Identifying the responsible party for incidents
The European Parliament’s briefing paper on the “Metaverse – opportunities, risks and policy implications”* rightly points out the increasingly “blurred roles” between parties in the metaverse and the fact that “the multitude of entities present in the metaverse will create a web of relationships, making it very difficult to determine responsibilities and liabilities”**.
Global cyber incident / data breach reporting obligations generally apply to entities that control, hold or process personal data. However, within a single user experience in the metaverse there may be multiple controllers and processors, and roles can change frequently as the interactions and data processing operations that make up that experience change or evolve. For example, if a user purchases a ticket (e.g. in the form of an NFT) to watch a concert in a virtual world, there may be multiple data controllers and processors for different data elements of that user experience:
- the platform operator/creator of the virtual world will be a controller of the data it collects and processes directly from a user, such as the user’s online identifiers and activity, in order to provide the user’s experience in the metaverse
- the brand owner (concert artist) will also be a controller of any data it collects from users who attend the concert. The platform operator may act as a processor in helping to collect and provide this data to the brand owner
- the platform operator and the brand owner may also be joint controllers*** of various analytics gathered from users while in attendance at the concert
- the wallet provider and NFT marketplace are likely to be controllers of various aspects of the financial data used to power the transaction, but may also have roles as processors
- each of the parties may engage processors/sub-processors for specific elements of the data processing required during the experience
Mitigating risks
Any organization operating in the metaverse should be mindful that it may be sharing data with partners/third parties far more frequently, in increasingly complex scenarios. But complexity is unlikely to be a compelling defense when regulators and plaintiffs begin inquiring about data security incidents. So companies that are building and operating in the metaverse should strongly consider taking steps to define their respective roles, both in their contractual relationships and in their Terms & Conditions, well in advance of a data breach:
Contracts and Terms of Use
- a truly decentralized and interoperable metaverse will require the free movement of data between different operators/platforms to enable users’ digital assets to move across platforms. In the background, this will require organizations to have established bilateral or multilateral data processing/data sharing agreements as well as direct terms and conditions with users
- the interoperability of services may warrant extra breach cooperation and assistance provisions in agreements, or indeed reciprocal powers of audit
- also, there should be a renewed focus on liability positions – in practice it may not be so easy for users to immediately distinguish which party is responsible for an incident, so it is important to ensure that any damage to reputation, or associated costs from PR remediation, are sufficiently covered
Maintain Risk / Impact Assessments and Access Control Lists
- understand who has access to any data you hold or control, understand the sensitivity of that data, and make sure that appropriate security is in place relative to the risks. Also make sure that an appropriate impact assessment has been undertaken, in documented form, prior to collecting and further processing user data
Avatar Integrity and Measures Aimed at Preventing Misuse
- apply proper identity verification schemes to help prevent misidentification, identity theft and other misuse of identity and information, and implement additional data security measures to help avoid excessive data concentration****
User acknowledgments (e.g. “you are entering a public space; by entering you acknowledge that what you do and say here is not private”; “you are entering a private space”; “only authorized users may enter”; etc.)
Key legal risks / issues
- blurring of data processing across multiple organizations, as well as differing roles within a complex web of data sharing
- more difficult to identify the party responsible for notification of incidents
- take steps to define respective roles and appropriately allocate liability in user T&Cs and contractual relationships, well in advance of a data breach
- conduct risk assessments and mitigate identified risks where possible
Questions to consider
- are you clear on when your organization is controller of personal data?
- are all data sharing arrangements with third parties mapped?
- have contractual arrangements been reviewed to ensure controller roles are clear, that they allocate liability appropriately, that they contain appropriate breach notification obligations and breach cooperation provisions?
- what risks are associated with your processing activities in the metaverse? How likely would it be that an incident would result in harm to the impacted individuals?
- are there any ways to mitigate your risks contractually (limiting liability) or through technical controls / user acknowledgements?
** Link to Briefing Paper - see page 5.
*** Joint Controllership occurs “where two or more controllers jointly determine the purposes and means of the processing of personal data” – and this attracts specific obligations under Article 26 UK/EU GDPR
**** Link to Briefing Paper - see page 9.
Contact
Paula Barrett, Co-Lead of Global Cybersecurity and Data Privacy, paulabarrett@eversheds-sutherland.com
Michael Bahar, Co-Lead of Global Cybersecurity and Data Privacy, michaelbahar@eversheds-sutherland.com
Jonathan Palmer