How Sports Gaming Sites Could be Gambling with Your Information

By Tonecia Brothers-Sutton
3/2/2021

As legalized sports betting continues to expand, sports gaming law has presented concerns for data protection and privacy rights. Over 24 states and the District of Columbia have officially legalized sports betting since the invalidation of the federal ban. In Murphy v. National Collegiate Athletic Association (NCAA), the United States Supreme Court invalidated the federal ban on sports wagering. Before Murphy, the Professional and Amateur Sports Protection Act (PASPA) made it unlawful for a state to operate or authorize “betting, gambling or wagering scheme[s] based . . .” on sports. Following the invalidation, legal wagers have hit unprecedented numbers. Over $136 million was bet on this year’s Super Bowl matchup between the Kansas City Chiefs and Tampa Bay Buccaneers and, as March Madness approaches, the American Gaming Association (AGA) has predicted that 50 million Americans will place a bet on the NCAA tournament. As more people participate in sports betting, more consumer information is being shared across different gaming platforms. This influx of shared information has generated concerns about potential data breaches.

The use of mobile online sports betting has contributed to this increase in shared information. Many states have implemented legislation allowing bettors to make both in-person and mobile online bets. Along with the expansion of online wagering, states are facing concerns about data security for consumers. Gaming companies collect and store an immense amount of financial and personally identifiable information from their consumers. Bettors may be required to provide a date of birth, a Social Security number, and physical and email addresses. In addition, consumers may also be asked to supply financial and banking information when creating accounts. Cybersecurity experts warn about potential data breaches in physical casinos and online betting sites. Hackers have targeted bettors in two major ways: the theft of wagered money and the theft of bettors’ confidential account data. Hackers are now able to take advantage of the sports betting industry by stealing data and compromising the privacy of consumers.

Although nationwide legal sports betting is a new industry, the cyber threat is not. Gaming companies are one of the most favorable targets for hackers and scammers. In the last couple of years, a few of the industry’s biggest casinos have been subject to data breaches. In 2015, Hard Rock Hotel & Casino Las Vegas suffered a malware attack that allowed hackers to steal cardholder names, credit card numbers, and CVV codes belonging to hotel guests and customers. In 2017, the Hard Rock Hotel experienced another data breach when hackers gained access to unencrypted payment card information for customers. The guests of 11 Hard Rock locations lost confidential information due to this data breach. Further, as recently as 2020, MGM Resorts International suffered a data breach that affected the personal data of 10.6 million guests. The affected personal data included full names, home addresses, phone numbers, email addresses and dates of birth. These guests included “tourists, business travelers, tech CEOs, reporters, government officials and more.” The data from this breach was then posted online to a hacker forum.

Aside from consumer data, valuable sports data is also vulnerable. Depending on the bookmaker, bettors are allowed to place both “pre-match” and “in-play” bets. “Pre-match” betting occurs “up until the second the sports event begins,” while “in-play” betting allows bettors to make wagers while the sports event is taking place. The bets taken during in-play betting are based on how the game will progress, with odds changing after almost every play or possession. The odds of these bets are based on sports data about teams, leagues, and players. This sports data is critical for bettors and for sportsbooks that guarantee “official data.” If this data is not reliable, bettors could become disengaged, and sportsbooks could lose their integrity. This data is also very important to leagues and teams that have ownership rights over their sports data. Ownership of sports data gives leagues and teams the exclusive right to sell their data to analytics companies and oddsmakers. Official sports data must be quick and reliable to maintain these business relationships.

Although data privacy and breaches of that privacy are serious concerns in the validation of legalized sports betting, no federal laws have been put in place to address these concerns. As of today, the federal government has not implemented legislation for a comprehensive federal data protection scheme. The lack of federal regulation leaves this legislative responsibility up to individual states. This year, four states (Washington, Virginia, Oklahoma, and Minnesota) have officially taken steps toward enacting state-level privacy legislation. These laws focus on providing privacy rights to consumers, implementing privacy protection standards for data controllers, and regulating how these companies dispose of consumer information. Data disposal laws are beginning to trend across all 50 states. The most notable of these new privacy and data disposal laws is the California Consumer Privacy Act (CCPA). The CCPA is a comprehensive piece of legislation that gives consumers more control over how businesses collect and use their personal data. This law requires most for-profit businesses operating in California to disclose what types of personal information are collected, the purpose of collection, and with whom the information is being shared. In addition, businesses are also required to provide consumers a description of their rights under the CCPA and allow them to opt out of having their personal information sold or disclosed to third parties. While having individual state legislation is a step in the right direction, without a federal legislative scheme companies may face inconsistent standards varying from state to state. If state laws differ, companies that operate in multiple states could encounter conflicting regulatory standards.

As legislative bodies create regulatory frameworks, bettors can do a few things to ensure they are playing safely. Bettors should be aware of gaming applications associated with Application Programming Interfaces (APIs). Applications with authorized APIs can decrease the likelihood of an attack on information that is exchanged between a sportsbook and bettor. Bettors can also use alternative payment methods instead of using credit or debit cards. Many online gaming sites allow bettors to use payment methods such as cryptocurrency and PayPal that protect financial privacy. Bitcoin is the best-known cryptocurrency that ensures bettors’ privacy. Norton Security also encourages bettors to create strong passwords, change those passwords often, and never save passwords on a device. As we wait for a comprehensive federal data protection law, bettors must safeguard the use of personal information online, which is essential to decrease the risk associated with online gambling.

As public concern for protecting private information in sports betting has increased, it is expected that Congress will make a serious effort to create a federal data protection plan this year. Congress should address these challenges by implementing a comprehensive data protection plan that emulates California’s CCPA. A cohesive federal law would limit the possibility of conflicting state laws and create a national standard to be applied to all businesses and organizations. Federal law should make an effort to replicate the rights afforded to California citizens to access, modify, delete, and export data. A federal plan that provides similar standards and requirements could protect all American sports bettors from a potential data breach.