Blossoming cannabis industry faces unique cyber risks
Some states' seed-to-sale tracking and identification requirements make the legalized cannabis industry easy prey for hackers.
All companies face cybersecurity threats, but the legalized cannabis industry’s storage of personally identifiable information and reliance on seed-to-sale tracking software can place it firmly within hackers’ crosshairs.
To be sure, despite currently being prohibited from storing cash in banks, some cannabis entities do process valuable personally identifiable information (PII).
“Just because there’s more physical cash than electronic transactions, doesn’t necessarily make these companies less of a target for hackers,” wrote Robinson & Cole associate and data privacy and cybersecurity associate Kathryn Rattigan in an email. “Most of the point-of-sale systems automatically report to the state’s compliance tracking system, which might include the individual’s name, birth date and contact information based on the scanning of a driver’s license or state-issued ID card.”
Rattigan noted such data could be targeted by cybercriminals, including “ethical hackers” who don’t agree with the legalization of cannabis and seek to expose consumers.
Indeed, there have already been hacks of some cannabis platforms containing personal data, including Pennsylvania-based seed-to-sale software MJ Freeway’s reported hack in 2018 and security breach in 2017.
When any vendor is under siege, clients’ work may be disturbed, but this disruption may be more acute in the cannabis industry given some states’ required usage of seed-to-sale software.
“If MJ Freeway goes down, which it does, all marijuana sells comes to a grinding halt,” said Steve Schain, a senior attorney at cannabis and hemp law firm Hoban Law Group.
While such an operational disturbance is generally out of clients’ hands, Harris Bricken data security attorney Griffen Thorne said most legalized marijuana companies have a higher cyber risk for two reasons. For one thing, many of the startups aren’t investing in cybersecurity, he said. In addition, cannabis “companies may be more unwilling to report incidents to the FBI or local law enforcement compared to other industries, that may be a thought cyber attackers have.”
Still, while cannabis manufacture Natura Life + Science business development director Manndie Tingler noted that stolen PII is a concern, she said the cannabis industry’s top threat is copyright infringers.
“A lot of this is right now coming in the form of a lot of people having counterfeit products including batch number falsification and stealing their copyrighted material and a lot of it is coming from the illicit market,” Tingler said.
As cannabis companies attempt to combat bad actors, most won’t find data privacy or cybersecurity guidance or requirements in the laws permitting the sale or use of marijuana. Instead, companies are regulated by states’ data breach notification laws and possibly the California Consumer Privacy Act (CCPA) when it goes into effect Jan. 1, 2020, if they fall under that law’s requirements.
“I think a lot of these companies are moving toward digital, at least some part of the company, and most likely the CCPA will apply to them,” Thorne noted.
See also: