Code of Massachusetts Regulations
205 CMR - MASSACHUSETTS GAMING COMMISSION
Title 205 CMR 257.00 - Sports Wagering Data Privacy
Section 257.05 - Data Program Responsibilities

Universal Citation: 205 MA Code of Regs 205.257

Current through Register 1531, September 27, 2024

(1) A Sports Wagering Operator shall develop, implement and maintain comprehensive administrative, technical and physical data privacy and security policies appropriate to the size and scope of business and addressing, at a minimum:

(a) Practices to protect the confidentiality, integrity and accessibility of Confidential Information or Personally Identifiable Information;

(b) The secure storage, access and transportation of Confidential Information or Personally Identifiable Information in the Sports Wagering Operator's possession, custody or control, including the use of encryption and multi-factor authentication;

(c) The secure and timely disposal or anonymization of Confidential Information or Personally Identifiable Information, including data retention policies;

(d) Employee training on data privacy and cyber security for employees who may have access to Confidential Information or Personally Identifiable Information that, at a minimum, advises such employees of the confidentiality of the data, the safeguards required to protect the data and any applicable civil and criminal penalties for noncompliance pursuant to state and federal law;

(e) Restrictions on access to Personally Identifying Information or Confidential Information, including the area where such records are kept, secure passwords for electronically stored records and the use of multi-factor authentication;

(f) Reasonable monitoring of systems, for unauthorized use of or access to Confidential Information or Personally Identifying Information;

(g) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;

(h) Cyber security insurance, which shall include, at a minimum, coverage for data compromise response, identity recovery, computer attack, cyber extortion and network security;

(i) Data Breach investigation and incident response procedures;

(j) Imposing disciplinary measures for violations of Confidential Information and Personally Identifiable Information policies;

(k) Active oversight and auditing of compliance by Vendors, Registrants, or Subcontractors with 205 CMR 257.03(3) and with the Operator's Confidential Information and Personally Identifying Information policies;

(l) Quarterly information system audits; and

(m) A process for reviewing and, if necessary, updating data privacy policies at least annually.

(2) A Sports Wagering Operator shall maintain on its website and Sports Wagering Platform a readily accessible copy of a written policy explaining to a patron the Confidential Information and Personally Identifiable Information that is required to be collected by the Sports Wagering Operator, the purpose for which Confidential Information or Personally Identifiable Information is being collected, the conditions under which a patron's Confidential Information or Personally Identifiable Information may be disclosed, and the measures implemented to otherwise protect a patron's Confidential Information or Personally Identifiable Information. A Sports Wagering Operator shall require a patron to agree to the policy prior to collecting any Confidential Information or Personally Identifiable Information, and require a patron to agree to any material updates. Agreement to this policy shall not constitute required consent for any additional uses of information. The Sports Wagering Operator shall not be required to include in the publicly available version of such policy any information which might compromise the policy's effectiveness in protecting and safeguarding Confidential Information or Personally Identifiable Information.

(3) A Sports Wagering Operator, Sports Wagering Vendor, Sports Wagering Subcontractor, Sports Wagering Registrant, or Person to whom an Occupational License is issued shall comply with all applicable state and federal requirements for data security, including M.G.L. c. 93A, M.G.L. c. 93H, 940 CMR 3.00: General Regulations, 940 CMR 6.00: Retail Advertising and 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.
