Leak of 30,000 cannabis customer records heightens need for effective data security

The leak by THSuite, a vendor of cannabis dispensary software, exposed at least 30,000 files containing personally identifiable information (PII), and possibly protected health information (PHI), of medical and adult-use cannabis customers, according to vpnMentor, the web privacy firm that discovered the leak. vpnMentor found the data Dec. 24 in an unsecured Amazon S3 bucket owned by THSuite. The exposed information was traced to three dispensaries in Colorado, Maryland, and Ohio.

The incident emphasizes the need for effective data security to safeguard against privacy risks and cyber-attacks. Consider, for instance, that Amazon S3 provides built-in capabilities that allow companies to easily encrypt and block public access to storage buckets. THSuite’s bucket was “completely unsecured and unencrypted,” according to vpnMentor. 

This leak should serve as a wake-up call for the industry, not only because it may violate the Health Insurance Portability and Accountability Act (HIPAA) and potentially other state privacy laws, such as the California Consumer Privacy Act (CCPA). The personal information that cannabis-touching enterprises hold is highly sensitive and must be protected with the same level of privacy and security safeguards as data held by more mature industries, such as healthcare. Failure to safeguard this data can result in costly financial and regulatory impacts, and more than that, a leak can also severely damage the trust of customers, vendors, and other industry participants. Reputation is a critical differentiator for an emerging market, and loss of customer trust can put a company in grave danger. 

In the cannabis sector, determining what qualifies as PHI can be a bit hazy. PHI is protected under a patchwork of state privacy laws, as well as HIPAA, and most experts agree that some of the information leaked by THSuite would be subject to these mandates. 

Case in point: Medical marijuana cards, which must be presented to enter a dispensary, often contain PHI such as the individual’s medical diagnosis. Dispensaries typically store this information alongside the customer’s name, contact information, and other personal information. Exposure of medical information that can be used to identify individuals is a HIPAA violation that carries fines of up to $50,000 per exposed record. 

Records for adult-use cannabis users, on the other hand, typically are not considered PHI and therefore are not regulated under HIPAA. Nonetheless, exposure of personal information could run afoul of state privacy and data-breach laws like the newly effective CCPA, with potentially steep consequences: Businesses that violate CCPA provisions may be subject to fines of up to $7,500 per incident, as well as individual or class-action lawsuits with statutory damages of up to $750 per consumer, per incident, or actual damages, whichever is higher. In addition, the social stigma associated with cannabis use – not to mention the fact that employees can be fired from their jobs in some states and industries – makes it more likely that plaintiffs will be successful in proving damages in court compared with other types of data-breach cases.  

Despite these risks, many cannabis businesses lack the technologies, processes, and people to protect sensitive data. And it’s not just an issue for “young” businesses; in this nascent, constantly evolving industry, every business is young. 

Truly effective protection will require an end-to-end cybersecurity and privacy strategy. In other words, organizations must establish a comprehensive cybersecurity and privacy risk-management program using a risk-based approach to effectively identify and mitigate threats. 

The first step should be a risk-based assessment to guide the end-to-end security strategy. The assessment should include: 

- A thorough understanding of what data is collected, processed, and shared 

- A data-governance program to manage collection, storage, retention, and destruction of data  

- Role-based access control guided by the principle of least privilege, which limits user-access rights to the minimum permissions employees require to perform their work 

- Advanced user authentication, such as multifactor authentication 

- Encryption of data at rest and data in motion

- Classification and segmentation of data, which identifies, categorizes, and labels data to better control access

- An updated, proactive patch-management program 

- Intrusion detection and prevention solutions

- Requirement that downstream partners with access to PII and other confidential information agree to protect that information

If you are player in the cannabis supply chain, it is critical that your security and privacy programs adequately protect the personal information your company collects. Now is a good time to review your internal policies and procedures. You should also check your contracts with cloud providers and other third-party partners to make sure they also can protect confidential information, including PII, and have appropriate cybersecurity and privacy programs in place. 

In the cannabis sector, the need for strong privacy and data security is more important than ever. For many, it’s an existential obligation that can ultimately determine the viability of the business.

Bhavesh Vadhani, Principal, National Director, Cybersecurity and Privacy

703.744.6700

Ira Weinstein, Principal, Cannabis Industry National Leader

410.783.8328