Data security incidents have unique considerations and implications for tribal entities.
Several tribal entities experienced significant ransomware incidents this past year, and given the overall impression that casinos have access to large amounts of cash, threat actors view tribally owned casinos as favorable victims.
For Native American tribes and Alaska Native Corporations, incident response is not one-size-fits-all. While a tribe itself may be a sovereign nation, most tribes operate complex business ventures, including those in the tourism, mobile gaming, manufacturing, and healthcare spaces. The general idea that all governmental and commercial activities both on- and off-reservation are protected by sovereign immunity is changing in today’s virtual world. For instance, federal courts are now weighing issues related to tribal casinos’ operation of online gaming, which may ultimately impact the applicability of state and federal privacy regulations.
Data governance and privacy regulations should be top of mind for leadership. Tribes typically hold four classes of data: Commerce (IRS Form W-2G, contracts); Government (member information, employment); Member Services (health, housing, funding); and Cultural (language records, photo archives). Tribes should invest in determining the value and location of each class of data; it is more than an exercise in data mapping – it is a key element in cyber preparedness. Tribes also should focus on compliance with privacy regulations. Many tribal entities are now working to implement their own privacy laws and assess what risks they might face if a federal privacy law were to be enacted. Tribes can enact laws to direct how they want to protect the data they hold, and compliance with these laws should be incorporated into the incident response plan.