24 NCAC 06A .0420         Personal Information Security

(a)  Information an Operator obtains with respect to the creation and maintenance of a Wagering Account, including Personal Information and authentication credentials, shall be collected in compliance with the Operator's privacy policies set forth in its Internal Controls; local privacy regulations; applicable state and federal law; and standards enforced by the Commission or Director. Both Personal Information and the Wagering Account funds shall be considered to be critical assets for risk assessment.

(b)  No employee or agent of the Operator shall divulge to any Person Personal Information or Confidential Player Information, information about the placing of a Wager, or other Sensitive Information related to the operation of the Operator without the consent of the Player, except as required by this Rule, the Commission, and as otherwise required or allowed by state or federal law. By way of illustration, an Operator may obtain consent from the Player via agreement to the Operator's Privacy Policy or other similar means.

(c)  The Operator shall implement procedures for the security and sharing of Personal Information, information about funds in a Wagering Account, and other Sensitive Information as required by the Commission, including, but not limited to the:

(1)           designation and identification of one or more employees, including but not limited to contractors or other personnel, having primary responsibility for the design, implementation, and ongoing evaluation of these procedures and practices;

(2)           procedures to be used to determine the nature and scope of information collected, the locations and manner in which this information is stored, and the storage devices on which this information may be recorded for purposes of storage or transfer;

(3)           measures to be used to protect information from unauthorized access; and

(4)           procedures to be used if a breach of data security has occurred, including required notification to the Commission.

 

History Note:        Authority G.S. 18C-114(a)(14);

Previously adopted as Rule 1D-020;

Eff. January 8, 2024;

Readopted Eff. March 27, 2024.