U.S. Gambling Regulators Evaluate Data Protection, Cybersecurity Challenges

October 10, 2023
State gambling regulators have stressed that they are focused on protecting consumers from cyber threats following recent cyberattacks that impacted an undetermined number of customers of MGM Resorts and Caesars Entertainment.

The two casino giants were the victims of social engineering attacks during September, but prominent gaming regulators on Monday (October 9) said they believe that data protection and cybersecurity regulations that are in place are beneficial to the industry.

“In Nevada, we already have a statute for data privacy, like most states do, and last year (state) regulators decided all non-restricted licensees had to make sure they have a cybersecurity plan in place by December 31 this year,” said Kirk Hendrick, chairman of the Nevada Gaming Control Board (NGCB).

Hendrick said larger operators have to have their cybersecurity plans audited every year and every other non-restricted gaming licensee must have a plan in place, maintain it and update best practices.

In New Jersey, it is similar to what exists in Nevada, with regulators implementing significant changes some ten years ago to establish requirements for casino licensees.

“One thing we’ve kind of done differently is we’ve built upon the requirements that were already in play for every commercial entity in the U.S. and laws that were already passed by other states to protect their consumers,” said David Rebuck, director of the New Jersey Division of Gaming Enforcement (DGE).

Rebuck said that going in that direction was what made sense for New Jersey, and it has worked very well. He said the DGE has also established a requirement that all casino and internet gaming licensees have an information security officer.

“That itself is easy,” Rebuck said. “Most companies already have an information security officer. What we did differently is that we mandated that officers would not report to the information technology vice president (and) that they report to the audit committee.”

Rebuck said the DGE's expectation was that the information security officer (ISO) would be an independent officer to drive home best practices and messages to a company structuring its information protections. The ISO position was designed to have a powerful role within a company in order to protect the business, customers and everyone else.

Hacking group Scattered Spider claimed responsibility for the cyberattack on MGM, which caused widespread disruption across the company’s properties, shutting down ATMs and slot machines, while pulling its website and online reservation systems offline.

Rebuck said Scattered Spider has been pretty active for the last two years. He added that social engineering was something that was not even around ten years ago as New Jersey updated its regulations. 

“The second thing we’ve done, as we have other licensees coming in, such as iGaming, sports betting, vendors and (business to business) operators is that they have an ISO, because if a company like Caesars Entertainment uses a vendor and provides them with consumer data, those vendors have the same standard of protection that exists for Caesars.”

Rebuck noted the last thing that New Jersey has mandated, although many in the industry do not like it, is two-factor authentication for players to access their online casino or sports-betting accounts.

“My staff won’t like me saying this,” he added. “The industry is about eliminating friction and our desire is to make sure the consumer is adequately protected. These authentications were mandated, and I think they have been very successful in New Jersey.”

Rebuck stressed that the industry “needs to stay on its toes because there will be other changes and actions that have to be made.”

Rebuck and Hendrick were joined by Cathy Judd-Stein, chair of the Massachusetts Gaming Commission, and Marcus Fruchter, administrator for the Illinois Gaming Board, for a panel discussion on gaming regulations in North America at the Global Gaming Expo (G2E) at the Venetian Expo in Las Vegas.

Fruchter said: "You have an obligation to conduct your gaming operations in a way that doesn’t jeopardize public trust and confidence in Illinois and doesn’t jeopardize gaming integrity and public safety."

Moderator Bill Downey of law firm Brownstein Hyatt Farber Schreck asked Judd-Stein and Hendrick if they had run into any concerns about recently approved regulations governing data privacy and cybersecurity.

In Massachusetts, commissioners recently approved data privacy rules that were supposed to go into effect in September to govern the use of customer information and allow patrons to request that operators erase their data.

Judd-Stein said the greatest challenge regulators have run into was companies implementing the data privacy regulation by the deadline, especially the provision that requires customers to opt in to the use of their data for any non-essential purposes.

She said the Massachusetts commission wants to make sure that consumers know how their data is being used.

The regulation requires consumers to opt into individual uses of data one-by-one, which gaming companies argue could mean that every individual has their own menu for individual uses that would be extraordinarily difficult to implement.

With respect to cybersecurity, Judd-Stein said the data privacy regulation expects operators to adopt best practices, train their employees about privacy and cybersecurity, and monitor for any type of suspicious activity, and requires licensees to have cybersecurity insurance.

On August 24, the commission approved a temporary waiver until November 17 for sports-betting operators to implement the data privacy rules. Judd-Stein expects those waivers to be extended next month.

“I haven’t heard any concerns or hurdles from any licensees saying they can’t make our deadline of December 31,” Hendrick said of Nevada’s cybersecurity regulations.

“I think most major operators … in the state of Nevada they already have cybersecurity plans in place,” Hendrick said. “It is really about asking them to pull it together. I think the industry has embraced it. It is not just happening in the gaming industry. It is happening in every industry.

“These guys go where the money is,” Hendrick added.
