Seven Steps to Improved Security
May 2, 2012 Page 1 of 3
While privacy and data security are hot topics everywhere these days, they are of particular interest to the game industry. Vast quantities of consumer data are generated every day in the game industry, including through consoles, websites, and mobile devices. Data can be a significant asset in that it provides valuable insight into a consumer's behavior which can be used to improve games and target messages and offerings. However, data can also be a liability.
Data breaches in games are prevalent. In 2011 alone, Sega, Nexon, Codemasters, Sony, Bethesda, Square Enix, and Valve were all targets of successful attacks. We can be certain in 2012 that any game company handling substantial personal information will continue to be a target as well.
The costs associated with a data breach are usually described as several dollars to several hundred dollars per affected record (depending on the extent of the breach and the items included in the long-term costs). Considering that many of the data breaches last year affected more than a million records, those costs are significant.
One company was attacked several times and had a total of more than 100 million records affected, leading to a cost of about $170 million dollars in the month after the attack and projections of over a billion dollars as an all-inclusive cost.
Some costs of a data breach are easier to identify than others. The cost areas range from legal compliance to the potential for lost profits. For legal compliance, consider that there are currently 46 states with data breach notification laws that require companies to inform users in the event of a breach with respect to their personal information. Each law has its own unique requirements, which can make compliance an expensive endeavor in the event of a breach.
Beyond notification and legal compliance, there is lost revenue associated with downtime for the hacked network. There are the customer service and PR costs to consider -- these often include credit and identity theft monitoring services for the affected records. There are the promotional costs of give-aways and "welcome back" packages to regain consumer confidence. Unfortunately, the costs often include settling litigation and regulatory investigations that result from the data breach. As an example, one of the largest breaches this year was followed by 25 class action lawsuits and a congressional investigation.
Clearly, the game industry is substantially threatened by data privacy and security issues. Furthermore, given the number and scale of the breaches in 2011, it is also clear the industry, as a whole, was not ready for that threat. Going forward, what can the game industry do to minimize further damage?
The seven steps below are a good start. You might be surprised to see that only one piece of advice is "technical". Data security and privacy must be driven by sound decisions on a policy level. The technology is only as good as the planning and decision-making behind it.
1. Take Inventory
Take stock of the personal information the company has in its possession or control. A company cannot know what to protect if it does not know what it is storing.
Is there a person in your company that knows all of the customer data collected and where it is located? Is that person both responsible and adequately empowered to make decisions to protect that data? If your company is like most game companies, the answer to that question is probably "no" and in the best cases, it is a "maybe".
Since data issues are not exclusive to one particular business function, an organization should have a privacy steering committee which consists of representatives from information technology, legal, management, public relations and human resources.
The group should be led by one chief privacy officer, or someone with a similar title and authority. This group needs to understand what customer information the company has, how it is stored, how to control its transfer, and how/when to delete it.
2. Reduce Inventory
Think about what data the company can do without. A company cannot lose data it doesn't have. Reevaluate the company policies and consider not storing and collecting data in each instance. Only collect the data really needed -- and that means data tied directly to business goals.
On the whole, game companies collect a lot more data than they actually use, especially in these days of mandatory registration. Just five years ago, with the rare exception of MMOs, the idea of mandatory account registration or an "always on" internet connection in the name of DRM and marketing would be viewed as ridiculous. Today those practices are becoming the norm even for single player games. Consider that data loss was not a substantial problem in the 1990s because companies did not have the data to lose.
Match the data to the goals of your business. Collectively, we need a better reason than "marketing purposes" to collect data. There is a 21st century problem across many technically-sophisticated industries: substituting data collection and analysis for good judgment.
Data should only be collected if it is part of a focused, clear strategy for adding value to the game company and preferably that collection should improve the entertainment products and experiences offered to consumers. Stated another way, data should only be collected if it is going to be used and the benefits of using it outweigh the costs of collecting, safely storing, and disposing of the data.
Monthly subscription renewal for auto-billing makes sense, as well as similar collection for the purchase of virtual goods and DLC. These are directly related to revenue gains, because we know that when players have to re-enter that information, you'll lose sales. Collecting email addresses for a newsletter also makes sense if it is managed properly.
But what about the data we have stored for years on older games, or data on the demographics of our user base? Do we really need to know that in 2009 the company was very popular among men 35-37 in the 10038 zip code? Even if that is important, is there any reason to store data we derived that information from?
Page 1 of 3