Data / Cyber – MJ Shareholders (https://mjshareholders.com), The Ultimate Marijuana Business Directory

Washington Marijuana Businesses: Watch Out for Cyber Attacks!
https://mjshareholders.com/washington-marijuana-businesses-watch-out-for-cyber-attacks/
Sun, 16 Feb 2020 00:44:41 +0000 (originally https://www.cannalawblog.com/?p=33243)

One of our Washington cannabis clients recently learned that its employee was the target of a cybersecurity attack. The employee, who was following instructions via a messaging app, wired money to an individual at the request of who he believed to be an owner of the company. That was not the case! The employee had fallen victim to a cybersecurity attack. Our client has asked us to publish this post as a public service announcement to other cannabis businesses.

These attacks are becoming more and more prevalent as we continue to communicate online. In this case, the employee was a victim of “phishing,” which is a scheme where a fraudster impersonates another person to induce individuals to reveal information or, in this case, send money. Other cybercrimes include data breaches, where hackers obtain sensitive information by breaching a company’s secured files and then use that information for identity theft, blackmail, or to commit other crimes. Cybercriminals can operate across the globe, meaning that anyone online can quickly become a target. Marijuana businesses in Washington State (and elsewhere) need to be aware of the risk of cyber attacks as we enter a new decade.

No industry is safe from the threat of a cyber-attack or other security incidents relating to technology. However, nefarious online fraudsters may see a unique opportunity in the marijuana industry. Marijuana businesses generally have a lack of access to traditional financial services and therefore deal with a lot of cash. By way of example, compare a restaurant to a marijuana business. A restaurant is inevitably going to deal with cash. Diners may pay an entire bill using cash or may leave a cash tip after charging their meal. But, it’s unlikely that a restaurant’s owner will pay its employees and vendors in cash. Most restaurants also don’t require that their customers pay only in cash.

Now consider a standard marijuana business. Washington’s recreational marijuana market is one of the oldest in the country and many marijuana businesses in Washington can obtain a checking account. However, marijuana retailers are generally operating on a “cash-only” business model, as credit card companies like Visa and Mastercard will not process transactions that involve the sale of a federally illegal substance. That means retailers often have large amounts of cash to deal with each day. Some of that cash may go directly to pay producers and processors for products on the retailer’s shelves. Regardless of the type of license, many marijuana businesses often have large amounts of cash at hand. It is therefore not unheard of for an employee of a marijuana business to field requests that involve wiring cash to a given account or otherwise undertaking a transaction that might seem odd in any other industry. Lack of access to financial services has made the unusual normal in the marijuana industry.

Cybercriminals may also be drawn to marijuana businesses due to the illicit nature of marijuana under federal law. As we’ve written probably a million times, marijuana is illegal under federal law. That makes reporting cybersecurity events more challenging due to the risk of self-incrimination. A marijuana business may not want to “make waves” by reporting to federal agencies like the Department of Justice (DOJ) or the Federal Bureau of Investigation (FBI). However, it’s worth noting that the FBI has sought out tips relating to corruption in the cannabis industry. Nevertheless, federal prohibition does, at the very least, complicate the ability of marijuana businesses to report cybercrime. Those concerns are not as pronounced if reporting to local law enforcement in states that have legalized marijuana.

If you’re concerned about scams, here is a nonexhaustive list of steps that you can take to mitigate cybersecurity risks before they happen:

Internal policies

Adopt or update a policy where employees are to obtain confirmation by phone before sending money to any person outside of the usual course of business. This doesn’t mean that a person needs to check in before paying a known vendor, but would prevent an employee from wiring money based solely on messages or email.

Check usernames and email addresses

If I email someone, my name will show up as “Daniel Shortt” and my email will read “daniel@harrisbricken.com.” Someone who was impersonating me could list their name as “Daniel Shortt” even if their email address was “ScammyMcScammerson@fraud.net.” The same concept is true with usernames. On Twitter, my name is “Daniel Shortt” and my handle is @dshortt90. A fraudster could change his or her name to Daniel Shortt with a handle of @dshort90. This is even trickier, as the fraudster’s handle is very close to mine (my name has two t’s at the end). Employees should be on the lookout for these fake emails and usernames.
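The two checks described above (a display name that belongs to a known contact but an address that is not theirs, and a handle or address one or two characters away from a real one) can be made mechanical. The following is an added example, not code from the original post; the contact directory and the sample messages are constructed for illustration from the addresses quoted above.

```python
"""Flag senders whose display name or address looks like a known contact.

Added example, not from the original post. KNOWN_CONTACTS and SAMPLE_MESSAGES
are constructed for illustration using the addresses quoted in the post.
"""

# Constructed directory of trusted senders: display name -> identifiers.
KNOWN_CONTACTS = {
    "Daniel Shortt": {"email": "daniel@harrisbricken.com", "handle": "@dshortt90"},
}


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(s):
    """Case-insensitive comparison; trailing/leading whitespace ignored."""
    return s.strip().lower()


def check_sender(display_name, address, contacts=KNOWN_CONTACTS, max_distance=2):
    """Return findings for a message that claims to come from display_name.

    address is an email address or a social-media handle (leading '@').
    Findings are (kind, matched_contact, address) tuples:
      'name-address-mismatch': display name is a known contact, address is not theirs
      'lookalike-address':     address is within max_distance edits of a known one
                               (e.g. @dshort90 vs @dshortt90).
    An address that exactly matches the known one produces no finding.
    """
    findings = []
    addr = normalize(address)
    key = "handle" if addr.startswith("@") else "email"
    for name, ids in contacts.items():
        known = ids.get(key)
        if known is None:
            continue  # no identifier of this type on record for the contact
        known = normalize(known)
        if addr == known:
            continue  # genuine known address
        if normalize(display_name) == normalize(name):
            findings.append(("name-address-mismatch", name, address))
        if edit_distance(addr, known) <= max_distance:
            findings.append(("lookalike-address", name, address))
    return findings


# Constructed inbound messages: one genuine, two impersonation attempts, one unrelated.
SAMPLE_MESSAGES = [
    {"id": "msg-1", "display_name": "Daniel Shortt", "address": "daniel@harrisbricken.com"},
    {"id": "msg-2", "display_name": "Daniel Shortt", "address": "ScammyMcScammerson@fraud.net"},
    {"id": "msg-3", "display_name": "Daniel Shortt", "address": "@dshort90"},
    {"id": "msg-4", "display_name": "Jane Vendor", "address": "jane@example-vendor.com"},
]


def triage(messages, contacts=KNOWN_CONTACTS):
    """Map message id -> findings, for messages that produced at least one finding."""
    flagged = {}
    for m in messages:
        findings = check_sender(m["display_name"], m["address"], contacts)
        if findings:
            flagged[m["id"]] = findings
    return flagged


if __name__ == "__main__":
    for msg_id, findings in triage(SAMPLE_MESSAGES).items():
        print(msg_id, "->", findings)
```

Messages that are flagged should go to the designated fraud account the post recommends rather than being forwarded around the office.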

Implement a protocol for reporting security events

If you’ve been targeted once, chances are you’ll be targeted again, perhaps in a more sophisticated manner. You want to be able to get the news out without exposing others to security threats. Forwarding an email to another worker just increases the risk of that person clicking on a link to install malware or engaging with a fraudster. Establishing a protocol to send screenshots of suspicious messages, or to forward them to a designated fraud account, is one way of dealing with this issue.

Audit your existing security procedures

This can be done in house or by hiring a consultant or attorney. If you don’t have a security protocol in place, that’s an even bigger reason to audit your company’s operations. That way you can identify risks before they happen.

Protect your passwords and other sensitive information

You may want to require that your employees use multi-step authentication software when signing into company accounts. This usually requires that a person confirm their login on a separate device, such as through a smartphone app or a link sent via text. Make sure your employees are not sending passwords through email or messaging services. Passwords should also be complex and changed regularly.


If you do fall victim to a cybersecurity attack make sure to respond quickly and notify others in your organization about the threat. You should also reach out to your organization’s lawyer or in-house counsel to discuss next steps, which may include reporting to law enforcement.

A New California Law Will Affect Marijuana and Hemp Businesses Across the Nation
https://mjshareholders.com/a-new-california-law-will-affect-marijuana-and-hemp-businesses-across-the-nation/
Sun, 10 Nov 2019 12:45:20 +0000 (originally https://www.cannalawblog.com/?p=32408)
Is your cannabis business ready to protect online consumer data?

We’ve been writing a lot lately about recent major changes in federal hemp laws that will likely affect every hemp company in the United States (see here, here, and here). While we’re on the topic of dramatic legal changes, it’s probably a good idea to talk about a California privacy law that’s about to take effect and require many cannabis and hemp companies across the nation to dramatically change their business practices—the California Consumer Privacy Act (or “CCPA”).

CCPA takes effect January 1, 2020. If you haven’t heard of it yet, you will soon. It is comparable in scope and breadth to the EU’s General Data Protection Regulation (or “GDPR”) which is a real nightmare for businesses to comply with. CCPA is by far the most significant and expansive U.S. privacy law to date. Just keeping up with the law has been difficult—there have been a dozen attempts to amend the law, many of which have been successful (some privacy organizations have even created amendment trackers), and the California Attorney General recently issued proposed regulations that add another layer of complexity to the already complex law.

One of the first (and more complicated) aspects of CCPA is figuring out to whom it even applies. CCPA applies to (a) for-profit businesses who (b) do business in California and (c) collect consumers’ personal information themselves or through others or determine the purposes and means of processing consumers’ personal information and (d) meet one of the following three criteria:

  1. A business generates more than $25 million in annual gross revenues (this number will be adjusted over time).
  2. A business “Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.”
  3. A business derives at least 50 percent of its annual revenues from selling consumers’ personal information.

This is a mouthful. Here are some of the particularly important notes:

  • There is no requirement that the business is located in California. A cannabis or hemp company in any other state or country could be forced to comply so long as it hits the above criteria.
  • “Doing business” is not defined and could be construed very broadly to include seemingly minor relations to the state of California.
  • CCPA can apply to certain parents or subsidiaries of companies to whom CCPA applies. In other words, if an out-of-state cannabis or hemp company owns a company to whom CCPA applies, then CCPA may apply to both companies even though the parent is based elsewhere and otherwise wouldn’t need to comply.
  • For many companies, points 1 and 3 may not apply. However, point 2 should give any company pause. In recent guidance, the California Attorney General interpreted this provision by stating that “[A]ny firm that collects personal information from more than 137 consumers or devices a day will meet the 50,000 threshold. To provide an upper bound on the number of firms potentially affected by the CCPA regulations, we consider two alternative assumptions. We assume that either 50% or 75% of all California businesses that earn less than $25 million in revenue will be covered under than CCPA.” In other words, if a business obtains personal information (which is defined in an extremely broad way) from just 137 consumers or “devices” per day, then CCPA could apply. And of course, this is not limited to online collection.

If CCPA applies to a cannabis or hemp business, compliance will be no small undertaking. Below are some of the key aspects of CCPA that businesses should be aware of:

  1. CCPA creates numerous rights for consumers with respect to businesses who hold their personal information, including the right to find out what information about the consumer a business possesses, the right to deletion of certain information, the right to opt out of the sale of information, and so on. Businesses must be able to comply with customer requests and doing so can be complex. Is the average cannabis or hemp business able to drop everything and identify to a consumer within a short window exactly what information the business has about the customer?
  2. To really be able to comply with CCPA, businesses should be able to identify how they collect information from any source, and what they do with it. This can be a tremendously complicated task, especially for larger businesses or businesses that have an online presence.
  3. Companies need to have privacy policies that explain to customers what information they have, how they obtained it, and what they do with it. While California already required businesses with websites to have privacy policies, CCPA-type privacy policies will be much more broad and will not just apply to information collected through websites. Moreover, pursuant to the proposed regulations recently released by the California Attorney General, those policies must be accessible to consumers with disabilities, which can be a huge challenge to comply with for covered businesses.
  4. If businesses sell (or in some cases even provide) customer information to third parties, that will need to be explained to customers up front, and customers will have the ability to opt-out of such information sharing. In fact, per the Attorney General regulations, websites should even include a special opt-out button.
  5. Businesses who provide consumer information to third-party “service providers” to process the information on behalf of the business must enter into contracts with the service providers that obligate them to adhere to certain standards under CCPA.
  6. Businesses must train their employees and agents concerning certain privacy practices.
  7. CCPA creates a private right of action for consumers and allows them to seek statutory or actual damages in the event of certain breaches where companies failed to adopt reasonable security measures. This means that there will likely be an onslaught of class-action suits against all kinds of companies in the future, including cannabis companies. Even companies who do believe they have reasonable security measures in place will have to essentially prove that through expensive litigation. The one saving grace is that there may be a cure period for some businesses, but in all likelihood, lawsuits will be coming.

This is just a short list of some of the more important requirements of CCPA. As any reader can see, compliance will not be easy. Cannabis and hemp companies that don’t start thinking about CCPA now may be at risk later.

Cannabis Track and Trace Is A Disaster Waiting to Happen—and Not for the Reasons You Might Think
https://mjshareholders.com/cannabis-track-and-trace-is-a-disaster-waiting-to-happen-and-not-for-the-reasons-you-might-think/
Sat, 25 May 2019 18:44:28 +0000 (originally https://www.cannalawblog.com/?p=30438)

Most states’ regulated cannabis regimes require licensed cannabis companies to use seed-to-sale track-and-trace software. In California, the state has contracted the entire track-and-trace program to the METRC program. The METRC program isn’t yet fully implemented because many operators don’t yet have annual licenses. Our California cannabis attorneys frequently assist clients with track-and-trace compliance and preparation. We know that most California cannabis licensees are just trying to get a handle on how they will use METRC and what that will require from an operational standpoint. What nobody seems to be focusing on is the fact that some apparent oversights in California’s regulations could lead to widespread chaos for operators across the state.

The aspect of track-and-trace with the biggest potential for disaster isn’t the fact that it’s so complex, but rather the fact that loss of access to the system could be devastating for licensees. Each of the three California cannabis agencies’ track-and-trace rules prohibit licensees from transferring cannabis to other licensees in the event of loss of access to the track-and-trace system. This effectively means that businesses have to stop doing business until access is restored—no matter what—and every day waiting could cost thousands of dollars in lost revenues. It doesn’t matter if the loss of access was caused by a licensee, a third party, or even issues with METRC or a third-party application integrated with METRC.


This leads me to a post I wrote several months ago on how data breaches are likely to ravage the cannabis industry. One of the things I talked about is the potential for “ransomware” or similar attacks—situations where hackers encrypt files or even in some cases lock users out of systems and demand money (the ransom) in exchange for giving access back to the user.

If a ransomware or similar attack causes loss of access to a licensee’s track-and-trace software, the licensee will be at the mercy of hackers and won’t be able to conduct business until they either pay the ransom (which may pose legal problems in and of itself, see here) or figure out how to gain back access themselves (which may be impossible). If there’s an attack to or even simply unintended downtime in the METRC system or integrated applications, that could cause chaos for operators across the state.

While loss of access to the entire METRC system could happen, it’s probably not very likely. What is virtually guaranteed to occur is individualized loss of access to the track-and-trace system following routine computer incidents or malicious hacking. There’s not much that the industry can do if METRC is breached and there’s widespread loss of access. But there is a lot that companies can do to protect themselves from individualized breaches or at least minimize the damage caused by breaches—from cyber insurance to breach planning to privacy policy compliance.

In our experience, these are issues that the average cannabis company just isn’t even considering. On top of the expense and difficulty of complying with cannabis laws, data breaches could force cannabis companies to take a very hard look at how they operate.

Cannabis companies have a lot more to lose than regular companies given the federal status of cannabis (would cannabis companies want to report data breaches to the FBI?) and the fact that data breaches can already be tremendously expensive for companies that don’t have to spend tens (or hundreds) of thousands of dollars on permits and deal with Internal Revenue Code section 280E. Cannabis companies should consult with their counsel to figure out solid ways to protect themselves in the event of loss of access to the track-and-trace system or from other data security problems.

Selling Hemp Products to Europe? Welcome to the GDPR Nightmare.
https://mjshareholders.com/selling-hemp-products-to-europe-welcome-to-the-gdpr-nightmare/
Mon, 08 Apr 2019 06:44:26 +0000 (originally https://www.cannalawblog.com/?p=30001)

Ever since the passage of the 2018 Farm Bill, our hemp lawyers have been getting a barrage of questions about the lawful status of hemp and hemp-derived cannabidiol (“Hemp CBD”) in the United States. The hemp laws appear to be changing in favor of a pro-hemp marketplace, but at a much slower pace than the actual U.S. market for hemp is growing.

As the market in the U.S. continues to develop, companies may shift their focus to the international market. As we recently wrote, selling hemp or Hemp CBD products in the European Union (“EU”) is one area that—sort of like in the U.S.—is bursting with various legal and regulatory concerns from the top EU agencies to the individual EU states.

In addition to the array of legal and regulatory concerns about the sale of Hemp CBD products in the EU noted in our above-linked post, the EU’s General Data Protection Regulation (“GDPR”) is something that almost any U.S.-based company doing business in the EU will need to become familiar with. And it won’t be pretty.

The GDPR is a groundbreaking EU privacy and data security regulation that went into effect on May 25, 2018. The GDPR gives EU residents a broad array of privacy rights with respect to holders of their data. EU residents have the right to, for example, request that companies delete or modify certain data about them, or even provide notification to the residents about what data they have. Companies are required to adopt very complex data security measures and enter into numerous data security contracts. Companies must disclose their privacy practices to consumers at the point of data collection (e.g., having a privacy policy, which is already required in the U.S., but on a lesser scale). And companies are only allowed to “process” (i.e., obtain or use) data upon consent or if there is another lawful basis for processing. This may not sound like a lot, but it created a worldwide rush to compliance leading up to May 2018, with many companies still trying to get their ducks in a row.

What U.S. companies need to seriously be concerned about is whether they engage in conduct that triggers GDPR compliance, which according to GDPR Article 3(2) could happen even for wholly U.S.-based companies:

This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

  1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
  2. the monitoring of their behaviour as far as their behaviour takes place within the Union.

This is a very broad jurisdictional “hook”. If a U.S. company is offering goods or services—even for free—to EU residents, then GDPR may apply. Selling or even offering for sale hemp or Hemp CBD products to EU countries (assuming that there were no other regulatory barriers) thus could subject a U.S.-based operator to GDPR compliance. There is no threshold of goods that must be sold to trigger GDPR compliance, so even a few sales could theoretically require compliance.

The monitoring component is also important for companies to consider. Companies may use marketing tools to “profile” potential customers online. Applying these tools to EU residents could be another way to land oneself in GDPR compliance territory.

What happens if companies don’t comply with GDPR’s requirements when they are mandatory? First, affected EU residents may bring actions against the companies. Second, the companies could be subject to fines (see Article 83(4)–(5)) as high as €20,000,000 or four percent of a company’s annual turnover (i.e., its gross revenues). As GDPR is so new, we don’t yet know what enforcement will look like against U.S. companies and how foreign fines or judgments would be dealt with in the U.S.

The bottom line is that doing business in the EU may likely subject U.S. companies to very onerous compliance requirements. While we don’t yet have a full picture of what enforcement will look like, we wouldn’t be surprised if European regulators took a hard line against U.S. companies selling hemp or Hemp CBD products in their home states which they viewed as harmful or unlawful.

Data Breaches are Coming and Will Wreak Havoc in the Cannabis Industry
https://mjshareholders.com/data-breaches-are-coming-and-will-wreak-havoc-in-the-cannabis-industry/
Mon, 26 Nov 2018 18:44:39 +0000 (originally https://www.cannalawblog.com/?p=28583)
Cannabis businesses may be especially vulnerable.

Virtually everyone knows about breaches of companies like Equifax. Massive breaches have happened to established, mega-companies who still took major reputational and monetary hits after they were breached. What many people don’t realize is that it doesn’t take a major breach to devastate a business. We don’t want to be dramatic, but we also don’t want to downplay the significance of breaches—they are coming, and cannabis companies that are not prepared may be left in the dust.

Data breaches can range from malicious hacking to the simple loss of a laptop containing unencrypted “personal information”. In either case, if statutorily defined classes of personal information were accessed or acquired without authorization, the party who held the personal information must provide written notification to the affected individuals within a relatively short period of time, and in many cases must also provide other services like credit monitoring. This may seem like a straightforward process. It is not. Just figuring out what kinds of information may have been accessed and whose information may have been accessed could take tens of thousands—if not hundreds of thousands—of dollars in forensic review.

Take the following example: A human resources manager is the victim of a phishing attack. Typically, forensic review of the affected account may need to be undertaken to determine what part of the manager’s email accounts were accessed—did the attacker review one email, or access the entire mailbox? If the forensic vendor determines that the entire account was or could have been accessed, the entire account may need to be “data mined” at a high per-gigabyte cost to see whether emails contain personal information that could require reporting. This could potentially involve tens of thousands of dollars in expenses for one account. Now imagine this happens to five employees.

Not only is this piecing together of events time consuming and expensive, but it only gets half the job done. Once a list is made of the affected individuals and reportable information, notification (often drafted by lawyers) needs to be provided to individuals. This requires engaging companies to ensure that the individuals live where they are thought to live, and to physically mail notification letters out. Then, usually at a certain price per enrollee, credit or identity theft monitoring is provided.

It’s not difficult to see why this process is expensive, and the fact that it needs to occur in such a short period of time can put intense pressure on an enterprise. To boot, in many states, attorneys general need to be given notification if a certain threshold of citizens of those states were notified of a breach. These attorneys general can (and sometimes do) request detailed summaries of how the breach happened and can even bring administrative actions against the companies who were the victims of the data breach.

Breaches are not unique to the cannabis industry—the Breach Level Index (“BLI”) estimates that more than 14 billion data records have been lost or stolen since 2013, with an average frequency of an astounding 6.9 million records per day. However, this industry is particularly susceptible to data breaches and their damaging effects for many reasons. Here are a few examples:

  • Companies may not be willing to report breaches to federal authorities like the FBI or IRS, who otherwise would likely be notified, in light of the federal illegality of cannabis. Malicious actors may believe that this gives them some sort of advantage—and to some extent it does if law enforcement is not given notice.
  • Given the state of banking in the cannabis industry, cannabis businesses may use cryptocurrency, which could have keys that are stored on electronic devices that are capable of breach. This could expose a cannabis business to financial losses unlike in virtually any other industry.
  • The reputational harms to an up-and-coming licensee could destroy a cannabis business. Even though many of the stigmas around cannabis have gone away, many people wouldn’t want their employer or the general public to know that they bought cannabis. Imagine what a government employee would think if a cannabis business was the victim of a breach and his or her employer suddenly could find out about the employee’s purchase history. That business probably would not last.
  • The industry is forced to interact with technology in a way that many others are not. In California, as well as most other states with licensing regimes, cannabis companies must implement track-and-trace systems to monitor all commercial cannabis activity. Licensees of the California Bureau of Cannabis Control (“BCC”) are legally prohibited from transporting, transferring, or delivering goods during outages of track-and-trace systems—i.e., doing most kinds of business. What happens when they are the victim of a ransomware attack (a situation in which a hacker encrypts all computer systems and demands compensation in cryptocurrency or something similar in exchange for the decryption key, after which full restoration may take days or weeks)? Businesses could literally bleed out while trying to negotiate with—or pay a ransom to—someone across the globe.
  • State attorneys general may need to be notified of certain data breaches. If an attorney general in a state in which cannabis was not legal receives notice that a number of the attorney general’s home state citizens were the victims of a data breach, that attorney general may want to target that cannabis business with an enforcement action.

These are just a few of the unique pressures the cannabis industry faces.

Breaches are in many senses inevitable. There is still a lot that companies can do to reduce the impact of them or to attempt to prevent them. Below are a few:

  • Having a privacy policy and sticking to it. We’ve written about the need for policies before, and the potential penalties for not complying. We get the sense that a lot of cannabis businesses think of this as unnecessary or just a rote copy-and-paste job. This is not accurate. These policies are detailed, and are designed to identify the information gathering and usage policies of an organization. If an organization follows a policy, then it should in theory know what information it has, and where. This could be the difference in whether significant time and resources are spent tracking down potentially accessed information.
  • Complying with relevant information security standards. Many states actually require businesses to adopt certain standards when it comes to information storage. Technical measures can be adopted to reduce the likelihood or impact of breaches.
  • Planning for breaches. Training employees, and having plans for what to happen in the event of a breach, could also avoid or lessen the impact of a breach.
  • Considering insurance. Insurance companies are starting to provide cyber liability insurance, which could cover the costs of some breaches. This won’t actually prevent a breach, but may stop a company from spending significant amounts of money in response to a covered breach.

The point of this post is to highlight just how significant breaches can be for cannabis businesses. Preparing now, rather than after they occur, could avoid a great deal of issues later.

California Cannabis: Does Your Business Have a Website? If So, You Probably Need a Privacy Policy.
https://mjshareholders.com/california-cannabis-does-your-business-have-a-website-if-so-you-probably-need-a-privacy-policy/
Sat, 13 Oct 2018 14:00:28 +0000 (originally https://www.cannalawblog.com/?p=28095)
No longer optional for your canna business website.

Unless you’ve been living under a rock for the past few months, you’ve probably read about the host of sweeping new laws in California, like its new Internet of Things law, cannabis privacy law, or net neutrality law, to name just a few. California has long been regarded a trailblazer when it comes to making people who are outside of California do things to comply with California law. So it probably comes as no surprise that website operators outside of California may need to comply with a privacy policy law in California: the California Online Privacy Protection Act.

Pursuant to this law, any business that owns or operates a website that advertises to, services, or in many cases is simply accessible by California residents will almost certainly need to conspicuously post (and—importantly—actually follow) a privacy policy containing statutorily defined disclosures. This requirement applies when a website collects “personally identifiable information” about California consumers, including first and last name, home or other address, email address, telephone number, Social Security number, or any other information that would permit a person to contact a website user (either physically or online). Moreover, a policy may be required even for businesses located in distant areas of the United States just by virtue of the fact that its website can collect this information.

If a company fails to create or adhere to a privacy policy and does so either intentionally or in a material and negligent way, that company may be in violation of the law. The law does state that website operators will not be in violation until 30 days after being notified that their website does not contain a privacy policy, but it does not specify where notification can come from (i.e., the state or any source), which means that reliance on this window may be risky. The law is enforced by the California Attorney General, with penalties of up to $2,500 per violation. These penalties could be severe for businesses that offer mobile apps, as the California Attorney General has taken the position that a new (potentially $2,500) violation occurs each time a non-compliant app is downloaded.

You may be wondering how this applies to your cannabis business. The fact is that there are numerous ways in which even seemingly passive websites collect protected information from and about users. Even if your website does not sell any products, it may include “Contact Us” or mailing list subscription portals which collect protected information. If your website sells or ships any sort of product, it may collect at least some protected information. Even if your business has not collected information about any California residents in the past but simply could do so, the mere possibility may mean it needs to comply.

Furthermore, there are other good business and legal reasons to post and adhere to a privacy policy. Customers appreciate when businesses are transparent about their privacy practices. For obvious reasons, ensuring that cannabis customers’ privacy is maintained is important. Additionally, in the event of a data breach which requires notification to state or federal authorities, the fact that a company took steps to maintain customer privacy may be an important consideration in determining whether any enforcement actions should be taken.

The good news is that, unlike some laws or regulations that cannabis companies face, California’s privacy policy law is relatively straightforward in that it specifies what a company needs to disclose in a privacy policy and how that policy needs to be displayed on a website. That said, ensuring that a privacy policy accurately describes a company’s current and future privacy practices can be a challenge, and inaccurate or gratuitous statements in a privacy policy could expose a company to additional liability. In other words, a policy needs to be tailored to a company’s specific practices, and so copying language from other privacy policies could cause even more trouble for a company.

Cannabis companies have enough to worry about. They shouldn’t add to the problem by failing to address privacy or data security laws. A good place to start is engaging counsel to draft a comprehensive privacy policy. After all, at least according to California, one is required.

Breaking News: California Passes First Internet of Things (“IoT”) Law https://mjshareholders.com/breaking-news-california-passes-first-internet-of-things-iot-law/ Wed, 03 Oct 2018 14:00:36 +0000 https://www.cannalawblog.com/?p=27990 cannabis marijuana IOT
Cannabis things included.

Two years ago, we published a series of posts about the cannabis industry’s embrace of the Internet of Things (“IoT”)—the network of physical objects connected through the Internet—for use in everything from garden sensors to dispensers. In that same series, we also discussed some of the potential legal risks and ramifications of using the IoT in the cannabis business—particularly some of the privacy and security risks inherent in the IoT.

Just last week, California Governor Jerry Brown approved SB-327, the first information security law in the U.S. specifically targeting the IoT. SB-327 takes effect on January 1, 2020, and will require manufacturers of connected devices—essentially, devices in the IoT—to equip them with “reasonable” security measures. These security measures must be appropriate to the nature of the devices and the information they collect and contain, and must be designed to protect the devices from unauthorized access, destruction, use, modification, or disclosure. SB-327 also requires devices that can be accessed from outside a local area network either to be equipped with a unique password or to allow the user to generate their own password.

It’s important to emphasize that SB-327 does not impose any requirements on users of IoT devices, but rather on manufacturers. So, for many businesses in the cannabis space that rely on the IoT, no real changes in operations may be necessary. Both plant-touching and ancillary marijuana companies that manufacture qualifying devices, on the other hand, may need to re-do or even re-invent their products.

It’s also important to note that the law applies to more than just California manufacturers. It applies so long as a business manufactures—either itself or through a contracting third party—qualifying devices that will be sold or offered for sale in California. Crucially, there is no threshold for product sales in California. Consequently, any manufacturer, anywhere, could be subject to SB-327.

Complying with SB-327 may be as simple as assigning randomly generated passwords to each device or re-tooling software or firmware to provide more robust security protection. But for some manufacturers—especially of devices that gather or contain sensitive information—compliance may be more involved and may require a ground-up reinvention. Consultation with counsel is always the best step towards compliance.
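The per-device password approach mentioned above, as an added example (not code from the original post or from any manufacturer): each device in a batch gets its own cryptographically random password, the firmware record keeps only a salted hash, and an owner-chosen replacement is accepted only if it is not short and not just the factory value re-entered. The serial numbers and the batch size are constructed sample values.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
FACTORY_PASSWORD_LEN = 16
MIN_USER_PASSWORD_LEN = 12

# Constructed sample serial numbers for one production batch.
DEVICE_SERIALS = ["GS-000101", "GS-000102", "GS-000103"]


def generate_device_password(length=FACTORY_PASSWORD_LEN):
    # Cryptographically random and drawn fresh per device: no shared default.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def hash_password(password, salt=None):
    # The device stores only a salted PBKDF2 hash, never the plaintext.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest

def verify_password(password, salt, digest):
    # Constant-time comparison against the stored hash.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def provision(serials):
    # Assign each serial its own password. The plaintext goes on the device's
    # label for the owner; the firmware record keeps only (salt, hash).
    records = {}
    for serial in serials:
        pw = generate_device_password()
        salt, digest = hash_password(pw)
        records[serial] = {"password": pw, "salt": salt, "hash": digest}
    return records

def batch_is_unique(records):
    # Factory-line check: no two devices in the batch share a password.
    pws = [r["password"] for r in records.values()]
    return len(set(pws)) == len(pws)

def accept_user_password(candidate, salt, digest):
    # The user-generated alternative SB-327 allows: reject short values and
    # reject simply re-entering the factory password.
    if len(candidate) < MIN_USER_PASSWORD_LEN:
        return False
    return not verify_password(candidate, salt, digest)
```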

Cannabis Cybersecurity: Information Security Standards in Oregon https://mjshareholders.com/cannabis-cybersecurity-information-security-standards-in-oregon/ Sat, 29 Sep 2018 14:00:18 +0000 https://www.cannalawblog.com/?p=27873 oregon marijuana cannabis data security

Last week we discussed the data breach notification laws with which cannabis companies doing business in Oregon must comply following a cyber intrusion. Today, we discuss the safeguards these companies must adopt to protect the security, confidentiality and integrity of the personal information of customers and employees (collectively, “Consumers”) who reside in Oregon.

Pursuant to Oregon Revised Statutes (“ORS”) § 646A.622 any business that “owns, maintains or otherwise possesses, and has control over or access to,” written and electronic data that includes personal information used for business purposes, must develop, implement, and maintain reasonable safeguards to protect the personal information.

Generally, “personal information” means a Consumer’s first name or first initial and last name in combination with, for example, a Consumer’s social security number, driver license number or financial account information, if (1) encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and (2) the data element or combination of data elements would enable a person to commit identity theft against a consumer.

The company must act in accordance with this law by:

(1) Complying with:

  • State or federal laws with greater protections for personal information than ORS § 646A.622;
  • The Gramm-Leach-Bliley Act as of January 1, 2016 (as of June 2018), if the company is subject to this act; or
  • Requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as of June 2018, if HIPAA applies to the company;

and

(2) Implementing a security program that includes:

Administrative Safeguards, such as:

  • Frequently identifying reasonably foreseeable internal and external risks;
  • Frequently training and managing employees in security program practices and procedures; and
  • Selecting service providers that are capable of maintaining appropriate safeguards and adhering to procedures and protocols to which you and the service provider agree, but also requiring the service providers by contract to maintain the safeguards, procedures and protocols.

Technical Safeguards, like:

  • Assessing risks and vulnerabilities in network and software design;
  • Taking reasonably timely action to address the risks and vulnerabilities; and
  • Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;

and

Physical Safeguards, including but not limited to:

  • Monitoring, detecting, preventing, isolating and responding to intrusions in a timely manner and frequently; and
  • Disposing of personal information after you no longer use it for business purposes, pursuant to local, state and federal law.

So what does all of this mean? Simply put, business owners with 100 or fewer employees (which includes almost all Oregon cannabis businesses) will comply with these statutory requirements if their information security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate to: (1) the size and complexity of their business; (2) the nature and scope of their activities; and (3) the sensitivity of the personal information collected from or about a Consumer.

Cannabis businesses should take these safeguard standards seriously. Each violation is subject to a penalty of up to $1,000. Note that each day of a continuing violation is a separate violation, but the maximum penalty for any occurrence is $500,000. Civil penalties under ORS § 183.745 may also apply.

Complying with ORS § 646A.622 is not only required by law, it is also a very good idea for all cannabis businesses. Indeed, developing a vetted, comprehensive plan of action is the best way to effectively respond to an attack and to reduce the amount of damage to your company. Be safe out there!

Oregon Cannabis: Data Breach Notification Laws 101 https://mjshareholders.com/oregon-cannabis-data-breach-notification-laws-101/ Sat, 22 Sep 2018 14:00:36 +0000 https://www.cannalawblog.com/?p=27791 oregon marijuana data breach cyber

A few weeks ago, we mentioned that cannabis companies that fall victim to a data breach are required, under state law, to inform employees and customers whose data was compromised by the intrusion. However, not every stolen piece of information demands notification. This post further dives into these laws—all 50 states have now enacted breach notification laws—by addressing the notification requirements imposed by the State of Oregon.

Oregon Revised Statutes (“ORS”) 646A.602 defines “breach of security” as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” “Personal information” means an Oregon resident’s:

  • Social security number;
  • Driver license number or state identification card number;
  • Passport number or other identification number;
  • Financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account;
  • Physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction;
  • Health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the resident; or
  • Any information about their medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment information.

Personal information also includes any of the data elements listed above, without the resident’s name, if the data elements, alone or in combination with others, would enable a person to commit identity theft against the resident.

However, the breach of a resident’s personal information does not, in and of itself, prompt the notification requirement. In Oregon, notification is not mandated if, after an appropriate investigation or consultation with law enforcement agencies, the company reasonably determines that the resident has not and is not likely to be harmed from the breach. Such determination must be documented in writing and maintained by the company for a minimum of 5 years.

If the company determines that the stolen data will harm or is likely to harm the resident, then the company must notify the resident “in the most expeditious manner possible, without unreasonable delay,” but no later than 45 days after discovering or receiving notification of the breach. Notification may only be delayed if the notice would impede a criminal investigation.

The notification, which must be made in writing, by phone or electronically, must include, at a minimum:

  • A description of the breach in general terms;
  • The approximate date of the breach;
  • The type of personal information that was subject to the breach;
  • The company’s contact information;
  • The contact information for national consumer reporting agencies; and
  • Advice to the consumer to report suspected identity theft to law enforcement, including the state Attorney General and the Federal Trade Commission.

Moreover, if more than 250 residents are notified, the company will be required to submit, in writing or electronically, a copy of the notification to the Attorney General. If more than 1,000 residents are notified, then the company will also have to notify all nationwide Consumer Reporting Agencies.

Data breach notification laws are demanding on hacked companies, but they are not the only laws with which these business entities must comply following a cyber attack. State and federal laws, including employment, medical, and financial laws, usually apply. In addition, states like Oregon impose pre-data breach measures, also known as information security standards—we will further cover this issue in our next post—on any company doing business in the state to protect the security, confidentiality and integrity of personal information before a breach. (California just passed one such law, specifically targeted at marijuana businesses.)

Cannabis companies affected by a data breach should always consult with experienced cyber security attorneys to avoid any civil penalty, but also to retain public confidence and maintain their competitive edge in this high-risk cyber environment.
