Two states recently passed laws with specific data security requirements for entities that are gaming operators or licensees. These new regulations in Nevada and Massachusetts add to the already complex set of data security laws that exist at the federal and state level. In the US, companies may be subject to certain data security laws because of the type of information they collect or because of the industry they are in (financial, healthcare, insurance, telecommunications, etc.). The gaming industry is the latest to add to the mix.
In this latest addition to this complex patchwork, the Nevada Gaming Commission adopted regulations for certain operators at the end of 2022 with the regulations becoming effective January 1, 2023. The rules apply to certain “covered entities” and impose requirements around: (1) risk assessments, (2) incident response, and (3) personnel. The Massachusetts law, aimed at both “operators” and “licensees” impose both general and specific obligations. Among other items, the law sets forth specific requirements for privacy policies, individual rights, automated decision making, and data security. While the Massachusetts rules were published with effective dates of December 2022, comments are invited until February 2023.
Putting it into practice. Gaming operators will want to make sure that they understand these laws and their requirements, including around data security and privacy disclosures. If you are a vendor working with covered entities, you may also want to look at these requirements. Those outside of this industry should take heed, as these two new laws signal the ever-evolving web of privacy and data security laws, including sector-specific requirements.