Member Blog: As Cannabis Sales Rise, So Do Questions About Privacy and Security
Frank Nisemboum, Vice President of ERP Sales at c2b teknologies
Legal cannabis is a big business that handles big data. From personalized data to protected health information to cannabis information that requires regulatory compliance with cybersecurity and data privacy laws, the entire cannabis industry faces data privacy and cybersecurity challenges not faced by other sectors.
But wait, other sectors have to navigate data concerns too, right? Cannabis is different. Aside from addressing all the typical privacy concerns, cannabis operators face an added layer of complexity due to industry-specific data collection and the mandatory retention requirements surrounding it.
Growing Cannabis Data Collection
A cannabis customer provides a vast amount of personally identifiable information every time they buy legal marijuana products. These individuals present a government-issued ID card to confirm they are at least 21 for adult-use purchases or prove they have a prescription to access medical marijuana. The data collected on each transaction includes customer or patient name, date of birth, address, phone number, driver’s license or medical ID card numbers as well as email addresses and signatures.
Cannabis dispensaries also provide equally large amounts of operations data to METRC (Marijuana Enforcement Tracking Reporting Compliance), used in 13 states and the District of Columbia. METRC is not the only government reporting company used to maintain cannabis compliance. For example, California relies on the CCTT (California Cannabis Track-and-Trace) system to report the inventory and movement of cannabis and cannabis products throughout the cannabis supply chain.
Cannabis legalization is expected to spread across the country to all 50 states now that adult-use cannabis is permitted in 11 states and Washington D.C. and 36 states allow medical marijuana. Many of those states require all cannabis licensees, both annual and provisional, to use METRC to track marijuana products through the entire supply chain.
Cannabis cultivators, manufacturers, retailers, distributors, testing labs, and micro-businesses need to manage and maintain those records for a minimum of seven years. It’s a tremendous amount of valuable data for cannabis companies to track, and it is the precious data cybercriminals and hackers seek out, including combinations of protected personal and health data like social security numbers and diagnoses with supplemental information like addresses and copies of ID cards.
If a cannabis company dispenses medical marijuana to patients or supports one that does, it falls under the regulatory oversight of the Health Insurance Portability and Accountability Act (HIPAA) and the Office of Civil Rights (OCR).
Safeguarding Cannabis Data
Legal cannabis and the data security issues it creates form multi-pronged challenges from a legal and technological perspective. The cybersecurity and data privacy requirements don’t come with a roadmap cannabis operators can borrow from other industries due to the massive repositories of personalized data that require regulatory compliance with cybersecurity and data privacy laws.
The collection, storage, and security of all this valuable data raise many privacy and security concerns, especially when guidelines for collecting the information vary by state. For example, Ohio and California must house personal data using third-party software to track inventory and retail point-of-sales, whereas Illinois dispensaries cannot store any personally identifiable information onsite and instead use cloud or other off-location services.
Healthcare companies make attractive targets for hackers and suffer data breaches more often due to their huge stores of protected health information (PHI). Medical dispensaries and supporting companies handle PHI too, but PHI is not all a cybercriminal may want from a cannabis operation.
Employee records often contain background checks and financial data along with personally identifiable information such as name, date of birth, and SSN, all in one nice package. And cannabis data has been breached several times in recent years.
Cannabis Data Breaches Happen
Even as a newly legitimized industry, cannabis organizations have already experienced high-impact data and security breaches. In early 2020, a database breach resulting from an unsecured Amazon S3 data storage bucket was reported; it impacted almost 30,000 people connected to the marijuana industry. The data breach included scanned versions of government-issued ID cards, purchase dates, customer history, and purchase quantities.
In 2019, a Canadian cannabis company exposed the electronic medical records of over 34,000 customers.
Between 2016 and 2018, the cannabis-tracking software provider MJ Freeway endured significant data breaches in which over 1,000 dispensaries in 23 states were hacked. Less than six months later, hackers stole a portion of MJ Freeway’s source code and posted it publicly to social media.
Prior to that, Nevada’s Medical Marijuana Program database was breached in 2016, exposing sensitive personal data of over 11,000 people involved in the Nevada cannabis industry. This breach included names, social security numbers, race, as well as home and business addresses.
Cannabis Operators Short on Cybersecurity Budgets
Cannabis companies are responsible for securing their data to protect their customers and staff. To prevent data leakage, point-of-sale machines need endpoint protection, encryption, and secure backups, along with proper network segmentation.
Unfortunately, some cannabis organizations fall short of installing appropriate cybersecurity measures, a shortfall that could have far-reaching effects on a cannabis user. Leaked personal data could have negative personal and professional consequences for the cannabis patient whose workplace prohibits cannabis use.
To avoid becoming an easy target, cannabis companies need to focus on data privacy and security just as much as marketing and sales. The penalties for having a customer’s or employee’s personally identifiable information and cannabis-related data exposed can be too expensive to ignore, and an exposure fails to give customers and employees confidence that their data is secure.
Vice President of ERP Sales, Frank Nisemboum, is a trusted advisor at c2b teknologies who has guided organizations of all sizes, enabling them to establish a technology presence and expand their business through technology. His proven ability to analyze the current and future plans of a company and work with team members to subsequently bring technology solutions to the organization results in improved processes and controls that assure continued growth and profitability.
Frank has worked in the ERP and CRM software selection, sales and consulting industry for almost 25 years. His strong ability to understand, interpret and match the needs of an organization to the right solution makes him an asset to all of his clients.
c2b teknologies’ integration and engineering experts have partnered with leading cannabis industry experts to develop a software solution that provides a complete cannabis operations system. The best-in-class solution not only handles tracking of seed-to-sale activities but encompasses your entire cannabis operations, with compliance needs handled along the way. Our passion for solving problems drives us to deliver innovative solutions for everyone we work with. Visit c2btek.com for more information.