Your Systems and Data Assets
A modern gaming operation is utterly dependent on their systems and their associated data to operate and run the basis of the business. Over a dozen core systems are used to operate a resort business, and new systems are added continuously. These data and systems are some of the most valuable assets in your business and are essential tools to protect and diversify your resort revenue.
Tribal gaming revenue is inherently valuable to your Tribal nation, serving as a fundamental driver of the Tribe’s welfare and the strength of its community by funding essential resources. The development of Indian gaming has proven the importance of Tribal sovereignty while creating greater awareness about sovereign rights. To ensure the protection of Tribal sovereignty, it’s crucial to be aware of and proactive against sovereignty threats, particularly relating to your Tribal gaming operation’s data and systems.
Sovereign Jurisdictional Rights Over Core Systems
Cloud computing is becoming more prevalent in your industry because it can increase efficiency and reduce information technology costs; however, there are substantial risks to Tribal sovereignty by allowing your core systems to enter the cloud. Due to various and often unknown locations of servers holding core systems managed by third-party cloud service providers, operating in the cloud creates jurisdictional ambiguity. At best, a Tribal casino’s guest database in the cloud removes a layer of protection; at worst, it removes the Tribal nation’s sovereign jurisdictional rights protecting core systems.
The increasing prevalence of cyberattacks on your industry coupled with ambiguous jurisdictional governance of cloud operations presents too great a risk to Tribal sovereignty to secure your casino’s core systems anywhere other than inside the protection of the casino firewall on your Tribal land. When Tribal core systems are secured within the firewall of the casino in coordination with carefully planned and executed cybersecurity measures, the threat of a cyberattack compromising your operation can dramatically diminish. Simply put, the ability to operate your gaming business completely detached from the outside world is one of the best cyber protections you can have. However, a core system in the cloud moves your casino’s operation out of Tribal land explicitly protected by sovereignty. As a result, concerns are not only raised around the safety of Tribal data held in the cloud, but also about whether Tribal sovereignty will continue protecting the cloud-hosted data and systems from your Tribal land.
Transborder Data Flows Cyber Intelligence Sharing and Protection Act (CISPA)
Regarding jurisdictional ambiguity and concerns surrounding transborder data flows in the cloud, it is important to be aware that under the Cyber Intelligence Sharing and Protection Act (CISPA), there are over 550 government agencies that have power to access data shared by third parties. This means that third-party data can be shared with the government simply by a vague claim that it is being used for cybersecurity purposes. Putting this in perspective, there are 79 independent agencies and government corporations that can access third-party data under CISPA, along with 24 agencies within the Executive Office of the President, 24 agencies within the Department of Agriculture, 25 agencies within the Department of Commerce, 52 agencies within the Department of Defense, 22 agencies within the Department of Education, 22 agencies within the Department of Health and Human Services, 61 agencies within the Department of Justice, and 61 agencies and bureaus within the Department of State – this encompasses only about two-thirds of the total 550+ capable agencies. Thus, the risk of putting your Tribal data into the cloud is compounded by concerns around the protection of your Tribal sovereignty from state and federal agencies.
Additionally, the Tribe could face third-party litigation once data moves outside Tribal land protected by sovereignty because a data breach exposing the database containing personally identifiable information (PII) would mean that the Tribe can be sued outside the rights of Tribal immunity. Furthermore, if a casino’s data is held by a third party and then seized by outside government entities, the casino will not be informed that its data is under investigation because it is no longer within its control (it will be under the control of the core systems operator). Casino data that is secured on-premise within Tribal land, however, maintains protection from litigation through Tribal sovereignty, and sovereign immunity acts as a strong layer of defense against outside parties taking legal action.
Other potential sovereignty issues arising in the future can pose a serious threat to a Tribal nation whose casino stores data in the cloud. If the U.S. government enacts legislation imposing taxes based on systems or data usage, Tribal data located outside sovereign land could be subject to jurisdiction the cloud server resides in. This is an example of why putting Tribal data into the cloud could open a Pandora’s box, as it’s unknown what measures U.S government bodies will attempt to regulate your operation once an argument can be established asserting that your core systems usage or its data is subject to taxation.
Tribal Sovereignty Over Your Core Systems and Data
When it comes to the possibility of compromising your heavily protected sovereignty as a Tribal nation, your Tribal casino should maintain even greater hesitance and extreme caution. Ask these questions: do you trust the U.S. government and justice system to honor their promises to protect the interest of Tribal nations, and even rely on untested digital protection rights to uphold your Tribal sovereignty?
Powerful measures that can preserve your Tribal data and sovereignty are maintaining possession of your casino core systems and data surrounded by your firewall on Tribal land and enacting proactive Tribal legislation to ensure protection around Tribal data and systems sovereignty.