As 2019 came to a close, tens of thousands of customers across multiple U.S. cannabis dispensaries were impacted by a data breach linked to a point-of-sale software company.
Cannabis businesses are particularly vulnerable to cyberattacks due to the vast amount of personally identifiable and protected health information that they are required to collect and store, as well as any trade secrets they maintain in their company databases.
Here, HUB International, an insurance broker that provides business and personal insurance as well as employee benefits across North America, outlines some cybersecurity best practices for cannabis cultivators and distributors to help them combat cybercriminals.
1. Limit the number of people that have access to your secret sauce.
This is especially important when sharing details with third-party vendors. When workers are harvesting crops, or a cultivator is renting land from farmers and planting on it, proprietary information should be kept in the hands of just the few who need it—and no one else.
2. Secure your R&D process.
If cultivators have created a cannabis formula that boosts energy, or reduces anxiety or pain, these “recipes” are their intellectual property—it’s what gives them a competitive advantage. Growers should consider the way they store the information behind the R&D of their cannabis crops. Is it on an electronic file, or a computer desktop? What type of credentials do people need to access it? While most businesses will use a third-party cloud service, many growers maintain their own servers because of this risk.
Distributors must also do their part to protect cultivators’ R&D information. Many cannabis distributors have access to their grower’s proprietary R&D information so they can speak intelligently about the product, and understand which products are best for buyers with different medical symptoms. Cultivators should ensure their employees don’t reveal enough to open their supplier to a potential cyberattack.
3. Institute strong employee oversight rules.
Every employee does not need to have access to every sale, or the entire database of proprietary customer information. Businesses should consider delegating jobs behind the sales desk. Give each employee the access they need to do their job—and that’s it.
4. Know where and how your buyer information is stored, and understand how it can potentially be breached.
If employees are scanning driver’s licenses, or even if the business keeps paper files, consider where they are stored. Maybe it’s in a secure area off site, or on a protected network. Maintain compliance with HIPAA, state statutes and requirements for cannabis distribution.
5. Explore your cannabis cyber insurance coverage options.
Cannabis businesses are hard to insure for every type of risk. Although this will continue to some extent as long as cannabis remains illegal at the federal level in the U.S., cyber insurance options for cannabis business have opened up and prices have recently come down. Know that cyber policy underwriters will conduct additional due diligence, going beyond the typical policy application, asking cannabis companies what types of information they collect from their consumers, how they store it and how they access that information at a later date.
Editor’s Note: This article was adapted from HUB International’s blog post titled “Cyber Risk: Growing Like Weeds for Cannabis Growers and Distributors."
