CYBER SECURITY
bearing upon online gambling and gaming, they provide a network of protections which operators must have regard to. The Children’s Online Privacy Protection Act (COPPA), for example, outlaws the collection of personal information from children without verifiable parental consent. As a consequence, many gaming apps directed at children avoid any potential infringement of child privacy stipulations by creating a “zero- data” environment that does not collect any information, either directly or anonymously, from users. In addition to federal laws, hundreds of bills have been passed at state level which address privacy, cybersecurity, data breaches and consumer protection. There are also numerous state laws relating to data disposal. An international dimension Gaming companies that suffer data breaches in the USA may feel their responsibilities extend only as far as US federal and state laws. However, the increasing numbers of operators with interests in Europe and elsewhere mean they are often impacted internationally too, irrespective of whether they are physically located in those territories. US companies with customers in the UK are required to register with the Information Commissioner’s Office (ICO) and to notify the authorities if a breach has occurred whether or not UK customers have been impacted. Similar requirements apply in mainland Europe where companies are obliged to liaise with authorities in the country where most of their data processing occurs. Since Brexit EU companies with UK customers also have to register with the ICO. The penalties for non-compliance can be sizeable: up to €20 million or four percent of annual
global earnings whichever is the larger. Although not a gambling industry case, Marriott International, Inc (“Marriott”) was fined £18.4 million by the UK ICO over GDPR violations relating to its subsidiary Starwood Hotels and Resorts Worldwide (“Starwood”). The case has some notable features namely: • that the breach pre-dated Marriott’s 2016 acquisition of Starwood although was not discovered until after the acquisition was complete • Marriott notified the ICO when it discovered the attack in 2018 • that it was the US Parent company’s systems which were deemed to have failed and a fine levied accordingly on its worldwide operation. The size of the penalties (£18.4 million was a reduction from an initial proposal of a £99 million fine) and evidence that regulators are willing to adopt them should serve as a wake- up call to operators who sometimes act as if the inconvenient laws enacted by countries where they do business don’t apply to them. A question of confidence Regulators will always be playing catchup as hackers and fraudsters use sophisticated and rapidly changing technology. However, operators often have access to the technical expertise needed to take action and can make the business case for doing so. When news of the DraftKings hacking incident came through, the company’s share price tumbled 10 percent. 11 Whilst much of the lost ground was quickly made up it wasn’t
11 https://seekingalpha.com/news/3910083-draftkings-stock-dips-on-report-of-hack-that-drained-customer-accounts
PAGE 25
IMGL MAGAZINE | JANUARY 2023
Made with FlippingBook flipbook maker