Game On: Insuring Cybersecurity and Data Privacy in the Arena of Professional Sports

The digital era has transformed professional sports, exposing sports organizations to a new, largely unfamiliar landscape of cybersecurity and data privacy risks. The sports industry has seen a marked increase in cyberattacks over the past five years. High-profile cybersecurity breaches, including ransomware attacks, data leaks, and fraud, underscore the need for robust cybersecurity measures and risk management strategies. These breaches expose fans’ personal and payment data, as well as sensitive player health information, increasing potential third-party liabilities. Safeguarding the interests of organizations requires protective insurance coverage and analysis of any potential coverage gaps. Cyber insurance has emerged as a critical tool in mitigating the financial consequences of cyberattacks, yet the coverage is imperfect and continually developing. Sports organizations have a variety of policies at play, all with varying insuring language and requirements, necessitating careful consideration and evaluation of potential coverage gaps for cybersecurity or data privacy claims.

These vulnerabilities are not merely theoretical. In 2019, hackers targeted the Atlanta Hawks’ online store and stole the addresses and credit card information of fans who made purchases on the Hawks’ website.[1] This attack demonstrates that sophisticated e-commerce platforms, even those deployed by professional sports franchises, are not immune to cybercriminals looking to exploit weaknesses in digital infrastructure, and it underscores the need for robust protective measures. In April 2024, the Hawks announced a partnership with a cyber protection technology company to protect and enhance their digital systems.[2] In 2020, more than a dozen NFL teams experienced unauthorized access to their social media accounts, exposing the weakness in the organizations’ account security.[3] In 2023, the Royal Dutch Football Association (KNVB) was the victim of a ransomware attack. LockBit, a known cybercriminal group, claimed to have stolen the personal data of 1.2 million KNVB players, employees, and members, potentially including salary information and medical details.[4] They threatened to publish the data unless KNVB paid a ransom. Business operations and football matches were not impacted, and KNVB entered into agreements to prevent the dissemination of the information.

These scenarios raise serious concerns for sports organizations. If, for example, a point-of-sale system is shut down during a game, there is the potential for a loss of income: the organization might have generated tens of thousands of dollars in sales during the game. Incidents such as the threatened data publication that hit KNVB also highlight the risk of reputational fallout that sports organizations must grapple with after a breach, as well as the high financial cost of complying with ransom demands. Standard Business Interruption coverage may not cover this type of loss because it is typically contingent on physical loss of or damage to tangible property, and loss of data may not satisfy that requirement. It also may not provide crisis management or reputational harm coverage extensions. Similarly, CGL policies often include a very broad “cyber incident” exclusion, which precludes coverage for any unauthorized access to or use of any of the insured’s computer systems, and a CGL policy may not be implicated in the first place absent property damage or bodily injury. If an officer of an organization falls for a scam resulting in the ransomware payment, that could potentially implicate Directors & Officers (“D&O”) coverage, but that insurance usually requires a “wrongful act,” and not all markets include coverage for cyberattacks. Rather, D&O policies often exclude coverage for claims arising from any act or failure to act of an insured’s employee in connection with a cyberattack. The insured may look to its Crime policy to cover such a loss; however, we have seen policies with “cyberextortion exclusions” that directly exclude coverage for any payment of ransom, forcing the insured to look elsewhere. More recently, we have seen some insurers offer “cyber suite” coverage extensions to a CGL policy, which may cover computer attacks, cyber extortion, misdirected payment fraud, and computer fraud. Alternatively, some Commercial Property carriers have started offering “social engineering” coverage, which often responds to losses resulting from an incident where the insured transferred money to a fraudster in good-faith reliance on fraudulent email instructions, for example.

Cyber risks are implicating new exposures around every corner. In 2024, a class action lawsuit was filed against the New York Mets, alleging that the organization collects and profits from fans’ biometric data at its stadium.[5] Citi Field uses facial recognition technology at its entrances to identify fans who are not permitted to enter the venue.[6] The class action alleges a violation of local laws concerning the unlawful use of, and profiting from, biometric data. Although not a data privacy breach, such allegations raise concerns about privacy rights connected to biometric identifiers used at sporting and entertainment venues. Typically, biometric identifiers are an individual’s physiological, biological, or behavioral characteristics used to establish that individual’s identity. In this situation, the organization may look to its corporate CGL policy for coverage, which will likely be challenging, as many CGL policies include endorsements that explicitly exclude coverage for any actual or alleged violation of any federal, state, or local ordinance, statute, or regulation involving the misuse, collection, or capture of biometric identifiers. Such an exclusion might apply to the allegations made against Citi Field because the complaint alleges that the park uses technology to compile biometric data of its fans for security purposes, potentially in conflict with New York local laws. In such a situation, the organization would likely look to its Cyber policy for coverage. However, some cyber policies contain exclusions for the unauthorized collection and/or use of “private information.” Under cyber policies, “private information” is sometimes defined to include personal information, which encompasses biometric identifiers and biometric information. In such circumstances, the organization would likely be barred from coverage for allegations of the wrongful collection and maintenance of its fans’ biometric data.

Generally, cyber policies cover a wide range of incidents, including data breaches, ransomware attacks, and business interruptions caused by security breaches. However, cyber policies also typically require that the insured implement certain cybersecurity protocols and procedures, making coverage contingent on those measures being in place. Such measures include multi-factor authentication, cybersecurity training for employees, and comprehensive cyber incident response plans. Because coverage is sometimes contingent on the insured’s compliance, it is imperative for organizations to understand the insuring conditions of their cyber policy as well as the coverage afforded.

Given the significant costs associated with breach notification, regulatory fines, legal fees, and public relations efforts to restore any reputational harm, cyber insurance should be a central part of the risk management portfolio for athletic organizations. Cyber risks and data privacy concerns are dynamic, so it is also imperative to continually assess an organization’s exposure and risks in conjunction with available coverage to ensure adequate protection.

As cybersecurity threats become more sophisticated, insurance has evolved in an attempt to respond. Organizations have options, but the coverage grants, conditions, exclusions, and extensions, each nuanced and complex, may leave potential gaps. A thorough review and assessment are necessary to understand an organization’s business exposures. In an era where data is integral for any business operations conducted electronically, cyber threats are a constant concern. Protecting the integrity of sports organizations requires a multi-faceted, proactive approach involving comprehensive risk assessment and strong insurance coverage.

If you are looking to bolster risk management strategies considering the technical complexity of your organization, please reach out to Nora G. Liebowitz at NLiebowitz@sdvlaw.com to discuss.

[1] Sansec Forensic Team, Credit Cards of Atlanta Hawks fans stolen, Threat Research (April 24, 2019), https://sansec.io/research/atlanta-hawks-magecart.
[2] Atlanta Hawks, Hawks Bolster Cybersecurity Efforts in New Acronis #TeamUp Partnership (April 16, 2024, at 11:00AM EDT), https://www.nba.com/hawks/news/hawks-bolster-cybersecurity-efforts-in-new-acronis-teamup-partnership.
[3] BBC, Twitter and Facebook accounts for 15 NFL teams hacked (January 27, 2020), https://www.bbc.com/news/technology-51275786; Jonathan Berr, Hackers Target NFL, Teams’ Social Media Accounts (January 28, 2020, 9:38PM EST), https://www.forbes.com/sites/jonathanberr/2020/01/28/hackers-target-nfl-teams-social-media-accounts/.
[4] KNVB Cyber Breach Information 2023, https://www.knvb.nl/info/68084/informatie-cyberinbraak-knvb (last visited April 2, 2025).
[5] See Chris Dowling v. Sterling Mets, L.P. and DOES 1-10, Case No. 718313/2024, as filed in the Eastern District of New York, October 8, 2024.
[6] Insurance Journal, New York Mets Hit With Class Action Alleging Biometric Privacy Violations (October 11, 2024), https://www.insurancejournal.com/news/east/2024/10/11/796892.htm.