A recent leak of 85,000 cannabis dispensary files, including 30,000 customer records, has put dispensaries and other industry stakeholders under pressure to fortify their systems and processes to comply with data privacy regulations and laws.
Cybercriminals are increasingly infiltrating third-party partners and supply chains as a means to gain a foothold in an organization’s networks and systems. Threat actors look for weak links to gain access to sensitive data, and once they do, they can restrict access to critical data in a ransomware attack or disrupt the business from an operations perspective. As cannabis enterprises move from siloed, manual processes to connected technologies and more sophisticated automated operations, they open themselves to these and other types of attacks.
Though we do not know at this time if the recent breach resulted in any malicious behavior, it presents a good opportunity to review cybersecurity concerns for cannabis businesses throughout the supply chain and the internal policies and procedures that can help address them.
What happened, and why does it matter?
The leak by THSuite, a vendor of cannabis dispensary software, exposed at least 30,000 files containing personally identifiable information (PII), and possibly protected health information (PHI), of medical and adult-use cannabis customers, according to vpnMentor, the web privacy firm that discovered the leak. vpnMentor found the data Dec. 24 in an unsecured Amazon S3 bucket owned by THSuite. The exposed information was traced to three dispensaries in Colorado, Maryland, and Ohio.
The incident emphasizes the need for effective data security to safeguard against privacy risks and cyber-attacks. Consider, for instance, that Amazon S3 provides built-in capabilities that allow companies to easily encrypt and block public access to storage buckets. THSuite’s bucket was “completely unsecured and unencrypted,” according to vpnMentor.
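As an added illustration (not part of the original article), the check below evaluates a bucket against the two controls just mentioned, public-access blocking and default encryption, plus the ACL grants that make a bucket world-readable. The input dicts mirror the shapes boto3 returns from get_public_access_block, get_bucket_encryption and get_bucket_acl; the two sample buckets are constructed, not data from the incident.

```python
"""Audit S3 bucket settings: public access not blocked, no default
encryption, and ACL grants to everyone. None stands for the
"not configured" error the corresponding AWS API call raises."""

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def assess_bucket(pab, encryption, acl):
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    # All four public-access-block flags must be on.
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not cfg.get(k)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))
    # At least one default encryption rule (AES256 or aws:kms) must exist.
    rules = (encryption or {}).get(
        "ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules]
    if not any(algos):
        findings.append("no default server-side encryption")
    # Legacy ACL grants to the AllUsers/AuthenticatedUsers groups expose data.
    for grant in (acl or {}).get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


# Constructed sample: the exposed pattern (no PAB, no encryption, world-readable ACL).
EXPOSED = dict(
    pab=None,
    encryption=None,
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
)
# Constructed sample: the hardened pattern.
HARDENED = dict(
    pab={"PublicAccessBlockConfiguration": dict.fromkeys(PAB_KEYS, True)},
    encryption={"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
)

if __name__ == "__main__":
    for name, bucket in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, assess_bucket(**bucket) or ["OK"])
```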
This leak should serve as a wake-up call for the industry, not only because it may violate the Health Insurance Portability and Accountability Act (HIPAA) and potentially state privacy laws, such as the California Consumer Privacy Act (CCPA), but also because the personal information that cannabis-touching enterprises hold is highly sensitive and must be protected with the same level of privacy and security safeguards as data held by more mature industries, such as healthcare. Failure to safeguard this data can result in costly financial and regulatory impacts, and more than that, a leak can also severely damage the trust of customers, vendors, and other industry participants. Reputation is a critical differentiator for an emerging market, and loss of customer trust can put a company in grave danger.
Is it PHI or PII – or both?
In the cannabis sector, determining what qualifies as PHI can be a bit hazy. PHI is protected under a patchwork of state privacy laws, as well as HIPAA, and most experts agree that some of the information leaked by THSuite would be subject to these mandates.
Case in point: Medical marijuana cards, which must be presented to enter a dispensary, often contain PHI such as the individual’s medical diagnosis. Dispensaries typically store this information alongside the customer’s name, contact information, and other personal information. Exposure of medical information that can be used to identify individuals is a HIPAA violation that carries fines of up to $50,000 per exposed record.
Records for adult-use cannabis users, on the other hand, typically are not considered PHI and therefore are not regulated under HIPAA. Nonetheless, exposure of personal information could run afoul of state privacy and data-breach laws like the newly effective CCPA, with potentially steep consequences: Businesses that violate CCPA provisions may be subject to fines of up to $7,500 per incident, as well as individual or class-action lawsuits with statutory damages of up to $750 per consumer, per incident, or actual damages, whichever is higher. In addition, the social stigma associated with cannabis use – not to mention the fact that employees can be fired from their jobs in some states and industries – makes it more likely that plaintiffs will be successful in proving damages in court compared with other types of data-breach cases.
Toward a secure ecosystem
Despite these risks, many cannabis businesses lack the technologies, processes, and people to protect sensitive data. And it’s not just an issue for “young” businesses; in this nascent, constantly evolving industry, every business is young.
Truly effective protection will require an end-to-end cybersecurity and privacy strategy. In other words, organizations must establish a comprehensive cybersecurity and privacy risk-management program using a risk-based approach to effectively identify and mitigate threats.
The first step should be a risk-based assessment to guide the end-to-end security strategy. The assessment should include:
- A thorough understanding of what data is collected, processed, and shared
- A data-governance program to manage collection, storage, retention, and destruction of data
- Role-based access control guided by the principle of least privilege, which limits user-access rights to the minimum permissions employees require to perform their work
- Advanced user authentication, such as multifactor authentication
- Encryption of data at rest and data in motion
- Classification and segmentation of data, which identifies, categorizes, and labels data to better control access
- An updated, proactive patch-management program
- Intrusion detection and prevention solutions
- Requirement that downstream partners with access to PII and other confidential information agree to protect that information
Check your contracts
If you are a player in the cannabis supply chain, it is critical that your security and privacy programs adequately protect the personal information your company collects. Now is a good time to review your internal policies and procedures. You should also check your contracts with cloud providers and other third-party partners to make sure they also can protect confidential information, including PII, and have appropriate cybersecurity and privacy programs in place.
In the cannabis sector, the need for strong privacy and data security is more important than ever. For many, it’s an existential obligation that can ultimately determine the viability of the business.