Alert 03.31.22
Alert
Alert
05.10.22
Developments in Sports Betting
In 2018, the Supreme Court struck down the federal ban on state-sponsored sports betting in Murphy v. NCAA. The sports betting industry, which was previously confined to Nevada, Delaware, Oregon and Montana, has flourished as more states pass laws permitting sports betting. Sports gambling is now a multibillion-dollar industry with experts projecting that the industry’s market will grow to $106.25 billion by 2025. As the industry has continued to grow, its online presence has also increased. In 2021, more than 86 percent of sports wagers were placed online.
Currently, 33 states and the District of Columbia have legalized sports betting and wagering. In 22 of these states, online sports betting is permitted. Most of the country now has access to sports betting either online or in person.
Several state legislatures haven taken up the issue this legislative session. Kansas, South Carolina, Missouri, Maine and Massachusetts are five such states with recent developments.
California voters will consider whether to bring sports gambling to their state this November in a voter referendum. Two ballot initiatives have already garnered enough signatures to be put to a vote this fall. The first would legalize in-person sports betting at regulated establishments. The second would legalize online sports betting in the state. Each ballot must be approved by a majority of California voters to become law.
Cybersecurity and Data Privacy Risks Associated with Sports Betting
As sports betting becomes more pervasive, so do the cybersecurity and data privacy vulnerabilities that the industry presents. When placing a sports bet, bettors are required to disclose a large amount of personal information. This can include the individual’s date of birth, Social Security number, physical address, email address, financial and banking information, and location data.
In addition to the data that users contribute to place bets, the platforms used to place bets also use and generate a lot of data about the sports themselves. Most sports betting platforms allow bettors to bet on a wide variety of events such as which team will win the game, the score of a game, the performance of a certain player and whether a game will go into overtime. These bets remain open throughout the game, and the odds are driven by data. The data used to calculate these odds include statistics relating to the performance of the players and teams, the composition of the league, the time in the season which games are scheduled and other factors. The privacy and integrity of this data is crucial to a properly regulated sports gambling industry. If this data is compromised, it could have drastic effects both for bettors and for the integrity of the sports betting industry.
Due to the sensitive information that sports betting technology holds, these systems are ripe for cyberattack. Across the board, cyberattacks are on the rise. The highly valuable personal information held by sports gambling providers makes these companies ripe targets for malicious cyber actors. Malicious cyber actors have already executed hacks of similar gambling operations, such as lotteries and casinos, to access this type of information. In 2016, the United Kingdom’s national lottery was hacked, and more than 26,500 online lottery accounts were compromised. As a result of this attack, malicious cyber actors gained access to personal information of those individuals whose accounts were compromised. In February 2020, MGM Resorts and Casino experienced a cyberattack in which 142 million individuals’ personal details were stolen and placed for sale on the dark web. Information accessed in the intrusion included private information about guests and players, including names, home addresses, phone numbers, emails and dates of birth. Moreover, there has already been one reported cyberattack on an online sports betting portal. In March 2020, the Oregon lottery had to shut down its online sports betting platform, SBTech Scoreboard, due to a suspected breach. Ultimately, no information was compromised in the attack because SBTech was able to take its systems offline and resolve the intrusion before the hackers accessed any of this data.
Best Practices for Cybersecurity and Data Privacy
States and companies that are operating sports betting platforms should invest in implementing cybersecurity and data privacy best practices. Cybersecurity best practices for these organizations align with general cybersecurity best practices and can include:
Companies involved in sports betting should also be aware of any laws in their states that concern safe storage of data as well as their obligations to consumers in the case of a data breach. Many states’ data privacy regulations will cover obligations in both instances.
The bottom line is that cyber criminals—like any other criminals—follow the money. It follows, then, that the massive increase in sports betting across the United States is bound to attract hackers looking to steal funds and disrupt platforms. Venue owners and operators as well as sports betting platforms should be taking steps now to minimize the possibility of suffering cyberattacks.