Gotta catch 'em all: Pokémon International complies with data privacy standards

Power up a mobile phone to the world of Pokémon Go and a player is transported to an alternate reality that is vibrant with over 400 of the series' title creatures available for pursuit.

Users are quickly introduced to the series' familiar rules: Trainers must learn how to catch Pokémon in capsules called Pokeballs and learn how to level up their Pokémon. They battle at real-world locations called "gyms" and visit Pokestops.

Likewise, The Pokémon Company International, following the successes of Pokémon Go, is learning the rules of the world its app has taken by storm.

In the last two years, the company has dramatically increased the size of its technology department, standing up an information security team to tackle child privacy and data privacy regulations, including GDPR. Moving more development in-house meant changing how they work between teams and within the organization.

Leveling up the team

The Pokémon Company International is a subsidiary of The Pokémon Company that handles licensing, marketing and geographies outside of Asia, as well as the technology center of the company.

John Visneski joined The Pokémon Company International as its first director of information security in the summer of 2016 with a mandate to build up the company's security team from scratch. Shortly after coming on board — with the GDPR deadline looming less than a year away — Pokémon International also made him its first data protection officer.

Pokémon Go's breakaway success instigated major changes for the company's technology teams. In the past, Pokémon relied heavily on third-party development; Niantic Labs, an augmented reality platform company, developed the game for the Pokémon brand.

John Visneski, director of information security and data protection officer at The Pokémon Company International

But after 750 million users swarmed to the platform — far above the 50 million to 100 million expected — the company made the decision to build out a technology organization and bring a larger portion of application development in-house, Visneski said, in an interview with CIO Dive. This meant standing up new teams dedicated to DevOps, online services, IT and product security.

Over the last two years, the tech team grew from around 10 people to nearly 100, operating "very much like a tech startup nestled inside a very well known brand," Visneski said.

A lot of companies pay lip service to DevSecOps, but it's often just a "bumper sticker for what they're trying to drive to," he said. At Pokémon, while teams have distinct directors, cutting across team lines is critical for effective security posture, especially when working in a heavy cloud environment.

"As our DevOps team starts to move faster and faster, leveraging things like AWS Lambda, Lambda@Edge, serverless computing, containers, all those sorts of things," Visneski said, "the only way security teams specifically are going to be able to keep pace with that movement is if they are working with them hand-in-hand everyday."

For security, that can mean wearing the problem solver hat first and the security professional hat second, Visneski said. The era of security teams air dropping in at the last moment to say "no" are over, and the business demands that security keep pace from the start.

A GDPReckoning

Pokémon International uses both on prem and cloud architectures, but the customer-facing platforms run entirely on the Amazon Web Services cloud — which, even with its vast resources, was strained with the huge outpouring in users for the game, making scalability a top concern.

While Niantic led the Pokémon Go game development, Pokémon International was still responsible for a large part of the backend development, especially child privacy protections, according to Visneski.

Customers use the Pokémon Trainer Club platform to create accounts with the company. With many users under the legal age, a digital entertainment company like Pokémon has to tread carefully around child protections laws such as the Children's Internet Protection Act and the Children's Online Privacy Protection Act.

Ideally, Pokémon International will hold onto a customer for many years, perhaps over the transition from childhood to adulthood. When this transition happens, a businesses needs proper protocols for who can access a users' data and how ownership shifts.

Under current laws, there are two key ages for marketing consent:

13: Children below this age must have parental permission; parents can view and edit this data. Once children are older than 13, they can view, but not edit their information.
18: After hitting the legal age, the parent can no longer access their child's data or even view it; and the company must sever those accounts. Pokémon does maintain a record of the relationship between the parent and child accounts.

There's a lot of personal data on the platform, so Visneski and his team have to approach cloud security and architecture around the core value of child safety and data protection, factoring in needs such as identity access management, data analytics, and compliance and audit mechanisms that satisfy data protection authorities.

Pokémon says it is committed to staying ahead of data privacy and security regulations. Whatever the highest bar is at the moment — right now, GDPR — that's where the company plans to raise its bar, he said.

In the U.S., it will only be five to 10 more years before comprehensive data protection regulations are the norm, Visneski said. Companies that are positioning themselves to manage that now will be in a more successful place down the line when privacy is more ubiquitous.

The gaming industry at large is being affected by the European data privacy rules, which have been in effect for almost half a year. Some companies shuttered their games in response to the regulation after calculating that costs to update outweigh the benefits, while others simply closed off service to EU users.

Digital entertainment businesses with an EU footprint were affected by GDPR, though many reacted quite slowly, according to Jas Purewal and Peter Lewin of Purewal & Partners, in a piece for gamesindustry.biz. Areas affected for these types of companies include:

Contracts between game stakeholders;
Monetization of data by free-to-play businesses;
Clear language requirements for information directed at children;
Contracts with third party developers, licensors, publishers, etc.

Earning the gold security badge

Pokémon isn't just working with customers' data: It has to ensure streams of business data are funneling into the proper feedback loop to drive intelligent decisions and innovation. And the mark of a successful company isn't just collecting data, but monetizing it and using it to make the customer experience and business better.

Pokémon International uses vendors such as Sumo Logic, a log management and security analytics company, and CrowdStrike, a SaaS endpoint protection provider, to help tie everything they do to the core value of child safety and to establish privacy by design.

By integrating security, operations and business intelligence feeds, each tech department can make better and faster decisions.

To carry these objectives out, Visneski pulls from a decade-long career in the U.S. Air Force.

"Even though Uncle Pikachu is very different from Uncle Sam, some of the same principles that I learned working in the Air Force as an officer are things that have been very successful at our company," he said.

Aligning business objectives is just like aligning mission objectives — but private industry does have the benefit of less restrictions that the Pentagon.

By embracing the mentality of sandbox development and a continuous feedback loop, Visneski and his team have been able to experiment, fail, learn and innovate knowing that short term risks will set them up for long-term strength.

Such a mentality is especially important in a company with a cloud focus, where security teams need to keep up with DevOps and other IT teams to move fast and maintain feedback between teams, he said.