by Eliyahu S. Scheiman, JD and Stephanie M. Garfield, JD
Even during this unprecedented time, as millions of Americans confine themselves to their homes and companies temporarily shutter their retail operations, cybersecurity incidents will continue to affect the business world. Cannabis companies are particularly attractive targets for hackers because they possess a wealth of personal and healthcare-related information; plus, as smaller businesses, they are more likely to lack adequate cybersecurity frameworks.
Data breaches like the one experienced by point-of-sale software company THSuite earlier this year can reveal an astonishing amount of personal information about cannabis users, including their full names, phone numbers, dates of birth, medical information, signatures, and the amount of cannabis they have purchased. These types of incidents can subject cannabis companies to various state data breach notification laws and the Health Insurance Portability and Accountability Act (“HIPAA”) federal breach notification protocol in some circumstances and can have significant privacy implications for cannabis users due to the disclosure of the fact that they have purchased a federally illegal controlled substance.
Cannabis companies thus have a heightened responsibility to keep consumer’s personal and healthcare-related information private and secure, and complying with state and federal breach notification laws is only the tip of the iceberg.
The Legal Landscape
1. Written Information Security Plans
Because it is impossible to protect someone’s privacy without adequate security, complying with applicable information security requirements can serve as the foundation for a strong data privacy and information security compliance program. In some states, cannabis companies are required by law to have Written Information Security Plans (“WISPs”). For example, any business that owns or licenses “personal information” about a Massachusetts resident must have a WISP applicable to such records. WISPS should demonstrate that an organization will take reasonable steps to protect personal information and reflect the company’s specific risk profile and actual information security practices. Strong WISPs will not just be limited to addressing Information Technology (IT) protections but will also include:
Cannabis companies should ensure that WISPS do not exist merely as “paper programs” and that the processes and controls they describe are actually implemented. They should also regularly review their WISPs (e.g., annually) to determine whether modifications are needed and evaluate their effectiveness after the occurrence of significant events like data breaches.
2. State and Federal Data Breach Notification Requirements
While a comprehensive WISP can help reduce risk, it is nearly impossible to guarantee that a data breach will never occur. This is especially true in the cannabis industry, where the lack of access to reputable banking due to marijuana’s federal illegality may lead companies to use less trustworthy banking services that are vulnerable to breaches. The track-and-trace software that most states require cannabis companies to use to report sales and inventory can also be susceptible to cybersecurity attacks.
Many cannabis companies are not aware that they may be legally obligated to notify affected individuals and state and/or federal regulators within a set timeframe after a data breach. State requirements can apply even if the company does not operate within a specific state and only collects the personal information of its residents. In addition, at the federal level, the HIPAA Breach Notification Rule can be triggered in some cases if medical marijuana dispensaries experience a breach of unsecured Protected Health Information (“PHI”).
Standard Operating Procedures (“SOPs”) that establish an incident response plan for a business to follow in the event of a data breach can enable a cannabis company to quickly investigate the nature and extent of the breach and contain and minimize the related damage. They can also address the need to work with legal counsel to determine what notifications to regulators or residents may be required. Since federal and state breach notification laws differ in terms of scope, notification timeframes and formats, different (and numerous) requirements may apply. Overall, a broad incident response SOP can provide a cannabis company with the procedural framework it needs to investigate and manage a data breach and prepare a timely and compliant response.
3. The “Crazy Quilt” of Data Privacy Laws
Data privacy, the other side of the information security coin, should also be top-of-mind for cannabis companies. The General Data Protection Regulation (“GDPR”), an EU regulation that became effective in May 2018, changed the data privacy landscape by giving individuals more insight into, and more control over, how their personal information is collected, used and shared. Since the GDPR became effective, many US states have passed laws, or have legislation pending, that have incorporated some of the GDPR’s key principles. This area continues to rapidly evolve. The US now has a “crazy quilt” of different state and industry-specific laws and regulations that govern the collection, use and disclosure of personal data.
California, the home of the largest cannabis market in the US, has led the charge to protect the personal information of its residents. The California Consumer Privacy Act (“CCPA”), a GDPR-inspired law, became effective on January 1, 2020 and applies to for-profit entities doing business in California that have annual gross revenue in excess of $25 million. While the CCPA’s requirements are too extensive to fully address here, under the statute covered businesses must update their website Privacy Policies and make other disclosures regarding how they use, collect and share the personal information of Californians. The CCPA also arms California consumers with new rights relating to their personal information (i.e., right to access the personal information, right to request its deletion, and right to opt out of its sale). Cannabis companies subject to the CCPA must therefore be in a position to identify and locate the personal information of Californians in order to respond to consumer requests within the requisite 45-day period.
Most notably, the CCPA will give California consumers the right to sue and seek statutory or actual damages if covered businesses fail to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The fact that “reasonable security” is not defined in the statute and lacks a clear meaning in California may contribute to more plaintiffs filing suit. In the event of a data breach, a plaintiff could obtain statutory damages between $100-$750 per incident without ever showing that he or she was actually harmed as a result of the incident. Because the potential for damages is high, an increase in class action litigation is inevitable for companies across industry sectors; companies that are sued will then have to defend themselves in costly litigation proceedings.
As the CCPA’s enforcement date of July 1, 2020 looms, cannabis companies should have an understanding of their obligations under the statute, if any, and be compliant with the CCPA’s requirements if they are subject to the law.
While HIPAA is not a new law, its potential applicability to medical marijuana establishments must be considered. If medical marijuana dispensaries collect PHI and meet the definition of “covered entities,” they will be required to comply with HIPAA. The operations of each medical marijuana dispensary will determine the outcome of this analysis. For example, dispensaries that maintain individually identifiable patient information such as name, contact and medical and treatment information are likely to collect and store PHI; however, some dispensaries that operate on a cash basis may not retain individual records and thus may not be subject to HIPAA. In addition, medical marijuana dispensaries require documentation from a healthcare professional to obtain “treatment,” which has led the government to view the dispensaries as “healthcare providers,” and they could be regarded as covered entities if they engage in certain types of electronic transactions (e.g., using point of sale software that transmits and stores PHI in a cloud).
Overall, cannabis companies would benefit from determining which data privacy laws apply to their businesses and preparing a targeted data privacy compliance action plan to address the applicable requirements. These plans should include the development of key policies and SOPs, training for employees, and conducting auditing and monitoring activities in order to detect areas of non-compliance.
Key Elements of a Data Privacy and Cybersecurity Compliance Program for Cannabis Companies
While developing a compliance program to address the myriad state and federal data privacy and cybersecurity requirements may seem daunting, a few key compliance controls can go a long way. Cannabis companies should consider taking the following steps:
Cannabis companies should also periodically monitor and audit the key risk areas related to information security and data privacy.
While establishing a robust information security and data privacy compliance program may seem onerous, cannabis companies may want to capitalize on their customers’ strong desire for privacy. Customers might worry, for instance, that if their cannabis use ever became public, their jobs or insurance benefits might be in jeopardy. If cannabis companies can demonstrate that information security and data privacy are a fundamental part of their business model, not only will they be compliant, they will earn the trust and brand loyalty of their consumers. In this way, compliance can not only mitigate risk but can also become a valuable business asset.
 Data Breach Exposes Personal Details of Over 30,000 US Cannabis Users, available at https://www.newsweek.com/thsuite-data-breach-marijuana-dispensaries-personal-information-leaked-exposed-1483645.
 See 201 C.M.R. 17.00 et seq.
 Cannabis Companies are Overlooking Data Security Laws and Regulations, available at: https://www.jurist.org/commentary/2020/03/griffen-thorne-ccpa-cannibas/
 Cal. Civ. Code § 1798.150(a).
 Medical Marijuana Dispensaries and HIPAA, available at: https://www.marijuanadoctors.com/blog/medical-marijuana-dispensaries-and-hipaa/
This Article Was Co-Authored By:
Stephanie M. Garfield is an associate of Porzio, Bromberg & Newman, P.C. and a member of the firm’s Life Sciences Compliance and Regulatory Counseling Department. She is also a Director of Compliance Services with the firm’s subsidiary, Porzio Life Sciences, LLC (PorzioLS) and regularly advises life sciences and other clients on data privacy laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation and the California Consumer Privacy Act. Stephanie also counsels pharmaceutical, medical device and biotechnology companies on a variety of compliance-related issues, including federal and state fraud and abuse laws, FDA promotional regulations, transparency and aggregate spend, industry standards regarding interactions with healthcare professionals, and sampling requirements. She can be reached at [email protected].
Scheiman concentrates in business litigation, insurance coverage, insurance regulations and compliance, management-side employment counseling and litigation defense, emerging issues associated with state-legalization of cannabis, cannabis licensing, cannabis compliance, and appellate work and defense of private and public entities in tort actions. He co-chairs Porzio, Bromberg & Newman P.C.’s cannabis law practice, and is a member of Porzio Compliance Services, which leverages complementary resources from the law firm and its other subsidiaries, Porzio Governmental Affairs and Porzio Life Sciences, to provide regulatory, legal and business services to cannabis clients. Porzio Compliance Services also regularly performs information and data compliance services. Scheiman is also a member of the International National Cannabis Bar Association, where he chairs the Legislative Advisement Committee.
He is a principal in the firm’s Litigation Practice Group. Scheiman can be reached at [email protected].
Your email address will not be published. Required fields are marked *
Save my name, email, and website in this browser for the next time I comment.
Notify me of follow-up comments by email.
Notify me of new posts by email.
Cannabis industry representatives told Oklahoma lawmakers during an interim study Monday that adopting standard practices used by food and drug makers could make medical marijuana cheaper and safer. They tried to sell lawmakers on process validation, a system where data is collected at different stages of manufacturing to ensure safety. Apothecary Farms and Apothecary Extracts…
by Hilary Bricken, Principal, Harris Bricken Back in 2015, we wrote about the U.S. Postal Service (“USPS”) taking issue with companies placing cannabis ads in the mail. In a written notice dated November 27, 2015, issued by the Portland, Oregon, District Mailing Requirements Office, the USPS explained: [i]f a mailpiece contains an advertisement for marijuana,…
The first day of adult-use marijuana sales in Montana will be Jan. 1, 2022. Montana Department of Revenue leaders say they’re confident that they’ll be ready for that important date, but there’s a lot of work to do over the next two months. “The deadlines are aggressive,” said Kristan Barbour, administrator of the department’s Cannabis…
The head of the state’s Cannabis Control Board has declared businesses giving away marijuana as a promotion with the purchase of an overpriced T-shirt, lighter or other item are breaking the law. Tremaine Wright, the former state Assembly member who chairs the regulatory body for New York’s newborn marijuana industry, addressed the increasingly common practice…