While privacy and data security are hot topics everywhere these days, they are of particular interest to the game industry. Vast quantities of consumer data are generated every day in the game industry, including through consoles, websites, and mobile devices. Data can be a significant asset in that it provides valuable insight into a consumer’s behavior which can be used to improve games and target messages and offerings. However, data can also be a liability.
Data breaches in games are prevalent. In 2011 alone, Sega, Nexon, Codemasters, Sony, Bethesda, Square Enix, and Valve were all targets of successful attacks. We can be certain in 2012 that any game company handling substantial personal information will continue to be a target as well.
The costs associated with a data breach are usually described as several dollars to several hundred dollars per affected record (depending on the extent of the breach and the items included in the long-term costs). Considering that many of the data breaches last year affected more than a million records, those costs are significant.
One company was attacked several times and had a total of more than 100 million records affected, leading to a cost of about $170 million dollars in the month after the attack and projections of over a billion dollars as an all-inclusive cost.
Some costs of a data breach are easier to identify than others. The cost areas range from legal compliance to the potential for lost profits. For legal compliance, consider that there are currently 46 states with data breach notification laws that require companies to inform users in the event of a breach with respect to their personal information. Each law has its own unique requirements, which can make compliance an expensive endeavor in the event of a breach.
Beyond notification and legal compliance, there is lost revenue associated with downtime for the hacked network. There are the customer service and PR costs to consider — these often include credit and identity theft monitoring services for the affected records. There are the promotional costs of give-aways and “welcome back” packages to regain consumer confidence. Unfortunately, the costs often include settling litigation and regulatory investigations that result from the data breach. As an example, one of the largest breaches this year was followed by 25 class action lawsuits and a congressional investigation.
Clearly, the game industry is substantially threatened by data privacy and security issues. Furthermore, given the number and scale of the breaches in 2011, it is also clear the industry, as a whole, was not ready for that threat. Going forward, what can the game industry do to minimize further damage?
The seven steps below are a good start. You might be surprised to see that only one piece of advice is “technical”. Data security and privacy must be driven by sound decisions on a policy level. The technology is only as good as the planning and decision-making behind it.