Originally published on Bloomberg Law
Marijuana businesses have access to sensitive consumer information, particularly those businesses that retain health and identification records in order to fulfill medical marijuana orders. Perkins Coie attorneys outline some proactive steps to mitigate risks related to data protection for an industry in which legality differs not only from state to state, but also between the states and the federal government.
Marijuana businesses, especially those in the medical marijuana industry, often have access to sensitive consumer information. Many state laws mandate the collection and retention of such information, including photo identification and health records. By complying with these laws, marijuana businesses may become targets for data theft and other data losses.
Failure to take reasonable measures to secure personal information can lead to considerable legal risk for marijuana companies.
Data Breaches in the Marijuana Context
The marijuana industry is particularly susceptible to data security risks because of legal requirements—sometimes from overlapping sources—regarding the compilation and retention of consumers’ personal information. Dispensaries typically must collect names, Social Security numbers, phone numbers, and other highly sensitive information from consumers.
Recent data breaches demonstrate the vulnerability of marijuana companies to the potential disclosure of consumer information. Just a few months ago, researchers found over 85,000 unencrypted files in an unsecured database belonging to THSuite, a point-of-sale and inventory management software platform used by many marijuana businesses across the country. All told, this data leak potentially exposed to the public the personal information and marijuana preferences of 30,000 individuals.
The leaked information included full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical identification numbers, cannabis used, price, quantity, and receipts, as well as scanned government and employee identification. Several plaintiffs’ firms have begun investigations into this data breach.
The THSuite data loss was not the first data breach affecting the marijuana industry, nor is it likely to be the last. Earlier data breaches have occurred, such as that experienced by MJ Freeway, a seed-to-sale software platform, in 2017. MJ Freeway suffered several hacking attacks and was targeted in a phishing scheme offering to sell information about Washington state cannabis businesses.
What’s Unique About Marijuana Businesses?
Although any organization should be concerned about the reputational and financial damage that data breaches can cause, marijuana businesses may find those costs particularly burdensome because marijuana legality differs not only from state to state, but also between the states and the federal government.
Data-breach notification laws in all 50 states and the District of Columbia are generally based on where the affected individuals reside, rather than where they have conducted transactions. (A summary of state laws regarding data breach notifications is available here.)
As a result, a marijuana business that conducts transactions legally in one state may fall under the notification laws of another state where the same transactions are illegal. Furthermore, many state notification laws require notice of data breaches to state attorneys general. Such notification may invite hostile scrutiny from an attorney general in a state whose data breach laws are implicated by residents who have traveled to and conducted marijuana transactions in marijuana-friendly states.
Medical marijuana businesses are at particularly elevated risk given that they might be required to collect patient health information pursuant to state law. This collected data may be subject to protections under both the federal Health Insurance Portability and Accountability Act (HIPAA) and state laws. Violations of HIPAA can result in significant fines and even criminal penalties.
Finally, some marijuana-related businesses face difficulty in protecting themselves from the consequences of data breaches through traditional means. For example, many insurers have balked at insuring marijuana-related companies due to regulatory uncertainties. This may constrain the ability of many companies in the marijuana industry to access cyber insurance and other insurance products. Even if insurance is available, the coverage may be insufficient or prohibitively expensive to adequately protect against data breach liability.
What Can Marijuana Companies Do?
Given these risks, it is particularly important that marijuana companies take proactive steps to mitigate their risks relating to data protection. These steps include:
- Reviewing existing data privacy and data security policies, and, if such policies are not already in place, establishing them when necessary;
- Developing a comprehensive incident response plan that takes into account the particular risks and consequences of a breach affecting that company or one of its vendors;
- Implementing and maintaining reasonable procedures and practices to secure consumer and employee information;
- Minimizing the amount of personal data collected, to the extent possible given state law requirements; and
- Training employees in cybersecurity best practices to reduce the risk of a data breach through phishing or other means.
The steps outlined above can reduce the risk of a data breach, though they cannot eliminate such risk for any company, including any marijuana-related business. Companies are advised to seek out legal counsel to assist them in establishing and maintaining compliance with best practices to reduce the risk of, and respond appropriately to, data security issues.