For the past several years, cyberattacks on private businesses and public agencies alike have been on the rise. What that means, specifically, varies from case to case, but generally these events compromise a company’s data or hold certain information “hostage” for a proposed ransom.
With the ratcheting war in Ukraine, warning signs are flashing over the threat of even more cyberattack activity in the weeks and months to come.
Businesses remain vulnerable to attacks that remain hard to predict and hard to perceive.
Michael Sampson, partner at Leech Tishman and member of the firm’s litigation practice group, says that cannabis businesses (and businesses of all stripes) would do well to assess the risk of those attacks to the best of their ability—and to prepare. He outlines three ways to think about that.
“Cyber risk remains very significant across the cannabis industry and across the U.S. commercial landscape generally, because this is really an area where the cannabis industry faces the same types of risks that many other businesses face,” he says. “The risk to the cannabis industry may be greater in some respects, but it's certainly no less than any other business.”
The first step, after registering one’s shock at being attacked by a certain cyber threat, is to communicate transparently with law enforcement. Cyberattacks are indeed occurring more frequently, but that doesn’t mean they are any less significant or potentially damaging to victims. Get onboard with law enforcement right away to keep the matter transparent—and to secure any hope of a clear recovery.
This is also just a practical matter. Without communicating the attack to a law enforcement agency, your business may be missing out on possible insurance benefits—like payment of a cyber ransom.
“There is certainly, in many cyber policies, a requirement that the policyholder provide notice to the appropriate authorities—which is often the FBI in the case of a cyberattack—in order to access and have the right to insurance coverage,” Sampson says. “Regardless of whether or not the FBI actively chooses to investigate a cyberattack affecting the cannabis industry, it's still incumbent on an affected cannabis-related business to give the requisite notice to the FBI. The forms are available, so go ahead and fill those out so that the FBI has the ability to look into the crime—and also so that the preconditions for insurance coverage are satisfied. Keep in mind that what we've seen recently is an attack or attacks that are affecting multiple businesses at once.”
Cannabis businesses may not be caught in a silo in the event of a cyberattack. It can be very helpful to an investigation for all affected parties to have their names thrown into the ring for further communication on the ramifications of the attack.
And don’t get scared off by those letters: F. B. I. Just because cannabis remains a federally illegal industry, the FBI is not necessarily precluded from investigating crimes like this. Consider the IRS during tax season.
Have a Plan of Action
Two-factor authentication can be a helpful tool—and a helpful phrase to keep in mind. One segment of the growing variety of cyberattacks is the phishing scam or the social engineering scam. The general idea is that a cyberattacker will target a company’s employees with requests for wire transfers or even some sort of business transaction related to, say, cannabis product distribution. These enticements can end up drawing employees into a trap wherein corporate information is compromised—opening the company to a potential data breach.
Authenticating any unusual requests—either through software or through an old-fashioned phone call to your telecom provider—can cut those attacks off at the pass.
“Companies need to do a health and welfare check of their cybersecurity and data privacy infrastructure and protocols,” Sampson says. “With a hurricane, you don't want to find out that your windows were warped only after the hurricane passes through. Some of these steps will be important to your insurance company, because they'll be looking for evidence—whether you have certain safeguards in place—and that can result in the lower premiums.”
Those health and welfare checks can provide action items for shoring up security. Identify red flags now—not later.
Read Your Third-Party Agreements Closely
That might go without saying, but the nuance here is in the data security details.
A third-party text message marketing vendor might be a terrific partner for your business. But that opens the door to digital risks and TCPA compliance needs.
Much like the health and welfare check your business will perform internally, it helps to communicate clearly with those third-party vendors about the safeguards that may or may not be in place to protect against cyberattacks or legal liabilities.
“If you're a cannabis-related business and you are negotiating a service agreement with a third-party provider who’s going to have access to your data or store your data or have access to your systems, you as the cannabis-related business want to know what the other party’s contracting systems look like,” Sampson says. “What type of safeguards do they have in place?”
In the event of a data breach, your own cannabis-related business could easily be brought into the legal ramifications. Consider the insurance and indemnification clauses that might surround partnerships like that.