Section 257.06 - Data Breaches(1) In the event of a suspected Data Breach involving a patron's Confidential Information or Personally Identifiable Information, a Sports Wagering Operator shall immediately notify the Commission and commence an investigation of the suspected Data Breach, which shall be commenced no less than five days from the discovery of the suspected breach, and completed as soon as reasonably practicable thereafter.(2) Following completion of the investigation specified pursuant to 205 CMR 257.06(1), the Sports Wagering Operator shall submit a written report to the Commission describing the suspected Data Breach and stating whether any patron's Confidential Information or Personally Identifying Information was subjected to unauthorized access. Unless the Sports Wagering Operator shows that unauthorized access did not occur, the Sports Wagering Operator's written report shall also detail the Operator's plan to remediate the Data Breach, mitigate its effects, and prevent Data Breaches of a similar nature from occurring in the future.(3) Upon request by the Commission, the Sports Wagering Operator shall provide a report from a qualified third-party forensic examiner, the cost of which shall be borne by the Sports Wagering Operator being examined.(4) In addition to the other provisions of 205 CMR 257.06, the Sports Wagering Operator shall be required to comply with any other legal requirements applicable to such Data Breaches or suspected Data Breaches, including its obligations pursuant to M.G.L. c. 93H and 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.Adopted by Mass Register Issue 1503, eff. 9/1/2023.