Data Breaches are Coming and Will Wreak Havoc in the Cannabis Industry

Virtually everyone knows about breaches of companies like Equifax. Massive breaches have happened to established, mega-companies who still took major reputational and monetary hits after they were breached. What many people don’t realize is that it doesn’t take a major breach to devastate a business. We don’t want to be dramatic, but we also don’t want to downplay the significance of breaches—they are coming, and cannabis companies that are not prepared may be left in the dust.

Data breaches can range from anything from malicious hacking to the simple loss of a laptop containing unencrypted “personal information”. In either case, if statutorily defined classes of personal information were accessed or acquired without authorization, the party who held the personal information must provide written notification to the affected individuals within a relatively short period of time, and in many cases to other services like credit monitoring. This may seem like a straightforward process. It is not. Just figuring out what kinds of information may have been accessed and whose information may have been accessed could take tens of thousands—if not hundreds of thousands—of dollars in forensic review.

Take the following example: A human resources manager is the victim of a phishing attack. Typically, forensic review of the affected account may need to be undertaken to determine what part of the manager’s email accounts were accessed—did the attacker review one email, or access the entire mailbox? If the forensic vendor determines that the entire account was or could have been accessed, the entire account may need to be “data mined” at a high per-gigabyte cost to see whether emails contain personal information that could require reporting. This could potentially involve tens of thousands of dollars in expenses for one account. Now imagine this happens to five employees.

Not only is this piecing together of events time consuming and expensive, but it only gets half the job done. Once a list is made of the affected individuals and reportable information, notification (often drafted by lawyers) needs to be provided to individuals. This requires engaging companies to ensure that the individuals live where they are thought to live, and to physically mail notification letters out. Then, usually at a certain price per enrollee, credit or identity theft monitoring is provided.

It’s not difficult to see why this process is expensive, and the fact that it needs to occur in such a short period of time can cause intense pressure on an enterprise. To boot, in many states, attorneys general need to be given notification if a certain threshold of citizens of those states were notified of a breach. These attorney generals can (and sometimes do) request detailed summaries of how the breach happened and can even bring administrative actions against the companies who were the victims of the data breach.

Breaches are not unique to the cannabis industry —the Breach Level Index (“BLI”) estimates that more than 14 billion data records have been lost or stolen since 2013, with an average frequency of an astounding 6.9 million records per day. However, this industry is particularly susceptible to data breaches and their damaging effects for many reasons. Here are a few examples:

• Companies may not be willing to report breaches to federal authorities like the FBI or IRS, who otherwise would likely be notified, in light of the federal illegality of cannabis. Malicious actors may believe that this gives them some sort of advantage—and to some extent it does if law enforcement is not given notice.
• Given the state of banking in the cannabis industry, cannabis businesses may use cryptocurrency, which could have keys that are stored on electronic devices that are capable of breach. This could expose a cannabis business to financial losses unlike in virtually any other industry.
• The reputational harms to an up-and-coming licensee could destroy a cannabis business. Even though many of the stigmas around cannabis have gone away, many people wouldn’t want their employer or the general public to know that they bought cannabis. Imagine what a government employee would think if a cannabis business was the victim of a breach and his or her employer suddenly could find out about the employee’s purchase history. That business probably would not last.
• The industry is forced to interact with technology in a way that many others are not. In California, as well as most other states with licensing regimes, cannabis companies must implement track-and-trace systems to monitor all commercial cannabis activity. Licensees of the California Bureau of Cannabis Control (“BCC”) are legally prohibited from transporting, transferring, or delivering goods during outages of track-and-track systems—i.e., doing most kinds of business. What happens when they are the victim of a ransomware attack (a situation in which a hacker encrypts all computer systems and demands compensation in cryptocurrency or something similar in exchange for the decryption key, which may take days or weeks to fully restore)? Businesses could literally bleed out while trying to negotiate with–or pay a ransom to–someone across the globe.
• State attorneys general may need to be notified of certain data breaches. If an attorney general in a state in which cannabis was not legal receives notice that a number of the attorney general’s home state citizens were the victims of a data breach, that attorney general may want to target that cannabis business with an enforcement action.

These are just a few of the unique pressures the cannabis industry faces.

Breaches are in many senses inevitable. There is still a lot that companies can do to reduce the impact of them or to attempt to prevent them. Below are a few:

• Having a privacy policy and sticking to it. We’ve written about the need for policies before, and the potential penalties for not complying. We get the sense that a lot of cannabis businesses think of this as unnecessary or just a rote copy-and-paste job. This is not accurate. These policies are detailed, and are designed to identify the information gathering and usage policies of an organization. If an organization follows a policy, then it should in theory know what information it has, and where. This could be the difference in whether significant time and resources are spent tracking down potentially accessed information.
• Complying with relevant information security standards. Many states actually require businesses to adopt certain standards when it comes to information storage. Technical measures can be adopted to reduce the likelihood or impact of breaches.
• Planning for breaches. Training employees, and having plans for what to happen in the event of a breach, could also avoid or lessen the impact of a breach.
• Considering insurance. Insurance companies are starting to provide cyber liability insurance, which could cover the costs of some breaches. This won’t actually prevent a breach, but may stop a company from spending significant amounts of money in response to a covered breach.

The point of this post is to highlight just how significant breaches can be for cannabis businesses. Preparing now, rather than after they occur, could avoid a great deal of issues later.