Cybersecurity: You Sold Your Data Without Realizing It

by Andrew Cardno

A gaming facility is something that a tribe clearly owns – it is physical and ever present. When a tribal member walks through the doors, they know who the property belongs to. What tribes may not realize, though, is that they may have lost their data ownership – and data is one of the gaming facility’s largest assets.

Loss of data ownership rights is subtle and can happen with the slip of a pen or a simple mistake about where data is housed. Data flows through a casino like water, including from point-of-sale systems.

What is Data Ownership

Owning data is like owning the rights to a bundle of sticks – each stick represents a different kind of right and use case. These rights include: the right to understand, the right to view, the right to move, the right to update and the right to know you are being searched by state or federal investigators. Examining each of these data rights in turn shows how each can operate separately, and how they relate to one another.

The Right to Understand Your Data

Data is like a complex wilderness with rivers, valleys, snow and mountains. Without a map of your data wilderness, it is nearly impossible to find your way around. It is unlikely that your system vendors have provided a landscape, which leaves you lost in the wilderness.

What to Check: Ask for metadata that clearly explains how your vendor databases work. This metadata will give specific examples of how values are calculated and how underlying data flows. Both facts and dimensions are managed by the system.

The Common Situation: Metadata is normally either non-existent or indecipherable. If it is non-existent, then there is simply no description of your data environment. If it is indecipherable, it could be hundreds of pages of computer-generated information that still miss critical information on how the data actually works.

The Right to Read (or Query) Your Data

If you have a map of your data, you need to have the right to actually read the data. In some cases, system vendors may be able to lock you out and prevent you from seeing your own data. This can be intentional via encryption, or accidental, meaning there is no practical connection mechanism.

What to Check: Check whether you can use database query tools to read all underlying data in your system, and whether the systems company is supportive of you reading it. In some instances a vendor might say that reading the data invalidates their support agreements, making it essentially unusable. In other cases the data is simply inaccessible and there is no way of connecting to your data flows.

The Common Situation: It is likely that many of your database records are inaccessible to normal query procedures, and it is also remarkably common for the vendor to control the usernames and passwords that give access to this data.

The Right to Update Your Data

In order to take action with data, it often needs to be changed. For example, if you want to issue a coupon to a customer, that coupon needs to be uploaded programmatically. The key here is programmatically – without a programmatic interface you may find it is simply not practical to load your marketing offers. In today’s world, gaming resorts consist of dozens of critical systems running everything from player rewards, to hotel, to point-of-sale. In order to create a unified data experience, it needs to be possible to wire these systems together.

What to Check: Ask if your marketing team is able to automatically load their full marketing program without manual processes. Ask if you can programmatically recode your hosted players to new hosts using a documented and supported programmatic interface.

The Common Situation: The typical case is that system vendors will decide who can access the data and what update rights they have. A common case is that there is no practical way of doing this integration.

The Right to Know Your Data is Being Searched by State or Federal Investigators

Tribal sovereignty is a powerful protection against third party controls and intrusion into your data – it is, however, very easily lost. For example, if your data is in the cloud, it is likely provided by a commercial organization. Search warrants are served against the provider and this can be done without notice to you. This means that your data may be subject to investigation without you having any knowledge that this is taking place. Furthermore, these investigations could be ongoing for considerable periods of time before you discover you are being investigated.

What to Ask: Is any data housed off tribal land? For example, is any data housed in a non-tribal cloud? Specifically, ask if your data warehouse is governed by tribal law as this database will often hold a complete copy of all of your critical data.

The Common Situation: A recent trend is that data is being moved to the cloud by cloud-based vendors. As a side note, consider what would happen if your critical infrastructure was governed by state law. If your data was physically housed in California, then California authorities would likely have the right to enact regulatory and legislative actions that could control your ability to operate your facility.

In Summary

In today’s world, data is the water that flows through your organization enabling almost every aspect of your facility to operate. With the current labor shortages, businesses are even more technology dependent to run operations.

Full ownership of your data is ownership of all the sticks in the bundle, and you need to own all of them. The risk here is that without careful legal and technical review, you may find you have already lost some or all of these rights to your database, and without action you may not get those rights back.  

Andrew Cardno is Co-Founder and Chief Technology Officer of Quick Custom Intelligence (QCI). He can be reached by calling (858) 299-5715 or email [email protected].