
New Nevada Cybersecurity Requirements for Gaming Operators

On December 22, the Nevada Gaming Commission (“Commission”) adopted new data security requirements for gaming operators, which go into effect January 1, 2023. Nevada is the latest state to adopt such requirements as mobile and online sports gaming increases in popularity. Sports betting (and gaming generally) is a highly regulated area that requires gaming operators to collect and retain personal data (like name, date of birth, Social Security number, residence, geo-location, and email address) from patrons to comply with state and federal regulations. While these information collection practices help guard against fraud and other harms, they also present real data security risks to the gaming operators that must maintain this information and to the patrons to whom the information belongs. 

In general, Nevada’s new regulations require gaming operators to:

  1. Take “all appropriate steps to secure and protect their information systems from the ongoing threat of cyber attacks.” Operators must document the precautions taken and make them available to the Commission upon request. Operators must secure personal information collected from patrons and employees as well as the operator’s own records.

  2. Conduct a risk assessment and adopt cybersecurity best practices by December 31, 2023. Operators will need to monitor attack trends and periodically reassess their security practices to update their safeguards and risk assessment.

  3. Notify the Commission no later than 72 hours after becoming aware of a cyber attack that resulted in the material loss of control, compromise, or disclosure of information, investigate the attack, and prepare an investigative report to be shared with the Commission upon request. Sharing this kind of information with the Commission can place the operator at legal risk, so such reports will need to be thoughtfully drafted.

  4. Retain an outside cybersecurity analyst to review the operator’s security practices annually and attest in writing that those practices comply with the Commission’s regulations.

Our Privacy & Cybersecurity team at Michael Best is experienced in creating information security programs, conducting risk assessments, resolving cyber attacks, and engaging cybersecurity analysts. Please reach out to a member of our team to discuss how to best implement or improve your current information security program to meet these new requirements. 

This action joins agencies in other jurisdictions moving quickly to protect consumers and their personal information in the gaming industry.

