Generally speaking, the first step is to make sure the company's legal documents contain reasonable dispute resolution provisions that are fair to the consumer in light of the 2007 Bragg v. Linden Lab case.
This first step includes paying attention to items such as putting the consumer on adequate notice of the dispute resolution procedures, offering meaningful customer service process for informal dispute resolution, allowing a venue for the dispute that is reasonable or perhaps phone arbitration/mediation options, and making certain the costs are not unduly burdensome on the player.
Second, add a section that prevents class action lawsuits or grouping complaints through any other mechanism. Data breaches are expensive enough without having to divert resources to plaintiff's attorneys.
A competent attorney can help your company amend terms of service and end user license agreements to make certain this is done properly. These kinds of edits should always be made in consultation with counsel familiar with this area of the law.
Having a data breach response plan involves two steps. First, make certain the company has access to the right team of professionals. That team would include internal executives familiar with the company data plans, attorneys familiar with the law, technical experts who can evaluate the cause and extent of a breach, and PR professionals who can adequately communicate the with customers after a breach.
Second, have this group coordinate to know -- in advance -- what they would do in data breach situations. It may seem obvious, but planning in advance is cheaper and leads to more efficient communication and execution than working ad hoc in an emergency.
Quickly and clearly communicating about a data breach is usually received positively by the community. This is true even if the company does not have all the information confirmed. Waiting for certainty is usually waiting too long. Delays such as the ones we saw in 2011 (over a week, in some instances) are not looked on favorably.
The game industry was the target of numerous successful attacks last year. In 2012, it will likely collect more personal information than ever before -- and will thus likely be a bigger target than ever before.
The industry is growing as a target because its monetary worth and cultural presence is growing. Games are indisputably the most valuable entertainment products of any kind. With a total value of $74 billion dollars in 2011, and predicted growth to $112 billion by 2015, it is absolutely going to attract unwanted attention.
The film, music, sports, and print industries all provide entertainment, but do not have as much access to a consumer's personal information and are not experiencing growth comparable to the game industry. Much of that growth is directly tied to the data through digital distribution, multi-platform interconnectivity, social networks, and mobile platforms.
In 2012, the industry has to do better than 2011 protecting customer data. It has to do better because it is the right thing to do for our customers and because it is more profitable for everyone involved in the industry. As connectivity and data collection increases, it changes the character of what companies are selling.
Traditionally, the game industry is selling entertainment and that will always be true. But as we move forward, the industry has to understand that what it is selling is trust. While the risks associated with storing a huge volume of consumer data cannot be completely eliminated, they can be managed.
Acknowledgement: The authors would like to thank Justin Berman, senior security engineer at Aspect Security for his review of and contributions to this article.