Casinos and sportsbooks tapping, for the first time, what used to be an illegal multibillion-dollar betting market for the NCAA men’s basketball tournament run the risk of violating state privacy and data-security laws if their systems are compromised by cybercriminals.

Operators are likely to see millions in enforcement fines if they can’t adequately protect bettors’ data or don’t notify users soon after any breach, privacy and gaming attorneys said.

Sportsbooks and casinos have to deal “with a patchwork of state regulations” that can make compliance burdensome, said David O. Klein, managing partner at Klein Moynihan Turco LLP in New York who focuses on gaming and privacy law. Operators can make compliance easier by following industry encryption standards, limiting unnecessary data-sharing partnerships, and having data breach notification plans, he said.

Legalized sports gambling boomed after the U.S. Supreme Court last year struck down the Professional and Amateur Sports Protection Act. The decision led to seven states legalizing sports gaming for the first time, including New Jersey, Delaware, and Pennsylvania. Only Nevada could take legal sports bets prior to the top court’s decision.

New legal-gaming laws and those pending in states like New York allow casinos and sportsbooks to get their share of the “$9.7 billion illegally bet on the NCAA men’s basketball tournament,” Brian Egger, Bloomberg Intelligence senior industry analyst, said.

But new revenue could be at risk if an operator is hit with a hacking attack in the run-up to the tournament. It is “fairly common for” gambling operations to see increased cyber-activity around the NCAA tournament, Parnian Borazjani, senior cybersecurity analyst at FireEye Inc., said. Cybercriminals can “exploit large, unsupervised electronic fund transfers associated with online gambling platforms to launder money,” she said.

Sports-betting operators say they are training day-to-day employees on data protection and data security requirements; following international, federal, and state privacy and gaming laws; implementing payment-card industry standards; and investing in data security protections.

MGM Resorts has operated sportsbooks for decades and “always made protecting data a top priority,” a company spokesman said on the condition of anonymity.

The company “has rigorous standards for security and we will continue to develop and implement digital strategies designed to provide a safe and enjoyable experience for all of our guests.”

Patchwork

States upped their privacy focus after the Facebook Inc.-Cambridge Analytica data scandal was revealed in 2018. The event led to California passing a tough new privacy law. Others, like Washington and Massachusetts, are considering similar measures to hold companies accountable for privacy failures.

Absent a privacy law, states will use their consumer-protection statutes to enforce compliance. For example, multiple state attorneys general obtained $148 million from Uber Technologies Inc. after its 2016 data breach.

“Legalized sports gaming in the U.S. is relatively new so you can easily imagine state regulators – such as state attorneys general – taking the lead when it comes” to enforcing these standards, Craig Newman, chair of Patterson Belknap Webb & Tyler LLP’s privacy & data security group, said.

State gaming laws also have data-security obligations, privacy attorneys said.

For example, Massachusetts’s fantasy-sports regulations require operators to follow state data security rules. In case of a data breach, “the operator would need to follow the requirements in those laws, such as providing breach notification letters to consumers and notifying state attorney generals and other agencies where required,” said Michelle W. Cohen, member of Ifrah PLLC and chair of the firm’s privacy and data security practice.

New Jersey and Pennsylvania also have gaming data security requirements, while others have data security “sprinkled throughout” their gaming laws, said Cohen, who also focuses on gaming law. The intersection of privacy, data security, and gaming laws is evolving, she said.

Casinos and sportsbooks may implement top-notch privacy and data security protections throughout the year. But during major events they need to stay even more alert, cybersecurity pros said.

“Financially-motivated criminals are the most prolific threat to the casino and online gambling industry,” especially during the tournament, Borazjani said.