Las Vegas Cyberattacks: What Does this Mean for SEC Data Regulations & State Privacy Laws?
By: James M. Black, Esq. and Christopher Rivera
MGM Resorts recently endured a 10-day cyberattack that disrupted critical operations such as credit card processing, reservation systems, and gaming machines. Hotel guests resorted to using old-fashioned keys as room cards failed, slot machines were down, and gambling ticket systems became inoperable or were conducted manually — resulting in massive delays and significantly slower processing times. Business Insider estimated that the attack cost MGM over $80 million in losses.
Additionally, on September 14, Caesars Entertainment, Inc. confirmed that an “unauthorized actor” had breached their system and pilfered company data. Unlike MGM, Caesars reportedly paid a $15,000,000 ransom to avoid system attacks.
On September 11, 2023, MGM Resorts released a statement that the company identified a cyber security issue and that an investigation with law enforcement had commenced. On the following day, customers started reporting room key issues, slot machine outages, and reservation glitches. By September 13, MGM’s main website had become entirely inaccessible. To exacerbate matters, it is believed that consumer personal data, including that of MGM corporate officers, was exfiltrated from MGM’s databases. These problems persisted until September 20.
The perpetrators reportedly employed social engineering tactics to infiltrate MGM’s system. Social engineering attacks are manipulation techniques that deceive users into divulging sensitive information. Using information posted on an MGM employee’s LinkedIn profile, the hackers impersonated the employee in a call to MGM’s third-party IT help desk. During this exchange, they tricked IT services into giving them access credentials, which then served as an entry point into MGM’s systems and databases.
Just days prior to MGM’s attack, Caesars filed a disclosure of a similar breach with the SEC, in which data such as driver’s license numbers and Social Security numbers were compromised by an unauthorized party. Caesars confirmed that the attack was caused by a social engineering scheme involving an outside IT vendor – very similar to MGM’s situation.
The attack is widely attributed to Scattered Spider, a highly disciplined and organized group that gained attention in the cybersecurity sector due to their extraordinary skill at social engineering attacks. It is believed that Scattered Spider has been involved in more than half a dozen cybersecurity incidents in 2022 alone.
What Does This Mean for SEC Data Regulation?
In July 2023, the SEC released its final rules on cybersecurity disclosure, requiring public companies to report "material" cybersecurity incidents on a Form 8-K within four business days of a materiality determination. The 8-K report must describe the scope, nature, and timing of the breach and the material impact or reasonably likely material impact on the registrant. The SEC explains that companies should conduct the materiality analysis for cybersecurity incidents in the same way as the materiality analysis under other securities laws, and that the analysis should consider both qualitative and quantitative factors. If certain information is unavailable at the time of reporting, the 8-K must be amended subsequently when the information materializes. Although the material disclosure requirements do not become effective until December 18, 2023, MGM and Caesars both filed a Form 8-K regarding their respective breaches.
Given that the Las Vegas incidents represent the two largest cyberattacks since the SEC's new rule, these events will likely play a pivotal role in delineating the general procedure companies adopt for reporting data breaches. This is because the contrasting approaches in MGM's and Caesars' filings could set a precedent, especially if the SEC expresses a preference for one over the other, guiding companies on how to act in the wake of a breach.
Two primary distinctions emerge between MGM’s and Caesars’ filings. The first is the time period in which the entities filed. MGM promptly disclosed the attack on September 12th, seemingly well within the four-day time period. By contrast, Caesars filed their disclosure about 7 days after discovery. While Caesars may not have an issue due to the SEC’s December 18, 2023 effective date, this will not likely be the case for future filings.
The second distinction, and perhaps the most significant, is the difference in the level of detail provided by the two entities in their filings. Caesars provided an in-depth synopsis of the event. The company’s description included details about how their system was breached through a social engineering attack on an outsourced IT vendor, what types of operations were believed to be impacted, and the containment steps taken. In addition, Caesars included information on how they plan to provide consumer notice of the incident and where consumers can go to ask questions and learn more about how their data may be affected.
In contrast, MGM filed a rather bare Form 8-K and simply attached their press release as their disclosure statement. Even then, their press release contained only 5 sentences, simply stating that a cybersecurity issue occurred and that they are investigating with law enforcement. Here, it will be important to see whether MGM ultimately amends their 8-K as more information becomes available, and how the SEC handles the shortcomings in their filing description.
What Does this Mean for Privacy Laws?
It’s no secret that states are quickly rolling out their own data privacy laws. Currently, more than 10 states have passed legislation, and dozens of states are proposing their own bills. In 2023 alone, data privacy laws became effective in Virginia, Colorado, and Connecticut. Moreover, Utah’s Consumer Privacy Act takes effect on December 31.
Interestingly enough, the Las Vegas cyberattacks have coincidentally occurred while the California Privacy Protection Agency (CPPA) is drafting its cybersecurity requirements for companies that process the data of California consumers – potentially the first set of regulations influenced by these attacks. As proposed, the rules would require regular audits that (1) assess, document, and summarize each component of a business’s cybersecurity program, (2) identify any security weaknesses, (3) address the status of the identified weaknesses, and (4) identify any security corrections made prior to the audit. While the cybersecurity rules do include requirements for employee cybersecurity awareness training, the provision does not list any specific requirements. Instead, the provision broadly mandates that employees be trained in cybersecurity awareness and education without specifying exactly what they should be trained on. One example of a specific requirement would be training employees to use complex, randomized passwords that make it much more difficult for malicious actors to gain access to consumer database systems.
Looking forward, it will be interesting to see whether the CPPA incorporates more extensive employee training requirements, considering the vast number of social engineering schemes occurring and the increase in ransomware attacks. Robust system access procedures (such as multi-factor authentication) and programs that educate employees on how to identify malicious activity can in many cases prevent a wide range of cyberattacks.
In addition to the CPPA’s new rules, these events will likely have a downstream effect on new state legislation. Most notably, it seems probable that states will look towards increasing data security requirements, especially when taking into account that a class action lawsuit was filed in the US District Court in Nevada. The lawsuit alleges that the casino operates with “inadequate data security.” This matters because state privacy laws don’t tend to have specific security requirements. Instead, state laws expose businesses to legal action for security measures deemed inappropriate for the data they collect, process, and store. Considering these events, states may require more stringent data security measures.
Lastly, states may opt to join the new trend of prohibiting public entities from paying ransoms. In 2022, North Carolina became the first state to ban government entities from paying ransoms in response to a ransomware attack. The law further restricts government entities from even communicating with hackers and directs entities to report the attack to the NC Department of Information Technology. While these types of laws don’t reach private entities, such as those that provide consumer goods and services, they could still have a major impact on our day-to-day lives. For example, if hackers attack government entities that have oversight over critical infrastructure, drawn-out cyberattacks could potentially impact transportation, energy, water, or communications.
As cybersecurity challenges continue to evolve, it is imperative for businesses to fortify their data protection mechanisms and ensure strict adherence to SEC and data privacy regulations. The substantial financial and reputational risks involved necessitate a commitment to safeguarding sensitive data. Considering the increasingly intricate data privacy and reporting laws, seeking proficient legal counsel can make all the difference. Contact our team today at Falcon Rappaport & Berkman for comprehensive guidance on fortifying your data compliance strategies against prevalent cyber threats and staying ahead of upcoming compliance standards.
DISCLAIMER: This summary is not legal advice and does not create any attorney-client relationship. This summary does not provide a definitive legal opinion for any factual situation. Before the firm can provide legal advice or opinion to any person or entity, the specific facts at issue must be reviewed by the firm. Before an attorney-client relationship is formed, the firm must have a signed engagement letter with a client setting forth the Firm’s scope and terms of representation. The information contained herein is based upon the law at the time of publication.