Professional athletes, teams, and leagues have embraced wearable technology. But as this new technology becomes ubiquitous, a new category of valuable—and personally sensitive—data has emerged, raising novel data security issues and incentives for would-be hackers.
Data analysis has spawned a revolution in professional sports management (think, for example, of Moneyball). Sports data is coveted by everyone from the casual fan to competitors. In one high-profile incident from a few years ago, former St. Louis Cardinals scouting director Chris Correa was charged with hacking the rival Houston Astros’ private online database and obtained all kinds of confidential data, including scouting reports, statistics, and contract information. The hack cost the Astros an estimated $1.7 million, but had the potential to be more widespread if the Astros had been collecting wearable data at the time.
Wearables present an exciting opportunity to learn more about professional athletes, generate information that can sharpen performance, create competitive advantages, and create new monetization opportunities. A dizzying array of wearables are already being used—MLB players use the Motus Baseball Sleeve, Zephyr Bioharness, Catapult’s OptimEye S5, WHOOP Strap, and Blast Motion bat sensors; NBA players use Adidas miCoach elite, Catapult Sports ClearSky and Optimeye, Intel Curie, STAT Sports Viper, VERT Wearable Jump Monitors, Zebra wearable tags, and Zephyr Bioharness; and the NFL requires its players to use pads embedded with Radio-frequency identification (“RFID”) tags to track their movement, “providing metrics such as player speed, distance traveled, acceleration and deceleration.” These wearables collect movement information that can be seen by the naked eye, as well as more sensitive athlete biometric information such as heart rate, skin temperature, blood oxygen, and the like.
Wearables also present significant new data security issues. Teams and leagues generate vast amounts of sensitive information about all of their players. The wearable devices themselves and the companies that manufacture and sell the wearables are all targets for attacks, creating new opportunities for nefarious access to or inadvertent disclosure of this data. Indeed, Stroz Friedberg warns in its 2018 Cybersecurity Predictions report that large organizations—like professional teams or leagues—will be targeted by hackers attacking small manufacturers of Internet of Things devices, including wearable technologies.
The leagues have begun to address the data security risks associated with wearable technology. The MLB and NBA Collective Bargaining Agreements (“CBAs”), for example, require the leagues and teams to identify who will have access to player data, to treat all wearable data as highly confidential, and to impose strict and ongoing data management and cybersecurity standards for the storage of wearable data.
The NFL requires its players to use wearables and makes some data it collects available publicly. And starting this year, in-game player-tracking data will be released to each team. The NFL CBA also permits the NFL to require players to wear technology “for purposes of collecting information regarding the performance of NFL games, including players’ performances and movements, as well as medical and other player safety-related data,” though it cannot use sensors “for health or medical purposes” without the consent of the NFL Players Association (“NFLPA”). Separately, the NFLPA formed a partnership with WHOOP, allowing players to commercialize their data through a group licensing program, potentially making biometric data available publicly and raising interesting questions about who owns this new data.
The NHL CBA, meanwhile, does not currently address wearables or cybersecurity standards applicable to wearable data. And, while the NHL has hinted about introducing a player-tracking system in the near future, it has not addressed any associated data security concerns.
Professional sports was a nearly $70 billion industry in North America in 2017, and it continues to grow. As major professional sports leagues in North America become increasingly data-driven—including with data generated from wearables—the challenges of safeguarding this new sensitive data have emerged.