205 CMR, § 257.03

Current through Register 1527, August 2, 2024
Section 257.03 - Data Sharing
(1) A Sports Wagering Operator shall not share a patron's Confidential Information or Personally Identifiable Information with any third party except for legitimate business purposes necessary to operate or advertise a Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform or to comply with M.G.L. c. 23N, 205 CMR, or any other applicable law, regulation, court order, subpoena, or civil investigative demand of a governmental entity, to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity, debug to identify and repair errors, to investigate, respond to and defend against filed or reasonably anticipated legal claims, and for other reasonable safety and security purposes. In addition, sharing of a patron's Confidential Information or Personally Identifiable Information may be permissible where necessary to conduct commercially reasonable review of a Sports Wagering Operator's assets in the context of the sale of all or a portion of the Sports Wagering Operator's business.
(2) If a Sports Wagering Operator shares a patron's Confidential Information or Personally Identifiable Information pursuant to 205 CMR 257.03(1), the Operator shall take commercially reasonable measures to ensure the party receiving a patron's Confidential Information or Personally Identifiable Information keeps such data private and confidential, except as required for the authorized use or purpose pursuant to 205 CMR 257.03(1). The party receiving such data shall only use a patron's Confidential Information or Personally Identifiable Information for the purpose(s) for which the data was shared.
(3) If a Sports Wagering Operator deems it necessary to share a patron's Confidential Information or Personally Identifiable Information with a Sports Wagering Vendor, Sports Wagering Subcontractor, or Sports Wagering Registrant, a Sports Wagering Operator shall enter into a written agreement with the Sports Wagering Vendor, Sports Wagering Subcontractor or Sports Wagering Registrant, which shall include, at a minimum, the following obligations:
(a) The protection of all Confidential Information or Personally Identifiable Information that may come into the third party's custody or control against a Data Breach;
(b) The implementation and maintenance of a comprehensive data-security program for the protection of Confidential Information and Personally Identifiable Information, which shall include, at a minimum, the following:
1. A security policy for employees relating to the storage, access and transportation of Confidential Information or Personally Identifiable Information;
2. Restrictions on access to Personally Identifying Information and Confidential Information, including the area where such records are kept, secure passwords for electronically stored records and the use of multi-factor authentication;
3. A process for reviewing data security policies and measures at least annually; and
4. An active and ongoing employee security awareness program for all employees who may have access to Confidential Information or Personally Identifiable Information that, at a minimum, advises such employees of the confidentiality of the data, the safeguards required to protect the data and potentially applicable civil and criminal penalties for noncompliance pursuant to state and federal law.
(c) The implementation, maintenance, and update of security and breach investigation and incident response procedures that are reasonably designed to protect Confidential Information and Personally Identifiable Information from unauthorized access, use, modification, disclosure, manipulation or destruction; and
(d) A requirement that the maintenance of all Confidential Information and Personally Identifiable Information by a Vendor, Subcontractor or Registrant must meet the standards provided in 205 CMR 257.02.
(4) Sports Wagering Operators shall encrypt or hash and protect, including through the use of multi-factor authentication, from incomplete transmission, misrouting, unauthorized message modification, disclosure, duplication or replay all Confidential Information and Personally Identifiable Information within their possession, custody or control. An Operator may request approval by the Commission to protect Confidential Information and Personally Identifiable Information in another manner that is equally protective of the information in question.

Adopted by Mass Register Issue 1503, eff. 9/1/2023.
Amended by Mass Register Issue 1524, eff. 6/21/2024.