Section 138.73 - Personally Identifiable Information and Confidential Information Security(1) Any Confidential Information and Personally Identifiable Information obtained and maintained with respect to a patron, shall be obtained and maintained in compliance with the privacy regulations and standards observed by the Commission, including the application of M.G.L. c. 93H, 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth, and any other applicable law, regulation or court order for the protection of Personally Identifiable Information or Confidential Information for any patron regardless of residency.(2) A system of internal controls submitted by a gaming licensee in accordance with 205 CMR 138.02 shall include procedures for the security and sharing of Personally Identifiable Information and Confidential Information, including:(a) The designation and identification of one or more employees having primary responsibility for the design, implementation and ongoing evaluation of such procedures and practices;(b) The procedures to be used to determine the nature and scope of all information collected, the locations in which such information is stored, and the storage devices on which such information may be recorded for purposes of storage or transfer;(c) The measures to be utilized to protect information from unauthorized access; and(d) The procedures to be used in the event the gaming licensee determines that a Data Breach has occurred, including required notification to the Commission or any other person or entity.Adopted by Mass Register Issue 1486, eff. 12/21/2022 (EMERGENCY).Amended by Mass Register Issue 1492, eff. 3/9/2023 (EMERGENCY).Amended by Mass Register Issue 1494, eff. 3/9/2023 (COMPLIANCE).Amended by Mass Register Issue 1498, eff. 6/7/2023 (EMERGENCY).Amended by Mass Register Issue 1503, eff. 9/1/2023.