On August 4, 2021, Cohen Milstein filed Plaintiffs' response to Defendant's motion to dismiss Plaintiffs' consolidated class action complaint, filed on April 2, 2021, in In re MGM Resorts International Data Breach Litigation, Case No. 2:20-cv-00376, United States District Court for the District of Nevada. The case is a consolidated data breach class action against MGM Resorts for failing to implement reasonable data security practices, thereby allowing the personal information of between 10.6 million and 142 million MGM hotel guests and customers to be stolen on or about July 7, 2019 in a massive data breach.

Plaintiffs’ data breach lawsuit charges MGM with negligence, breach of contract, and unjust enrichment, as well as violations of state consumer protection laws. The class action seeks to certify a nationwide class of all individuals whose personal information was compromised; to recover damages, costs and expenses; and to secure a mandatory injunction directing MGM to implement improved security measures. 

On February 1, 2021, Cohen Milstein’s Douglas J. McNamara was court-appointed Co-Lead Interim Class Counsel.

Case Background

In the case, originally filed on March 13, 2020, Cohen Milstein’s clients and other plaintiffs allege that MGM Resorts International, a global hospitality, entertainment, and resort company that operates properties across the U.S. including the Bellagio, Mandalay Bay and MGM Grand, failed to implement reasonable data security practices to protect MGM customer personally identifiable information (PII), including addresses, driver’s license numbers, passport numbers, phone numbers, email addresses, dates of birth, and other information.

On or about July 7, 2019, an unauthorized individual gained access to MGM’s computer network and proceeded to exfiltrate the PII of MGM’s customers. In February 2020, it was reported that PII of 10.6 million guests was stolen. In July 2020, ZDNet reported that the PII of more than 142 million guests was stolen. On more than two separate occasions, the stolen PII has been posted for sale on online forums.

MGM’s Privacy Policy informed customers that MGM would protect their data. Moreover, the hotel industry is a particularly desirable target for hackers given the types of PII that hotels acquire from guests. Despite those facts, Plaintiffs claim, MGM failed to implement reasonable security practices. As a result, Plaintiffs claim, they and similarly situated individuals are at imminent, immediate, and continuing risk of harm from identity theft and fraud.

On March 30, 2020, Cohen Milstein’s case Delores Scott and Ryan Bohlim v. MGM, Case No. 2:20-cv-00522-JAD-NJK, and six other class actions were consolidated into Smallman v. MGM Resorts, Case No. 2:20-cv-00376-GMN-NJK. This case was renamed In re MGM Resorts International Data Breach Litigation, Case No. 2:20-cv-00376, United States District Court for the District of Nevada.