Subtitle 12-865-1 to 12-865-34. Online Casino Gaming, Retail and Online Sports Wagering, Fantasy Contests, Keno and Online Sale of Lottery Tickets


Sec. 12-865-1. Definitions, constructions, interpretations

As used in this section and sections 12-865-2 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, the following words and terms have the following meanings unless the context clearly indicates otherwise:

(1) “Act” means Public Act 21-23.

(2) “Auto play” means a feature that allows an internet game to place wagers automatically without patron interaction, once a denomination, wager and other play attributes have been selected by the patron.

(3) “Bots” means a computerized player of an internet game.

(4) “Business entity” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(5) “CLC” means the Connecticut Lottery Corporation as created under section 12-802 of the Connecticut General Statutes.

(6) “Commissioner” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(7) “Compliance manager” means the individual designated to be responsible for overseeing and managing compliance issues within each gaming entity licensee, including compliance with internal controls and all statutory and regulatory requirements.

(8) “Complimentaries” means promotional allowances or other promotional credits, including free play, that are provided to patrons and which allow patrons to participate in internet games on an electronic wagering platform or participate in retail sports wagering.

(9) “Comprehensive identity check” means the steps taken to: prevent identity theft and fraud; confirm that patrons meet minimum legal age requirements and are not a prohibited patron; and comply with master wagering licensee and online gaming operator’s anti-money laundering and “know your customer” internal controls.

(10) “Confidential information” means an individual’s first and last name in combination with one or more of the following: date of birth, mother’s maiden name, motor vehicle operator’s license number, Social Security number, employer or taxpayer identification number, alien registration number, government passport number, health insurance identification number, demand deposit account number, bank account number, credit card number, debit card number or unique biometric data such as fingerprint, voice print, retina or iris image, or other unique physical representation, voluntary self-exclusion list information, protected health information, as defined in 45 CFR 160.103, as amended from time to time, and information sufficient to determine the location of a patron. “Confidential information” does not include information that may be lawfully obtained from publicly available sources or from federal, state, or local government records.

(11) “Confidential information breach” means unauthorized access to, or unauthorized acquisition, control, or possession of, confidential information owned, licensed, or maintained by or on behalf of a gaming entity licensee, unless such information is in electronic form and encrypted or secured by a comparably effective method that renders the information unreadable or unusable. Any and all instances in which there is a substantial risk of identity theft or fraud to the licensee, its employees, patrons, or the state shall be considered a confidential information breach.

(12) “Consumables” means objects such as dice or playing cards used in live online casino games.

(13) “Core function” means any function related to the placement, recording, and resolution of wagers, or any other function or feature that affects the security, confidentiality, integrity, availability, or record keeping of the electronic wagering platform.

(14) “Critical component” has the same meaning as provided in section 12-858 of the Connecticut General Statutes.

(15) “Department” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(16) “Disaster recovery plan” means a plan that provides for a back-up site, detailing the computer systems, communications equipment, power supply, security procedures, recovery procedures, and time schedules for the recovery and continuation of the electronic wagering platform operation.

(17) “Document” means all records, including without limitation any writing, drawing, graph, chart, photograph, sound recording, video recording, image, code, algorithms, code repositories, audit logs, and other data or data compilation, stored in any medium from which information can be obtained either directly or, if necessary, after translation into a reasonably usable form. A draft or nonidentical copy is a separate document within the meaning of this term. The term “documents” expressly includes electronically stored information including, but not limited to, electronic mail, text messages, Microsoft Teams messages, Zoom chats, instant messaging, and Slack communications.

(18) “Dormant account” means an internet gaming account, which has had no patron initiated activity for a period of three years.

(19) “Drawing” means the process whereby winning numbers or symbols in a keno or lottery game are conclusively determined.

(20) “Drawing device” means an instrument approved by the department for conducting an electronically generated drawing.

(21) “Electronic wagering platform” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(22) “Entry fee” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(23) “Excluded person” means any individual who has voluntarily placed himself or herself in the voluntary self-exclusion database and who is prohibited from establishing an internet gaming account or participating in wagering on internet games or retail sports wagering.

(24) “Fantasy contest” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(25) “Gaming” means offering internet games and retail sports wagering.

(26) “Gaming entity licensee” means a master wagering licensee and a licensed online gaming operator, online gaming service provider and sports wagering retailer.

(27) “Gaming equipment” means any component of an electronic wagering platform or any equipment used to operate internet games.

(28) “Geolocation system” means the processes used to reasonably detect the physical real-world geographic location of an individual.

(29) “Gross receipts” has the same meaning as provided in section 12-868 of the Connecticut General Statutes.

(30) “Hardware” means all equipment, devices and peripherals, including, but not limited to, computers and computer components.

(31) “House-banked internet game” means any internet game of chance that is played with the house as a participant in the game, where the house takes on all players, collects from all losers, and pays all winners, and the house can win.

(32) “House rules” means the terms and conditions for sports wagering.

(33) “Incident” means a statutory, regulatory, or criminal violation or allegation of a violation and any irregularity that affects a gaming entity licensee or electronic wagering platform.

(34) “Independent audit” means an audit of records, policies, and procedures by a certified public accountant consistent with the standards accepted by the American Institute of Certified Public Accountants or a successor organization.

(35) “Interactive online game” means online casino gaming and online sports wagering.

(36) “Internal controls” means the written system of administrative and accounting processes and procedures implemented or anticipated to be implemented at a master wagering licensee or online gaming operator that are designed to ensure compliance with the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, including, but not limited to: (A) financial reporting, (B) effectiveness and security of operations, (C) “know your customer” procedures, and (D) deterring fraud and anti-money laundering.

(37) “Internet games” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(38) “Internet gaming” means placing wagers through an electronic wagering platform.

(39) “Internet gaming account” means an account established by a patron and maintained and overseen by an online gaming operator that a patron uses for the deposit and withdrawal of funds used for internet gaming.

(40) “Internet gaming app” means the software application used to participate in internet games that is installed on a patron device.

(41) “Keno” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(42) “Key employee” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(43) “Know your customer” has the same meaning as provided in Financial Industry Regulatory Authority Rule 2090.

(44) “Licensee” means a person licensed by the department pursuant to the act.

(45) “Live game equipment” means equipment used in conducting online casino gaming that involves at least one physical component or object whose real-time use is part of the game experience and includes, but is not limited to, live game systems, automated or non-automated roulette wheels, card shufflers, automated card readers, and automated dice shakers and throwers.

(46) “Live online casino games” includes live dealer and peer-to-peer internet games.

(47) “Lottery” means the lottery as defined in section 12-801 of the Connecticut General Statutes.

(48) “Lottery draw game” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(49) “NIST” means the National Institute of Standards and Technology.

(50) “Occupational employee” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(51) “Occupational licensee” means an employee of a gaming entity licensee with a position integral to gaming as described in section 12-858 of the Connecticut General Statutes.

(52) “Official procedures” means the documents which contain the methods of operation and management of online lottery and online keno, including, but not limited to, technical specifications, rules of play, and the configuration of the electronic wagering platform.

(53) “Online casino gaming” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(54) “Online gaming operator” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(55) “Online gaming service provider” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(56) “Online keno” means keno through the internet or a mobile application.

(57) “Online lottery” means the sale of tickets for lottery draw games through the internet or a mobile application.

(58) “Ownership interest” means any right to, ownership, an investment or a compensation arrangement with another person through business, investment or family. “Ownership interest” does not include ownership of investment securities in a publicly-held corporation that is traded on a national exchange or over-the-counter market, provided the investment securities held by such person and such person’s spouse, parent or child, in the aggregate, do not exceed one-half of one per cent of the total number of shares issued by the corporation.

(59) “Patron” means any individual who takes part in an internet game or places a wager at a sports wagering retailer facility.

(60) “Patron device” means any device that is used to interact with an electronic wagering platform for the purpose of conducting internet gaming. A patron device includes, but is not limited to, personal computers, mobile phones and tablets.

(61) “Patron session” means a period of time when a patron is logged on to an electronic wagering platform.

(62) “Peer-to-peer gaming” means all gaming activity, such as poker, where patrons compete against each other.

(63) “Person” means any business entity as defined in section 12-850 of the Connecticut General Statutes or any individual.

(64) “Physical receipt” means a print-out or other item evidencing a wager placed at a sports wagering retailer.

(65) “Pool” means the amount of money wagered for a particular keno or lottery draw game.

(66) “Prizes” means anything of value provided to a patron due to the outcome of online lottery game or online keno. Prizes may include money, complimentaries, or merchandise; however, for purposes of calculating gross revenue for online keno, “prize” shall include only money paid to a patron and shall not include complimentaries, merchandise, or admission to another competition.

(67) “Prohibited patron” means an individual prohibited from placing a wager in accordance with section 12-864 or 12-561 of the Connecticut General Statutes and the following individuals:

(A) An individual who is under the minimum legal age.

(B) An individual not in an authorized location to make a wager.

(C) An individual placing a wager on behalf of another.

(D) An individual wagering in violation of state, tribal, or federal law.

(E) Other individuals determined by the department to pose a threat to the integrity of gaming due to cheating or involvement in criminal activity.

(68) “Promotion” means an event or activity, conducted by a licensee for the purpose of encouraging participation in internet games or retail sports wagering.

(69) “Promotional drawing” means any keno or lottery drawing that determines the winner of any prize that is provided by the CLC and that is not part of any lottery game prize structure.

(70) “Reservation” has the same meaning as provided in section 2(t) of the Mashantucket Pequot procedures and section 2(t) of the Mohegan compact, as such terms are defined in section 12-850 of the Connecticut General Statutes, and the geographic boundaries for geofencing the reservation shall be established by plots and grid coordinates based on U.S. Census maps.

(71) “Retail sports wagering” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(72) “Return to player” means the percentage of wagers that will be returned to players of a specific game over time.

(73) “Script” means a list of commands that a fantasy contest related computer program can execute and that are created by patrons, or by third parties for the use of patrons, to automate processes on an electronic wagering platform solely used for fantasy contests.

(74) “Sports wagering” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(75) “Sports wagering retailer” has the same meaning as provided in section 12-850 of the Connecticut General Statutes.

(76) “Sports wagering retailer facility” means the premises approved by the department where a sports wagering retailer is authorized to conduct sports wagering.

(77) “State” means the state of Connecticut, excluding the reservations.

(78) “Strong authentication” means a method used to secure computer systems or networks by verifying a user’s identity by requiring multiple factors in order to authenticate (such as, something you know, something you are, or something you have).

(79) “Substantial change” means any change that directly affects the operation of a core function.

(80) “Suspended account” means an internet gaming account that has been temporarily disabled from engaging in internet gaming.

(81) “T&S controls” means an online gaming operator’s technical and security standards.

(82) “Technical standard” means a standard or specification prescribed by the department concerning the design, performance, operation, testing, or maintenance of the electronic wagering platform and all gaming equipment.

(83) “Terminal” means a piece of equipment located in a sports wagering retailer facility that is dedicated to sports wagering activity utilizing the electronic wagering platform employed by or contracted for by the CLC.

(84) “Ticket” means any lottery ticket approved for sale to the general public pursuant to sections 12-568a-1 to 12-568a-24, inclusive, of the Regulations of Connecticut State Agencies.

(85) “Voluntary self-exclusion” means the process for an individual to designate himself or herself as an excluded person.

(86) “Wager” means the risking or accepting of money, credit, deposit, cash equivalent, including free play, loyalty points, and other redeemable betting credits, or anything of value on an uncertain occurrence, but does not include entry fees.

(87) “Winnings” means anything of value provided to a patron due to the outcome of a sports wager, online casino game or fantasy contest. Winnings may include money, competition credits, merchandise, or admission to another competition; however, for purposes of calculating gross revenue, “winnings” shall include only money paid to a patron and shall not include the cash equivalent value of any merchandise or thing of value or admission to another competition.

(88) “Youth athletics” means an athletic event (A) involving a majority of participants under eighteen years of age or (B) in which at least one participant is a team from a public or private elementary, middle, or secondary school, regardless of where such school is located. However, if an athletic event is a college sports or professional sports athletic event, such event shall not be considered youth athletics regardless of the age of the participants.

(Effective February 1, 2022)

Sec. 12-865-2. Commissioner’s Powers

(a) Record retention. Every person required by sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, to prepare, obtain or keep documents, and every person in charge, or having custody, of such documents, shall maintain such documents in an auditable format for no less than five years, or such longer or shorter period as may be specified in the Regulations of Connecticut State Agencies or the act. Upon request, such person shall make such documents immediately available for review to the department, in electronic form, unless not commercially practical, and submit copies to the department. The commissioner may request any information the commissioner deems necessary for the proper administration of the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies. In complying with this section, no person shall use a foreign language, codes, or symbols in the keeping of any required document. Notwithstanding other provisions of this subsection, personnel files shall be retained by the gaming entity licensees pursuant to the act for the duration of an individual licensee’s employment and for two years after separation from employment with the gaming entity licensee.

(b) Inspection of premises. The department shall be granted unrestricted twenty-four hour access to all areas of a gaming entity licensee’s business facilities where any records or equipment or hardware that is associated with the electronic wagering platform, live online casino games, or retail sports wagering is located that impacts the operation of gaming in the state of Connecticut.

(Effective February 1, 2022)

Sec. 12-865-3. General Requirements

(a) Internet gaming shall only be engaged in by patrons who have established an internet gaming account. A gaming entity licensee may only allow an individual to establish one account on each electronic wagering platform operated by the licensee in accordance with Section 12-865-11(a) of the Regulations of Connecticut State Agencies.

(b) Gaming entity licensees shall not include in any internet gaming app any software that: permits unauthorized data collection or file extraction; contains malware; or contains any other feature that compromises the integrity of the patron device or the data contained therein.

(c) A gaming entity licensee shall have a compliance manager, licensed as a key employee, responsible for the operation and integrity of internet games and gaming and reviewing all reports of suspicious activity that impacts the integrity of internet games and gaming in Connecticut. In addition to notifying the department of the suspicious activity listed in subdivisions (1) to (7), inclusive, of this subsection, the licensee shall provide a detailed description of the incident and a resolution report within seven days of discovery of such incident. In the event that such issue cannot be resolved within seven days, the licensee shall provide the department with an interim resolution report, which shall be updated every seven days thereafter until the issue is fully resolved. In addition to any required reporting to law enforcement under other law or regulation, a gaming entity licensee shall immediately, but no later than twenty-four hours, notify the department in writing, upon detecting or becoming aware of any of the following:

(1) Any person participating in internet gaming or retail sports wagering who is engaging in or attempting to engage in, or who is reasonably suspected of, cheating, theft, embezzlement, collusion, use of funds derived from illegal activity, money laundering, or any other illegal activities.

(2) Any individual who is reasonably suspected of misrepresenting such individual’s identity or using false identification to establish or attempt to establish an internet gaming account.

(3) Suspected criminal activity related to any aspect of either internet gaming or retail sports wagering.

(4) Any criminal or disciplinary proceedings commenced against the online gaming operator or sports wagering retailer in connection with its internet gaming or retail sports wagering operations.

(5) Any suspicious wagering activity or patterns that indicate a concern regarding the integrity of an internet game or sports wagering.

(6) Any other conduct that corrupts the outcome of an internet game or sports wagering.

(7) Any wagers that violate any applicable state or federal law.

(d) A gaming entity licensee shall comply with all federal requirements including, but not limited to, suspicious activity reporting and W2-G reporting.

(e) A gaming entity licensee shall not knowingly allow a patron to place a wager as an agent or a proxy for another individual.

(f) A gaming entity licensee shall not knowingly allow a prohibited patron to place a wager on an internet game or sporting event that the patron is prohibited from participating in or be paid winnings or prizes from such wager.

(g) If an online gaming operator determines that an individual is prohibited from engaging in all or a specific type of gaming for reasons other than voluntary self-exclusion, the online gaming operator shall document the reason that the individual is prohibited, suspend the internet gaming account or place reasonable restrictions to prohibit the individual from gaming in specific types of gaming, and, if prohibited from all forms of gaming, prohibit the individual from creating a new internet gaming account with such online gaming operator until such time that the individual is no longer determined to be a prohibited patron.

(h) Gaming entity licensees shall comply with the data privacy and cybersecurity provisions of section 12-865-32 and 12-865-33 of the Regulations of Connecticut State Agencies. Additionally, gaming entity licensees shall maintain cybersecurity insurance coverage, provide relevant employee training on data privacy and cybersecurity, and conduct information system audits no less than quarterly. Cybersecurity insurance coverage shall include coverage for data compromise response, identity recovery, computer attack, cyber extortion, and network security.

(i) Master wagering licensees, online gaming operators and sports wagering retailers shall comply with all of the following tax withholding and reporting requirements:

(1) Master wager licensees, online gaming operators or sports wagering retailers shall be responsible for all applicable federal and state withholding and reporting responsibilities arising under the provisions of the act pertaining to gaming. The department shall be held harmless by such master wagering licensees, online gaming operators, and sports wagering retailers from any federal or state tax penalties or interest that may arise as a result of such licensee’s activities in performing these responsibilities.

(2) The department shall have the right to inspect withholding and miscellaneous income records and related tax filings prepared by, or obtained by, the master wagering licensee, online gaming operator, or sports wagering retailer at all times.

(3) The master wagering licensee, online gaming operator, or sports wagering retailer shall provide W2-G information to the department as requested and on an annual basis, by June 30th of each year, in a format acceptable to the department.

(4) An online gaming operator or sports wagering retailer shall provide notice to a patron in the event that such patron’s internet gaming account is subject to tax withholdings.

(j) In the event of any changes to the contact information, management, or licensure status in another jurisdiction in the United States, a gaming entity licensee shall report any such changes to the department within ten days of such change and the department may require the licensee to file an amended application or provide additional documentation.

(k) A license issued under 12-865-4 to 12-865-8, inclusive, of the Regulations of Connecticut State Agencies shall not be transferred or sold. Prior to any transfer, sale, or change in ownership of a gaming entity licensee, a new license shall be obtained by the licensee or new owner, as applicable, unless one of the following provisions is met:

(1) The change in ownership is a sale of shares of a publicly listed or traded company to a shareholder that will own less than five percent of the gaming entity licensee after the transaction. No notice to the department is required based on this change of ownership.

(2) The change in ownership is a sale of shares of a publicly listed or traded company to a financial institution or other investor, which in the sole judgment of the commissioner is determined to be a passive investor in the gaming entity licensee, and where the financial institution or other investor does not exercise any control of the gaming entity licensee. For the purpose of this subsection, “control” means the power to exercise authority over, or direct the management and policies of, a business entity. Written notice shall be provided to the department of the sale of five percent or more of the gaming entity licensee. The new owner shall provide the department with documentation sufficient to verify the terms of the sale and the role of the new owner so that the commissioner may make a determination under this provision.

(3) There is a change of fifty percent or less in the ownership of a non-publicly listed or traded gaming entity licensee and such change in ownership does not result in a change in control of the gaming entity licensee. Written notice shall be provided to the department, describing the parties and transaction involved with such change in ownership.

(4) The commissioner waives the requirement for a new application.

(l) A gaming entity licensee shall inform the department in writing within five days of any change to the name of such licensee, including establishing a trade name.

(m) In the event of any changes to the contact information or licensure status in another jurisdiction in the United States, an occupational licensee or key employee shall report any such change to the department within ten days of such change and the department may require the licensee to file an amended application or provide additional documentation.

(n) The department shall maintain a list of technical standards on the department’s website, which shall be reviewed by the department annually to ensure the technical standards preserve the integrity of gaming through sufficient system requirements and patron account management standards. The department may modify or update the technical standards based on the following reasons: in response to a legal interpretation; to include additional or amend existing technical standards that the commissioner deems necessary to preserve the integrity of gaming or protect consumers from financial harm; to adjust to changes in technology, relevant standards, or platform design; or for any other reason necessary to preserve that integrity of gaming under the act. The department shall post any updates to the technical standards on the department’s website and such technical standard shall be effective thirty days after such posting unless such period is extended by the commissioner. The department shall provide written notice to all active online gaming operator licensees of any updates to the technical standards prior to implementation.

(o) The department may waive any technical standard established pursuant to subsection (n) of this section of the Regulations of Connecticut State Agencies, upon written request by a licensee. Waiver shall only be granted if the department determines that the gaming entity licensee has established, through written certification to the department’s satisfaction, that such gaming entity’s systems or standards:

(1) Meet the policy goals of the technical standard that is being waived; or

(2) Are equivalent to or exceed the NIST standards required in sections 12-865-11, 12-865-13, 12-865-20 and 12-865-33 of the Regulations of Connecticut State Agencies.

(p) The department may rescind a waiver granted under subsection (o) of this section at any time if the department has reason to believe that the licensee no longer meets the policy goals of the waived technical standard.

(q) A gaming entity licensee shall suspend a patron’s internet gaming account and disable account access if the licensee discovers (1) that the patron is using proxy servers, virtual private networks, spoofing, or other means designed to disguise identity or physical location, (2) that the location information indicates a likelihood of unauthorized or improper access, or (3) any other violation of the act or sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies that threatens the integrity of gaming.

(r) Gaming entity license applicants shall notify the department at the time of application of the identity of each key employee. Gaming entity licensees shall notify the department of any change to or addition of key employees within one week, unless a shorter period is prescribed by law.

(s) A gaming entity licensee shall notify the department within one business day that an employee holding a key employee license or an occupational license is terminated, suspended, or otherwise disciplined for alleged conduct that is in violation of the act or sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies. A monthly report shall be provided to the department with names and license numbers of all licensed employees that were suspended, terminated or voluntarily departed from employment during the previous month.

(t) Upon request, an online gaming operator shall provide an electronic, sortable list of all employees of the online gaming operator, who directly or indirectly impact internet games or gaming in the state, by department and position. All online gaming operators shall also maintain and provide upon request an electronic, sortable list of all online gaming service providers doing business with such online gaming operator.

(u) No person whose application for a license has been denied due to the applicant's character and fitness may make another application for a license under sections 12-865-4 to 12-865-8, inclusive, of the Regulations of Connecticut State Agencies for at least one year from the date of denial.

(v) All persons licensed under sections 12-865-4 to 12-865-8, inclusive, of the Regulations of Connecticut State Agencies shall notify the department within one business day of becoming aware of any licensee that has been convicted of a crime set forth in section 12-865-8(j) of the Regulations of Connecticut State Agencies or a conviction that otherwise threatens the integrity of gaming.

(w) If a master wagering licensee does not utilize an online gaming operator and, instead, develops its own electronic wagering platform, the master wagering licensee will be considered both an online gaming operator and a master wagering licensee and shall be held to the requirements set forth in the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies for both license types.

(x) A licensee shall not directly or indirectly give, promise, or offer to any professional or amateur sporting event player or referee or other official who participates or expects to participate in any sporting event, or to any manager, coach, or trainer of any team or player or prospective player in any such event, any benefit with intent to influence the person to lose or try to lose or cause to be lost or to limit the person's or person's team's margin of victory or defeat.

(y) Each person applying for a license under the act and all licensees have the affirmative responsibility and continuing duty to provide all information, documentation and assurances pertaining to qualifications required or requested by the department and to cooperate with the department in the performance of its duties, including but not limited to, any investigation conducted by the department. Any refusal by such persons to comply with a formal request for information, evidence or testimony shall be a basis for denial, revocation, or suspension of a license. No license shall be granted to any person who fails to provide information, documentation and assurances required by the act or requested by the department or who fails to reveal any fact material to qualification.

(z) Prior to offering internet games to the general public, an online gaming operator shall perform a soft launch of any electronic wagering platform that the online gaming operator operates. The soft launch, which shall be a limited opening of gaming services by the online gaming operator, shall occur after written approval by the department of the online gaming operator’s electronic wagering platform and all internal controls that require approval. The soft launch shall be for a period of no less than seven days and shall be offered to a limited group of patrons, as determined by the online gaming operator. The online gaming operator shall provide written notice to the department of the scope of games and patrons anticipated for inclusion in the soft launch at least ten days prior to such soft launch. For live online casino games, the soft launch requirements shall be as specified in section 12-865-18 of the Regulations of Connecticut State Agencies. This subsection shall not apply to offering fantasy contests in the state, which shall not be subject to a soft launch period.

(Effective February 1, 2022)

Sec. 12-865-4. Master Wagering License Requirements

(a) Upon completion of the requirements set forth in sections 12-852(a) and 12-853(a) of the Connecticut General Statutes, the commissioner may issue a master wagering license to each of the following persons upon receipt of a complete application in a form and manner prescribed by the commissioner:

(1) The Connecticut Lottery Corporation;

(2) The Mashantucket Pequot Tribe, or an instrumentality of or an affiliate wholly-owned by said tribe, as approved by the department; and

(3) The Mohegan Tribe of Indians of Connecticut, or an instrumentality of or an affiliate wholly-owned by said tribe, as approved by the department.

(b) The master wagering license shall list the names and contact information of all owners and key employees of the master wagering licensee.

(c) No person shall act as a master wagering licensee without a license issued by the department under the act.

(d) The master wagering licensee shall confirm, in a manner acceptable to the department, the master wagering licensee’s relationship with an applicant for an online gaming operator, online gaming service provider, sports wagering retailer, or occupational or key employee license prior to the department processing such application.

(e) In the event that a master wagering licensee terminates the master wagering licensee’s business relationship with an online gaming operator, online gaming service provider or sports wagering retailer, the master wagering licensee shall notify the department of such termination within twenty-four hours.

(Effective February 1, 2022)

Sec. 12-865-5. Online Gaming Operator Requirements

(a) No person shall be licensed as an online gaming operator without first entering into an agreement with a master wagering licensee to operate an electronic wagering platform for purposes of offering internet games or retail sports wagering. A master wagering licensee shall confirm, in a manner acceptable to the department, that such licensee has entered into an agreement with the online gaming operator and authorize such online gaming operator to provide gaming services on behalf of the master wagering licensee.

(b) An online gaming operator applicant shall apply on a form and in a manner prescribed by the department. The department shall permit applicants with comparable credentials in another state that has substantially similar license requirements to apply for reciprocal licensing based on the applicant’s status as a licensee in good standing in such other state. If the department issues an online gaming operator license to an applicant based on reciprocity, the applicant shall provide all information required of a non-reciprocal initial applicant no later than three months prior to the renewal date when such license expires. An online gaming operator applicant shall be required to supply in its application information sufficient to demonstrate to the department the good character, fitness, and financial stability of the applicant, which at a minimum shall include:

(1) the name of the master wagering licensee with whom the applicant has contracted;

(2) the name, and location of the applicant’s business;

(3) the applicant’s federal tax identification number, Connecticut tax registration number, and, where applicable, social security number;

(4) the nature of the applicant’s business;

(5) the names, contact information and dates of birth of owners and key employees, as required by the commissioner;

(6) a breakdown of ownership interests in the applicant;

(7) an explanation of any criminal conviction, other than minor traffic offenses, of the applicant and any of its owners, or key employees;

(8) consent to conduct a financial history and criminal background check;

(9) an explanation of any tax disputes or delinquencies involving taxes owed by the applicant;

(10) disclosure of any pending action or fine against or, suspension or revocation of any permit, license, registration or authorization issued by any state, federal or tribal authority, or authority in any other state, of the applicant and any owner or key employee of the applicant;

(11) the applicant's interest, if any, in other entities offering internet games or retail sports wagering that hold a credential in the state or another jurisdiction; and

(12) any additional information required by the department to ensure that the applicant meets licensing criteria.

(c) In determining an applicant’s qualifications for licensure as an online gaming operator, the department may consider factors that include, but are not limited to:

(1) The financial responsibility of the applicant. The department may conduct an investigation into the credit worthiness of the applicant utilizing the services of a commercial credit-reporting agency or other method approved by the commissioner;

(2) Any falsification of the information submitted with the license application or failure to disclose any fact material to the application;

(3) Records of criminal convictions;

(4) Federal and state tax compliance; and

(5) Such other information as the department may deem pertinent to the issuance of an online gaming operator license.

(d) An applicant shall not withdraw its application without the permission of the commissioner.

(Effective February 1, 2022)

Sec. 12-865-6. Online Gaming Service Provider Requirements

(a) No person shall act as an online gaming service provider without a license issued by the department under the act.

(b) No person shall be licensed as an online gaming service provider unless the person is doing business with a master wagering licensee, an online gaming operator, online gaming service provider, or a retail sports wagering licensee.

(c) Business entities that are required to be licensed in accordance with this section shall include the following unless determined by the department to have a de minimis impact on the integrity of internet games, retail sports wagering or gaming: manufacturers of gaming equipment, or software integral to internet games and retail sports wagering; suppliers or distributors of gaming equipment and software integral to gaming or internet games; servicers and repairers of electronic wagering platforms; suppliers of security services; geolocation services; age and identity verification; payment processors; vendors who monitor and audit electronic wagering platforms; and business entities providing other services including, but not limited to, operating live online casino games, testing of internet games and the electronic wagering platform and determining what wagers to accept or the betting lines or odds to be offered for a wager for an internet game. In addition to other provisions of this subsection, the department may require additional business entities to be licensed if such business provides goods or services utilized in, or incidental to internet games or retail sports wagering that are integral to the public confidence, credibility, or integrity of the gaming industry in this state.

(d) An online gaming service provider applicant shall apply on a form and in a manner prescribed by the department. The department shall permit applicants with comparable credentials in another state that has substantially similar license requirements to apply for reciprocal licensing based on the applicant’s status as a licensee in good standing in such other state. If the department issues an online gaming service provider license to an applicant based on reciprocity, the applicant shall provide all information required of a non-reciprocal initial applicant no later than three months prior to the renewal date when such license expires.

(e) An online gaming service provider applicant shall supply in its application information sufficient to demonstrate to the department the good character, fitness, and financial stability of the applicant, which at a minimum shall include:

(1) The names of all master wagering licensees, licensed online gaming operators or licensed sports wagering retailers with whom the applicant has contracted;

(2) The name and location of the applicant’s business; the applicant’s federal tax identification number, Connecticut tax registration number, and, where applicable, social security number;

(3) The nature of the applicant’s business;

(4) The names, contact information and dates of birth of owners, and key employees, as required by the commissioner;

(5) An explanation of any criminal conviction, other than minor traffic offenses, of the applicant and any of its owners, or key employees;

(6) Consent to conduct a credit history and criminal background check;

(7) An explanation of any tax disputes or delinquencies involving taxes owed to the state by the applicant; disclosure of any pending action or fine against or, suspension or revocation of any permit, license, registration, or authorization issued by any state, federal or tribal authority, or authority in any other state, of the applicant and any owner or key employee of the applicant;

(8) The applicant's interest, if any, in other entities offering internet games or retail sports wagering that hold a credential in the state or another jurisdiction; and

(9) Any additional information required by the department to ensure that the applicant meets licensing criteria.

(f) In determining an applicant’s qualifications for licensure as an online gaming service provider, the department may consider factors that include, but are not limited to:

(1) Any falsification of the information submitted with the license application or failure to disclose any fact material to the application;

(2) Records of criminal convictions;

(3) Federal and state tax compliance; and

(4) Such other information as the department may deem pertinent to the issuance of an online gaming service provider license.

(Effective February 1, 2022)

Sec. 12-865-7. Sports Wagering Retailer Requirements

(a) No person shall act as a sports wagering retailer without a license issued by the department under the act.

(b) A sports wagering retailer applicant shall apply on a form and in a manner prescribed by the department. The department shall permit applicants with comparable credentials in another state that has substantially similar license requirements to apply for reciprocal licensing based on the applicant’s status as a licensee in good standing in such other state. If the department issues a sports wagering retailer license to an applicant based on reciprocity, the applicant shall provide all information required of a non-reciprocal initial applicant no later than three months prior to the renewal date when such license expires.

(c) An applicant for a sports wagering retailer license shall apply on a form and in a manner prescribed by the commissioner that includes, but is not limited to, submitting the following:

(1) Applicant contact information;

(2) Evidence of site control, demonstrated by an executed lease agreement or title to the premises;

(3) Detailed plans, maps, and specifications of the proposed sports wagering retailer facility;

(4) Detailed security plans for the sports wagering retailer facility, including continuous surveillance camera monitoring of any area where patrons will interact with a terminal or an individual to place a wager, which footage shall be preserved by the sports wagering retailer for a period of no less than thirty days, however, if the footage is of any event that is subject to any investigation then such footage shall be maintained until the completion of the investigation; and

(5) A business arrangement with CLC to facilitate sports wagering.

(d) Lines of betting and odds of winning related to sporting events available to place wagers on at a sports wagering retailer facility shall be available to patrons in such facility and notice on how patrons can access the lines of betting and odds of winning shall be prominently displayed.

(e) Sports wagering retailers shall comply with all applicable statutes and Regulations of Connecticut State Agencies relating to unclaimed funds, abandoned property and escheatment to the Office of the State Treasurer. All records related to notice to patrons of unclaimed funds or abandoned property required under chapter 32, part III of the Connecticut General Statutes shall be made available electronically to the department upon request. Sports wagering retailers shall concurrently provide a digital copy to the department of any reports or transfers sent to the Office of the State Treasurer relating to unclaimed funds or abandoned property from the sports wagering retailer facility.

(f) Terminals shall be certified as gaming equipment by a licensed independent testing laboratory.

(g) Terminals shall be tamper-proof. Access to any back-end computer system component or cash depository in the terminal shall be securely locked and access shall be limited to key and occupational licensees.

(h) Terminals, as well as any location in a sports wagering retailer facility where an individual will be accepting wagers from patrons, shall be equipped with printers to provide each patron a physical receipt for each transaction.

(i) Physical receipts shall expire no earlier than one hundred and eighty days after issuance. If a sports wagering retailer offers physical receipts that expire, such retailer shall clearly and prominently display the expiration policy by posting wall signs next to all kiosks and cages where physical tickets may be obtained, and providing a prominent notice on the physical receipt that is a font size no smaller than the font used to indicate the value of the receipt. On or before April 1, 2022, a sports wagering retailer or the CLC may request a hardship waiver from the department to allow the sports wagering retailer to utilize their existing inventory of physical tickets that do not comply with the font size requirement until April 1, 2023. The existing inventory of physical tickets solely includes those that are in the possession of the sports wagering retailer or CLC as of March 1, 2022.

(j) Patron winnings shall be paid in cash up to five hundred dollars, unless requested otherwise by the patron and agreed upon by the sports wagering retailer. The sports wagering retailer shall maintain sufficient cash on hand to cover patron winnings. The sports wagering retailer may pay larger winnings by check. Cashed physical receipts shall be maintained for no less than six months.

(k) All appropriate federal and state tax, withholding, and other patron financial reporting forms shall be completed before the sports wagering retailer issues any payment for winnings in accordance with the federal and state mandated reporting and withholding requirements. Such reports shall then be distributed to the patron and handled by the sports wagering retailer or CLC in accordance with federal and state law. In addition, prior to issuing winnings in an amount requiring tax reporting, the sports wagering retailer shall confirm the patron’s identity to verify that the patron is not a prohibited or excluded person.

(l) Sports wagering retailers, independently or through the CLC, shall maintain a reserve that meets the following minimum reserve requirements: a reserve of not less than the greater of $25,000 or the sum of the following amounts: (1) amounts accepted by the sports wagering retailer as wagers on contingencies whose outcomes have not been determined; and (2) amounts owed but unpaid by the sports wagering retailer on winning wagers through the period established for honoring winning receipts.

(Effective February 1, 2022)

Sec. 12-865-8. Occupational Employee and Key Employee Licensing

(a) No individual shall act as an occupational licensee, or represent that such person is an occupational licensee, unless such individual has obtained a license from the department pursuant to this subsection. Such individual shall apply for a license on a form and in a manner prescribed by the commissioner. The department shall permit occupational employee applicants with comparable credentials in another state that has substantially similar license requirements to apply for reciprocal licensing if licensed in good standing in another state. If the department issues an occupational employee license to an applicant based on reciprocity, the applicant shall provide all information required of a non-reciprocal initial applicant no later than three months prior to the renewal date when such license expires.

(b) The following individuals who are directly or substantially involved in the operation of internet games or retail sports wagering in a manner that impacts the integrity of gaming shall obtain an occupational employee license:

(1) Individuals who have system access or authority to modify any critical component of the electronic wagering platform or to impact or revise the outcome of a wager;

(2) Individuals who have authority to modify a patron’s bank account information, full birth date, social security or tax identification number, deposit patron funds from external funding sources, wagering limits, or wager history in an internet gaming account, excluding those individuals who are authorized only to update patron contact information, resolve patron complaints, including through the issuance of complimentaries, and other non-material changes to internet gaming accounts;

(3) Individuals who manage or supervise information technology employees;

(4) Individuals who manage or supervise data security staff;

(5) Individuals who have the managerial authority to approve deployment of code for internet games or an electronic wagering platform;

(6) Individuals who manage or supervise individuals responsible for testing of internet games or gaming equipment;

(7) Individuals who accept wagers at a sports wagering retail facility; and

(8) The general manager of a sports wagering retail facility.

(c) In addition to the individuals listed in subsection (b) of this section, occupational employees may include, at the discretion of the department, managerial or supervisory level employees that have the potential to materially impact or influence the integrity of internet games, retail sports wagering, or gaming activity.

(d) No individual shall act as a key employee, or represent that such individual is a key employee, unless such individual has obtained a license from the department pursuant to this subsection, is within the thirty-day notice period specified in subsection (g) of this section, or has submitted a preliminary application, with payment in full, to the department and the individual’s license application is pending review by the department. Such individual shall apply for a license on a form and in a manner prescribed by the commissioner. The department shall permit key employee applicants to apply for reciprocal licensing based on the applicant’s status as a licensee in good standing in another state that uses the multi-jurisdictional personal history disclosure form. If the department issues a key employee license to an applicant based on reciprocity, the applicant shall provide all information required of a non-reciprocal initial applicant no later than three months prior to the renewal date when such license expires.

(e) The following individuals are required to obtain a key employee license:

(1) President or chief officer, who is the top-ranking individual of the licensee and is responsible for all staff and the overall direction of business operations;

(2) Financial manager, who is the individual who reports to the president or chief officer who is generally responsible for oversight of the financial operations of the licensee, including, but not limited to, revenue generation, distributions, tax compliance and budget implementation;

(3) Compliance manager, who is the individual that reports to the president or chief officer and who is generally responsible for ensuring the licensee complies with all laws, regulations and requirements related to the operation of the licensee;

(4) Chief information officer or chief data security officer, or any individual with a similar title who exercises control over information systems and technical systems;

(5) Individuals who are responsible for establishing the policies or procedures on, or make management decisions related to, wagering structures or outcomes for a gaming entity licensee; and

(6) Individuals with an ownership interest in a gaming entity licensee provided the interest held by such individual and such individual’s spouse, parent, and child, in the aggregate, is five per cent or more of the total ownership or interest rights in the gaming entity licensee.

(f) In addition to the individuals listed in subsection (e) of this section, key employees may include, at the discretion of the department, individuals who have control over technical systems or general operation of the licensee that materially impact the integrity of gaming, internet games and retail sports wagering. For the purpose of this section, “control” means the authority of employees, directors, members, and trustees to establish policies or procedures on, or making management decisions related to, technical systems, financial management, and wagering structures or outcomes for a gaming entity licensee, or supervisory oversight over occupational employees.

(g) An individual who requires licensure as a key employee shall submit a preliminary application to the department no later than thirty days after commencement of employment in such role or thirty days after notice to the gaming entity licensee by the department that an individual is a key employee. An individual who requires licensure as a key employee shall submit a complete application to the department no later than ninety days after commencement of employment in such role, unless an extension is granted by the department. No individual shall be designated a key employee without attaining at least eighteen years of age.

(h) An individual, who would otherwise be a key employee based on the individual’s ownership interest in a gaming entity licensee may request that the commissioner waive the application requirement for a key employee license by providing evidence acceptable to the commissioner that the applicant is a passive or institutional investor. The commissioner may grant a waiver, in the commissioner’s sole discretion, if the commissioner concludes that the investor is unable to exert control over the gaming entity licensee. To determine whether an investor is able to exercise control, the commissioner may consider among other things:

(1) Whether the investor is a financial institution; and

(2) The nature of the investment interest, including the extent to which it is attributable to debt warrants or other unexercised rights.

(i) The key employee license application form shall require the applicant for a key employee license to submit to a state and national criminal history records check conducted in accordance with section 29-17a of the Connecticut General Statutes, which may include a financial history check if requested by the commissioner, to determine the character and fitness of the applicant for the license.

(j) A key employee applicant may be denied a license in the event the applicant’s background check reveals a conviction related to the mismanagement of funds, consumer fraud, computer fraud, a violation of communication or data privacy laws, other financial or computer crimes, or other crimes that may disqualify the applicant based on the criteria in section 46a-80 of the Connecticut General Statutes. If the key employee is denied a license after the individual has commenced employment as a key employee, the gaming entity licensee employing the key employee shall immediately upon receipt of notice cease utilizing such individual in activity requiring a key employee license.

(k) A key employee may appeal a denial by requesting a hearing before the commissioner in accordance with chapter 54 of the Connecticut General Statutes. Such request for hearing shall be made in writing to the commissioner within ten days of receipt from the department of a license denial.

(Effective February 1, 2022)

Sec. 12-865-9. Geofencing

(a) This section shall apply to all electronic wagering platforms except those electronic wagering platforms that exclusively offer and support fantasy contests, which shall be governed by the provisions of section 12-865-10 of the Regulations of Connecticut State Agencies.

(b) Each electronic wagering platform shall employ a geolocation system that checks a patron’s location when a patron logs on to the patron’s internet gaming account, opens an internet gaming app, and places a wager, and at other times or at a frequency as may be required by the department to ensure account security and the location of the patron related to an investigation, compliance review, audit, or enforcement action. If the geolocation system identifies that the physical location of the patron is outside the state, the electronic wagering platform shall not accept wagers until such time that the patron is in the state, the boundaries of which shall be defined by the department based on U.S. Census maps, and shall not include the reservations. Internet gaming is conducted exclusively on a reservation only if the patron who places the wager is physically present on the reservation when the wager is initiated and when the wager is received, and the wager on an internet game is initiated, received, or otherwise made in conformity with the safe harbor requirements described in 31 USC 5362(10)(C).

(c) The geolocation system shall be fully equipped to dynamically and consistently monitor the patron's location and block unauthorized attempts to access the electronic wagering platform throughout the duration of the patron session. The geolocation system shall comply with all technical standards and testing requirements set forth in this section.

(d) The electronic wagering platform shall trigger the following geolocation checks:

(1) A geolocation check prior to the placement of the first wager in the patron session.

(2) Recurring periodic geolocation checks. If a patron session is longer than a single wager, the recurring periodic geolocation check shall be administered as follows:

(A) Static connection: Recheck every twenty minutes, or five minutes if within one mile of the state border; and

(B) Mobile connections: Recheck intervals to be based on a patron’s proximity to the state border, with an assumed travel velocity of seventy miles per hour and a maximum interval not exceeding twenty minutes.

(e) If the online gaming operator utilizes a third-party geolocation service, then the online gaming operator shall define the reasons for all trigger instances, for example single wager or deposit, and communicate the trigger reason using an anonymized user identification to the geolocation system when requesting each geolocation check.

(f) A geolocation check shall be conducted immediately upon the detection of a change of the patron’s internet protocol (IP) address.

(g) If the electronic wagering platform determines that a patron is located outside the state, the patron shall be provided limited access to the electronic wagering platform and to the patron’s internet gaming account limited to withdrawal or deposit of funds, viewing, and changing settings or updating the patron’s account information. The patron shall be prohibited from placing a wager until a geolocation re-check is performed and confirms the patron is located within the state.
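Illustrative example, added here and not part of the regulation text: one way a platform could schedule the checks in subsections (d), (f) and (g) and produce the trigger reason that subsection (e) requires. The `GeoResult` and `PatronSession` names, the action names, the reason strings, the ten-second floor and the `locate` callback (standing in for the geolocation service) are assumptions.

```python
from dataclasses import dataclass

MAX_INTERVAL_S = 20 * 60        # (d)(2): no interval may exceed twenty minutes
STATIC_NEAR_BORDER_S = 5 * 60   # (d)(2)(A): static connection within one mile
ASSUMED_SPEED_MPH = 70.0        # (d)(2)(B): assumed travel velocity
MIN_INTERVAL_S = 10             # assumption: floor so a patron at the border is not polled continuously
# (g): what an out-of-state patron may still do; the action names are hypothetical
LIMITED_ACTIONS = {"withdraw", "deposit", "view", "update_settings"}


@dataclass
class GeoResult:
    """Answer from the geolocation service (hypothetical shape)."""
    in_state: bool
    miles_to_border: float


def recheck_interval_s(connection: str, miles_to_border: float) -> int:
    """Seconds until the next periodic check under (d)(2)."""
    if miles_to_border < 0:
        raise ValueError("distance to border cannot be negative")
    if connection == "static":
        # "within one mile" is read inclusively here, the conservative choice
        return STATIC_NEAR_BORDER_S if miles_to_border <= 1.0 else MAX_INTERVAL_S
    if connection == "mobile":
        # time to reach the border at 70 mph, capped at twenty minutes
        travel_s = miles_to_border * 3600 / ASSUMED_SPEED_MPH
        return int(max(MIN_INTERVAL_S, min(MAX_INTERVAL_S, travel_s)))
    raise ValueError(f"unknown connection type: {connection!r}")


class PatronSession:
    def __init__(self, connection: str, ip: str):
        self.connection = connection
        self.ip = ip
        self.next_check_at = None      # None until the first check has run
        self.wagering_allowed = False  # fail closed until a check confirms in-state

    def check_reason(self, now: float, ip: str, action: str):
        """Return the trigger reason for a geolocation check, or None."""
        if ip != self.ip:
            return "ip_change"             # (f): immediately, whatever the action
        if self.next_check_at is None:
            return "first_wager" if action == "wager" else None   # (d)(1)
        if now >= self.next_check_at:
            return "periodic"              # (d)(2)
        if action == "wager" and not self.wagering_allowed:
            return "recheck_after_block"   # (g): no wager until a re-check passes
        return None

    def handle(self, now: float, ip: str, action: str, locate):
        """Run a check if one is due, then decide whether `action` is permitted.

        `locate(reason)` is the call to the geolocation service; the reason is
        passed along as (e) requires. Returns (permitted, trigger_reason).
        This sketch is request-driven; a production system would also fire the
        periodic check from a timer so idle sessions are still monitored.
        """
        reason = self.check_reason(now, ip, action)
        if reason is not None:
            result = locate(reason)
            self.ip = ip
            self.wagering_allowed = result.in_state
            self.next_check_at = now + recheck_interval_s(
                self.connection, result.miles_to_border)
        permitted = self.wagering_allowed or action in LIMITED_ACTIONS
        return permitted, reason
```
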

(h) The geolocation system shall handle location data accurately as follows:

(1) To ensure location data is accurate and reliable, the geofencing system shall:

(A) Utilize pinpointed and accurate location data sources to confirm the patron is located within state. When a mobile carrier’s data is used, the patron’s device (where the patron session occurs) and the mobile carrier’s data source shall be in proximity to each other;

(B) Disregard IP location data for devices utilizing mobile internet connections; and

(C) Possess the ability to control whether the accuracy radius of the location data source is permitted to overlap or exceed defined buffer zones or the state border.

(2) To mitigate and account for discrepancies between mapping sources and variances in geospatial data, and to ensure accuracy of locational data, the geolocation system shall:

(A) Utilize boundary polygons based on audited maps; and

(B) Overlay location information onto these boundary polygons.

(3) The geolocation system shall monitor and flag for investigation any wagers placed by a single account from geographically inconsistent locations during a single authorized patron session.
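The recheck rule for mobile connections in subsection (d)(B), the IP-change trigger in subsection (f) and the session-consistency flag in subsection (h)(3) can be sketched as follows. This is an added illustration, not part of the regulation or any operator's code. Assumptions: the `GeoCheck` record, the function names, the 600 mph flagging threshold, the use of the accuracy radius as a worst-case margin, and a border distance already computed by the geolocation system from its boundary polygons.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

ASSUMED_SPEED_MPH = 70.0      # subsection (d)(B): assumed travel velocity
MAX_INTERVAL_S = 20 * 60      # subsection (d)(B): interval never exceeds 20 minutes
IMPOSSIBLE_SPEED_MPH = 600.0  # assumption: implied speed treated as inconsistent
EARTH_RADIUS_MI = 3958.8


@dataclass(frozen=True)
class GeoCheck:
    ts: float           # time of the check, epoch seconds
    lat: float
    lon: float
    accuracy_mi: float  # accuracy radius reported by the location source
    ip: str
    border_mi: float    # distance from the fix to the state border (assumed input)


def haversine_mi(a: GeoCheck, b: GeoCheck) -> float:
    """Great-circle distance between two fixes, in miles."""
    lat1, lon1, lat2, lon2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MI * asin(sqrt(h))


def recheck_interval_s(border_mi: float, accuracy_mi: float = 0.0) -> float:
    """Seconds until the patron could reach the border at 70 mph, capped at 20 min.

    The accuracy radius is subtracted first (assumption), so an imprecise fix
    near the border is rechecked sooner rather than later.
    """
    worst_case_mi = border_mi - accuracy_mi
    if worst_case_mi <= 0:
        return 0.0
    return min(MAX_INTERVAL_S, worst_case_mi * 3600.0 / ASSUMED_SPEED_MPH)


def seconds_until_recheck(last: GeoCheck, current_ip: str, now: float) -> float:
    """Delay before the next check; zero when the IP address has changed."""
    if current_ip != last.ip:
        return 0.0  # subsection (f): check immediately on IP change
    due = last.ts + recheck_interval_s(last.border_mi, last.accuracy_mi)
    return max(0.0, due - now)


def flag_inconsistent(checks):
    """Return (ts_prev, ts_cur, implied_mph) for consecutive fixes in one
    session that could not plausibly be travelled between."""
    flagged = []
    ordered = sorted(checks, key=lambda c: c.ts)
    for prev, cur in zip(ordered, ordered[1:]):
        # Smallest distance consistent with both accuracy radii.
        min_dist = max(0.0, haversine_mi(prev, cur) - prev.accuracy_mi - cur.accuracy_mi)
        if min_dist == 0.0:
            continue
        hours = (cur.ts - prev.ts) / 3600.0
        speed = float("inf") if hours <= 0 else min_dist / hours
        if speed > IMPOSSIBLE_SPEED_MPH:
            flagged.append((prev.ts, cur.ts, speed))
    return flagged


# Constructed sample session: Hartford, then New Haven an hour later,
# then a fix in Los Angeles ten minutes after that.
SAMPLE_SESSION = [
    GeoCheck(0.0, 41.7658, -72.6734, 0.05, "198.51.100.7", 20.0),
    GeoCheck(3600.0, 41.3083, -72.9279, 0.05, "198.51.100.7", 3.0),
    GeoCheck(4200.0, 34.0522, -118.2437, 0.05, "198.51.100.7", 0.0),
]

if __name__ == "__main__":
    for c in SAMPLE_SESSION:
        print(f"t={c.ts:>6.0f}s recheck in {recheck_interval_s(c.border_mi, c.accuracy_mi):.0f}s")
    for prev_ts, cur_ts, mph in flag_inconsistent(SAMPLE_SESSION):
        print(f"flag for investigation: {prev_ts:.0f}s -> {cur_ts:.0f}s implies {mph:.0f} mph")
```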

(i) The geolocation system shall ensure location data integrity as follows:

(1) Detect and block any locational data fraud, including but not limited to proxy servers, fake location applications, virtual machines, and remote desktop programs;

(2) Utilize detection and blocking mechanisms verifiable to a source code level;

(3) Follow best practice security measures to stop “man in the middle” attacks and prevent code manipulation such as replay attacks;

(4) Detect and block non-secure devices and those which indicate any system-level tampering, including, but not limited to, rooting and jailbreaking; and

(5) Detect and flag for investigation any patron who makes repeated unauthorized attempts to access the electronic wagering platform.

(j) All location fraud shall be assessed on a single geolocation check, as well as on a cumulative basis of a patron’s history over time.

(k) The geolocation system shall:

(1) Display the specific and real-time data feed of all geolocation checks and potential fraud risks.

(2) Offer an alert system to identify unauthorized or improper access.

(3) Facilitate routine, reoccurring delivery of supplemental fraud reports that pertain to the following:

(A) Suspicious or unusual activities;

(B) Account sharing;

(C) Malicious devices; and

(D) Other high-risk transactional data.

(l) To verify the overall integrity of the geofencing system, the geofencing system shall adhere to the following system maintenance requirements:

(1) Be reviewed at least once every three months to assess and measure its continued ability to detect and mitigate existing and emerging location fraud risks;

(2) Undergo updates, at least one every three months, to implement the most current industry data collection, device compatibility, and fraud prevention capabilities; and

(3) Utilize databases that are updated daily, at a minimum, and are not open source. Such databases shall include, but not be limited to, IP, proxy, and fraud.

(m) The electronic wagering platform shall send a message to a patron notifying them of a geolocation failure, which messages shall be approved by the department prior to use.

(Effective February 1, 2022)

Sec. 12-865-10. Geolocation and Geofencing for Fantasy Contest Providers

(a) Notwithstanding the provisions of 12-865-9 of the Regulations of Connecticut State Agencies, each electronic wagering platform that exclusively provides fantasy contests shall employ a geolocation system when a patron initiates payment of an entry fee for a fantasy contest. The geolocation system shall, at a minimum, have the capacity to:

(1) Detect the location of a patron’s device notwithstanding the use of a proxy server or virtual private network, or alternatively, prohibit participation of a patron utilizing a proxy server or virtual private network;

(2) Using industry standard technologies for fantasy contests that are approved by the department, check the location of a patron’s device when submitting entry fees and prohibit a patron from submitting an entry fee when the location of the patron’s device is unable to be determined;

(3) Provide a pop-up notification to a patron when the patron is attempting to submit an entry fee when the patron’s device is unable to be located; and

(4) Notify the online gaming operator offering the fantasy contest, and the patron, if the patron’s account is being accessed from geographically inconsistent locations, including, but not limited to multiple locations that are not possible to travel between each initiation of entry fee payment.

(Effective February 1, 2022)

Sec. 12-865-11. Internet Gaming Account Management

(a) Prior to engaging in internet gaming, a patron shall establish an internet gaming account. A patron shall have only one internet gaming account for each online gaming operator for use in the State of Connecticut, except if the online gaming operator is operating multiple types of internet games on separate electronic wagering platforms, the patron may have one internet gaming account for each electronic wagering platform operated by such online gaming operator.

(b) The electronic wagering platform shall display a message prior to an internet gaming account being established informing the patron that certain individuals are prohibited from engaging in certain types of gaming. The message shall include a link to a location that provides additional information on the categories of persons prohibited from gaming. The electronic wagering platform will require the patron to affirm that the patron will not place a wager on an internet game from which the patron is prohibited.

(c) In order to establish an internet gaming account, the online gaming operator shall:

(1) Create an electronic patron file, which shall include at a minimum:

(A) Patron’s legal name;

(B) Patron’s date of birth;

(C) Entire or last four digits of the patron’s Social Security number or equivalent for a foreign patron such as a passport number or taxpayer identification number;

(D) Patron’s internet gaming account number;

(E) Patron’s address;

(F) Patron’s electronic mail address;

(G) Patron’s telephone number;

(H) Any other information collected from the patron used to verify the patron’s identity;

(I) The method used to verify the patron’s identity; and

(J) Date of verification.

(2) Encrypt all confidential information contained in an electronic patron file.

(3) Verify the patron’s identity in accordance with section 12-865-12 of the Regulations of Connecticut State Agencies or other methodology for remote multi-sourced authentication, which may include third-party and governmental databases, that may be approved by the department.

(4) Follow NIST Special Publication 800-63-3 “Digital Identity Guidelines” or other technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies for password and access security including required multi-factor identification.

(5) Verify that the patron meets the minimum legal age requirement and is not on the self-exclusion list, or otherwise prohibited from participation in gaming;

(6) Record the patron’s acceptance of the gaming entity licensee’s terms and conditions to participate in internet gaming;

(7) Record the patron’s certification that the information provided to the online gaming operator by the individual who registered is accurate;

(8) Record the patron’s acknowledgement that the patron meets the minimum legal age requirement and acknowledgement that the patron is prohibited from allowing any other person to access or use the patron’s internet gaming account; and

(9) Notify the patron of the establishment of the internet gaming account via electronic mail.

(d) Online gaming operators shall implement methods for securely issuing, modifying, and resetting a patron’s internet gaming account password, personal identification number, or other approved security feature, if applicable. Any method shall include notification to the patron following any modification via electronic or regular mail, text message, or other manner approved by the department. Such methods shall include, at a minimum, one of the following:

(1) The correct response to two or more challenge questions; or

(2) Strong authentication.

(e) Each internet gaming account shall be:

(1) Non-transferable;

(2) Unique to the patron who establishes the account; and

(3) Distinct in account number from any other account that the patron may have established with the online gaming operator in another state, territory, or on a reservation.

(f) A patron's internet gaming account may be funded through the use of:

(1) An electronic fund transfer from patron’s account, not a trust or business entity account, with a bank or other financial institution provided that the gaming entity licensee verifies the validity of the account with the financial institution;

(2) One credit card held in the name of the patron, not through a payment gateway, payment aggregator or other third-party payment processor that does not require the use of a merchant account, or one debit card, held in the name of the patron, through direct payment. A patron may only link one credit card or one debit card to the patron’s internet gaming account at any point in time. A patron may change the patron’s credit card or debit card at any point in time as long as the patron deletes the card actively linked to the internet gaming account and subsequently activates and links a different credit or debit card;

(3) Complimentaries;

(4) Winnings or prizes;

(5) Travelers checks;

(6) Certified checks;

(7) Wire transfer;

(8) Adjustments made by the online gaming operator with documented notification to the patron; or

(9) Any other means approved by the department.

(g) Funds may be withdrawn from a patron's internet gaming account by the following methods:

(1) Adjustments made by the online gaming operator with documented notification to the patron;

(2) A cash-out transfer to the debit card or credit card that was used to fund patron’s internet gaming account;

(3) Cash-out transfers directly to the patron's individual, not a trust or business entity account, account with a bank or other financial institution provided that the licensee verifies the validity of the account with the financial institution; or

(4) Any other means approved by the department.

(h) An online gaming operator shall not permit a patron to transfer funds to another patron.

(i) All adjustments to internet gaming accounts for amounts of $500.00 or less shall be periodically reviewed by supervisory personnel as set forth in the online gaming operator's internal controls. All other adjustments shall be authorized by supervisory personnel prior to being entered.

(j) Electronic wagering platforms shall provide an account statement with account details to a patron immediately on demand, which shall include detailed account activity for at least the twelve months preceding the request unless the patron requests a shorter period. In addition, an electronic wagering platform shall, upon request, be capable of providing a summary statement of all patron activity since the internet gaming account was established. Information to be provided on the summary statement shall include, at a minimum, the following:

(1) Deposits to the internet gaming account;

(2) Withdrawals from the internet gaming account;

(3) Win or loss statistics, including monetary amount won or lost;

(4) Beginning and ending account balances; and

(5) Self-imposed responsible gaming limit history, if applicable.

(k) The online gaming operator shall maintain a reserve in the amount necessary to ensure the security of funds held by the online gaming operator on behalf of patrons in internet gaming accounts. The reserve shall be in the form of:

(1) Cash or cash equivalents maintained in a U.S. bank account segregated from the online gaming operator’s operational funds;

(2) An irrevocable letter of credit;

(3) A bond;

(4) Any other form acceptable to the department; or

(5) Any combination of the allowable forms set forth in subdivisions (1) to (4), inclusive, of this subsection.

(l) The reserve shall be not less than the sum of the following:

(1) The daily ending cashable balance of all patrons’ internet gaming accounts;

(2) Pending withdrawals; and

(3) The sum of all pending internet wagers, funds transferred to an internet game not yet wagered, and pending wins.

(m) Funds held in internet gaming accounts shall not be automatically transferred by the online gaming operator. The online gaming operator shall not require a patron to transfer funds from the patron’s internet gaming account in order to circumvent the provisions of subsection (l) of this section.

(n) Amounts available to patrons for wagering that are not redeemable for cash may be excluded from the reserve computation.

(o) Upon request, the department may allow the online gaming operator to combine the reserve for all of its Connecticut internet wagering.

(p) The online gaming operator shall have access to all internet gaming account and transaction data to ensure the amount of its reserve is sufficient. Unless otherwise directed by the department, the online gaming operator shall file a monthly attestation with the department, in the form and manner prescribed by the department, that the reserve is adequately funded pursuant to this section.

(q) At least annually, the online gaming operator shall, at the operator’s own expense, submit to an independent audit of such licensee’s reserve accounts. A copy of the audit shall be provided to the department within ten days of receipt by the online gaming operator. Additionally, the department may audit an online gaming operator’s reserve accounts at any time.

(r) Based on the results of any such audits, the department may direct an online gaming operator to take any action necessary to ensure the purposes of subsections (k) to (q), inclusive, of this section are achieved, including but not limited to requiring the online gaming operator to modify the form of its reserve or increase the amount of its reserve.

(s) Patron protection information shall be readily accessible to the patron. The patron protection information shall contain at a minimum:

(1) Information about potential risks associated with excessive participation in gaming, and where to get help related to responsible gaming education and compulsive gaming support;

(2) Self-imposed limitations invoked by the patron;

(3) A list of the available patron protection measures that can be invoked by the patron, such as self-imposed limits and self-exclusion, and information on how to invoke those measures; and

(4) Mechanisms available to the patron to detect unauthorized use of the patron’s account, such as reviewing credit card statements against known deposits and for unknown charges.

(t) Patrons shall be provided an easy and obvious method to impose limitations for gaming parameters including, but not limited to, deposit caps, individual and cumulative wager maximums, and time-based limitations. Online gaming operators that offer fantasy contests may request a hardship exemption to the requirement to impose time-based limitations for fantasy contest activity, and the commissioner may waive this requirement, if the online gaming operator can demonstrate that such waiver will not detrimentally impact problem gambling or consumer protections. The self-imposed limitation method shall provide the following functionality:

(1) Upon receiving any self-imposed limitation order, the online gaming operator shall ensure that all specified limits are correctly implemented immediately or at the point in time that was clearly indicated by the patron;

(2) The self-imposed limitations set by a patron shall not override more restrictive operator imposed limitations. The more restrictive limitations shall take priority; and

(3) Once established by a patron and implemented by the online gaming operator, it shall only be possible to reduce the severity of self-imposed limitations upon twenty-four hours’ notice, or as required by the department.

(u) The electronic wagering platform shall either clearly display the amount of time, or provide a periodic pop-up message at least once every thirty minutes if a patron has not logged out of the patron’s account during such thirty minute period, that states the amount of time a patron has spent on the electronic wagering platform during that patron session.

(v) The electronic wagering platform shall clearly display to the patron the amount of funds available in the patron’s internet gaming account.

(w) An electronic wagering platform shall employ a mechanism that places an internet gaming account in a suspended mode under any of the following conditions:

(1) When requested by the patron for a specified period of time, if time-based limitations are required pursuant to subsection (t) of this section, which period shall be no less than seventy-two hours;

(2) When required by the department;

(3) Upon a determination, based on the specific type of gaming a patron is engaged in, that such patron is a prohibited patron; and

(4) When initiated by an online gaming operator that has evidence that indicates any of the following:

(A) Illegal activity;

(B) A negative internet gaming account balance; or

(C) A violation of the internet gaming account terms and conditions.

(x) When an internet gaming account is in a suspended mode, the electronic wagering platform shall do all of the following:

(1) Prevent the patron from internet gaming;

(2) Prevent the patron from depositing funds unless the internet gaming account is suspended due to having a negative balance but only to the extent the internet gaming account balance is brought back to zero dollars;

(3) Prevent the patron from withdrawing funds from the patron’s suspended account, unless the suspended mode was initiated by the patron or the withdrawal request is from the patron in the absence of any suspected fraud or misconduct;

(4) Prevent the patron from making changes to the patron’s internet gaming account;

(5) Prevent the deletion of the internet gaming account from the electronic wagering platform; and

(6) Prominently display to the patron that the internet gaming account is in a suspended mode, the restrictions placed on the internet gaming account, and any further course of action needed to remove the suspended mode.

(y) The online gaming operator shall notify a patron immediately via electronic mail and text message, unless the patron has selected either electronic mail or text message solely for fantasy contest internet gaming accounts, or other method approved by the department, whenever the patron’s internet gaming account has been closed or placed in a suspended mode. Such notification shall include the restrictions placed on the internet gaming account and any further course of action needed to remove the restriction.

(z) A suspended account may be restored for any of the following reasons:

(1) Upon expiration of the time period established by the patron;

(2) If authorized by the department;

(3) When the patron is no longer a prohibited patron; and

(4) When the online gaming operator has lifted the suspended status after concluding that the basis for the suspension no longer applies to the account or patron.

(Effective February 1, 2022)

Sec. 12-865-12. Age and Identity Verification

(a) Online gaming operators shall conduct a comprehensive identity check before an individual is allowed to open an internet gaming account. An online gaming operator may contract with a third-party for age and identity verification of individuals seeking to open an internet gaming account.

(b) The online gaming operator shall ensure that any individual under the legal age to participate is denied the ability to open an internet gaming account, deposit funds or participate in gaming. The comprehensive identity check shall include, at minimum, an identity search of the individual’s name, date of birth, address, and last four digits of the individual’s social security number, government issued identification card, including, but not limited to, a passport or other U.S. government issued travel document or tax identification number. In addition, prior to opening an internet gaming account, an online gaming operator shall utilize identity authentication questions that require a patron to provide information known only to the patron such as previous addresses or credit transactions, unless an alternate method of authentication of equal or greater security and effectiveness is approved in writing by the department. Where a prospective patron’s age or identity information is rejected by the online gaming operator, the prospective patron shall be afforded a means to attempt to resolve the rejection by providing additional identifying information.

(c) An identity check to create an internet gaming account exclusively for the purpose of fantasy contests shall not be subject to the provisions of subsection (b) of this section. To verify the identity of a patron engaging exclusively in fantasy contests, an online gaming operator shall require the patron to submit the individual’s full legal name, date of birth, address, and electronic mailing address. Online gaming operators shall take commercially and technologically reasonable measures to verify fantasy contest patrons' true identities and shall use such information, at a minimum, to enforce age restrictions. The patron shall also attest to the patron’s age and authenticity of identity.

(d) Only patrons twenty-one years of age and older may open an internet gaming account, deposit funds or participate in sports wagering or online casino gaming.

(e) Only patrons eighteen years of age and older may open an internet gaming account, deposit funds or participate in fantasy contests, keno or the purchase of tickets for lottery draw games through the Internet or a mobile application.

(f) An online gaming operator shall void all wagers and entry fees placed by a patron who does not meet the minimum age requirement, in accordance with section 12-865-34 of the Regulations of Connecticut State Agencies, and shall dispense any amounts won to the patron or patrons who were the next runner- or runners-up and to each next eligible patron in the fantasy contest, if possible to determine, or the amounts deposited and won shall be dispensed to the chronic gamblers treatment rehabilitation account, established under section 17a-713 of the Connecticut General Statutes. An online gaming operator shall keep a record of any such voided transactions and the reason for voiding the transaction.

(g) Before accepting a wager from a patron, an online gaming operator shall use commercially reasonable standards to confirm that the patron is not a prohibited patron with regard to the internet game the patron is seeking to participate in, including but not limited to using reasonably available public information and by exercising reasonable efforts to obtain information from the department or the relevant sports governing body.

(h) Online gaming operators shall check the self-exclusion database established pursuant to section 12-865-23 of the Regulations of Connecticut State Agencies to confirm that a patron is not an excluded person prior to opening an internet gaming account and shall refuse to open the account if such patron is an excluded person.

(i) Online gaming operators and online gaming service providers shall protect the details of patron verification in the same manner as confidential information.

(j) An online gaming operator shall develop and implement risk-based procedures for conducting ongoing patron due diligence, including, but not limited to:

(1) Obtaining and analyzing patron information such as the patron’s historical pattern of transactions and the patron’s historic funding source for the purpose of developing a patron risk profile;

(2) Conducting ongoing monitoring to identify and report suspicious transactions; and

(3) Identifying signs that a patron's identification has been compromised.

(k) Prior to conducting internet gaming or establishing an internet gaming account, the online gaming operator shall develop and implement a policy for the handling of patrons discovered to be using an internet gaming account in a fraudulent manner, that includes but is not limited to:

(1) The maintenance of information about any patron’s activity, such that if fraudulent activity is detected, the department or law enforcement has all of the necessary information to investigate and take appropriate action;

(2) The suspension process for any internet gaming account discovered to be providing access to fraudulent patrons; and

(3) The treatment of deposits, wagers, and wins associated with a fraudulent internet gaming account.

(Effective February 1, 2022)

Sec. 12-865-13. Electronic Wagering Platform Requirements

(a) The provisions of this section apply to all electronic wagering platforms used by an online gaming operator to offer any of the following, directly or through a sports wagering retailer:

(1) Interactive online games;

(2) Retail sports wagering;

(3) Online keno; and

(4) Online lottery.

(b) All equipment for an electronic wagering platform under this section, except equipment used exclusively for fantasy contests, shall be located as follows:

(1) Hardware shall be located in a facility owned or leased by the online gaming operator that is secure, inaccessible to the public, and specifically designed to house that equipment, and where the equipment shall be under the control of the online gaming operator, within the state or located as permitted under subsection (bb) of this section; and

(2) Hardware and any backup hardware for an electronic wagering platform used solely to operate fantasy contests is not required to be located within the State of Connecticut.

(c) Online gaming operators shall take commercially reasonable steps to ensure that redundancy protocols are adopted in the event electronic wagering platform outages occur. Such steps shall include that the backup hardware is located in a secure facility, inaccessible to the public and located in the state. The department may permit backup hardware for the operation of online lottery and online keno to be located outside of the state if an appropriate location is approved by the department in writing, which approval shall be at the commissioner’s discretion and not subject to administrative appeal. The online gaming operator shall ensure the department has access to the physical location where the server is housed within six hours of a request by the department, which access shall be reflected in the agreement between the online gaming operator and the cloud-based server host.

(d) The online gaming operator shall provide access to electronic wagering platform related data considered necessary by the department and in a manner approved by the department. For electronic wagering systems operating online lottery and keno, the online gaming operator shall give the department the ability to independently monitor the electronic wagering platform transactions and reporting related to online lottery and keno.

(e) An electronic wagering platform used for operating online keno and online lottery shall also comply with the provisions set forth in sections 12-865-17 and 12-865-21 of the Regulations of Connecticut State Agencies.

(f) Electronic wagering platforms shall require a patron after fifteen minutes of user inactivity, as measured by the electronic wagering platform, to re-enter his or her username and password manually or through biometric authentication, including fingerprint, facial or voice recognition, or any other method approved by the department.

(g) Each online gaming operator offering internet gaming shall comply with the data privacy provisions of section 12-865-32 and the cybersecurity provisions of section 12-865-33 of the Regulations of Connecticut State Agencies and shall perform an annual system integrity and security assessment conducted by an independent security professional selected by the licensee and licensed by the department as an online gaming service provider. The independent professional's report on the assessment shall be submitted to the department annually within thirty days of submission of the report to the licensee and shall include:

(1) Scope of review;

(2) Name and company affiliation of the individual or individuals who conducted the assessment;

(3) Date of the assessment;

(4) Findings;

(5) Recommended corrective action, if applicable; and

(6) Licensee's response to the findings and recommended corrective action.

(h) An electronic wagering platform shall utilize sufficient security to ensure patron access is appropriately limited to the account holder. Unless otherwise authorized by the department, security measures shall include at a minimum:

(1) A username;

(2) Compliance with NIST Special Publication 800-63-3 “Digital Identity Guidelines” for password and access security including requiring two of the three multi-factor identification methods, which include a (i) strong alphanumerical password; (ii) fingerprint or other biometric data; and (iii) cryptographic key by SMS or electronic mail verification, or other requirements set forth by the department under section 12-865-3(n) of the Regulations of Connecticut State Agencies; and

(3) Electronic notification to the patron's registered electronic mailing address, cellular phone or other device each time an internet gaming account is accessed, except that a patron may opt out of such notification.

(i) An electronic wagering platform shall be designed to detect and report:

(1) Suspicious behavior, such as cheating, theft, embezzlement, collusion, money laundering, or any other illegal activities; and

(2) The creation of an account by an excluded person or any individual who is prohibited from any form of internet gaming.

(j) Internet gaming account access information shall not be permanently stored on a patron device that is provided for patron use at a sports wagering retailer facility. Such information shall be masked after entry, encrypted immediately after entry is complete, and may be temporarily stored or buffered during patron entry provided that the buffer is automatically cleared as follows:

(1) After the patron confirms that the account access entry is complete; or

(2) If the patron fails to complete the account access entry within one minute.

(k) Unless otherwise approved by the department, an electronic wagering platform shall associate a patron's account with a single patron device during each patron session.

(l) Each patron session shall have a unique identifier assigned by the electronic wagering platform.

(m) The electronic wagering platform shall immediately terminate a patron session whenever:

(1) Required by the department or licensee;

(2) The patron ends a session;

(3) The patron logs onto the system from another patron device;

(4) The patron fails more than once any authentication during a game or patron session; or

(5) A system error impacts game play.

(n) Electronic wagering platforms shall employ a mechanism that can detect and prevent any patron initiated wagering or withdrawal activity that would result in a negative balance of an internet gaming account.

(o) Electronic wagering platforms shall disable a patron's account after three failed log in attempts and require strong authentication to recover or reset a password or username.

(p) An electronic wagering platform shall allow a patron to establish responsible gaming limits. Any change making the limits more restrictive shall be effective no later than the patron's next log in. Any change making the limits less restrictive shall become effective only after the time limit previously established by the patron has expired and the patron reaffirms the requested change. Responsible gaming limit options offered to patrons shall include, but are not limited to, the following:

(1) A deposit limit shall be offered on a daily, weekly, and monthly basis and shall specify the maximum amount of money a patron may deposit into his or her internet gaming account during a particular period of time.

(2) A spend limit shall be offered on a daily, weekly, and monthly basis and shall specify the maximum amount of patron deposits that may be put at risk during a particular period of time.

(3) A time-based limit shall be offered on a daily basis and shall specify the maximum amount of time, measured hourly from the patron's log in to log off, a patron may spend playing on an electronic wagering platform, provided, however, that if the time-based limit is reached a patron will be permitted to complete any round of play.

(q) An electronic wagering platform shall implement automated procedures to identify and prevent the following individuals from placing a wager:

(1) Individuals under the minimum legal age;

(2) Individuals outside of Connecticut;

(3) Individuals on the self-exclusion list;

(4) Patrons who have had their account closed;

(5) Patrons who have had their account suspended;

(6) Patrons who have exceeded their spend or time-based limit; and

(7) Patrons prohibited from placing a wager pursuant to the act, but only with regard to the categories of games that such patrons are prohibited from participating in.

(r) An electronic wagering platform shall provide a patron with the ability to view the outcome and subsequent account balance changes for the previous game, including a game completed subsequent to an outage (for example, network disconnection or patron device malfunction).

(s) Unless otherwise approved by the department, a record of all complimentaries redeemed in the state shall be maintained in an electronic file that is readily available to the department. The master wagering licensee and online gaming operator shall only deduct complimentaries redeemed in the state from gross gaming revenue. All complimentaries shall be stated in clear and unambiguous terms and shall be readily accessible by the patron. Offer terms and the record of all offers for complimentaries shall include at a minimum:

(1) The date and time presented;

(2) The date and time the offer is active and expires; and

(3) Patron eligibility and redemption requirements.

(t) Manual adjustments by a licensee to internet gaming data shall only be made by a software application approved by the department.

(u) When a patron's lifetime deposits exceed $2,500, the electronic wagering platform shall prevent any wagering until the patron acknowledges the following:

(1) The patron has met the department's lifetime gaming deposit threshold of $2,500;

(2) The patron has the capability to establish responsible gaming limits or close the patron’s account;

(3) The message “If you or someone you know has a gambling problem and wants help, call (888) 789-7777 or visit ccpg.org/chat,” or the equivalent of such message in a language other than English. The department may update the phone number or web address to be displayed by providing ten days’ notice to each licensee, after which time the licensee shall display the new number and address. The department shall consult with the Department of Mental Health and Addiction Services prior to revising the required problem gambling message and shall provide ten days’ notice to each licensee, after which time the licensee shall display the new message; and

(4) The acknowledgements prescribed in subdivisions (2) and (3) of this subsection shall be required every six months after the patron has met the department’s lifetime gaming deposit threshold of $2,500.

(v) Gaming entity licensees may utilize celebrity or other players to participate in peer-to-peer gaming for advertising or publicity purposes. Such players may have their accounts funded in whole or in part or may be paid a fee by a gaming entity licensee. If a celebrity player is utilized and the celebrity player generates winnings or prizes that the gaming entity licensee does not permit the celebrity player to retain, such winnings or prizes shall be included as internet gaming gross revenue in a manner approved by the department.

(w) The system requirements in this section apply to all of the following components of an electronic wagering platform:

(1) Electronic wagering platform components which record, store, process, share, transmit or retrieve confidential information;

(2) Electronic wagering platform components which generate, transmit or process random numbers used to determine the outcome of games or virtual events;

(3) Electronic wagering platform components which store results or the current state of the patron’s wager;

(4) Points of entry and exit from the systems described in subdivisions (1) to (3), inclusive, of this subsection or other systems which are able to communicate directly with core critical systems; and

(5) Communication networks which transmit patron information.

(x) An online gaming operator shall not engage in any public facing gaming activity unless its electronic wagering platform has been tested and certified by a licensed independent laboratory as set forth in section 12-865-19 of the Regulations of Connecticut State Agencies. Online gaming operators shall comply with the following to obtain authorization from the department to use an electronic wagering platform in the state:

(1) Prior to engaging in any public facing gaming activity, the online gaming operator shall submit an application to the department in the manner and form prescribed by the department and provide the documentation required under subsection (y) of this section to request authorization for the use of its electronic wagering platform. The department will review the application and make a suitability determination as set forth in section 12-865-19 of the Regulations of Connecticut State Agencies.

(2) The department may require that an electronic wagering platform be re-certified by a licensed independent testing laboratory and the new certification submitted to the department in the event that the department suspects that the integrity of the electronic wagering platform may be vulnerable or compromised.

(3) The online gaming operator is responsible for all costs associated with testing and obtaining certifications or re-certification.

(y) The online gaming operator shall provide all of the following information and any additional information that the department may request:

(1) A complete, comprehensive, and technically accurate description and explanation of the electronic wagering platform and its intended use in both technical and lay language.

(2) Detailed operating procedures or service manuals, or both, of the electronic wagering platform.

(3) A summary description of internet game play, system features, and fault conditions.

(4) Details of all tests performed on the electronic wagering platform, the conditions and standards under which the tests were performed, the test results, and the identity of the individual who conducted each test.

(5) A description of all hardware devices.

(6) A description of all software including software version.

(7) A description of all wagering communications.

(8) A description of all third-party integrated systems.

(9) Any equipment that is required to perform testing.

(10) A description of the risk management framework including, but not limited to:

(A) User access controls for all electronic wagering personnel;

(B) Information regarding segregation of duties;

(C) Information regarding automated risk management procedures;

(D) Information regarding fraud detection;

(E) Controls for ensuring regulatory compliance; and

(F) Anti-money laundering compliance standards.

(z) Electronic wagering platform and internet games technical standards.

(1) Any electronic wagering platform or internet game shall meet or exceed the specifications set forth in sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies and other technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies. Failure to comply with the approved specifications, internal controls, or technical standards may result in disciplinary action by the department.

(2) Online gaming operators shall meet or exceed the specifications set forth in sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies and any other technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies.

(3) If the electronic wagering platform meets or exceeds the technical standards adopted in subdivision (1) of this subsection, the independent testing laboratory shall certify the electronic wagering platform. Online gaming operators are prohibited from offering gaming in the state without such certification and written approval by the department. The online gaming operator is responsible for all costs associated with testing and obtaining such certifications.

(4) All internet games offered by the online gaming operator shall meet or exceed the technical standards adopted in sections 12-865-15 and 12-865-18 of the Regulations of Connecticut State Agencies and any technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies. Online gaming operators are prohibited from offering any internet game without written approval by the department. The online gaming operator is responsible for all costs associated with testing and obtaining such approvals.

(aa) Additional electronic wagering platform and internet game technical standards.

(1) Software utilized for gaming shall either:

(A) Continuously display the current time in the state of Connecticut and the time elapsed that a patron has been in the current patron session, or

(B) Cause a pop-up notification, at least every thirty minutes, to be prominently displayed on the remote patron device advising the patron of the current time and the amount of time elapsed since the patron’s log on.

(2) An electronic wagering platform shall not induce a patron to continue placing wagers when play is in session, when the patron attempts to stop wagering, when the patron closes the app or program, or when the patron wins or loses a wager.

(3) No auto play feature will be permitted in an electronic wagering platform, unless otherwise provided in subdivision (kk)(6) of this section.

(4) All internet games shall operate in accordance with the game rules and internet gaming account terms and conditions approved by the department.

(bb) Location of servers, security, and cloud storage.

(1) A master wagering licensee and online gaming operator shall place servers or other equipment for the receipt or acceptance of patron wagers and simulcasting live online casino games in secure locations within the state. Equipment not associated with the receipt or acceptance of patron wagers, or simulcasting live online casino games, including remote game servers that are used to determine winners, may be located outside of the state, provided that the location of such equipment complies with all applicable laws, and provided further, that any data located on such equipment shall be available for audit by the department. The location selected shall have adequate security, protections, and controls over the servers or other equipment that is capable of receiving wagers, including those adopted in section 12-865-3(h) of the Regulations of Connecticut State Agencies. The master wagering licensee and online gaming operator shall provide the department with information on the location of all servers and other equipment used in internet gaming under the act, and the department shall have unfettered access to these locations and the data located there with all travel expenses related to inspection of such servers paid for by the master wagering licensee.

(2) The department may approve of the use of cloud storage for duplicate data upon written request of an online gaming operator. All cloud storage shall meet the requirements of subsection 12-865-3(h) of the Regulations of Connecticut State Agencies.

(cc) Communication standards.

(1) All electronic wagering platforms shall be designed to ensure the integrity and confidentiality of all individual and patron communications and ensure the proper identification of the sender and receiver of all communications.

(2) If communications are performed across a public or third-party network, the electronic wagering platform shall either encrypt the data packets or utilize a secure communications protocol to ensure the integrity and confidentiality of the transmission.

(3) Online gaming operators shall meet or exceed the following communication standards:

(A) Wireless communications between a patron device and an electronic wagering platform that is controlled by the online gaming operator shall be secured using robust wireless security and encryption protocols.

(B) An online gaming operator shall mask the service set identification (SSID) of the electronic wagering platform network to ensure that it is unavailable to the general public.

(C) All communications that contain confidential information, patron data, wagers or results, or patron transaction information shall utilize a secure method of transfer such as:

(i) 256-bit key or higher encryption; or

(ii) any other method approved by the department.

(D) Only devices authorized by the department are permitted to establish communications between a patron device and an electronic wagering platform.

(E) An electronic wagering platform shall maintain an internal clock that reflects the current date and time that shall be used to synchronize the time and date among all components that comprise the electronic wagering platform. The electronic wagering platform date and time shall be visible to a patron when logged on.

(4) All data transfers, including for file integrity check sum verification, shall utilize a minimum of a 256-bit key or higher encryption level.

(5) Notwithstanding the minimum standards established in this section, an online gaming operator shall employ reasonable efforts to ensure it meets or exceeds current industry recognized communication standards, which may include, without limitation, timely replacement or upgrading of obsolete technology.

(dd) Gaming data logging standards.

(1) All electronic wagering platforms shall employ a mechanism capable of maintaining a separate copy of all information the department requires to be logged on a separate and independent logging device capable of being administered by an employee with no incompatible function. For the purposes of this subdivision, “incompatible function” means a function or duties that place any person or department in a position to perpetuate and conceal errors, fraudulent or otherwise. If the electronic wagering platform can be configured such that any logged data is contained in a secure transaction file, a separate logging device is not required.

(2) Online gaming operators shall meet or exceed all gaming data logging standards prescribed by the department and shall address all gaming data logging requirements in the internal controls submitted to the department for approval.

(3) The electronic wagering platform shall provide a mechanism for the department to query and export, in a read-only format required by the department, all electronic wagering platform data related to internet gaming and retail sports wagering. Data logging standards prescribed by the department are as follows:

(A) Account Creation Log: Electronic wagering platforms shall log the date and time that any account is created or terminated in a secure electronic log.

(B) Internet Gaming Activity Log: Electronic wagering platforms shall maintain all information necessary to recreate a patron’s wagering and account activity during each patron session, including any identity or location verifications, for a period of no less than five years in a secure electronic log.

(C) Retail Sports Wagering Activity Log: Electronic wagering platforms shall maintain all information of retail sports wagering conducted at retail sports wagering facilities, for a period of no less than five years in a secure electronic log.

(D) Software Installation and Removal Log: Unless otherwise authorized by the department, when software is installed on or removed from an electronic wagering platform, such action shall be recorded in a secure electronic log. This log shall minimally include the following:

(i) The date and time of the action;

(ii) The identification of the software; and

(iii) The full identity and user ID of the individual performing the action.

(E) Game Availability Log for Internet Casino Gaming: Unless otherwise authorized by the department, when a change in the availability of online casino game software is made on an electronic wagering platform, the change shall be recorded in a secure electronic log including no less than the following:

(i) The date and time of the change;

(ii) The identification of the software; and

(iii) The full identity and user ID of the individual performing the change.

(F) Promotions Log: Unless exempted by the department, an electronic wagering platform shall record all complimentaries and promotions issued and redeemed through the electronic wagering platform in a secure electronic log. This log shall provide the information necessary to audit compliance regarding the terms and conditions of current and previous complimentaries and promotions.

(G) Authentication Log: Results of all authentication attempts shall be retained in a secure electronic log and accessible for no less than a period of ninety days.

(H) Adjustments Log: All adjustments to an electronic wagering platform’s data made using stored procedures shall be recorded in a secure electronic log. This log shall contain no less than the following:

(i) The date and time of the adjustment;

(ii) the full identity and user ID of the individual performing the action;

(iii) a description of the event or action taken; and

(iv) the initial and ending values of any data altered as a part of the event or action performed.

(I) If a date and time is required in any log, the following format shall be used:

(i) Date: mm/dd/yyyy; and

(ii) Time: hh:mm:ss.
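A record check for the minimum contents listed in subparagraphs (D), (E) and (H) and the date and time format in subparagraph (I), as an added example that is not part of the regulation. The field names, the log-type keys, the 24-hour reading of hh:mm:ss and the sample entries are constructed assumptions.

```python
import re
from datetime import datetime

# Minimum fields per log type, following (dd)(3)(D), (E) and (H).
# Field names are hypothetical; the regulation names the content, not the keys.
_SOFTWARE_FIELDS = ("date", "time", "software_id", "full_identity", "user_id")
REQUIRED = {
    "software_install": _SOFTWARE_FIELDS,
    "game_availability": _SOFTWARE_FIELDS,
    "adjustment": ("date", "time", "full_identity", "user_id",
                   "description", "initial_value", "ending_value"),
}

DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4}")   # mm/dd/yyyy
TIME_RE = re.compile(r"\d{2}:\d{2}:\d{2}")   # hh:mm:ss (assumed 24-hour clock)


def _well_formed(value, pattern, fmt) -> bool:
    """Strict shape check first, then calendar/clock validity."""
    if not isinstance(value, str) or not pattern.fullmatch(value):
        return False
    try:
        datetime.strptime(value, fmt)
    except ValueError:
        return False
    return True


def validate_entry(log_type: str, entry: dict) -> list:
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    for name in REQUIRED[log_type]:
        value = entry.get(name)
        if value is None or str(value).strip() == "":
            problems.append(f"missing {name}")
    if entry.get("date") and not _well_formed(entry["date"], DATE_RE, "%m/%d/%Y"):
        problems.append("date not mm/dd/yyyy")
    if entry.get("time") and not _well_formed(entry["time"], TIME_RE, "%H:%M:%S"):
        problems.append("time not hh:mm:ss")
    return problems


def audit(entries: list) -> dict:
    """Map the index of each failing (log_type, entry) pair to its problems."""
    failures = {}
    for index, (log_type, entry) in enumerate(entries):
        problems = validate_entry(log_type, entry)
        if problems:
            failures[index] = problems
    return failures


# Constructed sample entries, not real log data.
SAMPLE = [
    ("adjustment", {"date": "03/05/2024", "time": "14:02:09",
                    "full_identity": "Jordan Example", "user_id": "jexample",
                    "description": "Corrected duplicate deposit posting",
                    "initial_value": "150.00", "ending_value": "100.00"}),
    ("adjustment", {"date": "2024-03-05", "time": "14:02:09",
                    "full_identity": "Jordan Example", "user_id": "jexample",
                    "description": "Balance correction",
                    "initial_value": "150.00"}),
    ("software_install", {"date": "02/30/2024", "time": "9:15:00",
                          "software_id": "wager-engine 4.2.1",
                          "full_identity": "Sam Example", "user_id": ""}),
]

if __name__ == "__main__":
    for index, problems in audit(SAMPLE).items():
        print(index, problems)
```
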

(ee) Self-monitoring of electronic wagering platform critical components. An electronic wagering platform shall, at least once every twenty-four hours, perform a self-authentication process on all software used to offer, record, and process electronic wagers that is a critical component to ensure there have been no unauthorized modifications. If there is an authentication failure, the electronic wagering platform shall immediately notify the master wagering licensee, the online gaming operator and the department. The results of all self-authentication attempts shall be retained by the electronic wagering platform for not less than ninety days.

(ff) Change approval.

(1) All new core functions shall be tested and certified by a licensed independent testing lab in accordance with this section prior to installation on an electronic wagering platform.

(2) An online gaming operator shall notify the department prior to the installation of any substantial change to a core function on an electronic wagering platform. The notification shall include a clear identification of the core function that is affected, an explanation of the reason for the change, and an identification of any critical files affected.

(3) The department may order that the substantial change to a core function be tested and certified in accordance with this section prior to installation on an electronic wagering platform. If the department does not order testing and certification within seven days after the notification, the online gaming operator may install the substantial change on the electronic wagering platform.

(4) The online gaming operator is not required to notify the department of changes to non-core functions, except when any such change is related to or impacts a core function.

(5) When an unanticipated incident occurs, or is reasonably suspected to have occurred, that causes a disruption in the operation, security, accuracy, integrity, or availability of the electronic wagering system, the online gaming operator shall, upon discovery, notify the department in writing. The online gaming operator may then implement substantial changes to core functions of the electronic wagering platform without prior notification to the department. The online gaming operator shall submit to the department in writing an incident report that details the incident and the corrections made within twelve hours of such corrective actions. The department may require the online gaming operator to submit the electronic wagering platform to an independent outside lab for recertification and provide the department with the new certification for the electronic wagering platform.

(6) Changes based on subdivision (5) of this subsection shall be documented in the change log and the online gaming operator shall notify the master wagering licensee upon implementation of such changes.

(7) The online gaming operator shall submit change control processes that detail evaluation procedures for all updates and changes to equipment and the electronic wagering platform to the department for approval. These processes shall include details for identifying the criticality of updates and determining the updates that shall be submitted to a licensed independent testing laboratory for review and certification.

(gg) Electronic wagering platform assessment.

(1) Each online gaming operator shall, within ninety days after commencing operations, and annually thereafter, obtain an electronic wagering platform integrity and security assessment conducted by a licensed independent professional selected by the online gaming operator. The scope of the electronic wagering platform integrity and security assessment is subject to approval of the department and shall include, at a minimum, all of the following:

(A) A vulnerability assessment of internal, external, and wireless networks with the intent of identifying vulnerabilities of all devices, the electronic wagering platform, and applications connected to or present on the networks.

(B) A penetration test of all internal, external, and wireless networks to confirm if identified vulnerabilities of all devices, the electronic wagering platform, and applications are susceptible to compromise.

(C) A policy and procedures review against the current NIST 800 standard or other requirements set forth by the department under section 12-865-3(n) of the Regulations of Connecticut State Agencies.

(D) Any other specific criteria or standards for the electronic wagering platform integrity and security assessment as prescribed by the department.

(2) The independent professional's entire report on the assessment shall be submitted to the department and shall include all the following:

(A) Scope of review;

(B) Name and company affiliation of the individual or individuals who conducted the assessment;

(C) Date of assessment;

(D) Findings;

(E) Recommended corrective action, if applicable; and

(F) Master wagering licensee and online gaming operator’s response to the findings and recommended corrective action.

(hh) Online gaming operator’s T&S controls.

(1) An online gaming operator shall adopt, implement, and maintain controls that meet or exceed those specified in subdivision (2) of this subsection. The T&S controls shall apply, at a minimum, to all the following critical components of the electronic wagering platform:

(A) Components that record, store, process, share, transmit, or retrieve sensitive information, including, but not limited to, validation numbers, personal identification numbers, and individual and patron data.

(B) Components that generate, transmit, or process random numbers used to determine the outcome of games or virtual events.

(C) Components that store results or the current state of a patron’s electronic wager.

(D) Points of entry to and exit from the components provided for in subparagraphs (A) to (C), inclusive, of this subdivision and other systems that are able to communicate directly with core critical electronic wagering platform components.

(E) Communication networks that transmit sensitive information involving internet gaming under the act.

(2) The following T&S controls are the minimum standards an online gaming operator shall incorporate into its internal controls:

(A) T&S controls addressing electronic wagering platform operations and security include, but are not limited to, all of the following:

(i) Electronic Wagering Platform Operations and Security. The online gaming operator shall adopt, implement, and maintain procedures for, at a minimum, the following:

(I) Monitoring the critical components and the transmission of data of the entire electronic wagering platform.

(II) Maintenance of all aspects of security of the electronic wagering platform to ensure secure and reliable communications.

(III) Defining, monitoring, documenting, reporting, investigating, responding to, and resolving security incidents.

(IV) Monitoring and adjusting resource consumption and maintaining a log of the electronic wagering platform performance.

(V) Investigating, documenting, and resolving malfunctions.

(ii) Physical Location of Servers and Security. The electronic wagering platform shall be housed in secure locations. Online gaming operators shall provide the department with information on the location of all electronic wagering platform servers. The secure locations shall have sufficient protection from unauthorized access and physical and environmental hazards and be equipped with surveillance and security systems that meet or exceed industry standards.

(iii) Electronic Wagering Platform Logical Access Controls. The electronic wagering platform shall be logically secured against unauthorized access.

(iv) Electronic Wagering Platform User Authorization. The electronic wagering platform shall be subject to user authorization requirements as required by the department.

(v) Server Programming. The electronic wagering platform shall be sufficiently secure to prevent any user-initiated programming capabilities on the server that may result in unauthorized modifications to the database.

(vi) Verification Procedures. Procedures shall be in place for verifying on demand that the critical control program components of the electronic wagering platform in the production environment are identical to those approved by the department.

(vii) Electronic Document Retention System. The online gaming operator shall establish procedures that ensure that all reports required under the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies are stored in an electronic document retention system.

(viii) Asset Management. All assets that house, process, or communicate sensitive information, including those comprising the operating environment of the electronic wagering platform or its components, or both, shall be accounted for and have a key employee that is responsible for each asset.
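One way to carry out the self-authentication in subsection (ee) and the on-demand check in item (vi), Verification Procedures, above, shown as an added example that is not part of the regulation or of any certified platform. The SHA-256 manifest of approved components, the file names, the function names and the in-memory result history are assumptions; delivering the notifications is outside the sketch.

```python
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

CHECK_INTERVAL = timedelta(hours=24)  # (ee): at least once every twenty-four hours
RETENTION = timedelta(days=90)        # (ee): results retained not less than ninety days
NOTIFY_ON_FAILURE = ("master wagering licensee", "online gaming operator", "department")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_components(approved: dict, root: Path) -> dict:
    """Compare files under root with the approved manifest {relative path: sha256}."""
    findings = {}
    for rel, expected in approved.items():
        target = root / rel
        if not target.is_file():
            findings[rel] = "missing"
        elif sha256_file(target) != expected:
            findings[rel] = "modified"
        else:
            findings[rel] = "ok"
    # A file that is present but was never approved is also an unauthorized change.
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in approved:
                findings[rel] = "unapproved"
    return findings


def record_run(history: list, findings: dict, now: datetime) -> dict:
    """Store the result of one run and drop only results older than ninety days."""
    failed = sorted(rel for rel, status in findings.items() if status != "ok")
    entry = {"time": now, "passed": not failed, "failed": failed,
             "notify": list(NOTIFY_ON_FAILURE) if failed else []}
    history.append(entry)
    history[:] = [e for e in history if now - e["time"] <= RETENTION]
    return entry


def check_overdue(history: list, now: datetime) -> bool:
    """True when no run has completed within the last twenty-four hours."""
    if not history:
        return True
    return now - max(e["time"] for e in history) > CHECK_INTERVAL


def demo() -> dict:
    """Constructed scenario: a clean run, then a run after two unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "wager_engine").write_bytes(b"approved build 1.0")
        (root / "bin" / "rng_service").write_bytes(b"approved rng 1.0")
        approved = {p.relative_to(root).as_posix(): sha256_file(p)
                    for p in root.rglob("*") if p.is_file()}
        history = []
        t0 = datetime(2024, 1, 1)
        first = record_run(history, verify_components(approved, root), t0)
        # Constructed drift: one approved file altered, one unapproved file added.
        (root / "bin" / "rng_service").write_bytes(b"changed after approval")
        (root / "bin" / "helper").write_bytes(b"not in manifest")
        second = record_run(history, verify_components(approved, root),
                            t0 + timedelta(hours=24))
        return {"first": first, "second": second, "kept": len(history),
                "overdue": check_overdue(history, t0 + timedelta(hours=49))}


if __name__ == "__main__":
    print(demo())
```
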

(B) T&S controls addressing data security and backup recovery include, but are not limited to, all of the following:

(i) Data Security. The electronic wagering platform shall provide a logical means for securing individual and patron data and wagering data, including accounting, reporting, significant event, or other sensitive information, against alteration, tampering, or unauthorized access.

(ii) Data Alteration. The alteration of any accounting, reporting, or significant event data relating to electronic wagering under the act is not permitted without supervised access controls. If any data is changed, all information required by the department shall be documented or logged.

(iii) Backup Frequency. Backup scheme implementation relating to information involving electronic wagering under the act shall occur at least once every day or as otherwise specified by the department.

(iv) Storage Medium Backup. Audit logs, electronic wagering platform databases, and any other pertinent patron data and wagering data shall be stored using reasonable protection methods. The electronic wagering platform shall be designed to protect the integrity of this data if there is a failure. Redundant copies of this data shall be kept on the electronic wagering platform with open support for backups and restoration, so that no single failure of any portion of the electronic wagering platform would cause the loss or corruption of the data.

(v) Electronic Wagering Platform Failure. The electronic wagering platform shall have sufficient redundancy and modularity so that if any single component or part of a component fails, the functions of the electronic wagering platform and the process of auditing those functions can continue with no critical data loss. If two or more components are linked, the process of all electronic wagering operations between the components shall not be adversely affected by restart or recovery of either component and upon restart or recovery, the components shall immediately synchronize the status of all transactions, data, and configurations with one another.

(vi) Accounting and Master Resets. The online gaming operator shall be able to identify and properly handle the situation where a master reset has occurred on any component that affects gaming under the act.

(vii) Recovery Requirements. If there is a catastrophic failure which results in the electronic wagering platform being unable to be restarted in any other way, the electronic wagering platform shall be restored from the last backup point and fully recovered. The contents of that backup shall contain all critical information to fully restore the electronic wagering platform as required by the department.

(viii) Uninterrupted Power Supply (UPS) Support. All electronic wagering platform components shall be provided with adequate primary power. If the server is a stand-alone application, it shall have a UPS connected and shall have sufficient capacity to permit a methodical shut-down that retains all individual and patron data and wagering data during a power loss. It is acceptable that the electronic wagering platform may be a component of a network that is supported by a network-wide UPS if the server is included as a device protected by the UPS. There shall be a surge protection system in use if not incorporated into the UPS itself.

(ix) Business Continuity and Disaster Recovery Plan. A business continuity and disaster recovery plan shall be in place to recover gaming and wagering operations if the electronic wagering platform’s production environment is rendered inoperable.

(C) T&S controls addressing communications include, but are not limited to, all of the following:

(i) Connectivity. Only authorized devices are permitted to establish communications between any electronic wagering platform components.

(ii) Communication Protocol. Each component of the electronic wagering platform shall function as indicated by a documented secure communication protocol.

(iii) Communication Over Electronic and Public Networks. Communications between electronic wagering platform components shall be secure. Patron data, confidential information, wagers, results, financial information, and patron transaction information related to gaming shall always be encrypted and protected from incomplete transmissions, misrouting, unauthorized message modification, disclosure, duplication, or replay.

(iv) Wireless Local Area Network Communications. The use of wireless local area network communications shall adhere to applicable requirements specified for wireless devices and is subject to approval by the department.

(v) Network Security Management. Networks shall be logically separated to ensure that there is no network traffic on a network link that cannot be serviced by hosts on that link.

(vi) Mobile Computing and Communications. Formal policies shall be in place, and appropriate security measures shall be adopted to protect against the risk of using mobile computing and communication facilities. Telecommuting shall not be permitted except under circumstances where the security of the endpoint can be guaranteed.

(D) T&S controls addressing third party service providers include, but are not limited to, communications between the electronic wagering platform and third-party service providers. Where communications related to internet gaming are implemented with third-party service providers, the electronic wagering platform shall securely communicate with all third-party service providers utilizing encryption and strong authentication, ensure that all login events are recorded to an audit file, and ensure that all communications do not interfere or degrade normal electronic wagering platform functions.

(E) T&S controls addressing information security include, but are not limited to, all of the following:

(i) Domain Name Service Requirements. The online gaming operator shall establish requirements that apply to servers used to resolve domain name service queries used in association with the electronic wagering platform.

(ii) Cryptographic Controls. The online gaming operator shall establish and implement a policy for the use of cryptographic controls that ensures the protection of information.

(iii) Encryption Key Management. The management of encryption keys shall follow defined processes established by the online gaming operator.

(F) The T&S controls addressing remote access and firewalls include, but are not limited to, all of the following:

(i) Remote Access Security. Remote access, if approved by the department, shall be performed via a secured method, shall have the option to be disabled, may accept only the remote connections permissible by the firewall application and electronic wagering platform settings, and shall be limited to only the application functions necessary for users to perform their job duties.

(ii) Remote Access and Test Account Procedures. Remote access and test account procedures shall be established that ensure that remote access is strictly controlled.

(iii) Remote Access Activity Log. The remote access application shall maintain an activity log that updates automatically and records and maintains all remote access information.

(iv) Firewalls. All communications, including remote access, shall pass through at least one approved application-level firewall. This includes connections to and from any non-electronic wagering platform hosts used by the online gaming operator.

(v) Firewall Audit Logs. The firewall application shall maintain an audit log and shall disable all communications and generate an error if the audit log becomes full. The audit log shall contain, at a minimum, all the following information:

(I) All changes to configuration of the firewall.

(II) All successful and unsuccessful connection attempts through the firewall.

(III) The source and destination IP addresses, port numbers, protocols, and, where possible, MAC addresses.

(vi) Firewall Rules Review. The firewall rules shall be reviewed no less than twice each calendar year by the master wagering licensee and online gaming operator to verify the operating condition of the firewall and the effectiveness of its security configuration and rule sets. The review shall be performed on all the perimeter firewalls and the internal firewalls.

(G) T&S controls addressing change management include, but are not limited to, all of the following:

(i) Program Change Control Procedures. Program change control procedures shall ensure that only authorized versions of programs are implemented on the production environment.

(ii) Software Development Life Cycle. The acquisition and development of new software shall follow defined processes established by the master wagering licensee, online gaming operator or online gaming service provider and subject to review by the department.

(iii) Patches. All patches should be tested, as applicable, in a development and test environment configured to match the target production environment before being deployed into production. Permitted exceptions and related procedures and controls shall be fully addressed.

(H) T&S controls addressing periodic security testing include, but are not limited to, all of the following:

(i) Technical Security Testing. Periodic technical security tests on the production environment shall be performed quarterly or as required by the department to guarantee that no vulnerabilities putting at risk the security and operation of the electronic wagering platform exist.

(ii) Vulnerability Assessment. The online gaming operator shall conduct vulnerability assessments. The purpose of the vulnerability assessment is to identify vulnerabilities, which could be later exploited during penetration testing by making basic queries relating to services running on the electronic wagering platform concerned.

(iii) Penetration Testing. The online gaming operator shall conduct penetration testing. The purpose of the penetration testing is to exploit any weaknesses uncovered during the vulnerability assessment on any publicly exposed applications or electronic wagering platform hosting applications processing, transmitting, or storing sensitive information.

(iv) Information Security Management System (ISMS) Audit. An audit of the ISMS will be periodically conducted, including all the locations where sensitive information is accessed, processed, transmitted, or stored. The ISMS will be reviewed against common information security principles in relation to confidentiality, integrity, and availability such as NIST 800 or other requirements set forth by the department under Section 12-865-3(n) of the Regulations of Connecticut State Agencies.

(v) Cloud Service Audit. An online gaming operator that utilizes a cloud service provider (CSP), if approved by the department, to store, transmit, or process sensitive information shall undergo a specific audit as required by the department. The CSP shall be reviewed against common information security principles in relation to the provision and use of cloud services, such as NIST 800, or other requirements set forth by the department under section 12-865-3(n) of the Regulations of Connecticut State Agencies.

(3) The online gaming operator shall include the T&S controls in the operator’s internal controls and electronic wagering platform submitted to the department for approval.

(4) The T&S controls shall:

(A) Have a provision requiring review when changes occur to the electronic wagering platform;

(B) Be approved by the online gaming operator’s senior management;

(C) Be communicated to all affected employees and relevant external parties;

(D) Undergo review at planned intervals; and

(E) Delineate the responsibilities of the master wagering licensee’s staff, the online gaming operator’s staff, and the staff of any third parties for the operation, service, and maintenance of the electronic wagering platform or its components, or both.

(ii) An online gaming operator or online gaming service provider may establish test accounts to be used to test the various components and operation of an electronic wagering platform pursuant to internal controls adopted by the online gaming operator, which, at a minimum, shall address all of the following:

(1) The procedures for issuing funds used for testing, including the identification of who may issue the funds and the maximum amount of funds that may be issued.

(2) The procedures for assigning each test account for use by only one individual. However, an online gaming operator may establish a specific scenario or instance of a test account that may be shared by multiple users if each user’s activities are separately logged.

(3) The maintenance of a record for all test accounts, to include when the test account is active, to whom the test account is issued, and the employer of the individual to whom the test account is issued.

(4) The procedures for auditing testing activity by the online gaming operator or online gaming service provider to ensure the accountability of funds used for testing and proper adjustments to gross gaming revenue from internet games and retail sports wagering.

(5) The procedures for authorizing and auditing out-of-state test activity.

(jj) The online gaming operator shall put in place procedures to permit the department to establish test accounts on the electronic wagering platform.

(kk) Electronic wagering platforms shall include the following patron protections:

(1) The electronic wagering platform shall not force game play as follows:

(A) The patron may not be forced to play an internet game just by selecting that game.

(B) It shall not be possible to start a new internet game in the same patron user session before all relevant account balances have been updated on the electronic wagering platform.

(2) Bots are only permitted when employed by the electronic wagering platform in free play or training mode, or if use of the bot satisfies all of the following:

(A) The use of artificial intelligence software is clearly explained in the help menus and game rules; and

(B) All bots engaging in internet gaming shall be clearly marked so that patrons are aware of which players are not human.

(3) Patrons shall be prohibited from utilizing bots, automated computerized software or other equivalent mechanism to engage in play.

(4) No patron shall occupy more than one position at an online casino game at any given time, unless such conduct is authorized in advance by the department for a specific casino game.

(5) A game is incomplete when the internet game outcome remains unresolved or the outcome cannot be properly seen by the patron.

(A) The online gaming operator may provide a mechanism for a patron to complete an incomplete internet game.

(B) Incomplete internet games shall be resolved before a patron is permitted to participate in another instance of the same game.

(C) Wagers associated with an incomplete game shall be voided, and recorded in the change log required pursuant to section 12-865-34 of the Regulations of Connecticut State Agencies, and the wagers can be forfeited or returned to the patron provided that:

(i) The terms and conditions or the game rules, or both, shall clearly define how wagers will be handled when they remain undecided beyond the specified time period and the electronic wagering platform shall be capable of returning or forfeiting the wagers, as appropriate.

(ii) In the event that a game cannot be continued due to an electronic wagering platform action, all wagers shall be returned to the patrons playing that game, except that if a patron’s participation in the game prior to its discontinuance was such that the patron would have received winnings greater than the wager, the patron shall be provided the amount of winnings earned prior to discontinuance in addition to the return of the wager.

(6) Auto play of internet games shall be prohibited. Internet game play shall be initiated only after a patron has affirmatively placed a wager and activated play. An auto play feature is not permitted in interactive online game software unless the department determines that the auto play feature will not cause substantial financial harm to patrons, nor a security or gaming integrity concern for the department, and the department provides written approval of such feature. If an auto play feature is authorized by the department, it shall be possible for a patron to turn auto play off at any time during game play.

(Effective February 1, 2022)
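The firewall audit-log requirement in paragraph (F)(v) of the T&S controls above, as an added example that is not part of the regulation or any department tooling: a toy gate that logs before it forwards and disables all communications once the log is full, plus a check that each record carries the minimum content in (I) to (III). The record layout, event names and the `FirewallGate` class are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed record layout (the regulation lists content, not a format): one dict per event.
CONFIG_EVENT = "config_change"                 # (I) changes to firewall configuration
CONN_EVENTS = ("conn_allowed", "conn_denied")  # (II) successful and unsuccessful attempts
REQUIRED_CONN_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port", "protocol")  # (III)
# MAC addresses are required only "where possible", so they are optional here.


def record_problems(rec):
    """Return the reasons a record falls short of the minimum content in (F)(v)."""
    event = rec.get("event")
    if event == CONFIG_EVENT:
        return [] if rec.get("detail") else ["config change without a description"]
    if event not in CONN_EVENTS:
        return [f"unknown event type {event!r}"]
    problems = [f"missing {name}" for name in REQUIRED_CONN_FIELDS
                if rec.get(name) in (None, "")]
    for name in ("src_ip", "dst_ip"):
        value = rec.get(name)
        if value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{name} is not an IP address")
    for name in ("src_port", "dst_port"):
        port = rec.get(name)
        if port is not None and not (isinstance(port, int) and 0 <= port <= 65535):
            problems.append(f"{name} out of range")
    return problems


@dataclass
class FirewallGate:
    """Hypothetical gate: every decision is logged, and a full log fails closed."""
    capacity: int                       # number of records the audit log can hold
    rules: set                          # allowed (dst_ip, dst_port, protocol) tuples
    log: list = field(default_factory=list)
    errors: list = field(default_factory=list)
    enabled: bool = True

    def _write(self, rec):
        self.log.append(rec)
        if len(self.log) >= self.capacity:
            # The log has become full: disable communications and raise an error.
            self.enabled = False
            self.errors.append("audit log full: all communications disabled")

    def set_rules(self, new_rules, changed_by):
        """Replace the rule set; refused when the change could not be logged."""
        if not self.enabled:
            return False
        self._write({"event": CONFIG_EVENT,
                     "detail": f"rules replaced by {changed_by}: {sorted(new_rules)}"})
        self.rules = set(new_rules)
        return True

    def handle(self, conn):
        """Return True if the connection is forwarded. Allowed and denied are both logged."""
        if not self.enabled:
            return False
        allowed = (conn["dst_ip"], conn["dst_port"], conn["protocol"]) in self.rules
        self._write(dict(conn, event="conn_allowed" if allowed else "conn_denied"))
        return allowed


if __name__ == "__main__":
    # Constructed sample traffic using documentation address ranges.
    gate = FirewallGate(capacity=3, rules=set())
    gate.set_rules({("10.0.0.5", 443, "tcp")}, "constructed-admin")
    conn = {"src_ip": "192.0.2.10", "src_port": 51000,
            "dst_ip": "10.0.0.5", "dst_port": 443, "protocol": "tcp"}
    for _ in range(4):
        print(gate.handle(conn), gate.enabled)
    print(gate.errors)
    print([record_problems(r) for r in gate.log])
```
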

Sec. 12-865-14. Electronic Wagering Platform Requirements for Fantasy Contests

(a) An online gaming operator authorized to operate fantasy contests through an agreement with a provisional licensee pursuant to Section 315 of June Special Session Public Act 21-2 shall remain authorized to operate under such provisional license until the provisional license, as may be extended, expires.

(b) Hardware and backup hardware for the electronic wagering platform used for fantasy contests shall be located in separate facilities owned or leased by the master wagering licensee or online gaming operator that are secure, inaccessible to the public, and specifically designed to house that equipment, and where the equipment shall be under the complete control of the master wagering licensee or online gaming operator, as applicable.

(c) An electronic wagering platform offering fantasy contests shall clearly identify on the internet website and mobile application the person that is offering the fantasy contest.

(d) Online gaming operators that are only offering fantasy contests shall provide a set of terms and conditions that satisfy the provisions in section 12-865-30(b) of the Regulations of Connecticut State Agencies and are readily accessible to patrons on its electronic wagering platform.

(e) The online gaming operator shall ensure that fantasy contests on its electronic wagering platform comply with the following provisions:

(1) No winnings shall be offered or awarded to the winner of, or athletes in, the underlying competition itself; and

(2) Fantasy contests shall not be offered based on the performances of participants in high school or youth athletics.

(f) An online gaming operator shall have procedures that do all of the following prior to operating fantasy contests in this state:

(1) Prevent unauthorized withdrawals from a patron’s account by the online gaming operator or others;

(2) Make clear that funds in a patron’s account are not the property of the online gaming operator and are not available to the online gaming operator’s creditors;

(3) Ensure any winnings won by a patron from participating in a fantasy contest are deposited into the patron’s account within forty-eight hours of winning;

(4) Ensure patrons can withdraw the funds maintained in their individual accounts in accordance with the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies;

(5) Allow a patron to permanently close the patron’s account at any time for any reason; and

(6) Offer patrons access to their play history and account details.

(g) An online gaming operator shall establish procedures for a patron to report complaints to the online gaming operator regarding whether the patron’s account has been misallocated, compromised, or otherwise mishandled, and a procedure for the online gaming operator to respond to those complaints. Online gaming operators shall maintain a record of all complaints.

(h) If a session is terminated due to a patron inactivity timeout, the patron’s device shall display to the patron that the session has timed out and inform him or her of the steps needed to reestablish the session. If the session is terminated due to a patron inactivity timeout, no further participation is permitted unless and until a new session is established by the patron. This process shall include, at a minimum, the manual entry of the patron’s secure password.

(i) Online gaming operators shall use commercially reasonable efforts to prevent the use of unauthorized scripts in fantasy contests. Unauthorized scripts are any scripts not made readily available to all patrons that offer an unfair advantage over other patrons for reasons including, but not limited to:

(1) Facilitating entry of multiple fantasy contests with a single line-up;

(2) Facilitating changes in many line-ups at one time; or

(3) Facilitating use of commercial products designed to identify advantageous fantasy contest strategies.

(j) Online gaming operators may prohibit the use of any and all scripts in fantasy contests.

(k) Online gaming operators shall monitor fantasy contests to detect the use of unauthorized scripts and restrict patrons found to have used such scripts from entering or participating in further fantasy contests.

(l) Online gaming operators shall make information regarding authorized scripts readily available to all patrons, provided that an online gaming operator shall clearly and conspicuously publish its rules on what types of scripts may be authorized in the fantasy contest.

(m) Bots are only permitted when employed by the electronic wagering platform in free play or training mode, or if use of the bot satisfies all of the following:

(1) The use of artificial intelligence software is clearly explained in the help menus and game rules; and

(2) All bots engaging in fantasy contests shall be clearly marked so that patrons are aware of which players are not human.

(n) Patrons shall be prohibited from utilizing bots, automated computerized software or other equivalent mechanism, except for authorized scripts, to engage in play.

(Effective February 1, 2022)

Sec. 12-865-15. Online Casino Game Approval

(a) Except as otherwise determined by the department in writing, an online gaming operator shall not operate an online casino game, which shall have the same meaning as online casino gaming, unless the game has been certified by a licensed independent testing laboratory as provided for in section 12-865-19 of the Regulations of Connecticut State Agencies. The online gaming operator is responsible for all costs associated with testing and obtaining such certification.

(b) Online gaming operators may seek approval of an online casino game by submitting an application to the department in the manner and form prescribed by the department.

(c) An online gaming operator shall submit all online casino games proposed for use to an independent lab licensed by the department for evaluation and certification and all changes to online casino games in accordance with section 12-865-19 of the Regulations of Connecticut State Agencies. The online gaming operator shall provide to the department the certification issued by the licensed independent lab. If the licensed independent lab fails to certify the online casino game, the online gaming operator may seek to have the online casino game certified by another independent lab licensed by the department. If the second independent lab certifies the online casino game, the department will review the findings from both labs and make a determination as to whether or not to approve the online casino game.

(d) The online gaming operator seeking approval for an online casino game shall provide all information the department requests, including, but not limited to, the following:

(1) A complete, comprehensive, and technically accurate description and explanation of the online casino game and its intended use in both technical and lay language.

(2) Detailed operating procedures.

(3) A description of online casino game play, system features, and fault conditions.

(4) A description of all software including software version.

(5) Complete pay table information including pay table identification and date code.

(6) Detailed information on the random number generator.

(7) Return to player calculation sheet.

(8) Rake or scaled commission fee percentage.

(9) Rules of the online casino game.

(e) All online casino game software used to conduct internet gaming shall be designed with a method to permit the validation of software using a gaming authentication tool or other method approved by the department.

(f) A submission for department approval of software to be used on an electronic wagering platform for progressive jackpot games, where the amount of the jackpot increases each time an online casino game is played but the jackpot is not won, shall also include all of the following at a minimum:

(1) Software controlling the electronic jackpot.

(2) A mechanism to authenticate the software.

(3) Rules that will be displayed to the patron that apply to a progressive jackpot.

(4) The online casino games that are common to a single progressive.

(5) The odds of hitting the progressive amount.

(6) The reset value of the progressive.

(7) The rate of progression for the progressive amount.

(8) How the rate of progression is split between the various progressive components.

(9) Other information considered necessary and requested in writing by the department to ensure compliance with the act and this section.

(g) All the following provisions apply to calculation sheets:

(1) For each online casino game program submitted, the online gaming operator requesting approval shall supply calculation sheets that determine the return to player percentage, including base game, bonus games or features, free games, double-up options, progressives, and any other game features included in the return to player calculation.

(2) Where different player options such as number of credits, lines bet, or player strategy cause the pay table to vary, a separate calculation for each option is required.

(h) The online gaming operator shall submit all online casino game source code and any special tool, computer equipment, compiling program, or other technical assistance necessary to compile the submitted software. The result of the compiled source code shall be identical to that in the storage medium submitted for evaluation.

(i) The online gaming operator shall provide the department with a method to compensate for or resolve any differences between the compiled program and the submitted program. The online gaming operator may employ other equivalent methods that ensure the results of the compiled source code are identical to the storage medium submitted for evaluation upon written request and approval of the department.

(j) Except where the department has provided written notification that approval is not required, an online gaming operator shall only operate an online casino game that has been approved by the department. An online gaming operator shall not alter the manner in which the online casino game operates without the prior written approval of the department.

(k) After evaluating the online casino game, the department shall advise the online gaming operator, in writing, of the determination.

(l) Each house-banked internet game that requires an electronic wager shall have a return to player equal to or greater than 80% unless otherwise authorized by the department. The return to player shall be calculated using both the highest and lowest level of skill, where player skill impacts the return to player.

(m) A house-banked internet game shall comply with all technical standards set forth in section 12-865-13 of the Regulations of Connecticut State Agencies and other technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies, except that the odds of achieving the highest advertised award that is based solely upon chance shall occur at least once in every 50 million games.

(n) The return to player of a house-banked internet game shall not decrease by more than 1/100 of a percentage point with an increased electronic wager unless the aggregate total of the decreases in return to player for plays offered by the house-banked online casino game is no more than one half of one percent.

(o) The projected contribution from a progressive award may not count toward the return to player of a house-banked online casino game in order to achieve the minimum return to player as approved by the department.

(Effective February 1, 2022)
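The return-to-player limits in subsections (l), (n) and (o) above, as an added example that is not part of the regulation or of any laboratory's test suite: it computes return to player from a pay table with exact fractions, excludes progressive contributions from the 80% minimum, and checks the decrease rule across wager levels. The pay-table layout, the sample games and the reading of (n) (decreases measured between consecutive wager levels on the base return, and flagged only when their sum exceeds one half of one percent) are assumptions.

```python
from fractions import Fraction as F

MIN_RTP = F(80, 100)         # (l): return to player of at least 80%
MAX_STEP_DROP = F(1, 10000)  # (n): 1/100 of a percentage point
MAX_TOTAL_DROP = F(5, 1000)  # (n): one half of one percent


def rtp(pay_table, include_progressive=False):
    """Expected return per unit wagered.

    Rows are (probability, payout per unit wagered, is_progressive).
    Progressive rows are left out by default, following subsection (o).
    """
    if sum(p for p, _, _ in pay_table) > 1:
        raise ValueError("outcome probabilities sum to more than 1")
    return sum((p * pay for p, pay, prog in pay_table
                if include_progressive or not prog), F(0))


def check_game(levels):
    """levels maps wager -> {skill label -> pay table}; every wager lists the same skills.

    Returns findings as tuples:
      ("min_rtp", wager, skill, base_rtp)
      ("rtp_drop", lower_wager, higher_wager, skill, decrease)
    """
    findings = []
    wagers = sorted(levels)
    skills = sorted(levels[wagers[0]])
    base = {(w, s): rtp(levels[w][s]) for w in wagers for s in skills}

    # (l) and (o): the minimum holds at the lowest and highest skill, without progressives.
    for w in wagers:
        for s in skills:
            if base[w, s] < MIN_RTP:
                findings.append(("min_rtp", w, s, base[w, s]))

    # (n): a step down of more than 0.01 point is tolerated only while the
    # decreases across all wager levels add up to no more than 0.5 point.
    for s in skills:
        drops = [(lo, hi, base[lo, s] - base[hi, s])
                 for lo, hi in zip(wagers, wagers[1:]) if base[lo, s] > base[hi, s]]
        if sum((d for _, _, d in drops), F(0)) > MAX_TOTAL_DROP:
            findings.extend(("rtp_drop", lo, hi, s, d)
                            for lo, hi, d in drops if d > MAX_STEP_DROP)
    return findings


# Constructed sample games (not real pay tables).
GAME_OK = {
    1: {"low":  [(F(1, 10), F(5), False), (F(1, 4), F(6, 5), False)],   # 80%
        "high": [(F(1, 10), F(5), False), (F(1, 4), F(8, 5), False)]},  # 90%
    5: {"low":  [(F(1, 10), F(5), False), (F(1, 4), F(6, 5), False)],
        "high": [(F(1, 10), F(5), False), (F(1, 4), F(8, 5), False)]},
}
GAME_BAD = {
    1:  {"high": [(F(1, 10), F(5), False), (F(1, 4), F(8, 5), False)]},   # 90%
    5:  {"high": [(F(1, 10), F(5), False), (F(1, 4), F(7, 5), False)]},   # 85%
    10: {"high": [(F(1, 10), F(5), False), (F(1, 5), F(7, 5), False),     # 78% base
                  (F(1, 1000), F(50), True)]},                            # +5% progressive
}

if __name__ == "__main__":
    for name, game in (("GAME_OK", GAME_OK), ("GAME_BAD", GAME_BAD)):
        print(name)
        for finding in check_game(game):
            print("  ", finding[:-1], f"{float(finding[-1]) * 100:.2f} points")
```

In `GAME_BAD` the highest wager level reaches 83% only with the progressive row counted, so it is reported against the minimum.
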

Sec. 12-865-16. Sports Wagering

(a) Online gaming operators shall adopt comprehensive house rules for sports wagering and submit them for review and approval by the department prior to offering sports wagering.

(b) House rules shall include, but not be limited to the following:

(1) Method for calculation and payment of winning wagers;

(2) Description of the process for handling incorrectly posted events, odds, wagers, or results;

(3) Effect of schedule changes;

(4) Method of notifying patrons of odds or proposition changes;

(5) Acceptance of wagers at other than posted terms;

(6) Method of contacting the online gaming operator for questions and complaints;

(7) Description of prohibited patrons;

(8) A statement regarding the policy and methods for limiting the maximum amount that a patron can win on any particular wager; however, such policy will not preclude a patron from collecting a payout in excess of the purported amount if the system allows the patron to place a valid wager that pays more than the stated maximum amount; and

(9) Method of funding a wager.

(c) The house rules, together with any other information the department deems appropriate, shall be conspicuously displayed in the retail sports wagering facility, easily accessible in the mobile app and on the online gaming operator’s website, and included in the terms and conditions of the electronic wagering platform, and copies of the house rules shall be made readily available to patrons.

(Effective February 1, 2022)

Sec. 12-865-17. Official Procedures for Online Lottery and Online Keno

(a) The CLC shall establish written official procedures and internal controls to protect the integrity of online lottery and online keno. The operation of online lottery and online keno shall be approved in writing by the department prior to public promotion, implementation, or sale of tickets online for such games.

(b) The official procedures for online lottery and online keno shall include procedures to protect the electronic wagering platform from tampering with pools and liabilities; and the configuration of the electronic wagering platform.

(c) The department may accept, reject, or require modification of any official procedure or internal control for online lottery or online keno based on potential adverse impacts on: the integrity of gaming operations; data privacy; physical security of online lottery or online keno or the CLC; or the department’s ability to effectively regulate the operation of online lottery or online keno by the CLC. The CLC may appeal any rejection of an official procedure by requesting a hearing before the commissioner, in accordance with chapter 54 of the Connecticut General Statutes, within fifteen days of receipt from the department of a rejection of an official procedure.

(d) The CLC shall abide by such official procedures and internal controls at all times, provided that the department may approve deviations in the event of an emergency.

(e) A lottery draw game or keno game for which tickets are sold online established by the CLC may be discontinued upon written notice to the department prior to, or within twenty-four hours after such discontinuation. Discontinuation shall not affect the rights of those who purchased tickets prior to the effective date of discontinuation, except as provided otherwise under sections 12-568a-1 to 12-568a-24, inclusive, of the Regulations of Connecticut State Agencies.

(f) Notwithstanding the provisions of subsections (a) to (e), inclusive, of this section, in the event of unforeseen problems that might reasonably cause substantial detriment to the public interest of the state, the department may order an immediate suspension of the online sales of any tickets or the conducting of any drawing relating to online lottery or online keno. The department shall provide written notice to the CLC of such suspension and set forth any specific requirements regarding public notice of the game suspension. The department may thereafter require the CLC to establish new official procedures to address such problems.

(Effective February 1, 2022)

Sec. 12-865-18. Requirements for Live Dealer and Peer-to-Peer Online Casino Gaming

(a) All live online casino gaming shall be conducted in a secure live game environment, located in the state, not accessible by the public, and accessed through an electronic wagering platform that complies with section 12-865-13 of the Regulations of Connecticut State Agencies. Notwithstanding the other provisions of this subsection, simulcasting of live online casino gaming may be conducted in another state within the United States through March 31, 2022 and broadcast by the online gaming operator licensee so long as the entity simulcasting the live online casino game holds an active gaming license from the state where the simulcasting originates and an online gaming service provider license pursuant to section 12-865-6 of the Regulations of Connecticut State Agencies and the live online casino gaming servers are located in accordance with section 12-865-13 of the Regulations of Connecticut State Agencies.

(b) No in‐person wagering of patrons physically located where the live online casino game is taking place shall be permitted during a live online casino game. Live online casino gaming shall be offered exclusively to patrons accessing the game through the electronic wagering platform.

(c) An online gaming operator shall submit all live online casino games, including gaming equipment, proposed for use by any online gaming operator to an independent testing laboratory licensed by the department which lab shall review and certify such game in accordance with the standards set forth in section 12-865-15 of the Regulations of Connecticut State Agencies. The online gaming operator is responsible for all costs associated with testing and obtaining such approvals.

(d) All live online casino games for proposed use shall meet or exceed the technical standards specified in sections 12-865-13 and 12-865-15 of the Regulations of Connecticut State Agencies and any other technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies. Master wagering licensees and online gaming operators are prohibited from offering any live online casino game without independent testing laboratory certification and written approval by the department.

(e) The master wagering licensee and its online gaming operator shall place the electronic wagering platform, servers, or other equipment related to live online casino games that is capable of receiving internet wagers in this state in accordance with sections 12-865-13(b), (c), and (bb) of the Regulations of Connecticut State Agencies.

(f) The online gaming operator providing live online casino games shall adopt, implement, and maintain all technical standards specified in this section and sections 12-865-13 and 12-865-15 of the Regulations of Connecticut State Agencies, including the requirements for live online casino games, and any other technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies.

(g) The live game environment shall be clearly defined and demarcated and have appropriate physical security controls. Secure areas, live game consumables, and live game equipment shall be protected by entry controls and security procedures to ensure that only authorized employees are allowed access. Live game equipment and consumables shall be subject to access controls, both physical and logical, that prevent unauthorized access to the live game equipment and consumables. Live game environment security shall include, but is not limited to, the following:

(1) Access to the areas where the live online casino games occur, the whole of the area near the live game equipment, and the areas where consumables are stored or prepared for use shall be protected by physical barriers and security systems;

(2) Delivery, loading areas, and other access points to the facility where the live online casino games occur or consumables may be stored or prepared for use shall be controlled and isolated from operations areas to avoid access by unauthorized individuals;

(3) The live game equipment and consumables shall be subject to access controls, both physical and logical, that prevent unauthorized access to the live game equipment and consumables; and

(4) Access points shall be actively monitored by security staff.

(h) The online gaming operator shall install, maintain, and operate a surveillance system that has the capability to monitor and record continuous unobstructed views of all live game play and areas where consumables are stored or prepared for use.

(i) A continuous recording shall be made of all the live online casino games played which includes, but is not limited to, all of the following:

(1) Identifiable and distinguishable information necessary to adequately reconstruct each game, consistent with any required technical standards established by the department under section 12-865-3(n) of the Regulations of Connecticut State Agencies. The live online casino game recall shall display information including, but not limited to, all of the following, as applicable:

(A) The date and time the game was played.

(B) The denomination played for the game, if a multi‐denomination game type.

(C) The display associated with the final outcome of the game, either graphically or by a clear text description.

(D) The funds available for wagering at the start of play and at the end of play.

(E) Total amount wagered, including any complimentaries.

(F) Total amount won.

(G) Rake, commission, or fees collected.

(H) The results of any patron choices involved in the game outcome.

(I) The results of any intermediate game phases, such as double‐up gamble or bonus feature games.

(J) If a progressive jackpot or incrementing jackpot was won, an indication that the jackpot was awarded.

(K) Any patron advice that is offered to the patron for games with skill.

(2) Information necessary to determine the date and time of each live online casino game to an accuracy of one second relative to the clock used by the electronic wagering platform.

(3) Information necessary to determine the sequence of live interactive online games relative to each other.

(4) Procedures shall be in place to ensure that the recording meets all the following minimum conditions:

(A) Covers the defined live game environment and areas where consumables are stored or prepared for use with sufficient detail to confirm whether all game rules and relevant procedures were followed and to identify any discrepancies.

(B) Is captured in such a way that precludes interference or any deletion.

(C) Is actively monitored by surveillance personnel.

(D) Can be reviewed by the online gaming operator and the department in the event of a patron complaint or dispute.

(E) Is kept for at least ninety days or as otherwise determined by the department. Recordings shall be maintained of any event that is subject to any investigation until the completion of the investigation.

(j) The online gaming operator offering a live online casino game shall utilize simulcast control servers for recording all gaming activity and results. The online gaming operator may use the operator’s own surveillance camera and split live feed to the simulcast control servers, or there may be a separate network of video involved. The simulcast control servers shall do the following, including, but not limited to:

(1) Provide the patron with real‐time audio and visual access to the live game being played, which shall include, but is not limited to, the following:

(A) Any information required in the technical standards;

(B) The actions of the gaming attendant and, where applicable, other patrons;

(C) Date and time at the live game studio;

(D) Location of the live game studio;

(E) Game identification, and the table number.

(2) Provide each patron with an equivalent quality video and audio feed. This equivalence shall be measured and verified whenever communications are initiated, including reconnection due to signal interruptions or re‐initiation when the signal was severed. A minimum signal connection requirement shall be established, enforced and disclosed to the patron.

(3) Prevent anyone from accessing the live game outcome prior to finalizing a wager.

(4) Record internet game results before posting to the electronic wagering platform.

(5) Be equipped with a mechanism to void game results, if necessary. The conditions under which a game may be voided shall be clearly detailed in internal controls.

(k) The online gaming operator shall assign a unique asset number for each live game equipment item. The online gaming operator shall maintain an inventory of each live game equipment item. The online gaming operator shall provide the inventory to the department upon request. The inventory of live game equipment shall include the following information:

(1) The asset number assigned by the online gaming operator;

(2) The type of game for which the live game equipment item is designed and used;

(3) The location of each live game equipment item; and

(4) The manufacturer, supplier, or vendor of the live game equipment item.

(l) Unless otherwise authorized by the department, approved live game equipment and consumables may only be installed and used to provide live online casino games to an online gaming operator. Access to live game equipment and consumables shall be strictly controlled to prevent unauthorized access.

(m) The online gaming operator shall provide a secure location for the placement, operation, and usage of live game equipment, including simulcast control servers, gaming servers, and communications equipment. Security policies and procedures shall be in place and reviewed periodically to ensure that risks are identified and mitigated. Live game equipment shall meet all of the following minimum requirements:

(1) Live game equipment shall be installed according to a defined plan and records of all installed live game equipment shall be maintained.

(2) Live game equipment shall be sited or protected to reduce risk from all of the following, without limitation:

(A) Environmental threats and hazards.

(B) Opportunities for unauthorized access.

(C) Power failures.

(D) Other disruptions caused by failures in supporting utilities.

(3) Access to the live game equipment by the gaming attendant, such as a dealer or croupier, shall be controlled by a secure logon procedure or other secure process to ensure that only authorized gaming attendants are allowed access. All modifications to configuration settings of the live game equipment shall follow a secure process and be performed in accordance with approved change management and related release note processes.

(4) A patron session, where supported by live game equipment, shall be initiated by the gaming attendant logging in to the attendant’s user account using the attendant’s secure username and password or an alternative means for the gaming attendant to provide identification information. The user session shall meet the following minimum requirements:

(A) All available options presented to the gaming attendant shall be tied to the gaming attendant’s user account.

(B) If the live game equipment does not receive input from the gaming attendant within five minutes, or a period specified by the department, the patron session shall time out or lock up, requiring the gaming attendant to re‐establish the gaming attendant’s login in order to continue.

(5) Live game equipment shall be correctly maintained, inspected and serviced at regular intervals by designated staff to ensure that it is free from defects or mechanisms that could interfere with its proper operation or integrity.

(6) Prior to disposal or re‐use, live game equipment containing storage media shall be checked to ensure that any licensed software and other sensitive information has been removed or securely overwritten, not just deleted.

(7) Since the live game wagering will be conducted by the online gaming operator and the conduct of the live online casino games will flow through the electronic wagering platform, all applicable technical standards in this section and section 12-865-13 of the Regulations of Connecticut State Agencies or technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies are applicable to live game equipment. The online gaming operator shall adopt, implement, and maintain technical standards and controls that meet or exceed those adopted in sections 12-865-13 and 12-865-15 of the Regulations of Connecticut State Agencies and any other technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies. An online gaming operator shall amend the operator’s internal controls, as needed, to address the various aspects of live online casino games.

(n) Online gaming operators shall ensure that all relevant technical standards for live online casino gaming are adopted, implemented, and maintained within their internal controls and procedures.

(o) Integration testing of live game equipment to all electronic wagering platforms shall be performed by an independent test lab licensed by the department. The online gaming operator shall provide the department with all integration testing results.

(p) Online gaming operators shall submit products that require approval to a licensed independent test laboratory for testing to Connecticut’s technical requirements. The independent test lab shall provide the online gaming operator with the results of testing and a certification letter upon completion of its evaluation. Live game equipment shall be tested in accordance with the testing standards as set forth in section 12-865-19 of the Regulations of Connecticut State Agencies and any other technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies. Live game equipment to be tested includes, but is not limited to, the following:

(1) Live dealer games.

(2) Live game systems.

(3) All live game equipment used in conjunction with card, roulette, dice, and wheel games, such as automated card readers, roulette wheels, and automated dice shakers and throwers, shall be tested as part of the applicable game.

(4) Card shufflers.

(q) The online gaming operator shall submit the certification letter received from the licensed independent testing laboratory as a part of the application for product approval. Such application shall be submitted to the department in a form and manner prescribed by the commissioner.

(r) Consumables used by online gaming operators providing live online casino games shall meet minimum standards, specifications, and requirements prescribed by the department. General requirements for live game consumables include, but are not limited to, all the following:

(1) Procedures shall be implemented for tracking the inventory of consumables from receipt, through storage, installation, use, retirement, and destruction. All consumables shall have an associated audit trail showing which designated staff had access to the consumables at any given time for any given operation.

(2) Inspections shall be performed on consumables before they are placed in operation. Periodic random inspections shall be performed on the consumables while in use, from disbursement to retirement.

(3) Used consumables shall be destroyed in a manner which prevents their accidental re‐use in live online casino games, and which puts them permanently beyond use. Consumables that are the subject of any investigation shall be retained until completion of the investigation.

(4) Procedures shall be in place to ensure consumables are stored in secure locations and are properly accounted for and controlled.

(s) All playing cards utilized in the live online casino games shall comply with all of the following specifications:

(1) Unless otherwise determined by the department, all decks of cards shall be one complete standard deck of fifty-two cards in four suits. The four suits shall be hearts, diamonds, clubs, and spades. Each suit shall consist of all the following numerical cards:

(A) Two to ten.

(B) A jack.

(C) A queen.

(D) A king.

(E) An ace.

(2) The backs of each card in a deck shall be identical and no card shall contain any marking, symbol, or design that will enable an individual to know the identity of any element printed on the face of the card or that will differentiate the back of that card from any other card in the deck.

(3) All edges shall be perfectly square with each side at a precise ninety degree angle to each adjacent side of the card.

(4) The radius of all four corners shall be exactly the same.

(5) Unless otherwise approved by the department, the decks of cards utilized by the online gaming operator shall be unique to the conduct of live online casino games in Connecticut and distinct from other decks of cards utilized by the online gaming operator in other jurisdictions including a reservation.

(6) All new card decks shall arrive at the live game environment wrapped in cellophane, shrink wrap packaging, or with a tamper‐resistant security seal.

(7) The card supplier’s identification name shall be placed on each box.

(t) Unless otherwise approved by the department, all dice utilized by an online gaming operator shall comply with all of the following specifications:

(1) Each die shall be formed in the shape of a perfect cube and of a size no smaller than 0.750 inches on each side nor larger than 0.775 inches on each side.

(2) Unless otherwise approved by the department, the dice utilized by the online gaming operator or online gaming service provider shall be unique to the conduct of live online casino games in Connecticut and distinct from other dice utilized by the online gaming operator in other jurisdictions.

(3) Each die shall be transparent and made exclusively of cellulose, except for the following:

(A) Spots.

(B) Name, trade name, or logo of the online gaming operator.

(C) Serial number or letters, or both.

(4) The surface of each side of the die shall be perfectly flat and the spots contained in each side of the die shall be perfectly flush with the area surrounding the spots.

(5) The edges and corners of each die shall be perfectly square and form ninety degree angles with each adjacent side.

(6) The texture and finish of each side shall be identical to the texture and finish of all other sides.

(7) The weight of each die shall be equally distributed throughout the cube, and no side of the cube may be heavier or lighter than any other side of the cube.

(8) Each die shall have six sides bearing white circular spots from one to six, respectively, with the diameter of each spot equal to the diameter of every other spot on the die.

(9) Each die shall have spots arranged so that all the following provisions are satisfied:

(A) The side containing one spot is directly opposite the side containing six spots.

(B) The side containing two spots is directly opposite the side containing five spots.

(C) The side containing three spots is directly opposite the side containing four spots.

(10) Each spot shall be placed on the die by drilling, or the equivalent, into the surface of the cube and filling the drilled-out portion with a compound that is equal in weight to the weight of the cellulose drilled out and that forms a permanent bond with the cellulose cube.

(u) Each table used for live online casino games shall contain a symbol imprinted on it that clearly indicates that the online gaming operator is offering the game for play in Connecticut.

(v) In connection with approving game rules and live online casino game internal controls, the department may prescribe specifications for any other consumable, the requirements for which are not set forth in this section, that will be utilized to conduct live online casino games. Such specifications may include the size, weight, appearance and operation of such consumable in order to ensure the integrity of gaming.

(w) Soft launch procedures shall be conducted by the department for each new interactive online game that an online gaming operator offers. The soft launch shall provide an opportunity for the online gaming operator to demonstrate to the department that live game staff are trained in the performance of their duties, all systems perform as expected under the stress of live gaming, and operational and revenue reporting internal controls and procedures are effective.

(x) Prior to commencing a soft launch, the online gaming operator shall:

(1) Schedule a site inspection with the department to ensure adequate security and surveillance measures are in place.

(2) Provide a URL and access credentials for a production environment test account to include all live online casino games offered in the live game environment.

(3) Schedule pre‐launch testing with the department of all games to demonstrate performance of the games and that staff are adequately trained in the performance of their duties.

(4) Provide the department with a list of the live online casino games to be offered during soft launch and the schedule for each game.

(5) Provide the department with a list of personnel responsible for overseeing the soft launch. The list shall identify the name or names of the individuals and the contact information and area of responsibility for each individual.

(6) Provide read‐only remote access to the electronic wagering platform or platforms and any additional live game systems for designated department personnel.

(7) Provide the department with sample reports of wins and losses by gaming date and month.

(8) Provide the department with a list of games, software, hardware, equipment, and consumables to be utilized to conduct live online casino games.

(9) Provide the department with all manuals and additional documents for live game equipment and other devices used to conduct live online casino games.

(10) Schedule an inspection of any remote game server hardware not located in the live game environment.

(11) Obtain written approval from the department to commence soft launch.

(y) During a soft launch, the online gaming operator shall:

(1) Offer each live game type for play for a minimum of three hours each day.

(2) Demonstrate opening, closing, card shuffling, and consumable change procedures for each live game offered for play during soft launch.

(3) Demonstrate resolution of anomalous events and dealer mistakes in accordance with approved internal controls and procedures.

(4) Demonstrate acceptable minimum latency between the audio/video signal of each live online casino game and the user interface to ensure the performance and integrity of games.

(5) Demonstrate that all live game activity is properly recorded by simulcast control servers.

(6) Demonstrate performance of the tipping functionality with the electronic wagering platforms, if applicable.

(7) Demonstrate performance of barcoded card counting or reading machines and dice readers by conducting tests under department observation.

(8) Demonstrate performance of roulette wheels and balls by conducting tests under department observation.

(9) Demonstrate performance of dice shakers and throwers by conducting tests under department observation.

(10) Demonstrate that cards, dice, and other consumables meet specifications established by the department by conducting tests under department observation.

(11) Demonstrate that the electronic wagering platform and live game system properly prevent past posting.

(12) Demonstrate knowledge, skills and abilities of staff assigned to monitor live game play from a central control room.

(z) The online gaming operator operating live online casino games shall provide the department with continual and unrestricted access to the live gaming production environment, physical location, and live game equipment and consumables for any reason the department determines necessary to regulate, license, enforce, and audit the conduct of live online casino games. This shall include, but is not limited to, access to all live audio/video feeds required or otherwise implemented under this section, and all entry and exit points.

(aa) Each online gaming operator that intends to conduct live online casino games shall amend the operator’s internal controls to include live online casino games. The internal controls shall ensure all the following, without limitation:

(1) All live online casino game security issues, significant system failures, and incidents are responded to and reported to the department within twenty-four hours.

(2) Any person is prevented from tampering with or interfering with the operation of any live online casino games or live game equipment.

(3) All live interactive online games have been approved by the department prior to being offered to any patron by an online gaming operator.

(4) Staff of the online gaming operator, including game attendants:

(A) Attend and receive adequate training to provide live online casino games in a fair and honest manner according to documented procedures and game rules. Evidence of initial training and periodic refresher training shall be maintained.

(B) Receive training on and reminders of any physical behavior which is prohibited or mandated. The training received shall be reinforced by supervisory staff.

(5) Shift rotations, shift patterns and staff allocation are documented, including how game attendants are allocated to tables or games (i.e., without prior knowledge of which tables or games they will be serving and with their time‐on‐game set at a level to deter harmful relationships being developed) and changes in game attendants during exceptional circumstances.

(6) Patrons who reject a table or a game and re‐apply for another within the same game type on a consistent basis until they arrive at their preferred table or game are reasonably detected and prevented from wagering.

(7) Records are maintained which allow staff records to be audited and investigated if staff members are directly involved in a chain of events or if their presence in a particular place or at a particular time is crucial to understanding a chain of events.

(8) The hiring and termination of staff follow defined processes and are properly documented.

(9) Supervisory employees are always present when live online casino games are taking place.

(10) Staffing logs are maintained for each table and game.

(11) Anomalous events which may occur during live online casino games are documented and understood by staff, including, but not limited to, all of the following:

(A) Specialized device or physical randomness device malfunctions, including incorrect outcome detection.

(B) Dropped cards.

(C) Misdeals.

(D) Re‐spins.

(E) Aborted games.

(F) Table and game closures.

(12) Consistent card shuffling procedures are in place, including a verification of the card count, frequency of shuffling, and cases for reshuffling. The shuffling of cards shall be logged.

(13) A single member of staff would not be able to undertake all duties concerning game management and there is adequate segregation of responsibilities prior to play, during play and after play.

(14) Defined procedures are in place to address patron disconnection or any video, voice, or data stream disruptions during a live game and those procedures are readily accessible and clearly communicated to all patrons.

(15) Wagers placed on live online casino games follow defined procedures, including, but not limited to, all of the following:

(A) When wagers are placed by verbal instruction, the content of the wager is communicated back and acknowledged by the patron before the wager is confirmed.

(B) When a game attendant is receiving wagers indicated by the patron, a clear indication or notification if the wager has been accepted or rejected (in full or in part) is provided to the patron.

(C) The winning patron is notified of the patron’s win, including the amount won, after the completion of the game and the patron’s account balance is updated either immediately or once the patron exits the game.

(16) Variations in the operation of card shufflers and shoes, roulette wheels, dice shakers and throwers or other live game equipment are incorporated into the game procedures to maintain randomness. This equipment shall have a level of randomness consistent with strict regulation provided in land‐based casinos to ensure the equipment’s fairness and integrity.

(17) Card shoes and similar specialized devices and physical randomness devices are tamperproof once they have been loaded to preclude interference prior to and during play.

(18) Any specialized devices and physical randomness devices are periodically inspected and tested for reliability and integrity. Logs and records shall be maintained of all inspections.

(19) Patrons are informed when the manual operation mode of a specialized device is activated. Any use of the manual operation mode shall be tracked for further review.

(20) Specialized devices and physical randomness devices which show an unacceptable level of errors are identified and replaced.

(21) Game logs and records which collate game events into statistics are generated, reviewed, and analyzed for trends, irregularities, and errors relating to all of the following:

(A) Game performance.

(B) Staff or locations in the live game environment, including supervisors.

(C) Shifts.

(D) Procedure violations.

(E) Other incidents.

(22) Live gaming is monitored to ensure that all live online casino games are being conducted in accordance with internal controls and procedures and in a fair and honest manner.

(23) Live gaming and all live online casino game transactions are properly accounted for and recorded.

(24) Collusion between a patron and a dealer is detected and prevented.

(25) Change control processes, which include related release note reporting format and processes, are adopted, implemented, and maintained in a manner approved by the department.

(26) Live game equipment and consumables are inspected before being placed in operation with periodic random inspections performed thereafter.

(27) Past posting of wagers is prevented.

(28) Tips, if allowed by the online gaming service provider or the online gaming operator, are properly processed and accounted for. Tipping procedures shall adequately mitigate the risk of collusion between a patron and a dealer, which shall include, but is not limited to, the pooling of all tips received.

(29) The rules of each live interactive online game shall be submitted to the department for review and approval.

(30) The online gaming operator may only conduct live online casino games that are authorized under the act and 12-865-15 and 12-865-18 of the Regulations of Connecticut State Agencies and approved by the department.

(31) The department will review the listing provided by the online gaming operator of all live game equipment and consumable items that will be utilized in the conduct of live online casino games, which includes the supplier or vendor for each item, to determine which entities require an online gaming service provider license. The following are generally considered internet gaming suppliers related to the conduct of live online casino games:

(A) Online gaming operators.

(B) Live game equipment and game suppliers.

(C) Card, dice, and other consumable suppliers.

(D) Suppliers of card shufflers and shoes, automated card readers, and automated dice shakers and throwers.

(E) Roulette wheel suppliers (both automated and non‐automated).

(bb) The online gaming operator shall provide an organizational chart of personnel with responsibility over the conduct of live online casino games for the department to determine which positions will require an occupational license. Occupational licenses are generally required for dealers, security and surveillance personnel, and live online casino game supervisors and management personnel.

(Effective February 1, 2022)
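The timing rules in subsections (i)(2) and (3), (j)(3) and (4) and (aa)(27) of this section can be checked against round records, as in the following added example, which is not part of the regulation or of any operator's system. The record layout, the finding names, the rule that a wager must be accepted strictly before betting closes, and the assumption that a table runs one round at a time are all assumptions of the example; the sample rounds are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import NamedTuple, Optional, Tuple


def ts(text: str) -> datetime:
    """Parse an ISO 8601 timestamp with a UTC offset, at one-second resolution."""
    return datetime.fromisoformat(text)


@dataclass(frozen=True)
class Wager:
    wager_id: str
    accepted_at: datetime          # when the platform finalized the wager


@dataclass(frozen=True)
class Round:                       # hypothetical record layout
    round_id: str
    table: str
    sequence: int                  # order of rounds on this table
    betting_closed_at: datetime
    outcome_recorded_at: datetime  # result recorded by the simulcast control server
    posted_at: datetime            # result posted to the electronic wagering platform
    wagers: Tuple[Wager, ...] = ()


class Finding(NamedTuple):
    round_id: str
    rule: str
    wager_id: Optional[str]


def audit_rounds(rounds):
    """Return findings for rounds whose timestamps break the expected order."""
    findings = []
    previous = {}                  # last round seen per table
    for r in sorted(rounds, key=lambda x: (x.table, x.sequence)):
        # The outcome must not exist while betting is still open.
        if r.outcome_recorded_at <= r.betting_closed_at:
            findings.append(Finding(r.round_id, "OUTCOME_BEFORE_BETTING_CLOSED", None))
        # Results are recorded before they are posted to the platform.
        if r.posted_at < r.outcome_recorded_at:
            findings.append(Finding(r.round_id, "POSTED_BEFORE_RECORDED", None))
        # Rounds on one table must be orderable relative to each other.
        prev = previous.get(r.table)
        if prev is not None and r.betting_closed_at <= prev.outcome_recorded_at:
            findings.append(Finding(r.round_id, "SEQUENCE_CONFLICT", None))
        previous[r.table] = r
        for w in r.wagers:
            if w.accepted_at >= r.outcome_recorded_at:
                # Wager finalized once the outcome was known: past posting.
                findings.append(Finding(r.round_id, "PAST_POST", w.wager_id))
            elif w.accepted_at >= r.betting_closed_at:
                # With one-second timestamps, equality cannot prove the wager came first.
                findings.append(Finding(r.round_id, "LATE_WAGER", w.wager_id))
    return findings


def sample_rounds():
    """Constructed sample data for one table."""
    day = "2022-02-01T"
    z = "+00:00"
    return [
        Round("R-0001", "TABLE-01", 1, ts(day + "20:00:15" + z), ts(day + "20:00:40" + z),
              ts(day + "20:00:41" + z),
              (Wager("W1", ts(day + "20:00:05" + z)), Wager("W2", ts(day + "20:00:14" + z)))),
        Round("R-0002", "TABLE-01", 2, ts(day + "20:01:15" + z), ts(day + "20:01:42" + z),
              ts(day + "20:01:43" + z),
              (Wager("W3", ts(day + "20:01:10" + z)),
               Wager("W4", ts(day + "20:01:15" + z)),     # same second as betting close
               Wager("W5", ts(day + "20:01:44" + z)))),   # after the outcome was recorded
        Round("R-0003", "TABLE-01", 3, ts(day + "20:02:15" + z), ts(day + "20:02:40" + z),
              ts(day + "20:02:38" + z),                    # posted before it was recorded
              (Wager("W6", ts(day + "20:02:01" + z)),)),
    ]


if __name__ == "__main__":
    for finding in audit_rounds(sample_rounds()):
        print(finding)
```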

Sec. 12-865-19. Testing and Certification of Internet Games, Electronic Wagering Platforms and Equipment

(a) All internet games and gaming equipment shall be tested and certified, in a manner and frequency deemed necessary by the department to preserve gaming integrity, by a department-approved independent testing laboratory prior to use by an online gaming operator or a sports wagering retailer. The requirement for internet game testing and certification shall not apply to fantasy contests.

(b) The department may develop technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies against which all independent testing laboratories shall test any internet games and gaming equipment for compliance.

(c) All internet games and gaming equipment shall be tested by the independent testing laboratory in accordance with sections 12-865-9 to 12-865-18, inclusive, of the Regulations of Connecticut State Agencies as applicable. In addition, the report issued by the independent testing laboratory shall include:

(1) The extent to which the gaming equipment meets the technical standards, if any;

(2) Whether the gaming equipment meets the requirements of the act and 12-865-9 to 12-865-18, inclusive, of the Regulations of Connecticut State Agencies; and

(3) Any additional information the department needs to certify the gaming equipment.

(d) The department shall review all internet games and gaming equipment for proper mechanical and electronic functioning, and consider the testing results and certifications submitted by the independent testing laboratory.

(e) After completing evaluations of the internet games and gaming equipment, the department may approve such games or equipment for use in the state.

(f) Internet games and gaming equipment shall be approved by the department prior to use by an online gaming operator or sports wagering retailer.

(g) The department may suspend or revoke the approval of any internet games or gaming equipment without notice if the department has good cause to believe the continued operation of such gaming equipment poses a threat to the security and integrity of gaming in the state.

(h) The department may issue a temporary approval for any internet games or gaming equipment that has been previously tested and approved for operation in another jurisdiction that maintains similar standards to the state of Connecticut.

(i) In determining whether to issue temporary approval, the department shall consider relevant factors, including, but not limited to:

(1) Standards for similar equipment and testing in other jurisdictions;

(2) Date of the most recent testing;

(3) Professional reputation and history of the supplier;

(4) The best interests and needs of the state’s gaming industry; and

(5) Whether issuing temporary approval would pose a threat to public confidence and trust in the state’s gaming industry, or to the integrity and security of the state’s gaming industry.

(j) The department may rescind temporary approval at any time for any just cause, including, but not limited to, the factors identified in subsection (i) of this section.

(k) Temporary approval shall expire after ninety days. The department may renew any temporary approval for good cause shown.

(Effective February 1, 2022)

Sec. 12-865-20. Independent Testing Laboratories

Independent testing laboratories shall be licensed and comply with the following requirements:

(1) Hold an active accreditation in accordance with NIST 800 or an active accreditation from an accreditation body that is a signatory to the International Laboratory Accreditation Cooperation Mutual Recognition Agreement. In addition to an active accreditation the independent testing lab shall be licensed in the United States by a state gaming agency to perform independent testing laboratory services.

(2) Provide authorized individuals for the department to contact on a twenty-four-hour basis.

(3) Provide written reports regarding testing and test results submitted which include at a minimum:

(A) All testing performed;

(B) A description of the products tested;

(C) The unique identification code or signature, as approved by the department, assigned to the internet game or gaming equipment;

(D) A secure hash using a cryptographic function that uses 256-bit encryption keys in compliance with the current NIST 800 standard or other requirements set forth by the department under section 12-865-3(n) of the Regulations of Connecticut State Agencies, whichever is higher;

(E) A list of pay tables or other settings on the tested internet game or gaming equipment, if applicable;

(F) A description of the modifications between the tested internet game or gaming equipment, and previous versions of the tested product, if applicable; and

(G) A list of components with which the internet game or gaming equipment was verified to be compatible.

(4) Provide the department with real-time online access to all gaming services, reports and documents via secure communication protocol and allow the department to view updated reports of all pending, approved and obsolete electronic games and related equipment for which the department’s approval has been revoked.

(5) Disclose all locations of any laboratory or factory at which independent outside testing services may be conducted.

(6) Assign a unique identification code or signature, as approved by the department, and a secure hash using a cryptographic function designated by the department to all critical storage media upon testing. For the purposes of this subdivision, “critical storage media” means any program storage media containing software that is involved in, or that significantly influences, the operation and calculation of game play, game display, game result determination, game accounting, revenue or security.

(A) Software in program storage media includes, but is not limited to:

(i) Game accounting software;

(ii) System software; and

(iii) Peripheral firmware devices.

(B) Critical storage media shall be verified utilizing an external third-party methodology approved by the department.

(C) Critical storage media may be required, as determined by the department, to have security seals attached.

(7) Conduct its operations in a manner that does not reflect adversely on the security or integrity of gaming within the state.

(8) Conduct its operations in a manner that deals fairly with other licensees of the department.

(Effective February 1, 2022)

Sec. 12-865-21. Online Lottery and Keno Drawing Operations

(a) Official procedures prescribing the process to conduct drawings for lottery draw games for which tickets are sold online or via a mobile application shall be utilized for every such lottery drawing to ensure the integrity and accuracy of all drawings. This includes assuring that all equipment is properly certified and maintained and that all official numbers are randomly selected.

(b) The winning numbers and symbols for all lottery draw games that are offered through online lottery and drawn in the state shall be selected using a random number generator, ball machine or other drawing device, and shall be the same results used for retail lottery games. Prior to implementation, unless previously tested and approved by the department related to retail lottery operations, such device shall be tested and certified by a department-approved independent testing laboratory, including all device software and hardware. The device may also be tested by the department. No device shall be utilized for lottery drawings conducted in the state until approved by the department. Certification by a department-approved independent testing laboratory shall be completed upon any update or change made to the drawing device, unless the update or change does not significantly impact the operation of the device and a waiver of this requirement is granted in writing by the department.

(c) The drawing device shall randomly select winning number combinations for all lottery draw games that are offered through online lottery. Drawings shall be programmed to run no more frequently than every four minutes for drawings for online lottery and shall be programmed to run no more frequently than every three minutes for keno drawings.

(d) The drawing device shall be located in a secure, locked room outfitted with an alarm system and subject to twenty-four-hour video surveillance. No one shall have unfettered access to the drawing device, including all hardware and software utilized by the device. Only designated employees of the department, CLC and authorized independent testing laboratory employees shall be allowed access to the drawing device and there shall be physical observance and electronic recording of any access to the device. The CLC shall report to the department within twenty-four hours any security breach or attempted security breach to the drawing device.

(e) On a yearly basis, the CLC shall have an independent audit conducted on drawings for online lottery and keno drawings that are offered online or via a mobile application to assure that drawings are being conducted in accordance with approved drawing procedures, including but not limited to, verification of pool closings and verification of the accuracy of the winning numbers. The audit firm shall provide the department with a written report of all audit findings.

(f) Once the winning numbers have been drawn the results shall be verified by quality assurance tests that have been previously tested and certified by an independent testing laboratory and approved by the department. Once the numbers have been verified as accurate, the winning numbers of the lottery draw game shall be displayed on the CLC website, electronic wagering platform, and mobile application.

(g) Once the winning numbers are verified, all winning account holders shall be notified and all winning prizes shall be credited to the winning account holders in accordance with CLC’s official procedures on ticket redemption. Thereafter customer account balances shall be updated with prize amounts and immediately available for use on the electronic wagering platforms, or withdrawal of funds.

(h) No drawings shall take place live on the CLC website or mobile application, however all past in-person drawings, which were not conducted by a random number generator, shall be made available to the public for review for a reasonable period of time as determined by CLC.

(i) The CLC shall provide the department with advance notice of, and procedures for, conducting the drawings and any promotional drawings that are offered online or via a mobile application. Such procedures shall include the process for entering a promotional drawing, selecting winners, and how promotional drawing prizes shall be funded. All promotional drawing procedures shall be reviewed by the department and approved prior to said events being publicized or offered to patrons.

(j) Gross gaming revenue from keno, as defined in section 12-853 of the Connecticut General Statutes, shall be reported to the department on a monthly basis. Gross gaming revenue from keno shall not incorporate the issuance or redemption of complimentaries.

(k) All lottery draw game and keno ticket purchases that are made online or via a mobile application shall be final.

(l) In the event of unforeseen problems which might reasonably cause substantial detriment to the public interest of the state, the department may order an immediate suspension of the sales of any tickets or the conducting of any drawing relating to a particular game of online keno or a particular lottery drawing for which tickets are sold through the internet or a mobile application. The department shall provide written notice to the CLC of such suspension and set forth any specific requirements regarding public notice of the game suspension. The department may thereafter require the CLC to establish new procedures relating to the manner in which any incidental drawings are to be conducted, winners to be determined, and the amount of any prizes to be fixed. In addition, if during the actual conduct of any drawing related to online lottery or online keno, a problem arises requiring immediate action, the commissioner shall take immediate action.

(m) The CLC shall prohibit unauthorized persons from accessing proprietary lottery draw game winning ticket information. In the event the CLC becomes aware of a compromise or potential compromise of security regarding exposure of information contained in the game winning ticket information, the CLC shall notify the commissioner upon such discovery. The CLC shall thereafter take all necessary steps to restore security as quickly as possible.

(n) The CLC shall submit to the department game certification for any online lottery draw game or keno game for functionality and compliance with the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies. The department may require the CLC to submit any online lottery draw game or keno game for testing at an independent testing laboratory and production of a compliance certification report in a form prescribed by the department. The CLC shall also submit any additional information requested by the department.

(o) In addition to the disclosures of odds of winning required under section 12-568a-17(p) of the Regulations of Connecticut State Agencies, the CLC shall include a prominent and clear statement of the average chances of winning per ticket on the electronic wagering platform for all online lottery and online keno offered on the electronic wagering platform. Additionally, the CLC shall include a prominent and clear statement of the odds of winning each individual prize level in game descriptions on its website.

(p) Except as otherwise provided in sections 12-568a-1 to 12-568a-24, inclusive, of the Regulations of Connecticut State Agencies, a lottery draw game discontinuation shall not affect the rights of those who purchased tickets prior to the effective date of discontinuation.

(q) In the event that the CLC changes a lottery draw game to a different lottery draw game, the CLC shall set a date that all eligible tickets must be purchased by in order to participate in the final drawing of the old game.

(r) The CLC, and any online gaming operator that may offer online lottery or keno on behalf of the CLC, shall require that any online gaming service provider that has access to the electronic wagering platform utilized for online lottery and keno shall utilize software protection to prohibit the provider’s employees from tampering with pools, liabilities or winning ticket information.

(s) The CLC, and any online gaming operator that may offer online lottery or keno on behalf of the CLC, shall produce system pool reports to verify liabilities, which shall be generated immediately at the close of online lottery and keno games. If an attempt is made to tamper with information, such activity shall be indicated on the activity log and the online gaming operator shall notify the department and the CLC upon discovering such attempt.

(t) If the CLC utilizes the same online gaming operator for online lottery and keno as it uses for sports wagering, it shall ensure that the online gaming operator provides system reports that reveal all system activity generated at and by terminals that are used to wager on a sports event at a sports wagering facility, including, but not limited to: wagers, cashes, cancels, errors, statuses, validations, activations, deactivations, special reports, sign-ons, sign-offs, inquiries, and diagnostic requests. These reports shall be available upon the department’s request and shall be used to verify the operating status of the electronic wagering platform and the sports wagering retailer terminals.

(Effective February 1, 2022)

Sec. 12-865-22. Operation of Fantasy Contests

(a) An online gaming operator offering fantasy contests shall:

(1) Prevent the sharing of inside information with third parties that could affect the outcome of a fantasy contest until the information is made publicly available. As used in this subdivision, “inside information” means information related to the play of a fantasy contest by fantasy contestants obtained as a result of or by virtue of an individual’s employment;

(2) Provide that a winning fantasy contest outcome may not be based on the score, point spread or performance of a single actual sports team or combination of such teams or solely on a single performance of an individual athlete or participant in a single actual sports event;

(3) Annually conduct an independent audit to ensure compliance with the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, except that an online gaming operator of fantasy contests with annual gross fantasy contest revenues of less than $100,000 is not required to contract with a certified public accountant as prescribed by this subdivision unless required by the commissioner, in which case the commissioner shall notify such online gaming operator and allow a reasonable period of time to comply with the requirement for an independent audit;

(4) By June 30th of each year, submit a report to the department that includes the following information regarding accounts with the online gaming operator of fantasy contests held by fantasy contestants in the State:

(A) The number of accounts held by fantasy contestants on all platforms offered by the online gaming operator. The online gaming operator of fantasy contests shall identify the number of internet gaming accounts held by highly experienced fantasy contestants on all platforms offered by the online gaming operator;

(B) The total number of new internet gaming accounts established and accounts permanently closed in the preceding year or, if the online gaming operator of fantasy contests has been licensed for less than one year, the number of new accounts and permanently closed accounts in the period since the online gaming operator's license was issued; and

(C) The total amount of gross fantasy contest revenues received by the online gaming operator of fantasy contests;

(5) Offer introductory procedures for patrons that explain fantasy contest play and how to identify a highly experienced player. For purposes of this section, “highly experienced player” means an individual who has entered more than one-thousand fantasy contests offered by a single online gaming operator of fantasy contests or has won more than three fantasy contests with winnings valued at $1,000.00 each or more from a single online gaming operator of fantasy contests;

(6) Identify all highly experienced players in any fantasy contest by a symbol attached to such players' usernames, or by other means that are easily visible to all fantasy contest patrons;

(7) Disclose the maximum number of total entries allowed for each fantasy contest;

(8) Offer each patron information regarding his or her internet gaming account history and account details;

(9) Promptly, accurately and regularly update the number of entries that have been submitted for the fantasy contest at a given time, for any fantasy contest it offers, which update shall occur at least daily;

(10) Ensure the value of any winnings offered to patrons is established and made known to patrons in advance of when the online gaming operator allows patrons to enter the fantasy contest; and

(11) Establish and disclose a limitation on the number of entries an individual patron may submit for each fantasy contest and have an approved procedure in place to prevent a patron from exceeding that number.

(b) Each online gaming operator of fantasy contests shall publish information on its internet website and mobile application regarding average winnings, which shall include, at a minimum:

(1) The median and mean net winnings of all patrons participating in fantasy contests offered by such online gaming operator; and

(2) The percentage of winnings awarded by the online gaming operator to highly experienced players participating in fantasy contests offered within the preceding calendar year.

(c) Each online gaming operator of fantasy contests shall retain records for all fantasy contests offered, which shall include:

(1) The date and time the fantasy contest started and ended;

(2) Compensation or winnings structure used;

(3) Patrons that entered the fantasy contest;

(4) Selections each patron made for his or her team;

(5) Total number of points earned by each patron’s team;

(6) Total amount of entry fees paid;

(7) Results, including the points earned by the winning patron or patrons;

(8) Total amount of patrons' winnings; and

(9) Total amount of cash or cash equivalents awarded to patrons.

(Effective February 1, 2022)

Sec. 12-865-23. Voluntary Self-Exclusion Procedures

(a) The department shall create and maintain a voluntary self-exclusion list for all gaming under the act. Any individual may have the individual’s name included on the self-exclusion list by submitting a request in the manner and form prescribed by the department.

(b) Online gaming operators may create a voluntary self-exclusion portal, incorporated into their electronic wagering platform and made conspicuously available through the internet website and mobile application, where individuals may request inclusion on the list. The department shall require specific information to be collected from and disclosed to individuals for the purpose of the online gaming operator’s voluntary self-exclusion list.

(c) An individual requesting placement on the self-exclusion list shall submit a completed request for self-exclusion online, in a form and method prescribed by the commissioner, or at a location approved by the department.

(d) The voluntary self-exclusion form utilized by an online gaming operator or sports wagering retailer shall be approved in writing by the department. At the time of requesting self-exclusion through the online gaming operator or sports wagering retailer, an individual may be required, as prescribed by the department, to provide the following information:

(1) Name, including any aliases or nicknames;

(2) Social Security number or other government issued identification number;

(3) Date of birth;

(4) Address of current residence;

(5) Telephone number;

(6) Electronic mail address or addresses, or such other information as needed to exclude such individual from targeted advertising;

(7) A copy of a valid government-issued photo identification containing the individual’s signature and photograph;

(8) Acknowledgement that the request for self-exclusion has been made voluntarily;

(9) Acknowledgement that the request for self-exclusion will prohibit the individual from all forms of internet games and retail sports wagering authorized pursuant to the act and the individual will be subject to forfeiture of any winnings, or other things of value obtained as a result of engaging in gaming;

(10) Acknowledgement that the individual will remain on the self-exclusion list until a request for removal pursuant to this section is approved, which request shall not be considered until the period of self-exclusion has lapsed;

(11) Release that indemnifies and holds harmless the State, the gaming entity licensee and any licensee from and against any claims, damages, losses, expenses or liability arising out of acts or omissions related to the oversight of or implementation of the self-exclusion list;

(12) Certification that the information provided in the request is true and accurate; and

(13) Such other information as the department may request to effectively identify an excluded person and implement the self-exclusion list.

(e) The duration of self-exclusion may be:

(1) One year;

(2) Five years; or

(3) Lifetime.

(f) Online gaming operators and sports wagering retailers shall submit a list of all requests made during the last thirty-six hour period by individuals for inclusion on the voluntary self-exclusion list to the department on a daily basis at a time specified by the department. Such list shall be sent in a format and manner prescribed by the department. The voluntary self-exclusion list shall be maintained in a secure database that is encrypted, copies of which will be made available to online gaming operators and sports wagering retailers to view and retrieve data from.

(g) Any information submitted by any individual to a gaming entity licensee or the state regarding such individual’s participation in the voluntary self-exclusion process shall be treated as confidential information that would constitute an invasion of personal privacy if disclosed and shall not be distributed by any person beyond what is necessary to implement sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies and achieve the purposes of the voluntary self-exclusion list. Gaming entity licensees shall take all commercially reasonable actions to safeguard the information in the voluntary self-exclusion list from unauthorized distribution or release.

(h) The online gaming operator shall compare the operator’s internet gaming accounts with the department’s centralized voluntary self-exclusion list at least once daily. The online gaming operator shall suspend any account associated with an excluded person within four hours of retrieving the department’s daily updated voluntary self-exclusion list or upon written notification from the department that such person has been included on the voluntary self-exclusion database, whichever is earlier.

(i) Online gaming operators and sports wagering retailers shall compare their internet gaming accounts with the voluntary self-exclusion list prior to sending any communications to patrons, other than communications solely related to account close-out, withdrawals, and security, to verify whether any of their patrons or targeted audience are included on the voluntary exclusion database. Where an online gaming operator or sports wagering retailer uses a third-party to send such communications, the third party shall sign a confidentiality agreement and affidavit affirming the third party’s obligation to maintain the confidentiality of the information in the database prior to the third party’s use of the database and prior to the third party’s dissemination of any communication or other marketing material. Prior to contracting with any third-party communication service provider, the gaming entity licensee shall ensure that the third-party complies with the requirements of section 12-865-32 of the Regulations of Connecticut State Agencies.

(j) An individual requesting removal from the self-exclusion list shall be required to verify the individual’s identity in a manner comparable to the verification performed when the request for inclusion on the list was made.

(k) If a patron has suspended his or her account or is on the voluntary self-exclusion list, a licensee shall not send gaming-related communications, advertisements or notices, other than communications solely related to account close-out, withdrawals, and security, to such patron while the internet gaming account is suspended or inactive.

(l) Compensation received from a fantasy contest, prizes or winnings received by an individual on the excluded persons list shall be forfeited and shall be dispensed to the patron or patrons who were the next runner- or runners-up and to each next eligible patron, for compensation related to a fantasy contest, if possible to determine, or the amounts deposited and won shall be dispensed to the chronic gamblers treatment rehabilitation account, established under section 17a-713 of the Connecticut General Statutes.

(m) In the event a patron has a pending sports wager and then self-excludes, the wager shall be cancelled, and the funds returned to the patron according to approved internal controls.

(Effective February 1, 2022)

Sec. 12-865-24. Problem Gambling Requirements

(a) Each online gaming operator shall include the following information in a prominent place on the internet gaming log on screen and on the log off screen whenever the electronic wagering system detects a log off:

(1) The message “If you or someone you know has a gambling problem and wants help, call (888) 789-7777 or visit ccpg.org/chat,” or the equivalent of such message in a language other than English. The department may update the required phone number or web address to be displayed by providing ten days’ notice to each licensee, after which time the licensee shall display the new number and address. The department shall consult with the Department of Mental Health and Addiction Services prior to revising the required problem gambling message and shall provide ten days’ notice to each licensee, after which time the licensee shall display the new message;

(2) Procedures for patrons to self-exclude themselves;

(3) Procedures in accordance with sections 12-865-11 and 12-865-13 of the Regulations of Connecticut State Agencies for the patron to impose limits on the patron’s gaming activities;

(4) The date, time and duration of the patron's previous log on; and

(5) A notification that if the individual is on the self-exclusion list, the individual shall be barred from collecting any winnings or prizes if the individual participated in gaming for which the individual self-excluded.

(b) Each sports wagering retail facility shall include a sign of at least 12” x 12” at the entrance, near every automatic teller machine or other machine where cash may be withdrawn or advanced, and at the location where wagers are placed that prominently displays the following information:

(1) “If you or someone you know has a gambling problem and wants help, call (888) 789-7777 or visit ccpg.org/chat,” or the equivalent of such message in a language other than English. The department may update the required phone number or web address to be displayed by providing ten days’ notice to each licensee, after which time the licensee shall display the new number and address. The department shall consult with the Department of Mental Health and Addiction Services prior to revising the required problem gambling message and shall provide ten days’ notice to each licensee, after which time the licensee shall display the new message.

(2) Where within the retail facility the patron can go to place himself or herself on the self-exclusion list.

(3) A notification that if the individual is on the self-exclusion list, the individual shall be barred from collecting any winnings or prizes if the individual participated in gaming for which the individual self-excluded.

(c) An electronic wagering platform shall either:

(1) Continuously and prominently display the current time in the State of Connecticut and the time elapsed while in the current patron session; or

(2) Cause a pop-up notification, at least every half-hour, to be prominently displayed that advises the patron of the current time, the amount of time elapsed, and amount wagered since his or her log on.

(d) If an individual is on the self-exclusion list or is otherwise barred from participating in gaming, a licensee shall not market gaming related activities or businesses to that individual in any way, including phone, mail, text, electronic mail, through social media or by knowingly directing any form of advertisement or marketing material to that individual.

(e) Excluded persons shall not collect any prizes or winnings or recover any losses arising from any prohibited participation in gaming activity. Prizes or winnings received in a fantasy contest by an individual on the excluded persons list shall be dispensed by the online gaming operator to the patron or patrons who were the next runner- or runners-up and to each next eligible patron, for compensation related to a fantasy contest, if possible to determine, or the amounts deposited and won shall be dispensed to the chronic gamblers treatment rehabilitation account, established under section 17a-713 of the Connecticut General Statutes. Prizes or winnings received in any other internet game by an individual on the excluded persons list shall be forfeited and shall be dispensed by the online gaming operator to the chronic gamblers treatment rehabilitation account, established under section 17a-713 of the Connecticut General Statutes.

(f) Each licensee shall train all employees that may have direct contact with patrons, whether in-person, by phone, electronic mail, electronic chat or other means, on problem gambling and gambling disorder. The training program shall comply with the following:

(1) The training shall occur before the employee begins employment, or begins working in a position where the employee may interact with patrons, and shall occur at regular intervals thereafter of not less than once per year.

(2) Such training shall include training on the licensee’s policies, best practices and resources for identifying and assisting individuals who may be exhibiting problem gambling behavior, including:

(A) Recognizing the nature and symptoms of problem gambling behavior and how to assist players in obtaining information regarding help for a gambling problem and self-exclusion programs;

(B) Responding to patrons who may disclose that they have a gambling problem; and

(C) Responding to reports from third parties, such as family members, about patrons who may have a gambling problem.

(3) The training provided by the licensee shall consist of a program or programs approved by the Department of Mental Health and Addiction Services.

(g) An electronic wagering platform shall not induce a patron to continue placing wagers when play is in session, when the patron attempts to end a session, or when the patron wins or loses a bet. If a patron has initiated a withdrawal request, the gaming entity licensee may not offer anything of value to reverse the withdrawal request.

(Effective February 1, 2022)

Sec. 12-865-25. Marketing and Advertising Standards

(a) Each licensee shall be responsible for the content and conduct of all gaming related advertising or marketing developed by, placed or disseminated on its behalf or to its benefit whether by the licensee, an employee or agent of the licensee, an affiliated entity or a third party pursuant to contract, regardless of whether the licensee participated directly in its preparation, placement or dissemination.

(b) For the purposes of this section, advertising and marketing shall include, but not be limited to:

(1) Mail, including electronic mail;

(2) Telemarketing, including text messaging;

(3) Broadcast media;

(4) Billboards and signage;

(5) Internet advertising;

(6) Play-for-free versions of internet games;

(7) Social media;

(8) Sponsorships; and

(9) Patron acquisition, referral, rewards and retention programs.

(c) Each gaming entity licensee shall retain a copy of all advertising, marketing and other promotional materials intended to promote any gaming, including a log of when, how, and with whom, those materials have been published, aired, displayed, or disseminated. A gaming entity licensee shall also grant the department access to all social media platforms utilized by the licensee.

(d) All gaming related advertising, marketing and other promotional materials and the publication log shall be made available to the department on request.

(e) All advertising, marketing and other promotional materials published, aired, displayed, or disseminated by or on behalf of any licensee shall:

(1) Include the message “If you or someone you know has a gambling problem and wants help, call (888) 789-7777 or visit ccpg.org/chat,” or the equivalent of such message in a language other than English. The department may update the required phone number or web address to be displayed by providing ten days’ notice to each licensee, after which time the licensee shall display the new number and address. The department shall consult with the Department of Mental Health and Addiction Services prior to revising the required problem gambling message and shall provide ten days’ notice to each licensee, after which time the licensee shall display the new message;

(2) Not directly advertise or promote gaming, parimutuel wagering or casino gaming on or off of the reservations to individuals that are (A) excluded persons, or (B) under twenty-one years of age, or, if pertaining exclusively to keno, online lottery and fantasy contests, individuals under eighteen years of age;

(3) State that patrons shall be eighteen or twenty-one years of age or older, as applicable, to participate;

(4) Not contain images, symbols, celebrity or entertainer endorsements, or language designed to appeal specifically to those under twenty-one years of age, or if pertaining exclusively to keno, online lottery and fantasy contests, individuals under eighteen years of age;

(5) Not contain inaccurate or misleading information that would reasonably be expected to confuse and mislead patrons in order to induce them to engage in gaming;

(6) Not feature anyone who is, or appears to be, under twenty-one years of age, or, if pertaining exclusively to online keno, online lottery and fantasy contests, anyone who is, or appears to be, under eighteen years of age;

(7) Not be published, aired, displayed, or disseminated in media outlets, including social media, that appeal primarily to individuals under twenty-one years of age, or, if pertaining exclusively to online keno, online lottery, and fantasy contests, individuals under eighteen years of age;

(8) Not be placed before any audience where the majority of the viewers or participants is presumed to be under twenty-one years of age, or, if pertaining exclusively to online keno, online lottery and fantasy contests, under eighteen years of age;

(9) Not imply greater chances of winning versus other licensees;

(10) Not imply greater chances of winning based on wagering in greater quantity or amount, except for online keno and online lottery that include game features approved by the department that increase the chances of winning;

(11) Not contain claims or representations that gaming will guarantee an individual's social, financial, or personal success;

(12) Not use any type, size, location, lighting, illustration, graphic, depiction or color resulting in the obscuring of any material fact; and

(13) If a direct advertising, marketing, or promotion, include a clear and conspicuous link that allows patrons to unsubscribe by clicking on one link.

(f) Play-for-free versions of internet games shall not be marketed to individuals under the legal age permitted to place wagers on the corresponding play-for-money internet games.

(g) All play-for-free versions of internet games offered by an online gaming operator shall comply with the following:

(1) The online gaming operators shall ask an individual to verify the individual’s age before allowing the individual to play.

(2) The play-for-free version of an internet game shall follow the same game rules as the corresponding play-for-money internet game.

(3) Online gaming operators shall ensure that play-for-free versions of internet games accurately represent the likelihood of winning and prize distribution in the play-for-money internet game.

(4) Play-for-free versions of internet games shall use the same random number generator as the corresponding play-for-money internet game.

(5) The distribution of winnings or prizes in play-for-free versions of internet games shall accurately represent the play-for-money internet game. For example, where a play-for-free version of an internet game uses virtual cash, the virtual cash payouts shall be the same as the corresponding play-for-money internet game, and where tokens are used, the allocation of tokens as winnings or prizes shall be proportionate to the stakes and winnings or prizes in the play-for-money internet game.

(h) Where videos are used to advertise an internet game’s features, the online gaming operator shall make it clear to consumers where footage has been edited or sped-up for promotional purposes. Where an online gaming service provider’s website is demonstrating an internet game with higher than normal returns the online gaming service provider shall make it clear to consumers that it is a demonstration internet game specifically designed to demonstrate the bonus features.

(i) No master wagering licensee or online gaming operator may enter into an agreement with a third party to conduct advertising or marketing on behalf of, or to the benefit of, the licensee when compensation is dependent on, or related to, the volume of patrons or wagers placed, or the outcome of wagers.

(j) Each gaming entity licensee shall ensure that excluded persons do not receive advertising, marketing or other promotional materials relating to gaming.

(k) Advertising, marketing, or promotional materials may not be placed on any website or printed page or medium devoted primarily to responsible gaming.

(l) Licensees shall provide the requirements of this section to advertising, marketing, and promotions personnel, contractors, agents, and agencies and shall require, and be held responsible for, compliance with the same.

(m) The following notices and communications shall not be deemed advertising, marketing, or other promotional materials for purposes of this act: Any sign, notice, or other information required to be provided by the act or sections 12-865-1 to 12-865-34, inclusive, of the Regulations of the Connecticut State Agencies, including, without limitation, the following:

(1) Notice regarding the terms and conditions or official procedures of the internet games; and

(2) The posting of information about rules of games, payoffs of winning wagers and odds.

(n) A licensee shall discontinue as expeditiously as possible the use of a particular advertisement in this state or directed to residents in this state upon receipt of written notice that the department has determined that the use of the particular advertisement in this state could adversely impact the public or the integrity of gaming. The licensee may appeal a determination by the department that a particular advertisement must be removed by requesting a hearing before the commissioner in accordance with chapter 54 of the Connecticut General Statutes. Such request for hearing shall be made in writing to the commissioner within fifteen days of receipt from the department of the notice requiring such advertisement be removed and discontinued.

(o) If an online gaming operator offers complimentaries to patrons that are subject to conditions in order to redeem the complimentary, such as expiration dates or engagement in multiple internet games, the online gaming operator shall clearly disclose all such conditions or limitations to the patron through the following methods:

(1) In any advertisement or inducement where complimentaries are advertised;

(2) If being added to an internet gaming account while a patron is logged into the patron’s account, through the use of a pop-up message; and

(3) If the offer requires the patron to wager a specific dollar amount to receive the complimentary, the amount that the patron is required to wager of the patron’s own funds shall be disclosed in the same size and style of font as the amount of the complimentary.

(Effective February 1, 2022)

Sec. 12-865-26. Complaint Management

(a) Each gaming entity licensee shall investigate each patron complaint related to such licensee’s gaming and provide a response to the patron within ten calendar days. For complaints that cannot be resolved to the satisfaction of the patron, related to internet gaming accounts, game outcomes or illegal activity, a copy of the complaint and the licensee's response, including all relevant documentation, shall be provided to the department. All other complaints and responses related to internet gaming, including, but not limited to, account access problems, online chat disputes and technical matters, shall be provided monthly, upon request or with such frequency approved by the department.

(b) Each gaming entity licensee shall establish a process for resolving customer complaints and disputes. Such policy shall be conspicuously posted on its internet website and mobile application, if applicable.

(c) Each gaming entity licensee shall establish a policy for patrons that are alleged to be prohibited patrons or excluded persons to appeal such determination. Such policy shall be conspicuously posted on its internet website and mobile application, if applicable.

(d) Each gaming entity licensee shall conspicuously include on its internet website, and mobile application, if applicable, the availability of a mechanism for resolving a customer’s complaint. This shall include information explaining how complaints can be filed, how complaints are resolved, and how a patron can submit a complaint to the department after attempting to resolve the issue with the master wagering licensee, online gaming operator or sports betting retailer.

(e) The terms and conditions provided to patrons shall provide for a method for filing a complaint with the gaming entity licensee and method for filing with the department an unresolved complaint after all reasonable means to resolve the complaint with the gaming entity licensee have been exhausted.

(Effective February 1, 2022)

Sec. 12-865-27. Policies and Procedures

(a) Unless otherwise provided for by the department, before beginning internet gaming, an online gaming operator and sports wagering retailer shall submit their internal controls in detail in writing for department review and approval. If an online gaming operator is licensed to offer more than one type of internet game, for example online casino gaming and fantasy contests, the online gaming operator may have separate sets of internal controls for each type of internet game. Internal controls shall include a detailed description of the administrative and accounting procedures to be utilized by the online gaming operator in compliance with the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies. The procedures shall include, but not be limited to:

(1) An online gaming operator’s procedures for responding to a failure of the electronic wagering platform, including procedures for restoring internet gaming.

(2) An online gaming operator’s automated and manual risk management procedures, including procedures to govern emergencies such as suspected or actual cyber-attacks on, hacking of, or tampering with the electronic wagering platform and associated equipment. The procedures shall include the process for the reconciliation or repayment of an internet gaming account.

(3) Procedures for identifying and reporting fraud and suspicious conduct.

(4) Procedures to prevent wagering by excluded or prohibited patrons.

(5) Procedures for online gaming operator and sports wagering retailer imposed expulsion of patrons, including the following:

(A) Providing a notification to the patron of the patron’s expulsion status and general instructions for resolution.

(B) Ensuring that immediately upon executing the expulsion order, no new wagers or deposits are accepted from the expelled patron, until such time as the licensee lifts the expulsion order.

(C) Ensuring that the patron is not prevented from withdrawing any or all of his or her account balance, if the online gaming operator acknowledges that the funds have cleared, and that the reason or reasons for expulsion would not prohibit a withdrawal.

(6) Description of the process for voiding or cancelling wagers and refunding the patron.

(7) Procedures for issuance and acceptance of complimentaries for internet gaming.

(8) Procedures for identifying and restricting prohibited patrons.

(9) An online gaming operator’s methods for securely issuing, modifying, and resetting a patron’s account password, personal identification number, or other approved security feature, if applicable. Any such method shall include notification to the patron following any modification via electronic or regular mail, text message, or other manner approved by the department. Such methods shall include, at a minimum, one of the following:

(A) Proof of identity, if in person.

(B) The correct response to two or more challenge questions.

(C) Strong authentication.

(10) In detail, the location of the online gaming operator’s gaming servers, including any third-party remote location servers, and what controls will be in place to ensure security of the gaming servers.

(11) Procedures and security for the calculation, recording, and reporting of gross revenue, adjusted gross revenue, winnings, and prizes; or gross receipts and winnings if the online gaming operator provides fantasy contests.

(12) Policies and procedures in connection with the internal audit, or equivalent, function of its internet gaming operations.

(13) Any other items considered necessary by the department.

(b) Modifications or additions to any portion of the internal controls shall be submitted to the department for approval prior to implementation.

(c) The commissioner may accept, reject or require modification of any internal control. Rejection or required modifications of internal controls shall be based on the potential for detrimental impact on: the integrity of gaming operations; financial, cyber or physical security related to an electronic wagering platform; or the department’s ability to effectively regulate gaming operations. An online gaming operator or sports wagering retailer may appeal any rejection of an internal control by requesting a hearing before the commissioner in accordance with chapter 54 of the Connecticut General Statutes. Such request for hearing shall be made in writing to the commissioner within fifteen days of receipt from the Department of a rejection of such internal control.

(d) Within thirty days of offering online wagering or retail sports wagering to patrons, the online gaming operator and sports wagering retailer shall create and approve the following internal administrative procedures that shall not be subject to department approval but shall be available to the department upon request:

(1) User access controls for all online gaming operator internet gaming personnel.

(2) Segregation of duties.

(3) Description of anti-money laundering compliance standards.

(4) Description of an online gaming operator’s process for accepting multiple wagers from one patron in a twenty-four-hour cycle, including process to identify patron structuring of wagers to circumvent recording and reporting requirements.

(5) Procedures for processing consumer complaints and for the appeal of the designation of a patron as a prohibited or excluded person.

(6) Description of process to close out dormant accounts.

(7) The online gaming operator’s procedures for making adjustments to an internet gaming account, providing a method for a patron to close out an account and how a patron will be refunded after the closure of an account or how funds will be escheated.

(8) The online gaming operator’s procedures to verify each patron’s physical location.

(9) The online gaming operator’s procedures for the security and sharing of personal identifiable information of a patron, funds or financial information in an internet gaming account, and other information as required by the department. The procedures shall include the means by which an online gaming operator and a master wagering licensee provide notice to a patron related to the sharing of personal identifiable information.

(10) Detailed responsible gaming measures.

(11) The online gaming operator’s T&S controls.

(12) The online gaming operator’s procedures for terminating an internet gaming account and the return of any funds remaining in the internet gaming account to the patron or confiscation of funds.

(13) The online gaming operator’s procedures for the logging in and authentication of a patron to enable the patron to commence internet gaming and the logging off of the patron when the patron has completed play, including a procedure to automatically log a patron out of the internet gaming account after a specified period of inactivity.

(14) The online gaming operator’s procedures for withdrawing funds from an internet gaming account by the patron.

(15) The online gaming operator’s procedures and appropriate measures implemented to deter, detect, and, to the extent possible, prevent cheating, including collusion, and use of cheating devices, including the use of software programs that make bets according to algorithms.

(16) Policies and procedures with respect to accepting or extending patron credit.

(17) Any other items considered necessary by the department in order to ensure the integrity of gaming and internet games in the state.

(e) To the extent a third-party is involved in or provides any of the internal controls required in sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, the online gaming operator’s internal controls shall document the roles and responsibilities of the third-party and shall include procedures to evaluate the adequacy of and monitor compliance with the third-party’s internal control procedures.

(f) In the event of an emergency, the online gaming operator may temporarily amend an internal control. The online gaming operator shall notify the department that an emergency exists before temporarily amending an internal control procedure.

(g) An online gaming operator shall submit the temporary emergency amendment of the internal control procedures to the department within three days of the amendment. The submission shall include the detailed emergency procedures that will be implemented and the time period the emergency procedures will be temporarily in place. Any concerns the department has with the submission shall be addressed with the online gaming operator.

(h) As soon as the circumstances necessitating the emergency amendment to the internal controls abate, an online gaming operator shall resume compliance with the approved internal controls.

(Effective February 1, 2022)

Sec. 12-865-28. Financial Reporting and Auditing

(a) Prior to any independent audit of a master wagering licensee or online gaming operator to be performed by a certified public accountant, the master wagering licensee or online gaming operator shall provide to the department the opportunity to meet with the independent certified public accountant that will perform such audit to identify areas of audit to be conducted. At least ten days prior to issuance of a final independent audit report, the certified public accountant performing such audit shall send the draft report to the department for review. The department may require a meeting with the certified public accountant prior to issuance of the final audit report.

(b) A master wagering licensee and online gaming operator shall have an independent certified public accountant audit its books and accounts at least once each fiscal year. The books, records and financial statements of the master wagering licensee and the online gaming operator shall be prepared in accordance with generally accepted accounting principles. A master wagering licensee and online gaming operator shall require that an independent certified public accountant submit to the department within one-hundred-fifty days after the close of its fiscal year, a complete set of audited financial statements that present the licensee’s financial position and the results of its operations and its cash flows in conformity with generally accepted accounting principles.

(c) A master wagering licensee and online gaming operator shall provide to the department any audit report related to internet games, or sports wagering retail operation in the state of Connecticut, completed by any governmental body, independent certified public accountant, independent testing laboratory, or other consultant, including any audit report performed on its electronic wagering platform.

(d) Master wagering licensees and online gaming operators shall provide the following to the department on an annual basis:

(1) An organizational chart;

(2) A report as to whether any material deficiencies in internal controls were noted by the independent certified public accountant during the course of the annual independent audit of the licensee’s financial statements. In addition, the master wagering licensee and the online gaming operator shall submit to the department a copy of any report and associated certified public accountant engagement letters issued by the independent certified public accountant lawyers’ contingency letters in connection with the annual audit;

(3) The master wagering licensee and the online gaming operator’s management representation letter to the auditor for accounting information material to the financial statements and for matters relating to audit disclosure requirements. Any reports resulting from an examination or the performance of mutually agreed upon procedures relating to the design or operating effectiveness of the master wagering licensee and the online gaming operator’s internal controls; and

(4) If amended since the last annual submission to the department, articles of organization, certificates of incorporation, bylaws, corporate resolutions or any other organizing documents of the master wagering licensee or the online gaming operator.

(e) An online gaming operator shall also disclose on an annual basis all related-party transactions. For the purposes of this subsection, “related party transaction” means any transaction that includes the online gaming operator and at least one of the following:

(1) Any director or executive officer of the online gaming operator;

(2) Any nominee for director or executive officer;

(3) Any immediate family member of a director or executive officer of the online gaming operator or any business in which such family members collectively have a greater than 5% ownership interest. An immediate family member includes any child, stepchild, parent, stepparent, spouse, sibling, mother-in-law, father-in-law, son-in-law, daughter-in-law, brother-in-law, sister-in-law or any person other than a tenant or employee, sharing the household of such director or executive officer of the online gaming operator; or

(4) An owner of the online gaming operator with an interest of more than 5% in such other business.

(f) Recommendations made to a master wagering licensee or online gaming operator as a result of an independent audit shall be implemented within a reasonable time frame, which shall not exceed one year unless approved in writing by the commissioner. If a licensee disagrees with the recommendations, it shall provide a written explanation to the department as to why such recommendations will not be implemented within thirty days of receipt of the audit recommendations. Thereafter, a final determination shall be made by the department as to whether implementation of such recommendations shall be required.

(g) The department may require, in its sole discretion, the master wagering licensee or online gaming operator to submit to an audit, which cost shall be borne by the master wagering licensee or online gaming operator, by the department or a third-party, of its financial reports or internal controls. The department, or its duly authorized representatives, shall be provided with total cooperation and such information in a timely manner as may be requested.

(h) The master wagering licensee and online gaming operator shall have procedures to internally balance and reconcile all activity from the electronic wagering platform on a daily and monthly basis and shall provide reports of same to the department. Such reporting shall be in a manner and at a frequency determined by the commissioner.

(i) Each master wagering licensee and online gaming operator, other than a master wagering licensee or online game operator that solely operates fantasy contests, shall provide the department with continuous internet based read-only access to financial reports maintained by such licensee that provide detailed reporting of the following financial transactions: sales, cashes, cancels, complimentaries issued and redeemed, purges, adjustments, unclaimed sports wagering tickets, dormant internet game accounts, forfeited winnings, forfeited prizes, or any other financial report deemed necessary by the commissioner. If, in the discretion of the commissioner, any such reporting requirements are not necessary to monitor, audit and investigate the operation of fantasy contests conducted by an online gaming operator that does not solely operate fantasy contests, the commissioner may reduce the volume and scope of the requirements.

(j) The master wagering licensees and online gaming operators that solely operate fantasy contests, shall provide the department with weekly and monthly reports showing the following daily financial transactions: entry fee, winnings, cancels, purges, adjustments, dormant internet game accounts, forfeited winnings, location percentage as defined in section 12-868 of the Connecticut General Statutes or any other financial report deemed necessary by the commissioner. If, in the discretion of the commissioner, any such reporting requirements are not necessary to monitor, audit and investigate the operation of fantasy contests conducted by an online gaming operator that does not solely operate fantasy contests, the commissioner may reduce the volume and scope of the requirements.

(k) Gross receipts from fantasy contests shall be reported to the department on a weekly and monthly basis. Gross receipts shall not include the issuance or redemption of complimentaries. If, in the discretion of the commissioner, any such reporting requirements are not necessary to monitor, audit and investigate the operation of fantasy contests conducted by an online gaming operator that does not solely operate fantasy contests, the commissioner may reduce the volume and scope of the requirements.

(l) Coupons or credits, as described in sections 12-866 or 12-867 of the Connecticut General Statutes and actually played by the patrons, shall be maintained in an electronic file that is readily available to the department. The master wagering licensee and online gaming operator shall only deduct coupons or credits from gross gaming revenue if such coupons or credits are issued for use for gaming in the state and redeemed in the state.

(m) Each master wagering licensee and online gaming operator shall provide the department, prior to commencing public operation of internet gaming and on an annual basis thereafter, a list of all electronic wagering platform reports and a description of the content of each report. The commissioner may require additional system reporting capabilities and specific information to augment such reports.

(n) A master wagering licensee shall make monthly payments based on gross receipts to the State in accordance with section 12-868 of the Connecticut General Statutes.

(o) A master wagering licensee that operates fantasy contests, either directly or through an online gaming operator, that exceeds a single monthly reporting period, such as a season-long single-sport fantasy contest, may estimate its monthly payment for gross receipts associated with such contests. Such master wagering licensee shall pay a monthly payment that would be equal to the total gross receipts for the contest divided by the number of months or partial months that the contest runs. Prior to providing an estimated fee pursuant to this subsection, the master wagering licensee shall notify the department of its intent to pay an estimated fee and its methodology for determining the fee and shall receive written approval to provide such estimated fee.

(p) A master wagering licensee that operates fantasy contests, either directly or through an online gaming operator, shall notify the department if it concludes that it needs to adjust the estimated fee paid pursuant to subsection (o) of this section because the estimated monthly gross receipts were greater than or less than the amount the master wagering licensee should have owed based on the calculation set forth in the act. The notification shall be provided in a manner and on a form provided by the department and shall include such documentation as the department may request to demonstrate the need for an adjustment. If the department agrees that an adjustment is warranted, the payment for the final month shall be adjusted to reflect the over- or underpayment of the payment.

(Effective February 1, 2022)

Sec. 12-865-29. Enforcement and Summary Suspension

(a) Investigation. The department may investigate any person with a license issued pursuant to this act for potential violation of the technical standards or state or federal law.

(b) Failure to comply with the act, sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, internal controls, or technical standards established pursuant to section 12-865-3(n) of the Regulations of Connecticut State Agencies shall constitute a violation of law and the commissioner shall have authority to issue fines, or suspend, revoke, deny, or place conditions upon a license pursuant to section 12-862 of the Connecticut General Statutes.

(c) Inspection of records. Every person required by sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, to prepare, obtain or keep records, logs, reports or other documents, and every person in charge of or having custody of such documents, shall maintain such documents in an auditable format. Upon request, such person shall make such documents available for review and copying by the department. When possible, such documents shall be submitted to the department in electronic form. The commissioner may request any information the commissioner deems necessary for the proper administration of the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies. Inspection may include the review and reproduction of any record.

(d) Application Denial. The department may deny any application for a license or renewal application for cause, including, but not limited to, conduct of a character inimical to the integrity of gaming, the provision of false or misleading information, or due to an incomplete application. Upon refusal to issue or renew a license, the commissioner shall notify the applicant of the denial and of the applicant's right to request a hearing within ten days from the date of receipt of the notice of denial. If the applicant requests a hearing within such ten days, the commissioner shall give notice of the grounds for the commissioner's refusal and shall conduct a hearing concerning such refusal in accordance with the provisions of chapter 54 of the Connecticut General Statutes concerning contested cases. If the commissioner's denial of a license is sustained after such hearing, an applicant may make new application not less than one year after the date on which such denial was sustained.

(e) License Enforcement Actions. The commissioner shall have the authority to take enforcement action against licensees in accordance with chapter 54 of the Connecticut General Statutes. The department is authorized to engage in settlement negotiations and enter into settlement agreements with licensees in lieu of formal administrative enforcement action.

(f) Summary Suspension, Cease and Desist. A license may be summarily suspended, pending a hearing pursuant to section 4-182 of the Connecticut General Statutes, or a cease and desist order may be issued to the licensee by the commissioner, if the department finds that based on the conduct of a licensee, emergency action is required to protect public health, safety, or welfare, such as when a licensee, or employee or officer of a licensee, is alleged to have manipulated or inappropriately accessed an electronic wagering system or any associated hardware or software; tampered with a licensee’s gaming files; or otherwise defrauded the public by compromising wagering authorized by the act.

(g) Distribution of Investigation and Enforcement Information. To ensure compliance with technical standards, and state and federal laws and regulations, the department may refer any case involving an alleged violation of law to a state, federal or local law enforcement agency. In addition, the department may inspect, obtain or provide information regarding applicants, licensees or any of their affiliates from or to law enforcement entities or gaming authorities and other domestic, federal or foreign jurisdictions, including the Federal Bureau of Investigation.

(h) Embargo of Unlawful Hardware. Whenever the department finds, or has probable cause to believe, that any hardware related to gaming authorized by the act has been compromised in such a way that affects the integrity of gaming or causes economic harm to consumers or the state, the department may require that such hardware be embargoed in a manner acceptable to the department. Upon notice by the department of such embargo, the licensee or such third party in control of the hardware shall immediately affix a tag or other appropriate marking on the hardware to indicate that it is not available for use. The licensee may request a hearing before the commissioner in accordance with chapter 54 of the Connecticut General Statutes. Such request for hearing shall be made in writing to the commissioner within ten days of receipt from the department of the notice of embargo. The Commissioner may grant or deny the request for a hearing at the Commissioner’s discretion. If such request for a hearing is denied, the denial shall be final and the licensee may appeal such denial to the Superior Court in accordance with section 4-183 of the Connecticut General Statutes.

(i) No person shall transfer, remove or dispose of the embargoed hardware without the written permission of the commissioner. The embargo shall remain in force until removed by the commissioner, ordered to be removed by a court of competent jurisdiction or the hardware is confiscated pursuant to an order by the court.

(Effective February 1, 2022)

Sec. 12-865-30. Consumer Disclosure

(a) Online gaming operators shall disclose to consumers their license information on the footer of the online gaming operator’s home landing webpage and on any webpages through which patrons located in the state may place a wager or enter a fantasy contest, and where general contact information is posted in the mobile application. The online operator shall disclose this information in the following format: (Online gaming operator’s name) is licensed in the State of Connecticut - License (#####).

(b) All terms and conditions for internet gaming accounts shall be accessible through a link on the footer on any webpages through which patrons located in the state may place a wager or enter a fantasy contest and where general contact information is posted in the mobile application. Additionally, they shall be included as an appendix to the internal controls of the licensee. Terms and conditions for internet gaming accounts shall address all aspects of the operation, including the following:

(1) Name of the party or parties with whom the patron is entering into a contractual relationship, including any licensee;

(2) Patron's consent to have the licensee confirm the patron's age and identity;

(3) Rules and obligations applicable to the patron other than rules of the game including, but not limited to:

(A) Prohibition from allowing any other individual to access or use the patron’s internet gaming account;

(B) Prohibition from engaging in gaming activity, unless the patron is physically present in Connecticut;

(C) A patron may only place a wager on internet games authorized by the act while physically in the state;

(D) Consent to the monitoring and recording by the online gaming operator or the department of any wagering communications and geographic location information;

(E) Consent to the jurisdiction of the State of Connecticut to resolve any disputes arising out of internet gaming other than fantasy contests; and

(F) Prohibition against utilizing automated computerized software or other equivalent mechanism, such as a “bot,” to engage in play.

(4) Full explanation of all fees and charges imposed upon a patron related to gaming transactions;

(5) Availability of account statements detailing internet gaming account activity;

(6) Privacy policies, including information access;

(7) Legal age policy, including a statement that it is a criminal offense to allow an individual who is under the permitted minimum age to participate in internet games;

(8) Notification that if the patron's internet gaming account remains dormant according to the Connecticut General Statutes and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, any funds remaining on deposit shall be forfeited and remaining funds shall be remitted pursuant to the state’s unclaimed property requirements;

(9) Patron's right to set responsible gaming limits and to self-exclude;

(10) Patron's right to suspend the patron’s internet gaming account for a period of no less than seventy-two hours;

(11) Actions that will be taken in the event a patron becomes disconnected from the electronic wagering platform during game play;

(12) Notice of when a wager may be voided;

(13) Estimated time period for withdrawal of funds from an internet gaming account; and

(14) Process for a patron to file a complaint with the licensee and subsequently file with the department an unresolved complaint after all reasonable means to resolve the complaint with the gaming entity licensee have been exhausted.

(c) Terms and conditions that require acceptance prior to establishing an internet gaming account shall not include a general consent by a patron for the online gaming operator to utilize the patron’s name, voice, photograph or likeness. Consent to use a patron’s name, voice, photograph or likeness shall be accepted or denied by the patron in a manner distinct from the terms and conditions that provides the patron the opportunity to decline the patron’s consent to such use. A patron shall not be denied the ability to wager or enter a fantasy contest solely based on a denial of consent to use the patron’s name, voice, photograph or likeness. If a patron consents to the use of the patron’s name, voice, photograph or likeness, the patron shall be provided an opportunity to revoke such consent at a later date by a clear process set forth in the terms and conditions by the online gaming operator.

(d) Licensees shall display the information in this subsection on an easily accessible patron protection page which shall be accessible to a patron during a patron session. The patron protection page shall contain, at a minimum, the following:

(1) A prominent message, which states “If you or someone you know has a gambling problem and wants help, call 1-888-789-7777 or visit ccpg.org/chat,” or the equivalent of such message in a language other than English;

(2) Direct links to the Department of Mental Health and Addiction Services problem gambling website, the state’s voluntary self-exclusion list, and the Connecticut Council on Problem Gambling website; and

(3) A clear statement of the online gaming operator's policy and commitment to responsible gaming;

(4) Information regarding the following subjects, or a direct link to information regarding the following subjects, if available, from an organization based in the United States dedicated to helping people with potential gambling problems:

(A) Practical tips to stay within safe limits;

(B) Myths associated with gambling;

(C) Information regarding the risks associated with gambling; and

(D) The potential signs of a gambling problem;

(5) Rules governing self-imposed responsible gaming limits;

(6) Method for changing or retrieving a password or other approved access security feature;

(7) Notification that the patron is required to utilize strong authentication log in protection;

(8) Method for obtaining a copy of the terms and conditions agreed to when establishing an internet gaming account;

(9) Method for the patron to obtain account and game history from the licensee;

(10) Notification that underage gambling is a criminal offense and that anyone who facilitates someone under the minimum permitted age to gamble has committed a criminal offense and shall be prohibited from gaming;

(11) Notification that the patron is responsible for configuring his or her patron device's auto-lock feature to protect the patron device from unauthorized use;

(12) Notification that a patron is prohibited from allowing any other individual to access or use the patron’s internet gaming account; and

(13) Notification of federal prohibitions and restrictions regarding internet gaming, except fantasy contests, specifically, any limitations upon internet gaming as set forth in the federal Interstate Wire Act of 1961, 18 USC 1081 et seq., and the federal Unlawful Internet Gambling Enforcement Act, 31 USC 5361 et seq. The notice shall explicitly state that it is a Federal offense for individuals physically located outside of Connecticut to engage in internet gaming through a Connecticut gaming platform, unless explicitly authorized by the department.

(e) Whenever the terms and conditions that apply to an internet gaming account are changed, the gaming entity licensee shall require a patron to acknowledge acceptance of such change. Unless otherwise authorized by the department, the patron's acknowledgement shall be date and time stamped by the electronic wagering platform, as applicable.

(Effective February 1, 2022)

Sec. 12-865-31. Disclosures & Incident Reporting

(a) Licensees shall report to the department within one business day all incidents or allegations of misconduct involving any employee licensed by the department that threatens the integrity of the gaming entity licensee or the operation of gaming in the state. In addition to the reporting requirements established by section 4-33a of the Connecticut General Statutes, each gaming entity licensee shall also notify the department of any unauthorized, illegal, irregular or unsafe handling or expenditure of state or quasi-public agency funds that threatens the integrity of the gaming or may negatively impact revenue to the state from gaming.

(b) The gaming entity licensee’s employees and key employees shall report within one business day to the department all statutory, regulatory and criminal incidents, or allegations of incidents, affecting gaming. The department, in its sole discretion, may conduct its own investigation into any and all suspected incidents or violations.

(c) The CLC or any licensee shall report to the department, no later than one business day after discovery, any attempt or suspected attempt by any person to tamper with the lottery gaming system or any related system and shall report any missing, lost, or stolen, retail sports wagering receipt property or equipment related to the operation or play of any online lottery game, keno, or sports wagering.

(d) Failure by the CLC or any licensee to report incidents set forth in this section in a timely manner may be cause for suspension or revocation of the license of any licensee, after being afforded the opportunity for a hearing in accordance with chapter 54 of the Connecticut General Statutes and the department rules of practice and hearing procedures.

(Effective February 1, 2022)

Sec. 12-865-32. Data Privacy Provisions

(a) Gaming entity licensees shall provide a readily accessible privacy policy to patrons on its electronic wagering platform. The privacy policy shall state the information that is required to be collected, the purpose for information collection, and the conditions under which information may be disclosed. Any information about a patron’s internet gaming account that is not subject to disclosure pursuant to the privacy policy shall be kept confidential, except where the release is required by law or requested by the department. Patron information shall be securely erased from all storage media, including but not limited to HDD, SDD, Flash, Mobile, Cloud, Virtual, RAID, LUN, hard disks, solid state memory, and other devices before the device is decommissioned. If erasure is not possible, the storage device shall be destroyed.

(b) Gaming entity licensees shall take reasonable steps to ensure that confidential information security measures are implemented which, at a minimum, shall:

(1) Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of confidential information and to ensure secure and timely disposal of such information once there is no longer a business need for such information;

(2) Create a data minimization plan to ensure that only data required to ensure the verification of a patron’s identity and authenticate patron financial information is collected. Such plan shall also set forth the licensee’s policy for data destruction after the applicable record retention expiration date;

(3) Immediately, but in no event later than one business day, notify the department after becoming aware of a suspected confidential information breach;

(4) Within five business days of notifying the department of a suspected confidential information breach, provide the department a written notice that (A) details the suspected or confirmed confidential information breach, including the licensee’s plan to remediate the breach, mitigate its effects, and prevent breaches of a similar nature from occurring in the future, or (B) details why, upon further investigation, the licensee believes that a breach did not occur;

(5) Upon request of the department, provide a forensic report from a qualified third-party forensic examiner, the cost of which report shall be paid by the licensee contracting for the report;

(6) Establish and publish privacy protection policies on the gaming entity licensee’s website that shall include, but not be limited to: safeguarding confidential information, computer files and documents containing confidential information from misuse by third parties; and destroying, erasing or making unreadable such confidential information, computer files and documents prior to disposal; and

(7) Comply with the breach of security reporting requirements of section 36a-701b of the Connecticut General Statutes.

(c) Every written agreement that authorizes a master wagering licensee or online gaming operator to share confidential information with an online gaming service provider or sports wagering retailer shall require the online gaming service provider or sports wagering retailer to do the following:

(1) At its own expense, protect any and all confidential information that it comes to possess or control, wherever and however stored or maintained, against a confidential information breach;

(2) Implement and maintain a comprehensive data-security program for the protection of confidential information. The safeguards contained in such program shall be consistent with and comply with the safeguards for protection of confidential information as set forth in all applicable federal and state law. Such data-security program shall include, but not be limited to, the following: (A) A security policy for employees related to the storage, access and transportation of data containing confidential information; (B) reasonable restrictions on access to records containing confidential information, including the area where such records are kept and secure passwords for electronically stored records; (C) a process for reviewing policies and security measures at least annually; and (D) an active and ongoing employee security awareness program that is mandatory for all employees who may have access to confidential information associated with Connecticut internet gaming or sports wagering that, at a minimum, advises such employees of the confidentiality of the information, the safeguards required to protect the information and any applicable civil and criminal penalties for noncompliance pursuant to state and federal law;

(3) Limit access to confidential information to authorized employees and authorized agents of the gaming entity licensee, for authorized purposes as necessary for the business operations of the licensee;

(4) Maintain all electronic data constituting confidential information obtained pursuant to activity authorized by the act: (A) In a secure server; (B) on secure drives; (C) behind firewall protections and monitored by intrusion detection software; (D) in a manner where access is restricted to employees and agents authorized by the online gaming service provider or sports wagering retailer; and (E) as otherwise required under state and federal law;

(5) Implement, maintain and update security and breach investigation and incident response procedures that are appropriate given the nature of the information involved and that are reasonably designed to protect confidential information from unauthorized access, use, modification, disclosure, manipulation or destruction; and

(6) Include a provision in any agreement the online gaming service provider or sports wagering retailer enters into with a third-party provider or anyone with access to the confidential information, that such provider or person shall comply with the provisions of subsections (b)(1) to (b)(6), inclusive, of this section.

(d) Master wagering licensees, online gaming operators, online gaming service providers and sports wagering retailers shall prohibit unauthorized persons from accessing proprietary internet game programming and electronic wagering platform information. In the event that a gaming entity licensee or key employee of such gaming entity licensee becomes aware of a compromise or potential compromise of security regarding exposure of proprietary internet game or electronic wagering platform information that could impact the integrity of gaming or gross gaming revenue, the gaming entity licensee or key employee shall notify the department within one business day of discovery of such concern. The gaming entity licensee shall thereafter take all necessary steps to restore security as quickly as possible, including submitting a report detailing either (1) the occurrence of the breach or suspected breach, including a plan to mitigate the effects of any breach and specifying the steps taken to ensure future breaches do not occur, or (2) why, upon further investigation, the licensee believes no breach has occurred.

(e) Online gaming service providers shall be prohibited from retaining patron internet account information without the expressed written consent of the online gaming operator or master wagering licensee.

(f) Online gaming service providers and online gaming operators shall obtain a patron’s consent, which may be withdrawn at any time, for the online gaming service provider or online gaming operator to transmit, collect, maintain, process and use the patron’s location data for any purpose beyond verifying the location of a patron for purposes of complying with the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies. Online gaming service providers and online gaming operators shall request a patron’s consent prior to utilizing or transmitting the patron’s personally identifiable information, individual gaming information or location data for any purpose other than complying with geolocation restrictions under the act and sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies. If the patron turns off the location settings on the patron device such that the online gaming service provider cannot verify the patron’s location for purposes of complying with the act or sections 12-865-1 to 12-865-34, inclusive, of the Regulations of Connecticut State Agencies, the patron shall not be able to place wagers. If a patron’s location shall be verified through the patron’s browser location services, the patron shall give the patron’s consent for such verification, which shall be obtained through an interactive message that appears when the patron tries to make a wager.

(g) Information relating to a patron’s location and the location of the patron’s device shall be shared with the department upon request. Records confirming a patron’s location may be retained by the department for auditing purposes.

(h) The department may request information from licensees that includes personal information of the licensee, patrons or occupational employees. The department shall only request personal information that is necessary in order for it to carry out its functions. Gaming entity licensees shall ensure that their privacy notices advise patrons that their personal information may be shared with the department.

(Effective February 1, 2022)

Sec. 12-865-33. Cybersecurity

(a) Each gaming entity licensee shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the electronic wagering platform and a gaming entity licensee’s associated information systems.

(b) The cybersecurity program shall be based on a risk assessment and designed to perform the following core cybersecurity functions as outlined under the NIST Cybersecurity Framework 1.1, or other requirements set forth by the department under section 12-865-3(n) of the Regulations of Connecticut State Agencies, including:

(1) Identify and assess internal and external cybersecurity risks that may threaten the security or integrity of the electronic wagering platform or patron information stored on a gaming entity’s information systems;

(2) Use defensive infrastructure and implement policies and procedures to protect the electronic wagering platform and the gaming entity licensee’s information systems, and the nonpublic information stored on those information systems, from unauthorized access or use or other malicious acts;

(3) Detect cybersecurity events;

(4) Respond to identified or detected cybersecurity events to mitigate any negative effects;

(5) Recover from cybersecurity events and restore normal operations and services; and

(6) Fulfill applicable regulatory reporting obligations.

(c) All documentation and information relevant to the gaming entity licensee’s cybersecurity program shall be made available to the department upon request.

(d) The cybersecurity program for each gaming entity licensee shall include monitoring and testing, developed in accordance with the gaming entity licensee’s risk assessment, designed to assess the effectiveness of the gaming entity licensee’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in information systems that may create or indicate vulnerabilities, gaming entity licensees shall conduct:

(1) Annual penetration testing of the gaming entity licensee’s information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and

(2) Bi-annual vulnerability assessments, including any systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the gaming entity licensee’s information systems based on the risk assessment.

(e) Each gaming entity licensee shall securely maintain systems that, to the extent applicable and based on its risk assessment:

(1) Are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the gaming entity licensee; and

(2) Include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the gaming entity licensee.

(f) As part of its cybersecurity program, based on the gaming entity licensee’s risk assessment, each gaming entity licensee shall limit user access privileges to information systems that provide access to nonpublic information and shall periodically review such access privileges.

(g) As part of its cybersecurity program, each gaming entity licensee shall include policies and procedures for the secure deletion on a periodic basis of any patron information that is no longer necessary for business operations or for other legitimate business purposes of the gaming entity licensee, except where such information is otherwise required to be retained by law or regulation.

(h) Each gaming entity licensee shall implement controls, including encryption, to protect patron information and other nonpublic information held or transmitted by the gaming entity licensee both in transit over external networks and at rest.

(i) As part of its cybersecurity program, each gaming entity licensee shall establish a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the gaming entity licensee’s information systems or the continuing functionality of any aspect of the gaming entity licensee’s business or operations. Such incident response plan shall address the following areas:

(1) The internal processes for responding to a cybersecurity event;

(2) The goals of the incident response plan;

(3) The definition of clear roles, responsibilities and levels of decision-making authority;

(4) External and internal communications and information sharing;

(5) Identification of requirements for the remediation of any identified weaknesses in Information systems and associated controls;

(6) Documentation and reporting regarding cybersecurity events and related incident response activities; and

(7) The evaluation and revision as necessary of the incident response plan following a cybersecurity event.

(j) Each gaming entity licensee shall notify the department immediately, but in no event later than seventy-two hours, from a determination that a cybersecurity event has occurred that is either of the following:

(1) A cybersecurity event impacting the gaming entity licensee of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or

(2) A cybersecurity event that has a reasonable likelihood of materially harming any material part of the normal operation or operations of the gaming entity licensee.

(Effective February 1, 2022)

Sec. 12-865-34. Voiding and Cancelling Wagers

(a) For the purpose of this section a voided wager and a cancelled wager shall have the same meaning.

(b) Void notifications from an online gaming operator for the following instances shall be documented in a change log to be submitted to the department weekly, or at such longer interval as deemed appropriate by the department:

(1) A change in the venue where a sporting event was scheduled to be held occurs after a patron has placed a wager;

(2) Bets received on sporting event players that take no part in the sporting event;

(3) Bets received for an act, or set of acts, to be performed during a sporting event when such act or acts does not occur, for example punt return yardage but no punts occur and zero was not an available wager amount;

(4) Bets received on a sporting event that is cancelled or delayed for more than twenty-four hours beyond the originally scheduled start time of the sporting event;

(5) Bets received on whether a team will qualify to participate in post-season competitions when the number of teams allowed to participate in the post-season changes after a patron has placed a wager;

(6) Changes to the format or number of participants scheduled to participate in a particular phase of a sporting event or that particular phase is not played at all; and

(7) When a patron requests a wager be cancelled or modified prior to the commencement of the sporting event due to an error in communicating the type, amount or parameters of the wager or an error of a sports wagering retailer employee entering such transaction in the electronic wagering platform.

(c) The change log for void requests shall include the type of wager by market, the sporting event or events associated with the wager, the date or dates when the sporting event occurred or was scheduled to occur, and any other information required by the department to properly identify and assess the impact of the voided transactions.

(d) For any transaction where an online gaming operator may void a wager, with or without prior authorization by the department, the online gaming operator shall submit an internal control policy for voiding wagers and subsequent allocation of patron funds pursuant to section 12-865-27(a)(6) of the Regulations of Connecticut State Agencies. The policy for voiding wagers shall also be included in the terms and conditions and house rules.

(e) For all void requests that are not set forth in subsection (b) of this section, the online gaming operator shall submit a written void request to the department describing the reason for the request and including the names of patrons impacted, the date and time of the event, and the type and amount of wagers. The online gaming operator shall provide any additional information requested by the department to review and approve the void request. The online gaming operator shall not void such wagers until written approval is received by the department.

(Effective February 1, 2022)