Cannabis Data Security: How to React to a Cyberattack

As I discussed last week, hacked devices, breached networks, and stolen proprietary information have become commonplace in the cannabis industry. Because cybercrime variants are continually emerging, no company can achieve totally assured cybersecurity. Consequently, we strongly encourage all our clients to adopt a cyber incident plan for responding to attacks before they occur. Developing a vetted, comprehensive plan of action is the best way to effectively respond to an attack and to reduce the amount of damage to your company.

This post highlights some of the best practices for preparing and responding to a cyberattack.

Before falling prey to a cyberattack, your company should:

1. Identify Valuable Assets. Depending on your needs, it may be cost prohibitive to protect your entire business. Therefore, before creating a cyber incident plan, you should determine which data, assets, and device warrant the most protection.
2. Develop a Plan of Action. Cyber incident plans will differ in size and structure, but at a minimum, your plan should:
   (i) Name those who have lead responsibility for different aspects of the response;
   (ii) determine ways to contact critical personnel at all times;
   (iii) identify how to preserve your most valuable assets, data, and device in a forensically sound manner; and
   (iv) develop notification plan for customers and data owners whose data would be compromised during an intrusion.
3. Adopt Appropriate Technology and Services. Adopting off-site data back-up, intrusion detection capabilities, and data loss prevention technology will help you detect intrusions soon after they occur and help minimize the loss of valuable information.
4. Implement Internal Preventative Policies. You must assist your employees with recognizing internal and external vulnerabilities to prevent security breaches but also to effectively react to attacks. Employee training should address issues such as safe password management, cryptographic communications, secure browsing practices and proper system configuration.

Following a breach, you will need to focus on mitigating damages and working with law enforcement. Specifically, you will need to:

1. Assess the Nature and the Scope of the Incident. You will first need to determine whether your company is faced with a malicious act or a technical glitch.
2. Capture the Extent of the Damage. If you detect a cyberattack, you should immediately make a forensic image—an image or exact, sector by sector, copy of a hard disk—of the affected computer(s), which will be used for later analysis and may possibly serve as evidence at trial.
3. Implement Measures to Minimize Damage. To contain the attack and prevent it from spreading, you will need to stop ongoing traffic caused by the attacker. Some measures include rerouting network traffic and isolating all or parts of the compromised network.
   Regardless of the option you select, be sure to keep detailed records of all steps taken. This information may be relevant for recovering damages from responsible parties.
4. Notify. The notification list includes:
   (i) Relevant Personnel: You should inform the relevant personnel (i.e., managers, IT department, security department, and legal department) of the attack and keep them informed of the preliminary analysis.
   (ii) Law enforcement: Generally, you will need to contact law enforcement authorities to assist with investigating the intrusion. Law enforcement can also help coordinate statements to the news media concerning the incident, ensuring that information harmful to the company’s interest won’t unnecessarily be disclosed.
   (iii) Customers: All 50 states have now enacted breach notification laws that require companies faced with a cyberattack to inform customers whose data was compromised by the intrusion. Accordingly, soon after the attack, you should prepare a statement that explains to the customers the scope of the breach of security and which remedial efforts were adopted.

Cyberattacks can raise unique legal questions. Therefore, you should consult with attorneys who are accustomed to addressing these types of issues to assist you with decisions, such as how to interact with government agents, the types of preventative technologies you can lawfully use, your obligations to report the loss of customer information, and your potential liability for taking specific remedial measures when faced with a cyberattack.