All annual cannabis business licensees in California are required to use the state's Cannabis Track-and-Trace system, built on the METRC platform, which lets regulators follow cannabis through its entire life cycle and down the supply chain (cultivator to manufacturer to distributor to testing lab to retailer and, eventually, to the consumer) and confirm that licensed cannabis does not end up in the wrong hands. To comply, however, operators must collect and retain a large volume of valuable data, and every record they are required to keep is also a record that can be exposed, which raises their liability in the event of a cybersecurity incident.
Cannabis Licensee Data Collection

The California Department of Food and Agriculture, which administers the state's cannabis track-and-trace system, requires annual cannabis business licensees to begin using the METRC system within 15 days of licensure. The track-and-trace program is an electronic seed-to-sale tracking system that requires cannabis businesses to capture data points along the entire supply chain and record them so that the information is available online to regulatory authorities in real time.
Employee personnel records also must be maintained and made accessible to authorities. This includes every employee’s full name, social security number or individual taxpayer identification number, and the dates of employment. Local regulations vary by jurisdiction, but often require employment applications to include employee background checks, addresses and financial account information.
Cannabis retailers are responsible for checking each customer’s government-issued identification card and medical recommendation, as applicable, which may contain patient health information and medical condition. All business records must be kept for a minimum of seven years. If a business fails to maintain the requisite data, it could be subject to fines up to $30,000 per incident.
In addition to the above data, cannabis companies are beginning to employ electronic data collection to capture other operational information such as day-to-day operations management, evaluation of growth and productivity, consumer habits and information that the company submitted through the local permitting process.
Legal Implications of Data Retention

Under California law, any company that maintains specified categories of personal data in electronic form must implement safeguards to protect the security of that private information. See Cal. Civ. Code §§ 1798.29, 56.101. Because the state's cannabis regulations mandate that tracking data be available to regulators in real time, operators have no option to keep these records offline: they must support electronic data access, and with it the attack surface that comes with an internet-facing system.
More importantly, the volume and variety of data managed by cannabis businesses make them an attractive target, and an attacker can disrupt operations as well as steal records. For example, when the seed-to-sale software provider MJ Freeway was hit by a malicious attack in January 2017, business operations at more than 1,000 client dispensaries in 23 states were interrupted. Five months later, a portion of the company's source code was stolen and posted publicly on Reddit. Incidents such as these will become more common as the cannabis industry expands and draws the attention of malicious actors.
Risk Management Obstacles to Cannabis Data Privacy Defense

Cannabis companies preoccupied with licensing, regulatory compliance and day-to-day management may lack the time, resources or formal guidance to understand or prioritize data protection. This needs to change, with data privacy becoming a primary risk management objective of every cannabis business.
Another major obstacle is the lack of cannabis-specific cyber or data security insurance policies available on the market. We remain optimistic, however, that as data security becomes better understood by the cannabis industry, and as insurance carriers become more comfortable operating in the cannabis space, policies that offer real cyber/data security coverage will become available. California cannabis businesses should be particularly mindful of the state’s information privacy regulations and the California Confidentiality of Medical Information Act.
Minimizing Data Security Risks

One important step a cannabis business can take to limit its exposure to litigation arising from unauthorized data disclosure is to prepare a well-designed breach response plan that identifies what valuable data the company holds, how and where it is stored, and who has access to it, and that sets out clear lines of responsibility and authority for responding to a breach. A breach response plan helps ensure that exposure is minimized at every step. Companies that understand their legal obligations in advance will be best equipped to handle the aftermath quickly, meet statutory disclosure deadlines and lessen the financial impact of a breach.
Cannabis companies would be wise to consider implementing additional best practices to decrease their exposure to data security threats, including:
- Not sharing accounts or passwords, and requiring a unique, complex password of at least 12 characters for every account, which makes brute-force and credential-stuffing attacks far less likely to succeed
- Shredding anything sensitive that is on paper
- Using a private wireless network protected with current encryption (WPA2 or WPA3 with a strong passphrase) rather than an open or shared network, to keep out intruders seeking to "sniff" traffic
- Changing system passwords whenever compromise is suspected or an employee with access leaves, and implementing multifactor authentication on every account that can be reached remotely
- Training employees to recognize digital security risks such as phishing
- Backing up company data regularly, keeping at least one copy offline or otherwise unreachable from the production network, and periodically testing that the backups restore
- Testing system security (vulnerability scanning and penetration testing) to identify and fix weaknesses before an attacker does
- Obtaining cyber liability insurance when it becomes available for the cannabis industry.
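To make the password and multifactor items above concrete, here is an added example (not code from the original article or from any vendor it mentions) showing, in Python's standard library only, how a small system can enforce the 12-character policy, estimate why that length matters against brute force, store passwords with a slow salted hash, and check a time-based one-time code as the second factor. The breached-password list, the iteration count and the login function are assumptions constructed for illustration; the TOTP code follows RFC 4226/6238 and is checked against the RFC's published test secret.

```python
"""Password policy, brute-force cost, slow hashing and TOTP second factor.

Added example for illustration; not part of the original article. The
deny-list, iteration count and login_allowed() flow are constructed here.
"""
import hashlib
import hmac
import os
import struct

# Constructed stand-in for a breached-password corpus (real deployments check
# against a large breach list, e.g. via a k-anonymity lookup service).
BREACHED_PASSWORDS = {"password1234", "cannabis2020", "welcome12345"}

# Assumed PBKDF2-HMAC-SHA256 work factor; tune so a verify costs ~0.3 s.
PBKDF2_ROUNDS = 600_000


def password_policy_errors(pw, min_length=12):
    """Return the reasons a candidate password fails policy (empty = OK)."""
    errors = []
    if len(pw) < min_length:
        errors.append("shorter than %d characters" % min_length)
    classes = (
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    if sum(classes) < 3:
        errors.append("uses fewer than 3 character classes")
    if pw.lower() in BREACHED_PASSWORDS:
        errors.append("appears in a known breach list")
    return errors


def brute_force_seconds(length, alphabet_size, guesses_per_second):
    """Worst-case seconds to exhaust every password of this length."""
    return alphabet_size ** length / guesses_per_second


def hash_password(pw, salt=None):
    """Salted, iterated hash so an offline attacker pays per guess."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(pw, salt, stored_digest):
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored_digest)  # constant-time


def hotp(secret, counter, digits=6):
    """RFC 4226 HMAC-based one-time password (SHA-1, dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, for_time, step=30, digits=6):
    """RFC 6238 time-based code: HOTP over the current 30-second window."""
    return hotp(secret, int(for_time) // step, digits)


def verify_totp(secret, code, for_time, step=30, window=1):
    """Accept the code for the current window plus `window` steps of drift."""
    counter = int(for_time) // step
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False


def login_allowed(pw, salt, stored_digest, totp_code, totp_secret, now):
    """Both factors are evaluated before deciding, so a wrong password does
    not short-circuit and reveal which factor failed through timing."""
    pw_ok = verify_password(pw, salt, stored_digest)
    otp_ok = verify_totp(totp_secret, totp_code, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    for candidate in ("password1234", "Tr0ub4dor&3!xq"):
        print(candidate, password_policy_errors(candidate) or "OK")
    rate = 1e10  # assumed GPU rate against a fast, unsalted hash
    print("8 alnum chars:   %.0f s" % brute_force_seconds(8, 62, rate))
    print("12 printable:    %.2e s" % brute_force_seconds(12, 95, rate))
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret
    print("TOTP at t=59:", totp(secret, 59))
```

The brute-force figures are what motivate the 12-character rule: at the same guess rate, an 8-character alphanumeric password falls in hours while 12 printable characters take millions of years, and the iterated hash cuts the attacker's rate by orders of magnitude again. The drift window in verify_totp is the usual trade-off between clock skew tolerance and replay exposure; one step either side is the common default.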
Finally, upon discovering a breach or attack, it is critical to contact the company's IT team, legal counsel and cyber liability insurance agent immediately, and to preserve the affected systems and their logs for forensic review rather than wiping and rebuilding them before anyone has determined what data was accessed.
The growth of data breach litigation underscores the real and immediate exposure that cannabis operators face from both private litigants and public agencies. No risk management plan is complete until a cannabis business operator has acknowledged and prepared for the risks of managing digital data.