Good morning; we are here today with Dan Goldstein of cannabisprivacyandsecurity.com, which is quite a mouthful. Welcome, and we appreciate you spending some time with us. Can you tell us a bit of when you started the business and why you started it?
I’ve been consulting in the privacy and data security area for many years and recently started cannabis privacy and security because we’ve seen a need in that industry, which I believe isn’t even recognized by many industry people. That need is the need to protect purchasers’ data, particularly cannabis products, and make sure that they’re informed of the use of their data and that they’re protecting the rights they have.
We’ve seen this in Europe, where we have GDPR, and we’ve seen California enact privacy laws and the right to be removed and the right to be forgotten. But yet, I would think that most smaller operators, for the most part, probably are not in compliance.
That’s right, and it depends – you mentioned small operators, a lot of small operators probably figure they can fly under the radar, and they may be right, but if they do get caught and there is scrutiny in this area, then there could be problems. The California law, California Consumer Privacy Act “CCPA” only applies to certain businesses. one of the thresholds is 25 million dollars in revenue. So there may be many small dispensaries in particular that don’t hit that bar, and they may think that they’re not subject to any compliance obligations. But in fact, there’s something called the FTC a – Federal Trade Commission Act, and section five of that act prohibits deceptive business practices.
If you are not informing an individual of the intended use of their data and you’re using it for purposes they’re not aware of, that could be seen as unfair or deceptive. So that’s just one issue.
Even if you’re not subject to a law like CCPA, another concern is the various breach notification laws across the country.
One of the significant challenges that we’re seeing is that many dispensaries are using SMS in violation of the disclosure laws because they need to get consent to do that. The consumers don’t particularly mind it, but in reality, they’re not in compliance.
That’s right, and it’s all fine until the consumers do mind. The question is, what’s going to trigger that? It might be the fact that they’re getting inundated with SMS marketing messages. Further, it might be that somebody’s capturing data from those SMS messages, and they’re going to disclose it. That’s a big issue because if there is a disclosure or breach of this data, even though we see that cannabis is more and more accepted in the US, some taboo is associated with it. So if there’s a breach of that data or unauthorized disclosure of that data, it can impact people’s employment can impact their ability to get insurance and any number of other kinds of reputational factors, so keeping that data secure becomes essential.
Exactly, it’s still not legal on the federal level, so there’s still that concern. But, furthermore, another particularly big piece is that the product is being sold as a medicinal product then puts you in a different classification as far as the data is concerned.
That’s right, and that might be different in various jurisdictions. If you’re in a state where it’s legal for medicinal purposes or even in California, for example, I know some of California’s counties ban the use. At the same time, it’s legal on the state level recreationally, or some counties are limiting it to medicinal.
So if you’re a dispensary and you’re medicinal, you’ve got HIPAA requirements; if you’re collecting health information, you would be in this instance. So with HIPAA, there’s a whole slew of requirements for privacy and data security that you need.
What are the big cybersecurity challenges that are facing the cannabis industry?
We’ve seen some breaches to date where personal data has been exposed. That’s always the big cybersecurity challenge. In a nutshell, you’re going to be breached, and data will be exposed. Now, when you dig into that a little bit deeper, this is a burgeoning industry where dispensaries, in particular, are gathering a lot of information about individuals.
They’re gathering driver’s license information when somebody enters a dispensary. They’re gathering purchase information. They’re possibly building profiles of individuals so that they can support loyalty programs. So when you’re gathering that much data, you target the bad actors out there who have perpetrated these breaches for years.
They’re going to start to pay attention, so this cybersecurity risk is just that – that more and more data the industry is collecting makes it a more attractive target.
It’s not only that they obtain that data, but what they do with it. Maybe bad actors sell that data or expose that data, but it’s also things like ransomware. We see a lot of ransomware across industries, not just cannabis, but across multiple industries. We read about it in the news all the time.
We’re also seeing many bigger players entering the space, meaning we’re aggregating more data into one place. For example, big entities like Tilray and some of those other companies, so if any of those smaller entities deal with the more prominent entities, they’re likely sharing the data across multiple channels.
That’s another excellent point. When the smaller entities share their data with the bigger entities, they should be doing diligence before sharing that data to ensure that bigger entities can secure it appropriately.
The questions that they might want to ask are:
- How is that data making its way over to these bigger entities?
- Is there a secured tunnel?
- Is there a VPN that is encrypted along the way?
- Is that larger entity encrypting the data when it’s at rest with them?
- Are they sharing it further with other companies?
All of these questions should be asked because if you’re the dispensary and it’s your data originally, and you’re sharing it with a third party and that third party is breached, there’s a good chance that some of the liability or responsibility is going to flow back to you.
Privacy and Data Security for Cannabis Businesses
Then how do cannabis businesses go about beginning to protect themselves? Hiring you, obviously. But, tell us more.
Several things should be done. The first thing is you want to be transparent with your customers about what you’re doing. This means that when they enter your dispensary,
there should be privacy notice available to them. Particularly if you’re collecting information just upon entering. If you’re collecting driver’s license information, your clients should know why you’re doing that and where that information will go.
There are questions about the effectiveness of notice because some dispensaries may post something that nobody will read. Still, there should be an effort to ensure that visitors know what will be done with the data.
Furthermore, if you are doing things like tracking purchases, point-of-sale systems automatically track and compile purchase information to support loyalty programs; those should be opt-in. Clients should not suddenly be receiving emails from a dispensary saying, “Hey, you have x amount of points because you made this purchase in that purchase” without their consent. You want to make sure that you’re getting their agreement to participate in those kinds of things.
Also, things that you should be doing on the back end are ensuring that you have a good security policy in place and that that can be implemented. Typically you know you had a policy at one level procedures. Another level down tells people on the security side responsible for your systems precisely what needs to be done.
Operators should have access controls in place, ensure the sensitive data is encrypted, and ensure that those policies are implemented and audited. Also, it is essential to train staff on the importance of data privacy and security on the privacy and security side.
Data Privacy Compliance
I know if you’re a small to medium-sized dispensary, these probably seem like intensive obligations, but they’re essential. But, on the other hand, they’re not very much when you consider that if your data is breached, you’re going to have a state attorney general breathing down your neck potentially, or you might be a party to lawsuits under California CCPA for private rights of action for breaches, so you want to take it seriously.
How much responsibility does the consumer have because the organization or the dispensary has provided the appropriate paperwork? Most of us sign the bottom line without reading it because we want what we want? Does that relieve the organization of any obligation because they’ve given us the policy?
It’s a great question, and the answer is that yes, it does relieve them of some responsibility because they’ve done what they’re meant to do. They’ve informed the consumer of what’s going to happen with the data. At that point, it’s really up to the consumer. The consumer has to be responsible. I understand the mindset of I want what I want, and I’m just going to either check the box or not read this, and I’ve been involved in privacy for 20 years.
If there’s an app that I know I want or need and a privacy statement comes up, I’m going to click through it.
My understanding of security and privacy in these systems is only as good as whether or not you actually audit them and check them. Many organizations will paper their files and go through the initial effort of setting up systems to meet compliance, but are they following up with testing them to ensure they’re secure? Do they conduct audits? What do you see?
That depends on the individual entities. It’s difficult for a single dispensary that’s maybe running everything off a very simplistic network, and they have maybe one person, or perhaps it’s an outsourced IT person. It’s difficult for them to do those audits, but it’s necessary.
You want to look back. You want to check your logs. You want to make sure that things are as they’re meant to be. That isn’t any unusual activity or intrusions. You need to toe the line
you can’t just say we’re doing this; you have to do it.
An easy example is access controls; here’s the type of thing that might escape a small dispensary. An employee has access to their systems; then that an employee gets fired or quits, and you know they don’t have an IT person on-site and they forget about it for a week or two weeks and in this week or two weeks that person goes back into the system and takes a whole bunch of data and does something with it they shouldn’t be doing.
Companies need to walk the walk if you talk the talk.
The other thing we commonly see is sharing credentials or sharing information. They may share a badge to gain access or share a password because it is quicker. I’ve come up through the banking industry, which is very highly regulated and very much understands data compliance and stuff like that. I think that would be overkill for the cannabis industry. Especially at this stage, but will it move to that?
It might, and I think that the driver will be what we see in terms of breaches. Whether or not it will be regulated at a state level or a federal level will be some industry association that creates some self-regulation.
I do think that as we see more and more breaches, something’s going to happen on that front, and there will be requirements, whether mandatory state, federal, or voluntary, and highly recommended by an industry group. So I think we’ll see that happen.
One of the challenges is the changing nature of the breaches. It used to be that there would be a breach at your company, and the bad actors would steal the credit card information, and within 24 hours, you could start to see activity online trying to use the stolen data. so at least you knew when it
The challenge now is the schemes’ sophistication has changed what they do with the data obtained during those breaches. The information won’t readily appear online, which is how we typically become aware whether or not there’s been a breach; we see it somewhere else.
Now, they are using data from disparate sources to build even bigger, targeted profiles. And because we don’t immediately recognize these new profiles, we may miss a breach that had occurred. So what happens is we learn that you know that data was breached a year and a half ago, and they’ve had that data for a year and a half.
That’s a changing nature of the breaches that we see. none of the stand-alone breaches in themselves seemed all that vulnerable, and we didn’t see them online. So, for example, we saw a breach of healthcare data, saw breaches of financial data, and saw bank data breaches. Yet we didn’t see the activity online, which as a security person you’re like, you know they’ve taken it why aren’t they using it?
What happened was is they did numerous breaches and then what they did was they aggregated these three pieces of information because now you have the health record, the medical records, the financial records, and their financial statements. So you can start to target people, as you said with ransomware or other types of things, and you know you get a much bigger and better profile.
When you start to see data sources from three or four places, there’s no question that the perpetrators of these breaches are getting more and more sophisticated; it’s becoming more challenging to catch them because they’re operating in cryptocurrencies, so it’s harder to track them.
The volume of data available is attractive, and if they have a large retailer, that volume of data in and of itself might be enough for the perpetrator to get the value they want. As you said, they might aggregate across, I don’t know, multiple dispensaries in a region and optimize the value of the data they can get there. When I say optimize, it depends, I suppose, on what their goal is, whether it’s to sell it, whether it’s to expose it and cause damage to these individuals, or whether it’s do something like lock it up and do a ransomware-type scenario.
Another challenge is that we talk about these people collecting this data like they’re these various individuals. Still, for the most part, many of these people are big tech Every day, we read about Big tech violating our data privacy regularly. Companies that are just using it and selling it.
There’s no question. I mean, look at the biggest ones. Google wants to control all things data. I shouldn’t say all data, but they want as much data as they can get, and I’m not saying this to be disparaging to google. It’s their business model to be the source of data for the world.
It’s just kind of an example; maybe the extreme case of what you’re saying is the big tech companies want data, and the source of that data you know may or may not be necessary to them. But still, certainly, I think that there’s a legitimate argument to be made that this type of data could be important to a huge aggregator.
What makes the cannabis industry different when it comes to data security and privacy?
To me, the biggest thing that makes it different is the risk to the individuals. So you go into a dispensary, and maybe it’s your regular dispensary. You know you’ve been there five times or ten times or 20 times in a year, and there’s a lot of information about your purchases which imply something about your habits and things that you like and don’t like.
As I said before, if that’s disclosed, that poses a significant risk to the individuals. So that’s what makes it different to me: the risk to the people who are to the customers.
On the dispensary side, what makes the difference is the flip side of the same coin: there’s a lot of data, and there’s a lot of value to that data. So there may be entities that think, in fact, maybe I should say there are entities that canvas users likely to be customers of their product. So they’re going to want to access that data whether it’s purchasing that data or you know if somebody makes it available on, you know the black market or whatever it might be, then they can use it there as well.
There are risks on both sides – risk to the dispensary, risk to the individual. If someone hires a firm like yours, what are you typically providing for them?
It depends on what they need, but the starting point for us is knowing your data, knowing where it’s going, and knowing what’s happening with it. So we would generally want to sit down with stakeholders and say, okay, what is it that you’re collecting? Are you collecting driver’s license numbers? Are you collecting purchase information? Where is it being stored? How is it being stored? What third parties is it going out to? Do you have a loyalty program service provider that you’re sharing the data with, and how is it secured along the way.
Once we understand that data environment, then we can help them put controls in place. The most basic controls that everybody is going to need are starting with a privacy policy. A publicly facing privacy policy, so individuals are aware of how their data is being used.
Also, internally facing privacy and security policies, building out procedures, and implementing things like access controls or supporting them if they don’t have an encryption solution. Ensure that they know what their options are and helping implement them—from kind of the administrative point of view, knowing your data and putting the right controls in—down to the technical controls and helping them make selections and implement controls.
Is data privacy and security something that the industry is aware of? are they seeking this, or are they ”we’ll get to it once we have a problem?”
My perception is that they are looking at it much more in that second way. There is a big rush in this business to sales and profitability, which is understandable. People see the cannabis opportunity as a bit of a gold rush and comply with laws or protect themselves against what may seem like a remote possibility of a breach that’s not the first thing in their mind. The first thing on their mind is getting sales and generating revenue, so I see that as the huge risk factor for this industry. The fact that it’s a rush to profitability.
Well, Dan, we very much appreciate you spending some time today. I think you will be busy shortly because I believe that we will, unfortunately, see these breaches. But, as you said, once cannabis businesses become vulnerable, they finally understand they should have done something about it.
About Cannabis Privacy and Security
Privacy and Security Solutions for the Cannabis Industry
Rapidly evolving cyber and privacy risks must be managed in an industry where privacy and data security are paramount.
The Cannabis industry is booming. But with the influx of money and high-value data comes unwanted attention from those who would seek to gain access to your data and monetize it for their purposes.
These risks are compounded by new and evolving laws, such as the California Consumer Privacy Act (CCPA), which the State Attorney General enforced and gave consumers a private right of action if their personal information is exposed in a security breach.
Businesses in the cannabis industry are just beginning to recognize the extent of the challenge they face in containing and proactively managing multi-directional threats to their data and their ability to meet their continually evolving compliance obligations. The challenge is further complicated by the scarcity of professionals with the right skills to assess the risks and design and implement effective responses.
In this environment, businesses need privacy and data security solutions that make a real difference. Cannabis Privacy and Security offers sophisticated yet practical solutions designed to minimize data risk while considering your business’s operational needs. Our team of privacy and data security professionals provides a full array of services that deliver meaningful outcomes to help your organization meet its privacy and data security obligations and business needs.
Our team of privacy and data security professionals can assist you in all aspects of building or improving your company’s privacy and security program. Services include:
- CCPA Readiness
- Personal Data Inventory and Mapping
- Consumer Request Management and Response
- Incident Response Program Development
- Virtual CISO Services
- Privacy Back Office Services
- Data Security Strategy and Design
- Data Governance Strategy and Design
- Security and Privacy Organizational Development
- Security and Privacy Assessments
- Identity and Access Management
- Third-Party Risk Management
- Security and Privacy Training
