A Safe Bet? Privacy and Security Law for Online Sports Wagering in New York State
Mobile sports wagering may be new to New York state, but privacy and security threats are not. After the law in New York changed in 2021 to permit mobile sports betting, New York sportsbook apps launched early this year and have set records for total sports betting volume. When gambling occurs online, it creates a perfect storm for privacy and security risks. Online betting companies store an immense amount of personal data, some of it very sensitive. Huge amounts of money are transacted. Hackers are drawn by the data, but also by the opportunity to impact the integrity of the betting to rig wagers in their favor or increase their own notoriety in the dark web community. As mobile betting platforms and operators enjoy the influx of New York state bettors, they must be aware of the unique privacy and security challenges they face and of the federal and state regulations that apply to the various categories of data that they process.
The state constitution does not permit gambling except in licensed casinos located in New York state. Accordingly, the law passed in 2021 to allow mobile sports betting (S.B. S2509, 2021 Leg., 2021-2022 Sess., Part Y, §2 (N.Y. 2021)) provides that it is legal so long as the bettor is physically present in New York state at the time of the transaction and all servers of the sports betting platform are physically located in a licensed casino in New York. So, the law limits mobile sports wagering to intrastate transactions. Given the nature of the online ecosystem and the mobility of data, privacy and security laws typically cross state lines. But, in a situation somewhat unique to mobile sports betting, the privacy and security laws of New York are the primary compliance focus for operators and platform providers and for the New York state regulators scrutinizing them.
Who Is Regulated?
New York has created a complex regulatory framework for mobile sports wagering which regulates “platform providers” and “operators,” each of which must satisfy compliance requirements as conditions of licensure. The platform itself is the combination of hardware, software, and data networks used to administer sports wagering and any associated wagers accessible by electronic means. The “platform provider” is the entity responsible for managing the platform that the operators then use to facilitate thousands of wagers per day. An “operator” is the mobile sports wagering skin which has been licensed by the Commission to operate a sports pool through a mobile sports wagering platform.
The New York State Gaming Commission has issued conditional mobile sports betting licenses to nine operators. Several of them are also approved as platform providers. Each platform provider then enters into agreements with casinos (some of which are affiliated with the platform provider) to house the provider's servers onsite in New York state.
A Lot of Data
Given its population of sports-crazed fans, the volume of mobile betting in New York is enormous. Over the first 16 days of mobile sports betting in New York, bettors wagered more than $1.1 billion. The regulations applicable to sports betting apps mandate collection of significant amounts of sensitive data about bettors to authenticate individuals, establish accounts, ensure wagers are made from inside New York’s geographic boundaries, and provide for financial transactions. As a result, operators collect users’ date of birth, Social Security number, physical and email address, financial and banking information, biometric information, geolocation data, wagering information, username and password, and financial transactions, which may occur through credit and debit cards, wire transfers, e-wallets, and the use of promotional credits. On top of that, as explained in their own online privacy policies, operators combine data from their affiliated casinos and resorts and other sources, along with data collected from online analytics.
How Is All This Data Protected?
New York regulators have various data protection oversight tools at their disposal.
The Commission regulations applicable to licensed platform providers and operators, located at 9 NYCRR Parts 5329 and 5330, contain relatively comprehensive security obligations. The regulations provide that licensed skins must use “systems that maintain the security of authorized sports bettors’ accounts and information from tampering or unauthorized access, using the minimum standard encryption of AES 256 or other NIST standards.” Among other things, operators must implement a monitoring system that identifies and reports suspected structured sports wagers and unusual or suspicious wagering activity. Licensed sportsbooks must report to the Commission any criminal activity, financial irresponsibility, fraud, misrepresentation, security breaches, or breach of confidentiality of an authorized sports bettor’s personal information. Further, each licensee must annually perform a system integrity and security assessment using an independent professional subject to the approval of the Commission.
In addition to the obligation to notify the Commission in the event of a data breach, New York’s data breach notification law (N.Y. Gen. Bus. Law §899-aa) requires notification to state residents when their “private information” is acquired without authorization, and applies to any organization that handles New York residents’ information regardless of whether that organization conducts business in New York. Because mobile sports betting must be conducted in New York state, the breach notification law applies. If platforms or operators transfer data about New York residents to vendors or otherwise across state lines, the breach notification law still applies to the data.
New York has been at the forefront of strict security requirements, having enacted the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), which includes security obligations that apply to mobile betting apps. The SHIELD Act requires any organization processing the personal data of New York residents to “develop, implement, and maintain reasonable safeguards to protect the security, confidentiality, and integrity of the private information.” The SHIELD Act provides that a business is deemed to be in compliance with the requirement to implement reasonable security measures if it maintains a data security program that incorporates a detailed series of administrative, technical, and physical controls set forth in the law, including conducting risk assessments, regularly testing and monitoring the effectiveness of key controls, selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract, and disposing of private information within a reasonable timeframe after it is no longer needed. Failure to establish reasonable safeguards could lead to action by the New York Attorney General, who has been very active in enforcing the SHIELD Act.
Further, sportsbooks that are operating pursuant to state casino licenses may be “financial institutions” under the Bank Secrecy Act (BSA). While there is little guidance regarding how anti-money laundering laws apply to mobile sports wagering, FinCEN’s director in August 2019 remarked that FinCEN expects that casinos are monitoring sports betting programs for potentially suspicious activity, including mobile gaming services which run through the casinos. Accordingly, operators may be required to file suspicious activity reports (SARs) with FinCEN when they detect suspicious activity regarding financial transactions, including cyber-related indicators collected from mobile betting apps.
While the legal cybersecurity framework for licensed platforms and operators in New York is fairly comprehensive, the laws that apply to the privacy of bettor information are somewhat lacking. New York has not yet implemented a broad privacy law such as those adopted in California, Virginia, and Colorado. The New York Privacy Act has been on the horizon for some time and has the potential to be stricter than the privacy laws in California, but it is still pending. Without such a law, users of betting apps do not have the legal right to access, amend, or delete profile information maintained by operators and platforms, to understand information sharing, or to opt in or out of uses or disclosures. (Though it should be noted that gaming regulations in New York do allow bettors to opt out of future direct advertisements.)
How Can Risks Be Mitigated?
Regulators and the public are beginning to scrutinize data use by mobile betting platforms. Last year, Sky Bet, a popular gambling app in the UK, drew the attention of major news outlets globally, which reported that data held by the company and third-party data providers was being used to identify bettors as “high value” and to try to lure the users back during periods when they had given up gambling. News reports detailed the pervasive data analytics in the online gaming environment that profiles and targets bettors. Sky Bet was subject to a £1 million fine for failing to protect potentially vulnerable people from its targeting.
To avoid publicity nightmares and the ire of regulators, even without comprehensive legal privacy obligations, mobile betting operators would be wise to be transparent with users about their uses and disclosures of personal information and to follow privacy best practices for mobile applications, including providing understandable, complete, and accurate notices of privacy practices, and allowing users to exercise rights with respect to their data, including the right to access and delete their data, subject to typical exceptions (including as required by gaming regulations). Of course, once a privacy promise is made to a user, New York unfair trade practice laws require that operators keep those promises.
Since a great deal of data sharing occurs among operators, platforms, casinos, and sports teams, putting in place a strong data management strategy and framework is also key. This includes evaluating applicable laws and privacy promises made to consumers when the data was first collected to ensure that restrictions on data use are minded by all parties to a data sharing arrangement. By implementing standardized, centralized processes around ingesting, classifying, storing, and sharing data, organizations are able to ensure that they can extract value from data while maintaining compliance and respecting consumer privacy preferences.
Vendor management is also crucial for maintaining security compliance and containing cyber risks. To deliver a mobile betting platform, operators must engage a series of third parties. Obligations as to privacy and security of data must flow through all of these third-party contracts. The platform operators may be mature in their security but may be exposed through third-party vendors on whom they depend to execute wagers. For example, in 2020, SBTech, an online betting platform, suffered a ransomware attack that caused 50 sportsbooks powered by the platform supplier to be disconnected over the course of a week. These incidents highlight the importance of monitoring vendor compliance and implementing contractual protections and remedies with suppliers and business partners.
Multiple regulatory regimes dealing with online sports betting, websites, and online security and privacy are at play here. It is important for operators and platforms to monitor regulatory developments to avoid regulatory fines and penalties, business disruption, and brand damage.
“A Safe Bet? Privacy and Security Law for Online Sports Wagering in New York State,” by Sharon R. Klein and Jennifer J. Daniels was published in the New York Law Journal on March 4, 2022.