I question what the FTC has to do with ransomware attacks anyway.
Matt Stoller covers this pretty well; it's become a more common tactic now for corporations to go after prosecutors and enforcers personally. Lina Khan is (unfairly in my mind) despised by monopolists for her role in tackling the pro-inflationary, collusion-friendly environment that persisted for decades until the last few years.