Sports Betting and Data Security
Cybersecurity experts warn about the risks posed by the lure of the anticipated handle, both legal and illegal, around sports betting. While money laundering and theft are concerns, so are data breaches of customer information, which in the long run may be even more valuable—and more damaging—to patron and operator alike. The customer data collected by casinos often is extensive. Bettors may be required to provide date of birth, Social Security number, physical and email addresses, and other personal identifying information. They may also be required to create accounts with financial and banking information, along with passwords and security questions. Customer habits and preferences may be tracked through players club cards and apps. For online and mobile betting, age (sometimes via date of birth) and location data is also collected.
But sports betting also has other valuable data: sports data.
Sports books offer wagers not just on the outcome of the game (win or moneyline), but on the score (over/under, point spread) and special events (proposition bets, such as whether the game will go into overtime or whether a particular player will score a touchdown). In-play or live betting allows bettors to place wagers after an event has started and up to the time of its conclusion. The odds on all of these bets are driven by sports data on all features of the players, teams, contests, and leagues. The security of sports data is critical to the integrity of legalized sports betting. As sports betting has one of the slimmest margins of any casino games, the security of sports data also is critical to the financial risk inherent in a casino’s sports book.
Sports data also is an intellectual property asset. Leagues and teams have claimed ownership of sports data, with the business plan of selling their official data to data analytics companies and oddsmakers, or charging integrity or data rights fees to the gaming industry. For example, in 2018, MGM Resorts entered into a 3-year deal with the NBA to receive league-verified data for some $25 million, followed by similar deals between MGM and the NHL and MLB. But there are unsettled questions regarding ownership, copyright, and fair use. Broadcasts of sporting events may be copyrightable, but the live game likely is not. Prior cases, including NBA v. Motorola, Inc., 105 F.3d 841 (2d Cir. 1997) (broadcasts, not games, are copyrighted; facts derived from broadcasts are not copyrighted; a sports broadcast is not “hot news”), Morris Communications Co. v. PGA Tour, 364 F.3d 1288 (11th Cir. 2004) (a sports league may charge a fee for access to proprietary data without violating antitrust laws), C.B.C Distribution & Marketing, Inc. v. MLB Advanced Media, 505 F.3d 818 (8th Cir. 2007) (a fantasy sports operator’s use of baseball statistics in the public domain is protected by the First Amendment), and Daniels v. FanDuel, Inc., 909 F.3d 876 (7th Cir. 2018) (college athletes’ names, likenesses, and statistical data are “newsworthy” and may be used without an athlete’s permission), provide clear answers to issues that are increasingly significant, or even novel, in the post-Murphy legal environment as the legal sports betting industry—and its demands for data—expand.
Similar considerations and questions with regard to data security and intellectual property apply to DFS and esports.
Applicable Data Security Laws
While data protection, data privacy, and data-breach notification are recognized as critical dimensions of cybersecurity law, regulation, and policy, these issues have yet to be addressed in any comprehensive legislation in the U.S Not so elsewhere. The European Union’s comprehensive General Data Protection Regulation (GDPR) took effect in 2018. The GDPR regulates the processing of personal data within its territoriality requirements. Processing of personal data includes collection, use, storage, organization, disclosure, or any other operation performed on personal data. Personal data is defined as any information relating to an identified or identifiable person, including names, identification numbers, location data, IP addresses, etc. The GDPR’s territoriality requirements bring within its scope any organization with an “establishment” in the EU that processes personal data as part of that establishments’ activities.
As for the U.S., there is not yet a single, comprehensive federal data protection law. There are several federal laws that address data security in specific areas, including:
- Children’s Online Privacy Protection Act (COPPA)
- Computer Fraud and Abuse Act (CFAA)
- Consumer Financial Protection Act (CFPA)
- Electronic Communications Privacy Act (ECPA)
- Family Educational Rights and Privacy Act (FERPA)
- Federal Trade Commission Act (FTC Act)
- Health Insurance Portability and Accountability Act (HIPAA)
- Fair Credit Reporting Act (FCRA)
These laws, however, speak to highly diverse forms of data and expectations of privacy, with divergent requirements for relevant industry actors.
States, however, have moved more rapidly to address privacy, cybersecurity, and data breaches, passing or at least considering hundreds of bills across all 50 states, territories, and the District of Columbia, many of which focus heavily on consumer protection. At least 25 states have laws addressing data security practices in the private sector, more than half of them passed in the last five years. Most states also now have data disposal laws, governing how companies destroy or render indecipherable the personal information obtained from customers and employees. The California Consumer Privacy Act (CCPA) is notable for its comprehensive approach, as it applies to most for-profit companies that do business in the state, and regulates all “personal information,” encompassing nearly any and all information that a business might collect from a customer.
The rapid expansion of legalized sports betting, as well as the emergent areas of DFS and esports, have created both opportunities and challenges for the business lawyer. In particular, online and mobile platforms for sports betting and DFS, as well as team trademarks and design of esports games, raise rapidly mounting issues and dynamic questions related to intellectual property and data protection, privacy, and security.
A business lawyer advising clients in these areas, or working directly in the gaming industry or with public officials who either have or claim a stake in the success of gaming regulation, needs to know how data protection compliance and intellectual property interests operate in these rapidly developing contexts as they merge with gaming law in retail casino operations and online or mobile wagering alike.
Fortunately, the ABA’s Business Law Section, including its Gaming Law, Intellectual Property, and Sports Law Committees, will continue to spotlight these issues as they arise and evolve.