205 Mass. Reg. 257.03

Current through Register 1523, June 7, 2024
Section 257.03 - Data Sharing
(1) A Sports Wagering Operator shall not share a patron's Confidential Information or Personally Identifiable Information with any third party except as necessary to operate a Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform or to comply with M.G.L. c. 23N, 205 CMR, or any other applicable law, regulation, court order, subpoena, or civil investigative demand of a governmental entity, to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity, debug to identify and repair errors, to investigate, respond to and defend against filed legal claims, and for other reasonable safety and security purposes.
(2) If a Sports Wagering Operator shares a patron's Confidential Information or Personally Identifiable Information pursuant to 257.03(1), the Operator shall take commercially reasonable measures to ensure the party receiving a patron's Confidential Information or Personally Identifiable Information keeps such data private and confidential, except as required to comply with M.G.L. c. 23N, 205 CMR, or any other applicable law, regulation, court order, subpoena, or civil investigative demand of a governmental entity. The party receiving such data shall only use a patron's Confidential Information or Personally Identifiable Information for the purpose(s) for which the data was shared.
(3) If a Sports Wagering Operator deems it necessary to share a patron's Confidential Information or Personally Identifiable Information with a Sports Wagering Vendor, Sports Wagering Subcontractor, or Sports Wagering Registrant in order to operate its Sports Wagering Area, Sports Wagering Facility or Sports Wagering Platform or to comply with M.G.L. c. 23N, 205 CMR, any other applicable law, regulation, court order, subpoena, or civil investigative demand of a governmental entity, a Sports Wagering Operator shall enter into a written agreement with the Sports Wagering Vendor, Sports Wagering Subcontractor or Sports Wagering Registrant, which shall include, at a minimum, the following obligations:
(a) The protection of all Confidential Information or Personally Identifiable Information that may come into the third party's custody or control against a Data Breach;
(b) The implementation and maintenance of a comprehensive data-security program for the protection of Confidential Information and Personally Identifiable Information, which shall include, at a minimum, the following:
1. A security policy for employees relating to the storage, access and transportation of Confidential Information or Personally Identifiable Information;
2. Restrictions on access to Personally Identifying Information and Confidential Information, including the area where such records are kept, secure passwords for electronically stored records and the use of multi-factor authentication;
3. A process for reviewing data security policies and measures at least annually; and
4. An active and ongoing employee security awareness program for all employees who may have access to Confidential Information or Personally Identifiable Information that, at a minimum, advises such employees of the confidentiality of the data, the safeguards required to protect the data and any applicable civil and criminal penalties for noncompliance pursuant to state and federal law.
(c) The implementation, maintenance, and update of security and breach investigation and incident response procedures that are reasonably designed to protect Confidential Information and Personally Identifiable Information from unauthorized access, use, modification, disclosure, manipulation or destruction; and
(d) A requirement that the maintenance of all Confidential Information and Personally Identifiable Information by a Vendor, Subcontractor or Registrant must meet the standards provided in 205 CMR 257.03.
(4) Sports Wagering Operators shall encrypt or hash and protect, including through the use of multi-factor authentication, from incomplete transmission, misrouting, unauthorized message modification, disclosure, duplication or replay all Confidential Information and Personally Identifiable Information.


Adopted by Mass Register Issue 1503, eff. 9/1/2023.