by Eliyahu S. Scheiman, JD and Stephanie M. Garfield, JD
Even during this unprecedented time, as millions of Americans confine themselves to their homes and companies temporarily shutter their retail operations, cybersecurity incidents will continue to affect the business world. Cannabis companies are particularly attractive targets for hackers because they possess a wealth of personal and healthcare-related information; plus, as smaller businesses, they are more likely to lack adequate cybersecurity frameworks.
Data breaches like the one experienced by point-of-sale software company THSuite earlier this year can reveal an astonishing amount of personal information about cannabis users, including their full names, phone numbers, dates of birth, medical information, signatures, and the amount of cannabis they have purchased. These types of incidents can subject cannabis companies to various state data breach notification laws and the Health Insurance Portability and Accountability Act (“HIPAA”) federal breach notification protocol in some circumstances and can have significant privacy implications for cannabis users due to the disclosure of the fact that they have purchased a federally illegal controlled substance.
Cannabis companies thus have a heightened responsibility to keep consumers’ personal and healthcare-related information private and secure, and complying with state and federal breach notification laws is only the tip of the iceberg.
The Legal Landscape
1. Written Information Security Plans
Because it is impossible to protect someone’s privacy without adequate security, complying with applicable information security requirements can serve as the foundation for a strong data privacy and information security compliance program. In some states, cannabis companies are required by law to have Written Information Security Plans (“WISPs”). For example, any business that owns or licenses “personal information” about a Massachusetts resident must have a WISP applicable to such records. WISPs should demonstrate that an organization will take reasonable steps to protect personal information and should reflect the company’s specific risk profile and actual information security practices. Strong WISPs are not limited to addressing Information Technology (IT) protections but also include:
- Designating an individual to maintain, update and oversee the program;
- Conducting a risk assessment to identify any foreseeable risks related to the security, confidentiality, or integrity of electronic, paper, or other records containing personal information;
- Restricting access to paper and electronic forms of personal information; and
- Overseeing third-party service providers that process personal information on an organization’s behalf and ensuring that the related agreements contain data security-related provisions, including indemnification clauses and contract remedies.
Cannabis companies should ensure that WISPs do not exist merely as “paper programs” and that the processes and controls they describe are actually implemented. They should also regularly review their WISPs (e.g., annually) to determine whether modifications are needed and evaluate their effectiveness after the occurrence of significant events like data breaches.
2. State and Federal Data Breach Notification Requirements
While a comprehensive WISP can help reduce risk, it is nearly impossible to guarantee that a data breach will never occur. This is especially true in the cannabis industry, where the lack of access to reputable banking due to marijuana’s federal illegality may lead companies to use less trustworthy banking services that are vulnerable to breaches. The track-and-trace software that most states require cannabis companies to use to report sales and inventory can also be susceptible to cybersecurity attacks.
Many cannabis companies are not aware that they may be legally obligated to notify affected individuals and state and/or federal regulators within a set timeframe after a data breach. State requirements can apply even if the company does not operate within a specific state and only collects the personal information of its residents. In addition, at the federal level, the HIPAA Breach Notification Rule can be triggered in some cases if medical marijuana dispensaries experience a breach of unsecured Protected Health Information (“PHI”).
Standard Operating Procedures (“SOPs”) that establish an incident response plan for a business to follow in the event of a data breach can enable a cannabis company to quickly investigate the nature and extent of the breach and contain and minimize the related damage. They can also address the need to work with legal counsel to determine what notifications to regulators or residents may be required. Since federal and state breach notification laws differ in terms of scope, notification timeframes and formats, different (and numerous) requirements may apply. Overall, a broad incident response SOP can provide a cannabis company with the procedural framework it needs to investigate and manage a data breach and prepare a timely and compliant response.
3. The “Crazy Quilt” of Data Privacy Laws
Data privacy, the other side of the information security coin, should also be top-of-mind for cannabis companies. The General Data Protection Regulation (“GDPR”), an EU regulation that became effective in May 2018, changed the data privacy landscape by giving individuals more insight into, and more control over, how their personal information is collected, used and shared. Since the GDPR became effective, many US states have passed laws, or have legislation pending, that have incorporated some of the GDPR’s key principles. This area continues to rapidly evolve. The US now has a “crazy quilt” of different state and industry-specific laws and regulations that govern the collection, use and disclosure of personal data.
California, the home of the largest cannabis market in the US, has led the charge to protect the personal information of its residents. The California Consumer Privacy Act (“CCPA”), a GDPR-inspired law, became effective on January 1, 2020 and applies to for-profit entities doing business in California that have annual gross revenue in excess of $25 million. While the CCPA’s requirements are too extensive to fully address here, under the statute covered businesses must update their website Privacy Policies and make other disclosures regarding how they use, collect and share the personal information of Californians. The CCPA also arms California consumers with new rights relating to their personal information (i.e., right to access the personal information, right to request its deletion, and right to opt out of its sale). Cannabis companies subject to the CCPA must therefore be in a position to identify and locate the personal information of Californians in order to respond to consumer requests within the requisite 45-day period.
Most notably, the CCPA will give California consumers the right to sue and seek statutory or actual damages if covered businesses fail to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” The fact that “reasonable security” is not defined in the statute and lacks a clear meaning in California may contribute to more plaintiffs filing suit. In the event of a data breach, a plaintiff could obtain statutory damages of between $100 and $750 per incident without ever showing that he or she was actually harmed as a result of the incident. Because the potential for damages is high, an increase in class action litigation is inevitable for companies across industry sectors; companies that are sued will then have to defend themselves in costly litigation proceedings.
As the CCPA’s enforcement date of July 1, 2020 looms, cannabis companies should have an understanding of their obligations under the statute, if any, and be compliant with the CCPA’s requirements if they are subject to the law.
While HIPAA is not a new law, its potential applicability to medical marijuana establishments must be considered. If medical marijuana dispensaries collect PHI and meet the definition of “covered entities,” they will be required to comply with HIPAA. The operations of each medical marijuana dispensary will determine the outcome of this analysis. For example, dispensaries that maintain individually identifiable patient information such as name, contact, medical and treatment information are likely to collect and store PHI; however, some dispensaries that operate on a cash basis may not retain individual records and thus may not be subject to HIPAA. In addition, medical marijuana dispensaries require documentation from a healthcare professional to obtain “treatment,” which has led the government to view the dispensaries as “healthcare providers,” and they could be regarded as covered entities if they engage in certain types of electronic transactions (e.g., using point-of-sale software that transmits and stores PHI in the cloud).
Overall, cannabis companies would benefit from determining which data privacy laws apply to their businesses and preparing a targeted data privacy compliance action plan to address the applicable requirements. These plans should include the development of key policies and SOPs, training for employees, and conducting auditing and monitoring activities in order to detect areas of non-compliance.
Key Elements of a Data Privacy and Cybersecurity Compliance Program for Cannabis Companies
While developing a compliance program to address the myriad state and federal data privacy and cybersecurity requirements may seem daunting, a few key compliance controls can go a long way. Cannabis companies should consider taking the following steps:
- Develop a robust WISP that outlines effective procedural, administrative, technological and physical safeguards for protecting personal information and ensure that the practices it describes are implemented;
- Consider developing a Data Privacy Compliance Policy to establish their minimum standards regarding the collection and use of personal information as well as their commitment to keeping personal information private and secure;
- Ensure that website Privacy Policies are compliant with all applicable laws and accurately reflect the company’s practices with regard to the collection, use and dissemination of personal information;
- Develop a strong Data Breach/Incident Response SOP that addresses the need to obtain advice from counsel regarding potential federal and state breach notification requirements;
- Train all employees, vendors and agents on applicable company policies, laws and regulations; and
- Ensure that contracts with third parties contain provisions requiring the third parties to comply with all applicable information security and data privacy requirements.
Cannabis companies should also periodically monitor and audit the key risk areas related to information security and data privacy.
While establishing a robust information security and data privacy compliance program may seem onerous, cannabis companies may want to capitalize on their customers’ strong desire for privacy. Customers might worry, for instance, that if their cannabis use ever became public, their jobs or insurance benefits might be in jeopardy. If cannabis companies can demonstrate that information security and data privacy are a fundamental part of their business model, not only will they be compliant, they will earn the trust and brand loyalty of their consumers. In this way, compliance can not only mitigate risk but can also become a valuable business asset.
- Data Breach Exposes Personal Details of Over 30,000 US Cannabis Users, available at: https://www.newsweek.com/thsuite-data-breach-marijuana-dispensaries-personal-information-leaked-exposed-1483645
- See 201 C.M.R. 17.00 et seq.
- Cannabis Companies are Overlooking Data Security Laws and Regulations, available at: https://www.jurist.org/commentary/2020/03/griffen-thorne-ccpa-cannibas/
- Cal. Civ. Code § 1798.150(a).
- Medical Marijuana Dispensaries and HIPAA, available at: https://www.marijuanadoctors.com/blog/medical-marijuana-dispensaries-and-hipaa/
This Article Was Co-Authored By:
Stephanie M. Garfield is an associate of Porzio, Bromberg & Newman, P.C. and a member of the firm’s Life Sciences Compliance and Regulatory Counseling Department. She is also a Director of Compliance Services with the firm’s subsidiary, Porzio Life Sciences, LLC (PorzioLS) and regularly advises life sciences and other clients on data privacy laws and regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation and the California Consumer Privacy Act. Stephanie also counsels pharmaceutical, medical device and biotechnology companies on a variety of compliance-related issues, including federal and state fraud and abuse laws, FDA promotional regulations, transparency and aggregate spend, industry standards regarding interactions with healthcare professionals, and sampling requirements. She can be reached at [email protected].