Cannabis companies should remain mindful of the importance of creating and maintaining a comprehensive written data security program. No cannabis company should aspire to being subject to response costs, regulatory fines, and potential lawsuits that follow the theft or inadvertent disclosures of legally protected or commercially sensitive data or, even worse, harming customers by enabling disclosure to the public that they purchased a federally controlled substance. Here are three tips about data security requirements that all cannabis licensees should consider.

1.   Cannabis Companies Should Have a Written Data Security Plan.

Written information security plans (WISPs) are required for certain cannabis operations by federal or state law (including medical cannabis providers under the HIPAA-HITECH federal health data law and all Massachusetts cannabis companies under its broad 201 CMR 17.00 data rules), and are highly recommended for all businesses. Cannabis companies hold high-value data, including:

• personal information (PI) from employees and customers. PI includes an individual’s name plus a confidential number, such as social security, bank account, or debit/credit card;
• non-PI but commercially sensitive customer list information; and
• for medical cannabis companies, personal health information (PHI). PHI is information, such as prescriptions and insurance information that identifies an individual and is used to determine appropriate health care.

A comprehensive data security program and WISP safeguards all of this protected and sensitive data in a manner commensurate with its importance.

2.   The Written Security Plan Should Be Comprehensive.

Many existing WISPs focus narrowly on information technology (IT) protections, such as firewalls, virus protections, and controlling access to sensitive information. A sound WISP should address non-IT components as well. Key elements in developing a comprehensive WISP include:

• identifying one or more responsible persons charged with maintaining and updating the WISP (usually a top official, office manager, IT manager, or HR manager);
• conducting a risk assessment to identify the locations of, and assess risks to, the security, confidentiality, and integrity of all electronic or paper records containing PI/PHI;
• establishing and enforcing disciplinary measures for employees who commit WISP violations, up to and including termination;
• preventing terminated or disgruntled employees from accessing and misusing records containing PI/PHI;
• overseeing service providers possessing your PI/PHI by retaining responsible providers and requiring contractual clauses that specify security obligations and contract remedies;
• maintaining reasonable restrictions on access to paper records containing PI/PHI, including use of clean desk policies and locked cabinets and offices; and
• reviewing the WISP annually – or when material business occurs that that might require an upgrade, including any security breach.

With respect to IT protections at the heart of a WISP, requirements should include:

• employee user ID and password controls;
• controls restricting access to PI to authorized employees;
• use of encryption on outgoing emails containing PI/PHI;
• use of laptop encryption for personnel with access to employee or customer PI/PHI;
• up-to-date firewall protection and either automatic or scheduled installation of operating system security patches;
• malware protection and reasonably up-to-date patches and virus definitions that are set to receive security updates on a regular basis; and
• employee education and training (periodically or as needed) on the computer security system and importance of PI/PHI security.

3.   Written Plans Should Include Breach Response Provisions.

Developing an effective incident response plan may be as important as having a WISP. Many harms caused by a breach can be attributed to slow moving or ineffective company responses. Consequently, WISPs should have sections or separate addenda addressing incident response planning in order to guide company personnel at all levels in managing a potential data breach, including the following key elements:

• Identify an Internal Team. The response team’s size will depend on the company’s geographic reach, sophistication, and data loss exposure, but can include:
  • a top company official (to authorize expenditures);
  • the WISP responsible manager(s);
  • legal counsel (both internal and outside counsel);
  • an IT manager;
  • an HR manager;
  • an operations manager; and
  • corporate communications or government affairs personnel.

• Identify External Data Security Resources. Breach developments can get out of hand before the company can identify, interview, and hire experts necessary to minimize liability. A good plan will identify each outside resource, along with day and weekend contact information. In addition to legal counsel, the following should be considered:
• computer forensics experts who can image a potentially compromised computer server or network, confirm and analyze the extent of a breach, and fix the problem;
• outside public relations professionals who can help with public statements and press contacts;
• operations personnel who can help with dissemination of written or electronic materials to customers or creation of website notices; and
• insurance brokers who can identify available breach-related benefits and help file loss claim notices.

• Create an Action Item Checklist. Response plans should include a checklist of prioritized action items to be commenced immediately following a potential significant data breach, including:
• recording the date and time the breach is discovered;
• finalizing and activating both the internal and outside response teams for the type of breach;
• establishing a secure perimeter around equipment or systems believed to be part of a breach and taking potentially compromised systems off-line to avoid additional incursions;
• conducting initial interviews using counsel of those with critical knowledge of the potential breach;
• getting forensics personnel on site to make a secure copy of affected systems, so they can be fixed without compromising assessment of the manner of breach;
• discussing action items to be undertaken over the next days or weeks, including identifying individuals affected by the breach and complying with breach notice requirements for their states of residency; and
• importantly, for hacked computer systems, avoiding making public statements until forensics confirms an unauthorized incursion has occurred – insofar as a false alarm can do serious and unnecessary harm to the company’s reputation.

As cyber threats and data breaches continue to increase, businesses remain targets for cyber criminals. Implementing a robust, comprehensive WISP and developing an effective incident response plan will help ensure that your cannabis business minimizes chances of experiencing a harmful data breach, and preserve your financial resources, customer loyalty, and reputation.