To thrive in the metaverse, companies entering this uncharted virtual territory must consider how they collect, use, and manage data.
As the metaverse grows in popularity, analysts estimate that this new virtual environment could generate $13 trillion in global sales by 2030. The metaverse promises to expand and digitally transform a wide range of sectors, including retail, gaming, media and entertainment, banking and financial services, real estate and insurance.
Businesses recognize the tremendous potential of the metaverse: according to one study, investments in the metaverse exceeded $120 billion in the first half of 2022 alone. It is clear that the metaverse will offer a wealth of opportunities for new business models, products and services. It is equally clear that data is the fuel for these new opportunities.
With the data-driven capabilities of the metaverse come a variety of novel privacy risks, data security risks and regulatory compliance challenges. Laws and regulations designed to address the problems posed by new technologies often lag behind their rapid evolution, and the metaverse is no exception. For example, many countries are currently drafting legislation to regulate the development and deployment of AI, and proposals to regulate the collection and use of biometric data are proliferating around the world. Additionally, a wave of sweeping new privacy laws continues to reshape the data landscape.
Many of these laws are potentially relevant in the metaverse, and policy experts continue to debate the need for metaverse-specific data laws. As more companies enter the metaverse and virtual life becomes mainstream, companies cannot wait for specific legal guidance; they must make progress now in addressing the privacy and cybersecurity risks associated with the metaverse.
Here are five steps organizations can take now to proactively protect data in the metaverse:
1. Take protective measures before entering the metaverse. Before companies enter the metaverse, they should understand what data they intend to collect, use and share there, and for what purposes. Taking inventory of information assets and preparing data flow maps that trace the lifecycle of data generated in the metaverse (what is collected, where it is stored, who processes it, and when it is deleted) is a critical first step. With this knowledge, a company can make strategic decisions about which information needs to be protected, from both a consumer protection and a business perspective.
In addition, "privacy by design" (i.e., considering data protection during the design phase and throughout the development of product and service offerings) is more important than ever in the metaverse. Organizations that treat the metaverse as a digital playground or innovation lab without due regard for information protection are likely to have only a brief experience with it, especially given the importance of user trust in a world where information gathering is ubiquitous.
2. Assess the risks associated with new metaverse offerings and implement appropriate mitigations. Product and service offerings in the metaverse will undoubtedly introduce new risks for companies operating in this space. For example, immersive environments depend on the continuous collection of physiological data (such as body movement, gaze and voice), much of which may qualify as sensitive personal data, including biometric data, under existing laws; organizations must reconcile the heightened requirements that attach to such data with the way these services work. Conducting data protection impact assessments is a useful way to identify the relevant risks and select appropriate remedial action.
Organizations should consider questions such as: how much data they collect in the metaverse and why (e.g., is the data necessary to provide the relevant services?); from whom the data is collected and with whom it is shared; what additional information can be derived from the collected data and how that derived data may be used; whether individuals have been adequately informed of the company's data practices in the metaverse, and how that notice was delivered; and what security measures, beyond existing controls, may be required to protect data in the metaverse.
3. Create a privacy program that conforms to shared global principles. It is not clear how, or which, existing privacy laws will apply in a borderless virtual world. For example, if a California resident meets an EU citizen in a metaverse meeting room operated by a multinational company that does business in both California and the EU, does the CCPA apply to the data associated with that interaction? The GDPR? Both? Or will legislatures eventually treat the metaverse as its own jurisdiction, governed by future metaverse-specific statutes?
Given this uncertainty about which privacy laws will apply, companies joining the metaverse should build a responsible privacy framework that conforms to shared global principles. Such a framework should provide appropriate transparency (i.e., notice and choice), facilitate the exercise of individual data protection rights, integrate appropriate safeguards and incident response measures, adopt a risk-based approach to privacy protection and responsible innovation, and ensure accountability for data processing in the metaverse.
4. Implement appropriate data protection measures in the metaverse. Data security is critical to success in the metaverse, especially given the high potential for cyberattacks of all kinds (such as social engineering, data breaches, theft of virtual identities and digital property, account takeovers, compromise of VR and AR devices, and attacks on data integrity). As the metaverse evolves, new threats will inevitably emerge. The CIS Critical Security Controls provide a useful set of recommended actions to consider as part of a robust metaverse cyber defense strategy.
As a starting point, companies should focus on secure software development. Secure coding, rigorous software testing, and strong account security features (for example, multi-factor authentication for the accounts that hold virtual identities and assets) should be top priorities for all metaverse businesses. Certain technologies can also help mitigate anticipated security risks. For example, a blockchain ledger can provide a tamper-evident record of ownership for digital assets such as NFTs (though it does not protect the private keys and accounts whose compromise is the usual route to theft), and AI-based analytics can help detect and prevent fraud. As the metaverse takes shape and new security threats are identified, organizations should work together to develop a set of metaverse-specific protocols to serve as a guide to data security best practices in this environment.
5. Respond when something goes wrong in the metaverse. Security incidents are inevitable in the metaverse, due in large part to the novel opportunities this virtual environment offers threat actors. Organizations operating in the metaverse should adjust their incident response plans to anticipate the new challenges and threats they are likely to encounter there. Businesses should also consider conducting tabletop exercises built around metaverse scenarios to prepare for cybersecurity incidents in this novel environment.
One question such a metaverse tabletop exercise can explore is which breach notification laws apply in the event of a personal data breach. How are affected users notified? Which supervisory authorities must be notified, and within what deadlines? These and other questions should be worked through before an actual cybersecurity incident occurs. On the privacy side, there should be recourse for users who are victims of metaverse-related privacy violations and data breaches, and companies operating in the metaverse should decide in advance how they will address these types of incidents.
The metaverse is an evolving concept. Businesses immersing themselves in this new environment need to be flexible and agile, adapting their privacy and cybersecurity programs over time to keep pace with relevant technological and regulatory changes. The regulatory landscape surrounding the metaverse will no doubt evolve, and organizations will need to stay abreast of legal developments; but those taking a proactive approach to managing privacy and cybersecurity risks are likely to find long-term success in this new land of opportunity.
Lisa Sotto is chair of Hunton Andrews Kurth’s global privacy and cybersecurity practice and managing partner of the firm’s New York office. She can be reached at LSotto@HuntonAK.com.
Samuel Grogan is an associate in the global privacy and cybersecurity practice and can be reached at SGrogan@HuntonAK.com.