As we’ve blogged in the past, the cannabis industry is particularly susceptible to cyberattacks. With threats like a federal crackdown and workplace drug testing, customers have a vested interest in keeping their information private. Unfortunately, the newly-legal cannabis industry has limited experience with data security. While traditional industries have the benefit of expertise and mature regulatory oversight to foster best cybersecurity practices, the cannabis industry is largely forging its own path. This problem is especially stark on the recreational side, where customers aren’t protected by patient confidentiality requirements.
Luckily for consumers, Massachusetts and many other states do not require marijuana retailers to record customer information. Some states have gone even further — like Oregon, with its new law prohibiting cannabis retailers from “recording, retaining or transferring information contained on a passport, driver’s license, military identification card or other identification cards.”
But as Foley Hoag and others have pointed out, the cannabis industry needs data to attract big-ticket investors. Venture capitalists want assurances that their investment will turn a profit, and to have those assurances they need information about brand preferences, strain preferences, buying and consumption habits. In short, they need data collection.
Given the collision course between consumer privacy and the cannabis industry, here are a few tips for new marijuana businesses on how to minimize cybersecurity risks.
1. Protect Your Computers. The most basic step a company can take to protect sensitive information is to secure its computers. This involves conventional security measures like anti-virus software, encryption, firewalls, and other perimeter defenses, but also securing physical access to the computers or servers that contain customer data. Ideally access should be limited to one or two individuals needed to perform critical functions. Companies might also wish to consider additional security measures, such as two-step authentication, limiting access to IP and MAC addresses, and using a Secure Sockets Layer for point-to-point protocol. Finally, in order to keep up with new and innovative cyberattacks, always make sure that your security patches are current.
2. Train Your Employees. Have clear security guidelines, and provide training at regular intervals. Important topics to cover include strong password creation; avoiding phishing and other common email-based schemes; internet safety; USB and other device policies; and generally practicing good machine hygiene by limiting what programs can be installed onto work computers.
3. Conduct Regular Inventories of Sensitive Data. If you don’t know where all your sensitive data is located, you can’t properly secure it. Companies should do a monthly check of sensitive data locations and risks. Important questions to consider include:
What information do you collect?
Where is it stored?
Who has access?
How is it currently protected?
4. Vet Your Service Provider. Whether to use a cloud and/or wed-based computing platform or rely on an onsite server is a matter of ongoing debate in the cannabis industry. Cloud-based platforms are cheaper and don’t require that companies store expensive and delicate equipment onsite. However, recent cybersecurity breaches have led some in the industry to question their security. For example, in January 2017, the national database MJ Freeway, a multi-service compliance program used by medical marijuana dispensaries across the country, was the target of a cyberattack. The attack left over 1,000 marijuana dispensaries unable to track their sales and inventories. Because of state regulations governing marijuana sales, some dispensaries were forced to close early or shut their doors completely. The disruption lasted weeks and meant that many patients could not obtain access to their medication.
Putting your trust and data in the hands of third-party providers is a risk, but it may be a risk that many marijuana companies have to take. According to Intuit, 78 percent of small businesses will be fully adapted to the cloud by 2020. Maintaining an onsite server is simply too costly. To reduce the risk, companies should thoroughly vet potential service providers. Questions to consider include:
Where is the data stored?
What certifications do those data centers hold?
Do they have a published data security disclosure?
Does the information leave the United States?
How long has the company been in business?
Has the company suffered any data breaches?
5. Maintain Your Own Data Backups. No service provider is perfect, even a thoroughly vetted one. MJ Freeway customers that maintained their own uncorrupted data backups were able to restore service quickly. Maintaining your own regular backups is essential.
6. Establish a Response Plan. Cybersecurity breaches are always a possibility, even with the best security practices in place. It’s important for companies to establish a response plan in case the worst happens. The primary objective of a response plan should be to manage a cybersecurity breach quickly and efficiently in a way that limits damage, increases the confidence of customers, and reduces recovery time and costs. It should also include a communication plan regarding how the companyu will alert staff and customers of any threats involving their personal information.