The hackers are coming for the gamers: Legal risks and best practices for minimizing liability

31 October 2022

As COVID-19 lockdowns deterred people from leaving their homes, millions turned to video games to escape the four walls of their dwellings and enter the expansive virtual world, where they could connect with family and friends in an unconventional way. For many people, playing video games became something to look forward to after a long "work from home" day and a way to cope with boredom, isolation and mental health issues.

The gaming industry was one of the great beneficiaries of the pandemic, increasing 26 per cent between 2019 and 2021.[1] According to a recent PricewaterhouseCoopers (PwC) report, the global gaming industry will expand to be worth $321 billion by 2026.[2]

Unfortunately, as gamers have increased in number and consumers spend more time in expansive virtual worlds, there has also been a significant increase in cybercrimes and in cybercriminals seeking to steal people's personal information and real-world dollars.

Global security and digital privacy company Kaspersky released a report (the "Kaspersky findings") noting that in the first half of 2022, there was increased activity of cybercriminals abusing gamers.[3] Cyber security experts have warned that cybercrime in gaming has increased since the start of the pandemic, lurking in cheat codes, micro-transactions and messages exchanged online with other players. Gamers attempting to download new games from unsecure or untrustworthy sources have ended up downloading malicious software and losing their gaming accounts and money. Further, the Kaspersky findings confirm that in some instances, unwanted installations of a category of spyware capable of "tracking any data entered on the keyboard and taking screenshots" were detected.[4] According to the Akamai Report published in August 2022, web application cyberattacks increased by 167 per cent from May 2021 to April 2022 compared to the same time the year before.[5]

Gaming companies have become increasingly lucrative targets for cybercriminals as the range of cyberattacks has expanded. Further, the growing amount of data collected by gaming companies makes them attractive targets.[6] These companies are more vulnerable to data breaches that cause loss of customer data and, in addition, to having their product offerings (i.e. games and platforms) taken offline temporarily. As a result, customers of gaming companies (i.e. individual players) can easily lose game progress, money and sensitive personal data. Cyber-related risks will only intensify as gaming companies become more involved with selling, buying, trading or holding customers' digital assets, such as game tokens and coins that can be used to purchase digital products in the expansive virtual worlds.[7] According to the Kaspersky findings, of the 28 games included in the scope of research, the three with the highest number of malicious and unwanted files were Minecraft, FIFA and Roblox.[8]

Gaming company executives must be mindful of their legal obligation to protect user information and ensure that their product offerings (i.e. games and platforms) are safe environments. Canadian privacy law governing the commercial collection of personal information requires in general terms that businesses implement safeguards to protect personal information. For instance, the federal law that also governs most Canadian provinces requires security safeguards to "protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification."[9] Note that this law is expected to be replaced soon by the Consumer Privacy Protection Act,[10] which will have similar obligations.[11]

Cyber risk management is a fundamental issue for organizations of all sizes, and smaller gaming companies are by no means exempt. Under Canadian law, directors of corporations are responsible for managing and supervising the management of the corporation's business and affairs. Generally, corporate directors are required to act honestly and in good faith with a view to the best interests of their corporation. Further, they must exercise the care, skill and diligence that a reasonably prudent person would exercise in comparable circumstances. With respect to cyber risk management, corporate directors are increasingly expected to play an active role in determining the corporation's risk tolerance, ensuring that management has taken reasonable steps to identify and manage risks through an appropriate risk management program, and finally, monitoring any significant risks that may affect the corporation. And, while the current federal law does not impose personal liability on directors and officers for breaches, Québec's new Bill 64 imposes stiff fines for individuals who fail to take appropriate security measures to protect personal information.[12]

For game developers, as for any company collecting private information, the best medicine for cyberattacks is still prevention. Companies designing and operating games and game platforms should adhere to the bedrock principles of Canada's current and incoming data protection laws by limiting collection to the data they actually need, seeking informed consent to collect data from the gamers using their products, limiting the uses to which the data is put and the length of time it is retained, and ensuring security safeguards are in place to protect gamers' personal information.

[1] Ampere Analysis, "Global Games Market Forecast to Decline in 2022: A Reversal in Fortune after the Games Market's 26% Expansion during the Pandemic" (5 July 2022), (Accessed 18 October 2022); see also World Economic Forum, "Gaming is Booming and is Expected to Keep Growing." (28 July 2022), (Accessed 18 October 2022).

[2] PwC, "Global Entertainment & Media Outlook 2022-2026" (2022), (Accessed 18 October 2022).

[3] Kaspersky, "Good game, Well played: an Overview of Gaming-related Cyberthreats in 2022", (6 September 2022), (Accessed 18 October 2022).

[4] Kaspersky, "Malware that Steals Credentials and Credit Card Details Abuses the Biggest New Games", (6 September 2022), (Accessed 18 October 2022).

[5] Akamai, "Gaming Respawned: Cyberattacks on Players and Gaming Companies Rise Again" (August 2022), (Accessed 18 October 2022).

[6] E&Y, "What's Possible for the Gaming Industry in the Next Dimension (Chapter 2: Gaming Data Security and Cyber Risks)" (Gaming Industry Survey 2022) (Accessed 18 October 2022).

[7] Ibid.

[8] Supra note 3.

[9] Personal Information Protection and Electronic Documents Act, SC 2000, c 5, s.5(1) and Schedule 1, 4.7 Principle 7 - Safeguards.

[10] Alycia Riley and Jasmine Samra, "Bill C-27: Canada Reintroduces Sweeping Changes To Federal Privacy Law, Proposes New AI Legislation" (24 June 2022).

[11] Bill C-27, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts, s.57(1).

[12] Julia Kappler et al., "Bill 64 Marks A New Direction In Quebec Privacy Law — Key Takeaways For Businesses" (27 April 2022).

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.