Protecting both your own data and your customers' data is crucial
In July, California will begin enforcing its “Track-and-Trace” program, which requires that all annual cannabis business licensees use the California Cannabis Track and Trace METRC system to record, track and maintain a cannabis plant’s every move along the supply chain. This software will help regulators track cannabis throughout its lifecycle and down the supply chain – from cultivator to manufacturer to distributor to lab to retailer and, eventually, to the consumer – and ensure that properly licensed cannabis doesn’t end up in the wrong hands. However, to comply, business operators must maintain a large amount of valuable data, increasing the risk of liability in the event of a cybersecurity incident.
CANNABIS LICENSEE DATA COLLECTION
The California Department of Food and Agriculture, which regulates the state's cannabis tracking system, requires that annual cannabis business licensees start using the METRC system within fifteen days of licensure. The track and trace program includes an electronic seed-to-sale software tracking system that requires cannabis businesses to capture data points along the entirety of the supply chain, and record the information so that it is accessible online to regulatory authorities in real time.
Employee personnel records must also be maintained and made accessible to authorities. This includes every employee's full name, social security number or individual taxpayer identification number, and the dates of employment. Local regulations vary by jurisdiction, but often require employment applications to include employee background checks, addresses, and financial account information.
Cannabis retailers are responsible for checking each customer's government-issued identification card and, where applicable, medical recommendation, which may reveal patient health information, including a medical condition. All business records must be kept for a minimum of seven years. If a business fails to maintain the requisite data, it could be subject to fines of up to $30,000 per incident.
In addition to the above data, cannabis companies are beginning to employ electronic data collection to capture other operational information. This includes day-to-day operations management, evaluation of growth and productivity, consumer habits, as well as information that the company submitted through the local permitting process.
LEGAL IMPLICATIONS OF DATA RETENTION
Under California law, any company that maintains specified types of data in electronic format must implement certain safeguards to ensure the security of the individual’s private information. See Cal. Civ. Code §§ 1798.29, 56.101. Operators with access to employee or patient medical information are also required to keep a record of any change or deletion of any medical electronic information, including the identity of the person who accessed and changed the information, the date and time accessed, and the change that was made. Because the state’s cannabis regulations mandate that data be available in real-time, business operators are forced to support electronic data access.
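The change-tracking record described above (who accessed or changed the information, when, and what changed) is an audit log, and a useful property for such a log is that a later edit or deletion of an entry is itself detectable. The following is an added illustration, not the authors' code and not the METRC system's or any state agency's API: each entry is chained to the previous one by a SHA-256 hash, so rewriting history breaks the chain. The class and function names, the sample record fields, and the actor names are all hypothetical.

```python
"""Hash-chained audit log for changes to medical information.

Added example (not the article's own code, not any regulator's API).
Each entry records who acted, when, on which record, and what changed,
and is chained to the previous entry by SHA-256, so that a later edit or
deletion of any entry is detected when the chain is verified.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # hash "before" the first entry


def _digest(prev_hash, entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # append-only in normal operation

    def record(self, actor, record_id, old, new, when=None):
        """Append one entry for a create/update/delete of a patient record.

        `old` and `new` are dicts of the record before and after the change;
        an empty dict on either side denotes creation or deletion.
        """
        when = when or datetime.now(timezone.utc)
        keys = sorted(set(old) | set(new))
        changes = {k: [old.get(k), new.get(k)] for k in keys
                   if old.get(k) != new.get(k)}
        action = "delete" if not new else ("create" if not old else "update")
        entry = {
            "seq": len(self.entries),
            "actor": actor,               # identity of the person making the change
            "timestamp": when.isoformat(),  # date and time of access
            "record_id": record_id,
            "action": action,
            "changes": changes,           # the change that was made
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry["hash"] = _digest(prev, entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every hash from genesis. Returns (ok, first_bad_seq)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or _digest(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None


def demo():
    """Constructed sample data (hypothetical patient and staff names)."""
    log = AuditLog()
    rec = {"name": "Pat Example", "recommendation": "REC-0001",
           "condition": "chronic pain"}
    log.record("jdoe", "P-100", {}, rec)
    log.record("jdoe", "P-100", rec, {**rec, "condition": "insomnia"})
    log.record("admin", "P-100", {**rec, "condition": "insomnia"}, {})
    ok_before = log.verify()[0]
    # An insider quietly rewrites who made the second change.
    log.entries[1]["actor"] = "someone_else"
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The hash chain only proves that the log has not been altered since the last entry that someone else holds a copy of; in practice the latest hash is periodically written somewhere the application's own administrators cannot modify (a write-once store, a separate log collector, or a printed register), and the log is verified against that copy.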
More importantly, would-be hackers could wreak havoc on a business's operations given the volume and variety of data managed by cannabis businesses. For example, when software company MJ Freeway's system was maliciously hacked in January 2017, business operations at over 1,000 client dispensaries in 23 states across the country were interrupted. Five months later, a portion of the company's valuable source code was stolen and posted publicly on Reddit. In December 2016, Nevada's Medical Marijuana Program database was breached, exposing the personally identifiable information of over 11,000 people, including names, social security numbers, race, and address. Incidents like these will be on the rise as the cannabis industry expands and captures the attention of malicious actors.
By now, everyone is aware that cyber security incidents are a primary risk management concern for businesses of all types. According to the Identity Theft Resource Center, the number of U.S. data breaches hit an all-time high in 2017, with an estimated 1,579 incidents. Cannabis businesses have cause for concern. Cyber security firm Symantec reports:
“Cyber-thieves have been increasingly targeting small businesses over the last four years. Cyber hackers view small businesses as a soft, easy mark versus big blue chip companies which have ramped up their cyber firewalls. . . [A]lmost half of cyber-attacks worldwide, 43% [in 2016,] were against small businesses with less than 250 workers.”
The profitability of selling stolen personally identifiable information, private health information, and company trade secrets on the dark web has fostered hacker ingenuity. Cyber criminals have a panoply of tools at their disposal including phishing, malware, skimming, and distributed denial of service (DDoS) attacks, all of which can result in data loss, business interruption, and negative reputational consequences, as well as civil liability and regulatory fines. Negligent or disgruntled employees and lost or stolen storage devices can also lead to the unauthorized disclosure of a business’s data.
RISK MANAGEMENT OBSTACLES TO CANNABIS DATA PRIVACY DEFENSE
Bill Gates has said that cyber security is the “biggest problem facing mankind.” Yet cannabis companies preoccupied with licensing, regulatory compliance and day-to-day management might be slow to understand or prioritize data protection, whether due to a dearth of time and resources, or a lack of formal guidance. This trend needs to be reversed, with data privacy becoming a primary risk management objective of every cannabis business.
Another major obstacle for properly protecting a cannabis business from data security exposure is the lack of cannabis-specific cyber or data security insurance policies that are currently available on the market. We remain optimistic, however, that as data security becomes better understood by the cannabis industry, and as insurance carriers become more comfortable operating in the cannabis space, policies that offer real cyber/data security coverage will be available soon.
CALIFORNIA OBLIGATIONS FOLLOWING UNAUTHORIZED DATA DISCLOSURES
California cannabis businesses should be particularly mindful of the state’s information privacy regulations and the California Confidentiality of Medical Information Act.
California Information Privacy
California law requires a business to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person. “Personal information” includes an individual’s name in combination with their social security number, California government identification card number, or medical information. Notification must be made without unreasonable delay and in the most expedient time possible. If more than 500 residents’ information was breached, companies must also provide notice to the California Attorney General.
California Confidentiality of Medical Information Act
California's cannabis statute specifies that information in a patient's physician recommendation received by a licensee is considered "medical information" pursuant to the Confidentiality of Medical Information Act (CMIA). This covers patient information in both electronic and paper format. CMIA requires licensees to investigate and report any unlawful or unauthorized access to, or use or disclosure of, a patient's medical information to the California Department of Public Health and to the affected individual within fifteen business days of discovering the unlawful or unauthorized access. An individual right of action is available to California residents who suffer an injury due to a business's non-compliance.
MINIMIZING DATA SECURITY RISKS
One important step that a cannabis business can take to limit its exposure to litigation arising from unauthorized data disclosure is to prepare for how it will respond to a breach. A well-designed breach response plan identifies how and where valuable data is stored by the company, and delineates clear lines of responsibility and authority in responding to a breach. Breach response plans help to ensure that exposure is minimized at every step. Companies that understand their legal obligations will be best equipped to quickly handle the aftermath, comply with statutory disclosure deadlines, and lessen the financial impact of a breach.
Cannabis companies would be wise to consider implementing additional best practices to decrease their exposure to data security threats, including:
- Instituting good password hygiene: no password sharing, and a unique password of at least twelve characters for every account, to decrease the odds of a successful brute force attack
- Shredding anything sensitive that is on paper
- Using an encrypted, private wireless network (WPA2 or newer, with a strong passphrase) to keep out intruders seeking to sniff data
- Changing system passwords promptly when an employee departs or a compromise is suspected, rather than relying on a fixed rotation schedule alone, and implementing multi-factor authentication
- Training employees to identify digital security risks
- Backing up company data regularly
- Testing system security to identify vulnerabilities
- Obtaining cyber liability insurance when it becomes available for the cannabis industry
Finally, if you become the victim of a breach or attack, it is critical to contact your IT team, legal counsel and cyber liability insurance agent immediately.
The growth of data breach litigation underscores the real and imminent exposure that cannabis operators face both from private litigants and public agencies. No risk management plan is complete without a cannabis business operator acknowledging and preparing for the risks of digital data management.
About the Authors
Ian A. Stewart is a partner and Nicole A. Aaronson is an associate in the Los Angeles office of national law firm Wilson Elser. Through its dedicated Cannabis Law practice, Wilson Elser attorneys assist growers, processors, distributors and vendors within the legalized cannabis industry as well as organizations outside the industry impacted by cannabis legalization.