1880 S Dairy Ashford Rd, Suite 650, Houston, TX 77077

States Come Up with Regulations to Protect Bettors From Cyber Threats

In May 2018, the U.S. Supreme Court paved the way for sports gambling expansion with its decision in Murphy v. National Collegiate Athletic Association. There, the Court held that the Professional and Amateur Sports Protection Act (commonly referred to as “PASPA”) was unconstitutional because it impermissibly commandeered power from the states by prohibiting them from legalizing gambling on professional and collegiate sports.

Since 2018, over 30 states have established legal sports betting markets, with over half of these states offering online and mobile betting options. “Sports betting has grown in recent years, thanks to the Supreme Court decision that paved the way for state-by-state legalization,” says Jeff Ifrah of Ifrah Law.

However, as online sports betting options increase, so does the risk of data breaches affecting operators and customers alike. Hence the concomitant need to safeguard the information operators gather.

State Requirements in the Regulated Gaming Sector

The online gaming industry is thoroughly regulated. Gaming operators are subject to comprehensive regulatory mandates spanning many areas, and they must pass a thorough vetting process before being granted a license by state regulators. With respect to data privacy, for instance, state regulators mandate that operators collect and maintain customers’ Personal Identifying Information (PII) when those customers create accounts.

Rigorous customer disclosures of this sort are part of the so-called Know Your Customer (KYC) regulations, which verify customer identities to prevent fraudulent activity. States also enact such rules in the regulated gaming sector for the following reasons:

  • To ensure that every gambler is of legal age
  • To adhere to current state and federal laws such as the Wire Act, the Bank Secrecy Act of 1970, and the Unlawful Internet Gambling Enforcement Act
  • To prevent access by unauthorized bettors, such as those who work for professional sports leagues, have gambling problems, or are not physically located in a jurisdiction where the wager is legal
  • To prevent fraud and identity theft
  • To stop money laundering

The Personal Identifying Information (PII)

Gaming operators typically collect the following PII from customers:

  • Legal name
  • Age or date of birth
  • An identifier (for instance, Social Security Number)
  • E-mail address
  • Residence and current geolocation
  • Phone number

Further, depending on the nature and prevalence of the security questions required for account security purposes, the answers to such questions (e.g. mother’s maiden name) may also constitute sensitive personal information. Data collection also continues beyond account creation, as operators are mandated to continually verify a bettor’s geolocation (with their consent) throughout a gaming session. Additionally, operators may require bettors to provide sensitive financial information through an electronic deposit method (e.g. credit or debit card details, or online banking credentials) in order to fund their accounts.

Why Sports Betting Platforms are At Risk of Cyber Attacks 

Gaming operators collect bettors’ Personal Identifying Information (PII) because they are required to do so by law. Unfortunately, cybercriminals see sports betting operators as a gold mine because a large volume of valuable customer data is concentrated in a single source. Indeed, such criminals have specifically targeted the gaming sector, along with banking and healthcare, to obtain sensitive customer data, because companies in those industries are generally required to collect highly sensitive personal information in order to verify identities and prevent fraud.

The number of reported personal data breaches has increased considerably in recent years. According to the FBI’s annual Internet Crime Report, complaints of this type rose by about 14 percent, from 45,330 in 2020 to 51,829 in 2021.

Because the online and mobile sports betting market in the United States is growing rapidly, the industry is a high-value target for cyber-attacks and data theft. The regulations that require operators to hold this valuable information therefore also demand that operators be especially vigilant about their data security practices.

The Data Security Laws and Regulations by States and State Gaming Regulators

Generally, state sports betting statutes place the responsibility of creating rules concerning customer data privacy and cybersecurity on the relevant gaming regulatory body. For instance, the recently approved S269 Massachusetts sports betting bill states that the Massachusetts Gaming Commission must issue regulations before sports betting is allowed in the state. According to the statute, the regulations must work to ensure the protection of customer data, wagering data, as well as other sensitive information from unauthorized access and disclosure.

The General Mandates by State Gaming Regulators

In general, state gaming regulators require adherence to all applicable federal and state laws governing information privacy and data security, in addition to their own prescriptions. State gaming regulators typically mandate minimum encryption standards for protecting data, such as the widely adopted AES-256 or another standard published by the National Institute of Standards and Technology (NIST) of the Department of Commerce. Naming a cipher is only a floor: how the cipher is used (an authenticated mode, unique nonces, keys held apart from the data they protect) determines whether the stored PII is actually safe.
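As an added example, not taken from the article or from any regulator’s guidance, the following Go program shows what meeting an “AES-256 minimum” looks like in practice for a stored KYC record: AES-256 in GCM mode (so tampering is detected, not just confidentiality provided), a fresh random 96-bit nonce per record, and the account identifier bound in as associated data so that a ciphertext copied onto another account fails to decrypt. The record fields and the key handling are assumptions for illustration; in production the key would come from a KMS or HSM rather than be generated in the process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// PIIRecord is a constructed stand-in for the data an operator collects at
// account creation; the field set mirrors the list above and the values used
// in main are fictitious.
type PIIRecord struct {
	LegalName   string `json:"legal_name"`
	DateOfBirth string `json:"dob"`
	SSN         string `json:"ssn"`
	Email       string `json:"email"`
	Phone       string `json:"phone"`
}

// NewKey returns a random 256-bit data-encryption key. In production the key
// comes from a KMS/HSM and is never stored beside the ciphertext (assumption).
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM enforces the AES-256 key length and returns an AEAD with a 96-bit
// nonce and 128-bit authentication tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecord seals the JSON-encoded record with AES-256-GCM. The account
// identifier is passed as associated data, so the ciphertext is authenticated
// together with the account it belongs to. Output layout: nonce || ciphertext || tag.
func EncryptRecord(key []byte, rec PIIRecord, accountID string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plaintext, err := json.Marshal(rec)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record: reusing a nonce under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce becomes the prefix.
	return gcm.Seal(nonce, nonce, plaintext, []byte(accountID)), nil
}

// DecryptRecord reverses EncryptRecord. Any modification of the blob, or a
// mismatch in accountID, makes gcm.Open fail before any plaintext is returned.
func DecryptRecord(key, blob []byte, accountID string) (PIIRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return PIIRecord{}, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return PIIRecord{}, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, []byte(accountID))
	if err != nil {
		return PIIRecord{}, fmt.Errorf("authentication failed: %w", err)
	}
	var rec PIIRecord
	if err := json.Unmarshal(plaintext, &rec); err != nil {
		return PIIRecord{}, err
	}
	return rec, nil
}

func main() {
	key, _ := NewKey()
	rec := PIIRecord{"Jane Q. Bettor", "1990-04-12", "000-00-0000", "jane@example.com", "+1-555-0100"}
	blob, err := EncryptRecord(key, rec, "acct-1001")
	if err != nil {
		panic(err)
	}
	if _, err := DecryptRecord(key, blob, "acct-1001"); err != nil {
		panic(err)
	}
	// Same blob attached to a different account row: fails authentication.
	_, err = DecryptRecord(key, blob, "acct-2002")
	fmt.Println("cross-account replay rejected:", err != nil)
	blob[len(blob)-1] ^= 0x01 // flip one bit of the tag
	_, err = DecryptRecord(key, blob, "acct-1001")
	fmt.Println("tampered ciphertext rejected:", err != nil)
}
```

The point of passing the account identifier as associated data is that field-level encryption alone does not stop an insider or an attacker with database access from moving a valid ciphertext from one row to another; binding the ciphertext to its row closes that gap at no extra storage cost.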

Five states—California, Virginia, Colorado, Connecticut, and Utah—have also passed their own comprehensive data privacy laws in the absence of a federal one. With the exception of Utah’s Consumer Privacy Act, these laws require covered entities to conduct data protection assessments for processing activities that present a “heightened” risk of harm, such as processing sensitive customer PII, selling customer personal data, or targeted advertising.

Additional Security Measures for Sports Betting Platforms

Implementing effective cybersecurity measures is a priority for many sports betting operators, and they invest in a variety of mechanisms to secure customer data from unauthorized access and disclosure. As a preliminary measure, many gaming platform operators use a risk-flagging system to identify suspicious user activity and transactions. To ensure that customers can securely fund and withdraw from their accounts, many employ Secure Payment Systems (SPS), a payment processing company that federal government agencies also use for the same purpose.

When it comes to basic website security, operators rely on the protocol still colloquially called Secure Socket Layer (SSL), today implemented as Transport Layer Security (TLS 1.2 or 1.3, since the SSL versions themselves are deprecated), which provides an encrypted connection between the operator’s website and the customer’s device so that data can be transferred safely between the two. To further safeguard users, many gaming operators also require multi-factor authentication, such as Two-Factor Authentication (2FA), to protect user accounts from unauthorized access.

In some cases, operators engage specialized cybersecurity service providers, commonly referred to as Managed Service Providers (MSPs), to strengthen their security posture. Such a provider takes responsibility for protecting and monitoring the data servers that hold valuable customer data on the operator’s behalf.

Bottom Line

The secure transmission and storage of sensitive customer data is critical to any gaming operator’s business. By ensuring that effective cybersecurity measures are in place, operators not only protect their reputations but also minimize the risk they impose on customers by collecting and verifying their personal identifying information.