States Rush to Protect Consumers from Cyber Threats as Gaming Legislation Moves Across All States

Sep 23, 2022

By Jake Gray

In the four years since the Supreme Court struck down the federal ban on sports betting, more than 36 states and the District of Columbia have launched legal sports betting markets, with more than half of legalized states offering online and mobile options. [1] In most markets that offer online and mobile sports betting, the offerings are responsible for more than 70% of the total handle, and in states where online betting is particularly popular, online wagers account for more than 90% of the total. [2] The New York total handle in May 2022, for instance, was $1.269 billion with the mobile and online handle comprising $1.263 billion, and New Jersey’s mobile and online handle was $708 million of $766 million total. Such drastic differences in handle percentages between online and retail sports betting evince the extent to which online and mobile gaming are the preferred wagering method in today’s market.

However, as online and mobile sports betting options become more prevalent, so do the potential risks of data and information privacy breaches for companies and consumers alike, and the associated need to protect data the operators collect. The online gaming industry is heavily regulated. Alongside a careful vetting process prior to licensure by state regulators, gaming operators are subject to extensive regulatory mandates covering many obligations. State regulators require gaming operators to collect and maintain the personal identifying information of patrons at the time of account creation with the operator. Robust customer disclosures of this sort are part of what is known as Know Your Customer (KYC) regulations, which are enacted in order to verify consumers’ identities and to prevent fraudulent activity. States also enact such requirements in the regulated gaming industry in order to:

  • comply with existing state or federal law, such as the Unlawful Internet Gambling Enforcement Act, the Wire Act, and the Bank Secrecy Act of 1970
  • ensure that all bettors are of legal age
  • prevent identity theft and fraud
  • combat money laundering
  • prevent access by impermissible bettors such as employees of professional sports leagues, problem gamblers, or those located outside a licensed jurisdiction

For these purposes, operators are generally mandated to collect and maintain the following patron information: (1) legal name, (2) date of birth, (3) an identifier such as a social security number (4) e-mail address, (5) residence, and (6) current geo-location. In some cases, answers to security questions are also required for purposes of account security, although such answers may also be considered sensitive personal information. After account creation, operators continually verify a patron’s geolocation (with the patron’s consent) throughout the gaming session and prior to the placement of wagers to prevent location fraud. Additionally, an electronic deposit method may be required to fund a patron’s account, which entails either providing online banking details, or credit or debit card information. [3]

State Data Security Laws and Regulations

Typical state sports betting statutes lay the onus on gaming regulators to develop rules over customer data privacy and cybersecurity. For instance, the recently passed Massachusetts sports wagering bill S269 states:

“Prior to the allowance of sports wagering in the commonwealth, in order to provide robust protections for all patrons engaged in sports wagering, the commission shall promulgate regulations to: (1) Maintain the security of wagering data, customer data and other confidential information from unauthorized access and dissemination. Nothing in this chapter shall preclude the use of internet or cloud-based hosting of such data and information or disclosure as required by court order, other law or this chapter.”

State gaming regulators generally mandate compliance with all applicable state and federal requirements for data security and information privacy as well as the use of minimum encryption standards to secure data. New York’s sports wagering rules and regulations, for instance, state that a mobile sports wagering operator is responsible for, at minimum, the “employment of systems and procedures to maintain the security of authorized sports bettors’ accounts and information from tampering or unauthorized access, using the minimum standard encryption of AES 256 or other [National Institute of Standards and Technology of the Department of Commerce] NIST standards.” [4] Without a comprehensive federal privacy law, five states have now enacted their own data privacy laws—California, Virginia, Colorado, Connecticut, and Utah. All but one of these state laws (the exception being the Utah Consumer Privacy Act) require covered entities to conduct data security assessments for processing activities that present a “heightened” risk of harm such as the processing of sensitive personal identifying information, the sale of personal data, or targeted advertising. [5]

Heightened Data Security Concerns in the Gaming Industry

Gaming operators collect this information because they are required to by law. However, possessing such information presents the need for operators to be especially vigilant when it comes to data security, as bad actors have targeted the gaming industry, alongside other industries such as banking and healthcare, for sensitive consumer data. Indeed, the number of reported personal data breach incidents have generally gone up; they rose from 45,330 in 2020 to 51,829 in 2021—an increase of 14 percent—according to the FBI’s annual Internet Crime Report. [6] Paired with its wealth of users and user information, the numbers of which will continue to rise, the burgeoning online and mobile sports betting industry in the United States may appear as a high-value target for cyber-attacks and data thefts. Indeed, gaming operators and affiliates have been a target historically for their consumer records.

For example, in early 2020, MGM Resorts confirmed a data breach from summer 2019 when 10.6 million records of MGM customers’ personal information were leaked on a Russian hacking forum. The records included customers’ full names, home addresses, phone numbers, emails, and dates of birth. [7] In May 2022, the incident resurfaced, when a data dump was discovered containing 142 million of the same records from the MGM Resorts incident. While no financial, payment card, or password data was stolen, all 142 million records went on sale on the dark web for US $2,900. [8] The information was originally retrieved by hackers through unauthorized access to a cloud server.

In another instance, in March 2020, an attempt was made to access the consumer data of more than 50 sportsbooks powered by SBTech, a sports betting platform provider which was acquired by DraftKings in April 2020. Luckily, the matter was resolved before any information was compromised, as SBTech’s monitoring system flagged the potential security threat and SBTech accordingly shut off its data centers. [9] Two such sportsbook platforms affected by the server shutdown were Churchill Downs’ BetAmerica-branded sportsbooks in Indiana, New Jersey, and Pennsylvania and the Oregon Lottery’s sports betting application, Scoreboard. At the time, SBTech set aside $30m in cash and stock to settle any lawsuits relating to the incident, though it’s unclear if any actions came about from the incident. [10]

On occasion, cybersecurity vulnerabilities may be less straightforward to identify and many attacks can go unreported. In 2018, for instance, an unnamed Las Vegas casino’s system was breached through a smart thermostat in its fish tank, by which hackers retrieved customer data through the cloud. [11] In addition, hackers stole cardholder names, credit card numbers, and CVV codes from Hard Rock Las Vegas customers on three different occasions.

In general, gaming operators tend to rely on encryption and authentication technology licensed from third-party specialists to securely transmit confidential and sensitive information, but such specialists and malicious actors are in a perpetual arms race against one another. Certain gaming operators have publicly stated that they have been and expect to continue to be subject to attempts to gain unauthorized access to information systems and databases in which sensitive customer data is stored. Despite such instances, the secure maintenance and transmission of sensitive customer data is a critical element of any gaming operators’ operations. As such, they should devote a significant amount of resources to ensure that their systems are secure in order to minimize the risk of breaches affecting customers, lest their customers as well as their reputation and business be harmed in the process. 

[1] https://www.americangaming.org/research/state-gaming-map/

[2] https://www.gamingtoday.com/revenue/

[3] Other commonly accepted deposit methods include gift cards or PayPal, although online banking is recommended in most cases.

[4] https://www.gaming.ny.gov/pdf/legal/SGC-35-21-00010%20Sports%20wagering%20and%20mobile%20sports%20wagering%20rule%20text.pdf. For more on NIST standards and AES 256 encryption, see the following, respectively:

https://www.nist.gov/standards.

[5] https://www.ncsl.org/research/telecommunications-and-information-technology/state-laws-related-to-internet-privacy.aspx

[6] https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf

[7] https://www.zdnet.com/article/exclusive-details-of-10-6-million-of-mgm-hotel-guests-posted-on-a-hacking-forum/

[8] https://www.casino.org/news/mgm-resorts-data-hack-customer-info-stolen-in-2019-now-on-telegram/

[9] https://igamingbusiness.com/sports-betting/sbtech-powered-sites-taken-offline-by-cyberattack/

[10] https://www.igbnorthamerica.com/sbtech-ordered-to-set-aside-30m-to-settle-cyberattack-claims/

[11] https://www.casino.org/news/hackers-stole-las-vegas-casino-high-roller-database-via-its-fish-tank/