Gamasutra: The Art & Business of Making Games

Seven Steps to Improved Security

May 2, 2012 | Page 3 of 3

6. Audit User Terms and Privacy Policies Regularly

Game companies should review terms of use, end user license agreements, and privacy policies as part of their data security measures. The laws are changing frequently in this area. A regular review of these documents ensures compliance and could lead to substantially reduced costs in a data breach.

For instance, as a result of developments in 2011, a company should amend its end user license agreements and terms of use in an effort to prevent class action lawsuits. The U.S. Supreme Court ruled in an AT&T case in 2011 that companies can include "no-class action" clauses in their contracts if certain procedures are followed. This one change could save companies millions of dollars in litigation expenses in a data breach.

Generally speaking, the first step is to make sure the company's legal documents contain reasonable dispute resolution provisions that are fair to the consumer in light of the 2007 Bragg v. Linden Lab case.

This first step includes paying attention to items such as putting the consumer on adequate notice of the dispute resolution procedures, offering a meaningful customer service process for informal dispute resolution, allowing a venue for the dispute that is reasonable or perhaps phone arbitration/mediation options, and making certain the costs are not unduly burdensome on the player.

Second, add a section that prevents class action lawsuits or grouping complaints through any other mechanism. Data breaches are expensive enough without having to divert resources to plaintiff's attorneys.

A competent attorney can help your company amend terms of service and end user license agreements to make certain this is done properly. These kinds of edits should always be made in consultation with counsel familiar with this area of the law.

7. Create a Data Breach Response Plan

Having a data breach response plan involves two steps. First, make certain the company has access to the right team of professionals. That team would include internal executives familiar with the company data plans, attorneys familiar with the law, technical experts who can evaluate the cause and extent of a breach, and PR professionals who can adequately communicate with customers after a breach.

Second, have this group coordinate to know -- in advance -- what they would do in data breach situations. It may seem obvious, but planning in advance is cheaper and leads to more efficient communication and execution than working ad hoc in an emergency.

Quickly and clearly communicating about a data breach is usually received positively by the community. This is true even if the company does not have all the information confirmed. Waiting for certainty is usually waiting too long. Delays such as the ones we saw in 2011 (over a week, in some instances) are not looked on favorably.


The game industry was the target of numerous successful attacks last year. In 2012, it will likely collect more personal information than ever before -- and will thus likely be a bigger target than ever before.

The industry is growing as a target because its monetary worth and cultural presence are growing. Games are indisputably the most valuable entertainment products of any kind. With a total value of $74 billion in 2011, and predicted growth to $112 billion by 2015, it is absolutely going to attract unwanted attention.

The film, music, sports, and print industries all provide entertainment, but do not have as much access to a consumer's personal information and are not experiencing growth comparable to the game industry. Much of that growth is directly tied to the data through digital distribution, multi-platform interconnectivity, social networks, and mobile platforms.

In 2012, the industry has to do better than 2011 protecting customer data. It has to do better because it is the right thing to do for our customers and because it is more profitable for everyone involved in the industry. As connectivity and data collection increase, they change the character of what companies are selling.

Traditionally, the game industry is selling entertainment and that will always be true. But as we move forward, the industry has to understand that what it is selling is trust. While the risks associated with storing a huge volume of consumer data cannot be completely eliminated, they can be managed.

Acknowledgement: The authors would like to thank Justin Berman, senior security engineer at Aspect Security, for his review of and contributions to this article.
