Thursday, September 24, 2009

Thursday AM: Best Practices in a Worst Case Scenario: How to React Intelligently to a Security Breach

Steven Davis, CEO, IT GlobalSecure Inc. & SecurePlay
Benjamin T. Duranske, Attorney, Pillsbury Winthrop Shaw Pittman LLP


Books:

"Virtual Law: Navigating the Legal Landscape of Virtual Worlds" by Duranske
"Protecting Gamers: A Security Handbook for Game Developers and Publishers" by Davis

Davis has a blog called "Play No Evil."

Eve Online had someone break into the game itself; the company wasn't sure what they were doing and took the game offline for a few days. Earlier today or yesterday, they had a smaller incident where someone got into the online volunteer service. Again, they took it down. No accounts were compromised.

Dramatic breaks versus ongoing problems.

One free-to-play game had a SQL injection that allowed a backdoor. The attackers copied the entirety of the server-side software and were able to create pirated servers, selling in-world virtual goods much cheaper in the pirated world.

Evaluate your privacy promises/standards. Understand the scope of your risks. Prioritize your privacy resources based on risk. This policy is generally set up pretty early in the start-up process. Privacy law is among the most complex areas of law since it is distributed across the states, and the laws are constantly under revision. Ex: MA will require encryption, which impacts both paper and electronic records. Compliance with 50 states is very difficult, but most states require you to follow their privacy rules if you have users in their state. If you are honest and up front about the data, you can actually do a lot of things.

Many companies keep zip code, DOB, and gender, which together can identify 60-87% of individuals. They advocated over-disclosure.

For a security breach, the privacy policy probably has a section that says "In the event of a data security breach, this is what we are going to do ..."

BBB certification, if done properly, gives you a safe harbor under European privacy law. If you are deploying to Europe, you must be very careful about what you are doing with that data. Privacy policy needs to say things like "It is OK for us to export this data to the US."

European perspective: the government is good and we should give it all of our data (the opposite of the US view).

Compromised records are typically valued at $600-800 per record. You frequently have to offer the affected users free credit counseling, free credit monitoring, etc.

Marketers will approach start-ups to get their data. This can include valuable things like chat logs. Who did someone talk to? What did they talk about? What type of relationship do they have? This must be addressed in a privacy policy.

Why encourage companies to maintain this data for a long time? Document retention policy. The reality is that it is not always in the company's best interest. There are some things you are required by law to keep: COPPA. You should keep user transaction records for a little while. It is a good idea not to keep everything indefinitely, because of security breaches and the ability to respond to a subpoena. Ex: Linden Lab (LL) retains data regarding users involved in lawsuits on trademark infringement, and was able to provide a lot of data on that user in response to a subpoena. Retrofitting systems that did not anticipate what people would do can be very difficult and expensive.

Bragg v. Linden. After new subpoenas, is LL continuing to hold that much info? Any trends in what they are holding? Bragg sued LL after being banned over how he purchased land. Bragg put the discovery online, which shows a great deal of what LL keeps.

What to worry about: 7-figure security (AKA "world killers"):

If there isn't at least $1M involved...
Fraud (payment fraud)
Personal information disclosure (CA disclosure law)
COPPA (gives you a legal safe harbor if you properly comply)
Piracy
In-game fraud/scams
Banning (cheating or griefing)
Proprietary data disclosure
...and (at least) $2 for $2 ROI

If your game or the marketing in it appears to be geared towards children, then you are subject to COPPA.

Who compromised the data? Who is accountable for it? From a legal perspective, if you have registered the copyright in your software (costs $35 and takes 20-50 pages of the source code), you instantly have a far more powerful legal tool than if you had not done it. Registered copyrights give you access to attorney's fees and damages. This should be done every time you update, or at least quarterly.

To ban or not to ban? You really want to avoid it. If you can design the game so that there is nothing they can do that is bannable, that means lower customer support costs and a paying customer who stays a paying customer. People who are interested enough to do something bannable are people seriously invested in your game.

Know the laws/regulations and track changes. Hundreds of them in the US alone, even more internationally.

Trademark your virtual goods and register those trademarks! If you are not actively policing this, you can actually lose the trademark. So don't let it slide.

Glider in WoW: the user had a legitimate copy of the game, and Glider edited its memory space. The case worked because Glider was specifically built for WoW. Cheat Engine is not as capable, since it is a generic memory editor. Copying a piece of software into RAM can be considered copyright infringement.

Things fall apart when it can be argued that the company is doing too much or making things too big.

ABA Science and Technology Law is a co-sponsor of the Digital Law Conference. They have programs like this all the time, on the intersection between law and tech. Webcasts and teleconferences too.

Five Steps to Security Breach Response:

1. Incident Response Team
2. Be prepared, anticipate problems
3. Discovery and investigation
4. Consumer notification
5. Post-mortem, learn from mistakes, apply best practices

Legal, business, technical, and PR should all be involved in #1 (the incident response team), with people senior enough to speak for the organization. Have rough plans in place. Make it easy for the customer support guy to rapidly get to #1. "Do not disturb the scene of the crime." By stopping things and closing loopholes before the investigation, they can actually do more damage. Escalate it to the IRT quickly.
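One way to act on "do not disturb the scene of the crime" before anyone starts cleaning up: hash the collected evidence once, so the IRT can later prove what was (or was not) altered. This is an added example written for these notes, not code from the session or the speakers; the collector name and the two sample capture files are constructed.

```python
import hashlib
import os
import tempfile
import time

def sha256_file(path, chunk=65536):
    # Hash in chunks so large captures (disk images, pcaps) are not read into memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir, collector):
    # Chain-of-custody record: written once, before any remediation, so that
    # later changes to the evidence can be detected and explained.
    entries = {}
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            entries[rel] = {"size": os.path.getsize(path), "sha256": sha256_file(path)}
    return {"collected_at": time.time(), "collector": collector, "files": entries}

def verify_manifest(evidence_dir, manifest):
    # Return the relative paths that changed or vanished; an empty list means intact.
    problems = []
    for rel, rec in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path) or sha256_file(path) != rec["sha256"]:
            problems.append(rel)
    return problems

def demo():
    # Constructed sample evidence (not real logs): two files captured from a host.
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Sep 24 09:12:01 host sshd: Accepted password for support\n")
        with open(os.path.join(d, "netstat.txt"), "w") as f:
            f.write("tcp 0 0 10.0.0.5:443 10.0.0.9:51322 ESTABLISHED\n")
        manifest = build_manifest(d, collector="irt-oncall")  # hypothetical collector id
        before = verify_manifest(d, manifest)  # evidence untouched so far
        # Simulate a well-meaning cleanup that edits the log before the IRT looks at it.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("Sep 24 09:40:00 host cleanup: removed suspicious entries\n")
        after = verify_manifest(d, manifest)  # the edited file is flagged
        return before, after
```

The manifest should itself be stored somewhere the responders, not the affected system, control; verify_manifest then tells you which captures can still be trusted as evidence.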
