Virtually everyone knows about breaches of companies like Equifax. Massive breaches have happened to established mega-companies, which still took major reputational and monetary hits after they were breached. What many people don’t realize is that it doesn’t take a major breach to devastate a business. We don’t want to be dramatic, but we also don’t want to downplay the significance of breaches—they are coming, and cannabis companies that are not prepared may be left in the dust.
Data breaches can range from malicious hacking to the simple loss of a laptop containing unencrypted “personal information”. In either case, if statutorily defined classes of personal information were accessed or acquired without authorization, the party who held the personal information must provide written notification to the affected individuals within a relatively short period of time, and in many cases to other services like credit monitoring. This may seem like a straightforward process. It is not. Just figuring out what kinds of information may have been accessed and whose information may have been accessed could take tens of thousands—if not hundreds of thousands—of dollars in forensic review.
Take the following example: A human resources manager is the victim of a phishing attack. Typically, forensic review of the affected account may need to be undertaken to determine what part of the manager’s email account was accessed—did the attacker review one email, or access the entire mailbox?