No longer operating in the margins, the highly profitable, and highly regulated, legalized cannabis industry has ably, as well as nimbly, pushed its sales through to mainstream business. Total legal sales of cannabis in the U.S. are projected by some industry researchers to grow by a double-digit compound annual growth rate of 14% and have forecast revenues to reach an estimated $30 billion by 2025. But the outlook cannot be all roses. The business of legalized cannabis has cybersecurity and data privacy challenges unlike those confronting other industries. Legalized cannabis maintains stores of personalized data and information, which by its very nature requires regulatory compliance with cybersecurity and data privacy laws. There is, however, a layer of complexity for the cannabis industry because of data collection and mandatory retention requirements.
Let us take California for example. The California Cannabis Track-and-Trace (“CCTT”) system is used to record the inventory and movement of cannabis and cannabis products through the commercial cannabis supply chain. California requires all annual and provisional cannabis licensees, including those with licenses for cannabis cultivation, manufacturing, retail, distribution, testing labs, and micro-businesses, to track cannabis through the supply chain using METRC (Marijuana Enforcement Tracking Reporting Compliance). In fact, California requires each licensee to maintain records related to commercial cannabis activity for a minimum of 7 years. California cannabis licensing requires licensees using METRC to track and maintain an enormous amount of valuable data. What type of valuable data you might ask? The type of data hackers are especially looking for, like combinations of personal data and/or health data like names, social security numbers, addresses, copies of driver’s licenses and identification cards, and so forth.
In the medical marijuana area, medical recommendations are included as part of the data collected. Those medical recommendations can include a medical diagnosis or related health information that would constitute protected health information (“PHI”). Depending on the nature of the business, those in the cannabis industry may be impacted by the Health Insurance Portability and Accountability Act (“HIPAA”), particularly in cases where the business is asked to sign Business Associate Agreements (“BAAs”) by HIPAA Covered Entities, i.e., a healthcare provider wants to share medical data with a medical marijuana provider. The healthcare provider, as the Covered Entity, may require the medical marijuana provider to sign a BAA. These BAAs significantly increase potential liability for those sellers because it pulls them into the regulatory oversight of HIPAA and the Office of Civil Rights (“OCR”).
Putting the HIPAA issue to the side, the PHI collected is alone a highly attractive target for hackers. It is a well-known fact that the healthcare industry always tops the list of industries most likely to suffer a data breach. The UK’s Information Commissioner’s Office (“ICO”) reported that 18% of all breaches were reported within that sector, compared with 16% within central and local government, 12% within education, 11% within justice and legal, and 9% within financial services. Nevertheless, PHI is not the only attraction for hackers when it comes to the cannabis industry.
In addition to PHI, cannabis employee records are also required to be maintained. Depending on the jurisdiction, this employee data can include background checks and financial information, along with standard data containing an employee’s name and social security number. Moreover, just as in other corresponding industries, cannabis-related companies are predictably capturing and using other sources of information data to drive sales and marketing. Those data sources can spell out things like productivity, daily operations, and consumer purchasing habits.
This type of data collection is certainly not a foreign concept to most business operations, including the mandatory compliance-related issues. Nevertheless, data stored by companies in the cannabis industry has an added sensitivity for the simple fact that it is associated with individual customers who demand data confidentiality and anonymity. Literally, for the cannabis industry, where there is smoke, there is fire. By housing large stores of sensitive data, which cannot be simply minimized, legalized cannabis businesses have become increasingly more attractive to hackers.
As such, legalized cannabis businesses must be ever mindful of a two-fold challenge particularly applicable to their industry that could markedly impact their bottom line profitability: (1) assessing their data security risks given the regulatory scrutiny they face from various state and local agencies, and (2) having strong outwardly facing data security measures to maintain and preserve consumer confidence. Add to that the spider web of state data privacy regulations, and you have the perfect storm of high-level interest from both hackers and regulatory bodies.
Earlier this year, a database backing point-of-sale system used in medical and recreational marijuana dispensaries was compromised. The breach potentially impacted nearly 30,000 individuals connected to the medical and recreational marijuana industry. An unsecured Amazon S3 bucket was uncovered online without any authentication or security and is being attributed as the source of the leak. And this is just the most recent reported incident. In late 2016, Nevada’s Medical Marijuana Program database was breached. This breach exposed the sensitive data of over 11,000 people including names, social security numbers, race, and addresses. Then, in January 2017, business operations at over 1,000 client dispensaries in 23 states across the country were interrupted when MJ Freeway, a software company servicing the cannabis industry, experienced a hack. Only 5 months after the reported incident, a portion of the company’s source code was stolen and posted publicly on Reddit. While dealing with data breaches seems commonplace today, it is the cost of those data breaches that causes great concern. A concern that particularly affects the cannabis industry.
According to the annual Cost of a Data Breach Report conducted by the Ponemon Institute and IBM, the global average total cost of a data breach in 2019 was nearly $4 million. While the hard numbers can be staggering, for the legalized cannabis industry those losses are just the tip of the proverbial iceberg. One of the real issues facing the cannabis industry is of course loss of customer trust which can have serious financial consequences. In that same annual report from the Ponemon Institute and IBM, the average cost of lost business for organizations studied in 2019 related to a data breach was found to be $1.42 million. This figure represents an eye-opening 36% of the total average cost of nearly $4 million and was the biggest contributor to data breach costs. In conjunction with those financial losses, regulatory fines and crippling oversight can last up to 20 years, e.g., the Federal Trade Commissions’ 20 Year Settlement with Facebook. With the lifecycle of data breaches getting longer and more costly, the legalized cannabis industry cannot afford to put data security on the back-burner. Furthermore, under California law, any company that maintains data electronically must implement certain safeguards to ensure an individual’s private information is secure. Cal. Civ. Code §§ 1798.29, 56.101. In short, the industry cannot simply be reactive to the problem but rather must be proactive if it wants to maximize profits and minimize liability and risk.
All told the issues surrounding legalized cannabis and data security create a multi-front battle that can be incredibly challenging from a legal and technological perspective. The fact that the cannabis industry has intertwining issues of highly sensitive data, regulatory oversight, and mandatory data collection requirements creates a very distinctive challenge for the profitability of those businesses. But many of those challenges can be addressed using some of the same practices and solutions. Preserving profit margins and exploring innovation is fundamental to staying solvent in an industry-driven to deliver results.
In conclusion, the risks associated with having weak, or even underdeveloped, data security and data privacy practices coupled with a failure to use legal counsel experienced in these matters to craft appropriate vendor contracts, vet third party vendors, and examine insurance coverage will not only impede growth and profit margins but likely stop it in its tracks. Proactively safeguarding your systems is an effective and necessary first step to gaining the necessary financial advantage in this rapidly expanding industry and competitive global marketplace. Legalized cannabis businesses that go on to have a well-executed, comprehensive written information security program (“WISP”) that has been operationalized will surely give them the edge to take the lead in the “green rush.”
* * * * * *
This article is reprinted with the permission of the New Jersey Law Journal.
Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind. If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.