Goodwin Gaming
November 10, 2014

Hold Your Cards Close: Data Protection and the Gaming Industry

Prepared by Alicia Rubio 

Increased cybercrimes and data security threats have recently made headline news with reports of massive data security breaches at major U.S. companies, including Target and more recently, The Home Depot. Risks of data breaches affect any company engaged in collecting and storing consumer data. To protect themselves and their consumers, companies must balance their business needs which use consumer data with implementation of adequate and cost-effective security practices.

The gaming industry is not immune from these risks. Just this summer, Paddy Power, which runs the largest online platform for sports betting in the U.K. and Ireland, issued a press release regarding a breach that exposed the personal information of almost 650,000 Paddy Power customers. The Data Protection Commission, the agency charged with enforcing privacy protection laws in Ireland, admonished Paddy Power for the significant delay in disclosing the threat of malicious activity that was identified four years earlier, in 2010. However, the Data Protection Commission has no legal authority to fine Paddy Power for the failure to adhere to the Irish agency’s voluntary code of practice regarding breach notification.

FTC Authority to Regulate Privacy and Data Security

In the United States, the Federal Trade Commission (“FTC”) has taken the lead in enforcing consumer protection laws, including those related to privacy, as well as offering generalized guidance on data security practices. The FTC interprets Section 5 of the FTC Act, which authorizes it to regulate unfair and deceptive trade practices, to require companies to employ reasonable information security, which includes accounting for the sensitivity of the underlying information. Using this standard, the agency routinely investigates whether businesses are keeping their express and implied privacy promises to consumers and whether a company’s privacy policies and procedures adequately mitigate the risk of unauthorized access or disclosure in light of the scope and nature of the data collected and the necessary business use.

FTC Guidance on Data Security

Many recent FTC enforcement actions have alleged that the companies at issue failed to take reasonable security measures to safeguard confidential personal information and/or to adequately inform consumers of the scope and nature of the data collected and stored by the company. In 2011, the FTC issued Protecting Personal Information: A Guide for Business, which lists 36 recommendations for companies’ data security practices.

Beyond the Corporation:  Personal Liability (including Officers & Directors)

While companies have borne the brunt of FTC enforcement actions in recent years, the individuals leading them can be on the hook, too. In February, the U.S. Fourth Circuit Court of Appeals affirmed a $163 million judgment brought by the FTC against the vice president of a company that operated a deceptive “scareware” scheme. Notably, the three judge panel upheld the district court’s authority under the FTC’s 1914 enabling act to both impose a monetary judgment and to do so against an individual. As a senior FTC attorney quipped in September, the “Inc.” that follows a “corporate name will not necessarily shield [executives] from liability under the FTC Act.”

While worrisome for corporate leaders, this is far from breaking news. In the 1996 Caremark decision, the Delaware Chancery Court cautioned that directors have a fiduciary duty to “appropriately monitor and supervise the enterprise.” Caremark duties have since spread to cover corporate officers, including general counsel. While the Caremark case did not directly confront information assets and duties to protect them, recent litigation involving security breaches at both Target and Wyndham highlights the efforts of the plaintiffs’ bar to seek to hold directors personally accountable for oversight of organizational efforts to safeguard information.  As a result, data security and information governance discussions are increasingly part of the board-level communications as the centrality of information to enterprises continues to grow.

Reconciling the needs of the business with appropriate data security measures is no easy undertaking for the gaming industry in particular. Collection and use of consumer data has enabled casinos to increase revenues by capitalizing on the wealth of data collected from each customer’s gaming and non-gaming history, thereby allowing casinos to craft more effective rewards programs based on individual preferences and drive more business through their doors.

Given that collection and use of massive amounts of personal information by the gaming industry will undoubtedly increase in coming years (including through the rise of the Internet of Things), establishing strong data security measures and internal controls in line with best practices will go a long way towards mitigating the inherent risks associated with collecting and handling consumer data. The FTC recommends creating a comprehensive privacy and information security program with policies and procedures reasonably tailored to meet the needs of the industry while adequately protecting personal data.

Goodwin Procter’s Privacy & Data Security Practice provides strategic counseling, advisory, and litigation expertise to emerging enterprises as well as Fortune 100 companies across a wide range of industries on Internet strategy, privacy, and data security. We have assisted numerous enterprises, founders, investors, and advisors with product launches and strategy, corporate and data licensing transactions, disclosures and marketing, regulatory compliance, litigation avoidance, and risk management. Comprised of legal professionals from our Litigation, Financial Services and IP Transactions & Strategies Practices, our privacy and data security team is uniquely positioned to address client needs in an integrated, cross-disciplinary manner.