Code of Massachusetts Regulations
205 CMR - MASSACHUSETTS GAMING COMMISSION
Title 205 CMR 257.00 - Sports Wagering Data Privacy
Section 257.03 - Data Sharing

Universal Citation: 205 MA Code of Regs 205.257

Current through Register 1531, September 27, 2024

(1) A Sports Wagering Operator shall not share a patron's Confidential Information or Personally Identifiable Information with any third party except for legitimate business purposes necessary to operate or advertise a Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform or to comply with M.G.L. c. 23N, 205 CMR, or any other applicable law, regulation, court order, subpoena, or civil investigative demand of a governmental entity, to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity, debug to identify and repair errors, to investigate, respond to and defend against filed or reasonably anticipated legal claims, and for other reasonable safety and security purposes. In addition, sharing of a patron's Confidential Information or Personally Identifiable Information may be permissible where necessary to conduct commercially reasonable review of a Sports Wagering Operator's assets in the context of the sale of all or a portion of the Sports Wagering Operator's business.

(2) If a Sports Wagering Operator shares a patron's Confidential Information or Personally Identifiable Information pursuant to 205 CMR 257.03(1), the Operator shall take commercially reasonable measures to ensure the party receiving a patron's Confidential Information or Personally Identifiable Information keeps such data private and confidential, except as required for the authorized use or purpose pursuant to 205 CMR 257.03(1). The party receiving such data shall only use a patron's Confidential Information or Personally Identifiable Information for the purpose(s) for which the data was shared.

(3) If a Sports Wagering Operator deems it necessary to share a patron's Confidential Information or Personally Identifiable Information with a Sports Wagering Vendor, Sports Wagering Subcontractor, or Sports Wagering Registrant, a Sports Wagering Operator shall enter into a written agreement with the Sports Wagering Vendor, Sports Wagering Subcontractor or Sports Wagering Registrant, which shall include, at a minimum, the following obligations:

(a) The protection of all Confidential Information or Personally Identifiable Information that may come into the third party's custody or control against a Data Breach;

(b) The implementation and maintenance of a comprehensive data-security program for the protection of Confidential Information and Personally Identifiable Information, which shall include, at a minimum, the following:
1. A security policy for employees relating to the storage, access and transportation of Confidential Information or Personally Identifiable Information;

2. Restrictions on access to Personally Identifying Information and Confidential Information, including the area where such records are kept, secure passwords for electronically stored records and the use of multi-factor authentication;

3. A process for reviewing data security policies and measures at least annually; and

4. An active and ongoing employee security awareness program for all employees who may have access to Confidential Information or Personally Identifiable Information that, at a minimum, advises such employees of the confidentiality of the data, the safeguards required to protect the data, and potentially applicable civil and criminal penalties for noncompliance pursuant to state and federal law.

(c) The implementation, maintenance, and update of security and breach investigation and incident response procedures that are reasonably designed to protect Confidential Information and Personally Identifiable Information from unauthorized access, use, modification, disclosure, manipulation or destruction; and

(d) A requirement that the maintenance of all Confidential Information and Personally Identifiable Information by a Vendor, Subcontractor or Registrant must meet the standards provided in 205 CMR 257.02.

(4) Sports Wagering Operators shall encrypt or hash and protect, including through the use of multi-factor authentication, from incomplete transmission, misrouting, unauthorized message modification, disclosure, duplication or replay all Confidential Information and Personally Identifiable Information within their possession, custody or control. An Operator may request approval by the Commission to protect Confidential Information and Personally Identifiable Information in another manner that is equally protective of the information in question.
