205 Mass. Reg. 257.05

Current through Register 1523, June 7, 2024
Section 257.05 - Data Program Responsibilities
(1) A Sports Wagering Operator shall develop, implement and maintain comprehensive administrative, technical and physical data privacy and security policies appropriate to the size and scope of business and addressing, at a minimum:
(a) Practices to protect the confidentiality, integrity and accessibility of Confidential Information or Personally Identifiable Information;
(b) The secure storage, access and transportation of Confidential Information or Personally Identifiable Information, including the use of encryption and multi-factor authentication;
(c) The secure and timely disposal of Confidential Information or Personally Identifiable Information, including data retention policies;
(d) Employee training on data privacy and cybersecurity for employees who may have access to Confidential Information or Personally Identifiable Information that, at a minimum, advises such employees of the confidentiality of the data, the safeguards required to protect the data and any applicable civil and criminal penalties for noncompliance pursuant to state and federal law;
(e) Restrictions on access to Personally Identifying Information or Confidential Information, including the area where such records are kept, secure passwords for electronically stored records and the use of multi-factor authentication;
(f) Reasonable monitoring of systems, for unauthorized use of or access to Confidential Information or Personally Identifying Information;
(g) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis;
(h) Cybersecurity insurance, which shall include, at a minimum, coverage for data compromise response, identity recovery, computer attack, cyber extortion and network security;
(i) Data Breach investigation and incident response procedures;
(j) Imposing disciplinary measures for violations of Confidential Information and Personally Identifiable Information policies;
(k) Active oversight and auditing of compliance by Vendors, Registrants, or Subcontractors with 205 CMR 257.03(3) and with the Operator's Confidential Information and Personally Identifying Information policies;
(l) Quarterly information system audits; and
(m) A process for reviewing and, if necessary, updating data privacy policies at least annually.
(2) A Sports Wagering Operator shall maintain on its website and Sports Wagering Platform a readily accessible copy of a written policy explaining to a patron the Confidential Information and Personally Identifiable Information that is required to be collected by the Sports Wagering Operator, the purpose for which Confidential Information or Personally Identifiable Information is being collected, the conditions under which a patron's Confidential Information or Personally Identifiable Information may be disclosed, and the measures implemented to otherwise protect a patron's Confidential Information or Personally Identifiable Information. A Sports Wagering Operator shall require a patron to agree to the policy prior to collecting any Confidential Information or Personally Identifiable Information, and require a patron to agree to any material updates. Agreement to this policy shall not constitute required consent for any additional uses of information.
(3) A Sports Wagering Operator, Sports Wagering Vendor, Sports Wagering Subcontractor, Sports Wagering Registrant, or Person to whom an Occupational License is issued shall comply with all applicable state and federal requirements for data security, including M.G.L. c. 93A, M.G.L. c. 93H, 940 CMR 3.00: General Regulations, 940 CMR 6.00: Retail Advertising and 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.

205 CMR 257.05

Adopted by Mass Register Issue 1503, eff. 9/1/2023.