by David Vialpando
In a world of near effortless digital information access, rampant identity theft, and all manner of identity-related scams, it has never been more important for casinos to protect the personal identifying information (PII) of casino gaming patrons. It is crucial for tribal gaming regulators and casino compliance professionals to understand the risks associated with PII breaches and the steps required to protect casino patrons’ personal information so that it remains secure.
Tribal gaming regulatory agencies (TGRAs) are very familiar with the restrictions and information security requirements in accessing criminal history record information (CHRI) from state and federal agencies for the purpose of assessing licensing suitability of casino employees. Many TGRAs have extended CHRI security and access requirements to license applicants’ PII to ensure the protection of employee identifying information.
Casino patrons voluntarily provide their identifying information to casinos for any number of purposes, such as: receiving jackpots over prescribed thresholds for tax reporting and Bank Secrecy Act/Anti-Money Laundering compliance; receiving marketing and promotional material; establishing casino player accounts; transferring winnings to personal financial accounts; and providing credit card information for hotel stays and casino purchases. A patron’s PII may include their name, date of birth, driver’s license, passport, and/or other government-issued identification, social security number, taxpayer identification number, physical and/or mailing address, email address, telephone numbers, photograph and personal financial information such as bank account numbers and credit card information.
In 2016, the European Union adopted the General Data Protection Regulation (GDPR), which has applied since May 2018. It covers any operator, casinos included, that processes the personal data of people in the EU, and it requires a lawful basis (such as patron consent) for data collection, secure storage and processing of collected data, notification of the supervisory authority within 72 hours of becoming aware of a personal data breach (and of affected patrons without undue delay when the breach is likely to put them at high risk), and the ability for patrons to access, correct, or request deletion of their data. While no similar federal legislation currently exists in the U.S., several states have enacted requirements on businesses, casinos among them, that resemble GDPR. Examples are the California Consumer Privacy Act (CCPA) and Nevada Senate Bill 220.
TGRAs might consider enacting regulations and require casino internal controls that provide the following:
- A firewalled and segmented network with intrusion detection, running supported software with current patches on every system that records, stores, processes, shares, transmits or retrieves patron PII.
- Encryption of patron PII in transit (for example, TLS) and at rest, with the encryption keys stored and managed separately from the data they protect.
- Role-based access controls to stored patron PII that grant each role only the fields it needs, with access logged.
- Periodic technical security testing, information security management system (ISMS) audits, penetration testing, and vulnerability assessments of systems containing patron PII against standards such as ISO/IEC 27001, the NIST Cybersecurity Framework (CSF), or equivalent.
- Employee training in data privacy best practices – from collecting patron information on the gaming floor and at the cash cage, to prohibitions on sharing PII over the telephone or the internet, and the security of documents containing patron PII.
- An incident response plan for reacting decisively to data breaches and attempted intrusions, including the regulatory and patron notifications required.
- Secure storage and defined access controls for stored hard-copy documents containing PII.
- Defined purge criteria for inactive digital and hard-copy PII, using industry-standard destruction processes such as the media sanitization methods in NIST SP 800-88.
- For online casinos and digital gaming platforms, even greater attention to integrated cybersecurity: two-factor (or multi-factor) authentication for player accounts, tokenization of stored PII and payment data, and monitoring of critical components, with more frequent penetration testing, technical security testing, vulnerability assessment, and anomaly detection.
- A requirement that third-party contractors with access to patron PII comply with the TGRA regulations and casino internal controls above, as appropriate.
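To make the tokenization, role-based access and purge controls listed above concrete, here is an added example (not from the article, GLI, or any casino system) of a small patron-PII tokenization vault: application systems store only opaque tokens, the vault maps tokens back to values, only roles permitted for a given field may detokenize, every attempt is audited, and values unused past the retention period are destroyed. The role names, field names, three-year retention period and sample SSN are constructed assumptions; the in-memory dictionaries stand in for a separately secured, encrypted-at-rest store.

```python
# Added example: patron-PII tokenization vault with RBAC-gated detokenization
# and retention-based purge. Illustrative code, not from the article or GLI.
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical policy: which roles may see the raw value behind each field.
DETOKENIZE_ROLES = {
    "ssn": {"tax_reporting", "bsa_compliance"},
    "card": {"payments"},
}


class PiiVault:
    """Tokenizes sensitive fields and gates access to the originals.

    The dicts below stand in for an encrypted-at-rest store (assumption);
    the example shows the control flow, not the storage engine."""

    def __init__(self, index_key: bytes, retention: timedelta):
        self._index_key = index_key   # keys the blind index; never stored with data
        self._retention = retention
        self._vault = {}              # token -> (field, value, last_used)
        self._index = {}              # keyed hash of value -> token
        self.audit = []               # (event, token, role, when)

    def _blind_index(self, field: str, value: str) -> str:
        # Keyed hash: lets us find an existing token for a value without
        # keeping the value in a searchable, unkeyed form.
        msg = f"{field}:{value}".encode()
        return hmac.new(self._index_key, msg, hashlib.sha256).hexdigest()

    def tokenize(self, field: str, value: str, now: datetime) -> str:
        """Return a token for value; the same value always maps to one token."""
        idx = self._blind_index(field, value)
        token = self._index.get(idx)
        if token is None:
            token = f"tok_{field}_{secrets.token_hex(8)}"  # random; reveals nothing
            self._index[idx] = token
        self._vault[token] = (field, value, now)
        return token

    def detokenize(self, token: str, role: str, now: datetime) -> str:
        """Return the original value only to a role permitted for that field."""
        entry = self._vault.get(token)
        if entry is None:
            raise KeyError(f"unknown or purged token {token}")
        field, value, _ = entry
        if role not in DETOKENIZE_ROLES.get(field, set()):
            self.audit.append(("denied", token, role, now))
            raise PermissionError(f"role {role!r} may not detokenize {field}")
        self._vault[token] = (field, value, now)  # refresh last-used
        self.audit.append(("detokenized", token, role, now))
        return value

    def purge_inactive(self, now: datetime) -> int:
        """Destroy values unused for longer than the retention period."""
        expired = [t for t, (_, _, last) in self._vault.items()
                   if now - last > self._retention]
        for token in expired:
            field, value, _ = self._vault.pop(token)
            self._index.pop(self._blind_index(field, value), None)
        return len(expired)


def mask(value: str, keep: int = 4) -> str:
    """Display form for floor staff or receipts: only the last `keep` characters."""
    return "*" * max(len(value) - keep, 0) + value[-keep:]


def demo() -> dict:
    """Tokenize, RBAC-gated detokenize, and purge on constructed sample data."""
    t0 = datetime(2024, 1, 15, tzinfo=timezone.utc)
    vault = PiiVault(secrets.token_bytes(32), retention=timedelta(days=3 * 365))
    ssn = "123-45-6789"  # constructed sample, not a real SSN
    tok1 = vault.tokenize("ssn", ssn, t0)
    tok2 = vault.tokenize("ssn", ssn, t0)  # same patron, same token
    result = {"token": tok1, "stable": tok1 == tok2, "masked": mask(ssn)}
    try:
        vault.detokenize(tok1, "marketing", t0)  # marketing never needs the SSN
        result["marketing_denied"] = False
    except PermissionError:
        result["marketing_denied"] = True
    result["tax_value"] = vault.detokenize(tok1, "tax_reporting", t0)
    result["purged_early"] = vault.purge_inactive(t0 + timedelta(days=400))
    result["purged_late"] = vault.purge_inactive(t0 + timedelta(days=3 * 365 + 1))
    result["gone"] = tok1 not in vault._vault
    result["audit"] = [event for event, *_ in vault.audit]
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: the token is random rather than derived from the value, so a leaked token table alone yields nothing, and the blind index key is what makes "same SSN, same token" possible without storing a plain hash an attacker could brute-force from the SSN space. A purge that removes the vault entry but not the index would leave a dangling pointer, so both are removed together.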
Guidelines for TGRA regulations related to patron PII protection can be found in technical standards published by Gaming Labs International (GLI), specifically GLI-16 v3 Standards for Cashless Systems and Technologies and GLI-19 v3 Standards for Interactive Gaming Systems.
GLI-16 specifies that, “player identification components shall be electronically-based and be constructed in a manner that ensures proper handling of inputs and that protects against vandalism, abuse, or fraudulent activity.”
GLI-19 recommends establishment of a patron PII privacy policy, which includes the following:
- The personally identifiable information (PII) required to be collected.
- The purpose and legal basis for PII collection and of every processing activity for which consent is being sought including, where required by the TGRA, the “legitimate interest” pursued by the operator (or third-party service provider(s)) if this is the legal basis chosen (i.e., identification of the specific interest in question).
- The period in which the PII is stored, or, if no period can possibly be set, the criteria used to set this. It is not sufficient for the operator to state that the PII will be kept for as long as necessary for the legitimate purposes of the processing.
- The conditions under which PII may be disclosed.
- An affirmation that measures are in place to prevent the unauthorized or unnecessary disclosure of the PII.
- The identity and contact details of the operator who is seeking the consent, including any third-party service provider(s) which may access and or use this PII.
- Where required by the TGRA, that the player has a right to:
a. Access, export, or transfer their PII
b. Rectify, erase, or restrict access to their PII
c. Object to the PII processing
d. Withdraw consent, if the processing is based on consent
e. File a complaint with the TGRA
Section A.3.5 of the GLI-19 standard states, “Any information obtained in respect to the player account, including personally identifiable information (PII) and authentication credentials, shall be done in compliance with the privacy policy and local privacy regulations and standards observed by the regulatory body (TGRA).”
In addition to the harm patrons may suffer from a PII data breach, the casino is likely to lose revenue from customers who have lost trust and take their business elsewhere, and to face negative publicity, higher cyber liability insurance costs, and substantial remediation costs from legal defense, settlements, and system overhauls.
Our current digital universe and the looming risk of AI-facilitated scams require casinos to treat patron personal identifying information as sacrosanct. Casino patrons have a right to expect nothing less.
David Vialpando is Executive Director of the Pala Gaming Commission and Vice-Chairman of Tribal Gaming Protection Network. He can be reached by calling (760) 510-4559 or email [email protected].