Seven Steps to Improved Security
As the attacks to PSN and other networks in 2011 show, the game industry is substantially threatened by data privacy and security issues -- and given the number and scale of the breaches, it is also clear the industry, as a whole, was not ready for that threat. What can the game industry do to minimize further damage?
May 2, 2012
Author: Gary Kibel
While privacy and data security are hot topics everywhere these days, they are of particular interest to the game industry. Vast quantities of consumer data are generated every day in the game industry, including through consoles, websites, and mobile devices. Data can be a significant asset in that it provides valuable insight into a consumer's behavior which can be used to improve games and target messages and offerings. However, data can also be a liability.
Data breaches in games are prevalent. In 2011 alone, Sega, Nexon, Codemasters, Sony, Bethesda, Square Enix, and Valve were all targets of successful attacks. We can be certain in 2012 that any game company handling substantial personal information will continue to be a target as well.
The costs associated with a data breach are usually described as several dollars to several hundred dollars per affected record (depending on the extent of the breach and the items included in the long-term costs). Considering that many of the data breaches last year affected more than a million records, those costs are significant.
One company was attacked several times and had a total of more than 100 million records affected, leading to a cost of about $170 million in the month after the attack and projections of over a billion dollars as an all-inclusive cost.
Some costs of a data breach are easier to identify than others. The cost areas range from legal compliance to the potential for lost profits. For legal compliance, consider that there are currently 46 states with data breach notification laws that require companies to inform users in the event of a breach with respect to their personal information. Each law has its own unique requirements, which can make compliance an expensive endeavor in the event of a breach.
Beyond notification and legal compliance, there is lost revenue associated with downtime for the hacked network. There are the customer service and PR costs to consider -- these often include credit and identity theft monitoring services for the affected records. There are the promotional costs of giveaways and "welcome back" packages to regain consumer confidence. Unfortunately, the costs often include settling litigation and regulatory investigations that result from the data breach. As an example, one of the largest breaches this year was followed by 25 class action lawsuits and a congressional investigation.
Clearly, the game industry is substantially threatened by data privacy and security issues. Furthermore, given the number and scale of the breaches in 2011, it is also clear the industry, as a whole, was not ready for that threat. Going forward, what can the game industry do to minimize further damage?
The seven steps below are a good start. You might be surprised to see that only one piece of advice is "technical". Data security and privacy must be driven by sound decisions on a policy level. The technology is only as good as the planning and decision-making behind it.
1. Take Inventory
Take stock of the personal information the company has in its possession or control. A company cannot know what to protect if it does not know what it is storing.
Is there a person in your company who knows all of the customer data collected and where it is located? Is that person both responsible and adequately empowered to make decisions to protect that data? If your company is like most game companies, the answer to that question is probably "no", and in the best cases it is a "maybe".
Since data issues are not exclusive to one particular business function, an organization should have a privacy steering committee which consists of representatives from information technology, legal, management, public relations and human resources.
The group should be led by one chief privacy officer, or someone with a similar title and authority. This group needs to understand what customer information the company has, how it is stored, how to control its transfer, and how/when to delete it.
2. Reduce Inventory
Think about what data the company can do without. A company cannot lose data it doesn't have. Reevaluate the company policies and consider not storing and collecting data in each instance. Only collect the data really needed -- and that means data tied directly to business goals.
On the whole, game companies collect a lot more data than they actually use, especially in these days of mandatory registration. Just five years ago, with the rare exception of MMOs, the idea of mandatory account registration or an "always on" internet connection in the name of DRM and marketing would have been viewed as ridiculous. Today those practices are becoming the norm even for single player games. Consider that data loss was not a substantial problem in the 1990s because companies did not have the data to lose.
Match the data to the goals of your business. Collectively, we need a better reason than "marketing purposes" to collect data. There is a 21st century problem across many technically-sophisticated industries: substituting data collection and analysis for good judgment.
Data should only be collected if it is part of a focused, clear strategy for adding value to the game company and preferably that collection should improve the entertainment products and experiences offered to consumers. Stated another way, data should only be collected if it is going to be used and the benefits of using it outweigh the costs of collecting, safely storing, and disposing of the data.
Monthly subscription renewal for auto-billing makes sense, as well as similar collection for the purchase of virtual goods and DLC. These are directly related to revenue gains, because we know that when players have to re-enter that information, you'll lose sales. Collecting email addresses for a newsletter also makes sense if it is managed properly.
But what about the data we have stored for years on older games, or data on the demographics of our user base? Do we really need to know that in 2009 the company was very popular among men 35-37 in the 10038 zip code? Even if that is important, is there any reason to store data we derived that information from?
3. Network Security is a Process
Game companies that store hundreds of thousands, or millions, of customer service records need evolving technical measures in place as well as the policy-level considerations above. Security is an arms race in which attacks, protections, and countermeasures are constantly at battle with one another.
We know that state of the art technical security in 2012 would include encrypting very sensitive data such as credit card numbers, parameterizing queries to prevent SQL injection, and implementing strong input validation so that malformed or unexpected input is rejected before it reaches back-end systems.
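To make the two query-handling measures concrete, here is an added example (not code from the article or from any company it names) that puts a string-built lookup beside its parameterized form, with an allow-list check layered in front; the account table and its two rows are constructed sample data, and the `accounts` schema and helper names are assumptions for illustration.

```python
import re
import sqlite3

# Constructed in-memory account table; the data is sample data only.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com")])
    return conn

def lookup_email_unsafe(conn, username):
    # String concatenation: the username is parsed as part of the SQL text,
    # so a quote or keyword inside it changes the statement's logic.
    sql = "SELECT email FROM accounts WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_email_safe(conn, username):
    # Placeholder binding: the driver sends the value separately from the
    # SQL text, so it is always treated as data, never as query syntax.
    sql = "SELECT email FROM accounts WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

# Allow-list for usernames: lowercase letters, digits, underscore, 3-16 chars.
USERNAME_OK = re.compile(r"[a-z0-9_]{3,16}")

def is_valid_username(username):
    # Input validation as defence in depth: reject anything outside the
    # expected character set before it reaches the database at all.
    return USERNAME_OK.fullmatch(username) is not None

def lookup_email_validated(conn, username):
    if not is_valid_username(username):
        raise ValueError("invalid username")
    return lookup_email_safe(conn, username)

def compare(username):
    # Run the same input through both lookups on a fresh table so the
    # difference in behaviour is visible side by side.
    conn = make_db()
    return (sorted(lookup_email_unsafe(conn, username)),
            sorted(lookup_email_safe(conn, username)))
```

Feeding the classic tautology `x' OR '1'='1` through `compare` returns every row from the unsafe lookup and nothing from the parameterized one, which is exactly the behaviour the audit should be checking for.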
While any system can be attacked via zero-day vulnerabilities, ensure your systems are rigorously updated with all security patches to prevent needless exposure.
We also know these measures and how they are implemented will change next year, and even over the course of this year. As your company follows its own internal road map, the company's security should be audited regularly. These audits should usually be internal, but on occasion the company should engage an independent third party to conduct the security system review.
Interacting with external auditors on an ongoing basis provides both a different perspective as well as market knowledge that cannot be achieved internally. Furthermore, regularly planned external audits reduce the emergency or reactive character associated with bringing in external auditors only after a breach.
4. Written Information Security Program
Every organization should have a written information security program which sets forth the organization's data management and security practices. This is actually required by law in some jurisdictions if a company collects personal data -- however, it is a best practice in any regard. The plan should be reviewed and updated on an annual basis. Such a plan makes it easier to measure and manage compliance with sound security practices since there will be objective standards.
5. Children's Data
Extra caution should accompany any project that involves the collection or use of personal information from children. If there is one area of privacy and data security that unites lawmakers, regulators, and consumers, it is the need to protect children online.
Everything in this article applies to children under 13 as well as adults. In addition, compliance with the Children's Online Privacy Protection Act (COPPA) is required if your service is directed to children under 13, or if you know your service is collecting information from children under 13.
In addition, there are self-regulatory guidelines imposed by industry organizations such as the ESRB Kids Privacy Certification and the Children's Advertising Review Unit, which monitor self-regulatory programs and COPPA compliance.
COPPA compliance review should be part of the company's privacy and security audit procedures. Certainly, any substantial loss of children's data would be associated with many of the costs attributed to adult data breaches and likely include additional negative publicity. Last year, Playdom was fined 3 million dollars associated with a COPPA violation.
6. Audit User Terms and Privacy Policies Regularly
Game companies should review terms of use, end user license agreements, and privacy policies as part of their data security measures. The laws are changing frequently in this area. A regular review of these documents ensures compliance and could lead to substantially reduced costs in a data breach.
For instance, as a result of developments in 2011, a company should amend its end user license agreements and terms of use in an effort to prevent class action lawsuits. The U.S. Supreme Court ruled in an AT&T case in 2011 that companies can include "no-class action" clauses in their contracts if certain procedures are followed. This one change could save companies millions of dollars in litigation expenses in a data breach.
Generally speaking, the first step is to make sure the company's legal documents contain reasonable dispute resolution provisions that are fair to the consumer in light of the 2007 Bragg v. Linden Lab case.
This first step includes paying attention to items such as putting the consumer on adequate notice of the dispute resolution procedures, offering a meaningful customer service process for informal dispute resolution, allowing a venue for the dispute that is reasonable or perhaps phone arbitration/mediation options, and making certain the costs are not unduly burdensome on the player.
Second, add a section that prevents class action lawsuits or grouping complaints through any other mechanism. Data breaches are expensive enough without having to divert resources to plaintiffs' attorneys.
A competent attorney can help your company amend terms of service and end user license agreements to make certain this is done properly. These kinds of edits should always be made in consultation with counsel familiar with this area of the law.
7. Create a Data Breach Response Plan
Having a data breach response plan involves two steps. First, make certain the company has access to the right team of professionals. That team would include internal executives familiar with the company's data plans, attorneys familiar with the law, technical experts who can evaluate the cause and extent of a breach, and PR professionals who can adequately communicate with customers after a breach.
Second, have this group coordinate to know -- in advance -- what they would do in data breach situations. It may seem obvious, but planning in advance is cheaper and leads to more efficient communication and execution than working ad hoc in an emergency.
Quickly and clearly communicating about a data breach is usually received positively by the community. This is true even if the company does not have all the information confirmed. Waiting for certainty is usually waiting too long. Delays such as the ones we saw in 2011 (over a week, in some instances) are not looked on favorably.
Conclusion
The game industry was the target of numerous successful attacks last year. In 2012, it will likely collect more personal information than ever before -- and will thus likely be a bigger target than ever before.
The industry is growing as a target because its monetary worth and cultural presence are growing. Games are indisputably the most valuable entertainment products of any kind. With a total value of $74 billion in 2011, and predicted growth to $112 billion by 2015, the industry is absolutely going to attract unwanted attention.
The film, music, sports, and print industries all provide entertainment, but do not have as much access to a consumer's personal information and are not experiencing growth comparable to the game industry. Much of that growth is directly tied to the data through digital distribution, multi-platform interconnectivity, social networks, and mobile platforms.
In 2012, the industry has to do better than it did in 2011 at protecting customer data. It has to do better because it is the right thing to do for our customers and because it is more profitable for everyone involved in the industry. As connectivity and data collection increase, they change the character of what companies are selling.
Traditionally, the game industry has sold entertainment, and that will always be true. But as we move forward, the industry has to understand that what it is selling is trust. While the risks associated with storing a huge volume of consumer data cannot be completely eliminated, they can be managed.
Acknowledgement: The authors would like to thank Justin Berman, senior security engineer at Aspect Security for his review of and contributions to this article.