Marijuana Use

 

Not all data breaches are created the same. While every industry has felt their impact in recent years, some industries house data that is sensitive simply by virtue of association with individual consumers. There's no better illustration than the dramatic breach of an online matching service for extramarital affairs in 2015, in which the leak of a simple list of names—relatively non-sensitive data in privacy terms—reportedly resulted in divorces and even suicides.

While extramarital dating services are a far cry from today's mature, legalized cannabis industry, they share this common reality: The mere association of an individual as a cannabis customer can be incredibly sensitive, resulting in potential criminal allegations in certain jurisdictions and moral reprimand from certain corners of American society.

Recently, the cannabis industry felt these effects firsthand when sensitive personal information for thousands of users collected by cannabis software provider THSuite was reportedly exposed. Cannabis-related data is more sensitive than your average dataset: Cannabis remains federally illegal under the Controlled Substances Act of 1970, and cultural and moral issues have traditionally dominated the conversation over cannabis legalization in America. And because licensed cannabis operators are heavily regulated and required to retain vast amounts of personal information, the potential impact of a data breach on cannabis businesses is not due to the sensitivity of the information alone.

As such, it is incumbent on those in the cannabis sector to take special care, with the aid of legal counsel, in addressing the privacy and security risks inherent to their cannabis business. The unique data security issues that the cannabis industry must recognize include:

1. Massive Amounts of Data = Massive Hacks

Industry-specific legal requirements require cannabis businesses to collect and retain massive amounts of data on their consumers. In California, all records related to commercial cannabis activity must be kept for a minimum of seven years. These records include receipts/invoices of every sale made, including the name and address of the purchaser; the date of the sale; the invoice number; the kind, quantity, size and capacity of cannabis products sold; the cost to the purchaser; and more. These requirements alone set the industry apart from most other consumer-facing retail sectors.

It doesn't end there. Cannabis retailers must obtain and retain copies of their customers' government-issued IDs in order to comply with minimum age requirements. For medical cannabis users, the data collected includes sensitive medical information. Further, in a scan of some of the major California dispensaries, we found that it is common practice for dispensaries to use audio/video recording to surveil their stores, and then to keep these recordings for their records.

For privacy and security practitioners committed to the principle of data minimization, the breadth of this mandatory dataset is dizzying. Data minimization is simply not an option here. In California, failing to maintain or provide all of the records required by law can subject cannabis businesses to fines of up to $30,000 per individual violation.

The sheer amount of data cannabis businesses collect means a data breach could be crippling in its scope and impact, and the scenarios that could cause a privacy violation are too numerous to count. What's more, the cannabis industry is already under heavy governmental and licensing scrutiny, which means that data breaches are more likely to be noticed and investigated by the government, to say nothing of the reputational risks associated with breach-related publicity.

2. Sensitive Nature of Data = Serious Consequences

Although cannabis use may not be as scandalous on a personal level as adultery, adultery is not traditionally criminalized. Thus, the information collected by the cannabis industry is sensitive on its face. Additionally, selling cannabis products requires the collection of more sensitive consumer personal information than the average retailer needs to collect.

A data breach in the cannabis industry can lead to serious consequences for consumers. First, sensitive medical information is collected from those using medical cards to purchase cannabis products. A leak of this information could range from being mildly embarrassing to having significant psychological effects.

Second, even data not traditionally considered sensitive personal information could be sensitive given its ability to associate individuals with the cannabis industry. For example, a leak involving a mere list of consumer names could create rifts in families with conflicting politics or beliefs on cannabis use.

Such a leak could also have negative ramifications for people who have jobs with cannabis use restrictions. Federal employees would be fired—even for medical marijuana use—as would those in certain industries (e.g., other public servants, transit drivers, those who operate heavy machinery). Although in some places the legal tide is turning when it comes to cannabis and employment (for example, Nevada and the city of New York recently passed laws on pre-employment marijuana testing), in other states cannabis is still completely illegal—if an employee name shows up on a leaked cannabis consumer list, private employers could ostensibly use this as grounds for testing and termination.

A data breach in the cannabis industry carries serious consequences for businesses, as well. Data breaches lead to heavy fines, reputational damages and costly lawsuits.

For example, a 2016 data breach by an American healthcare provider that allowed threat actors to access the private health data of 2.9 million people led to a class action lawsuit resolved in 2019 by a $6 million dollar settlement. And in the cannabis industry, one such lawsuit has already occurred: Two Canadian companies have been sued in parallel class action lawsuits as a result of a 2018–19 breach of 34,000 medical cannabis patients' personal information, during which diagnostic results, healthcare identification numbers, names, ages, addresses, phone numbers and other medical information may have been exposed.

In California, the California Consumer Privacy Act (CCPA), which became effective on January 1, 2020, gives consumers a private right of action for data breaches with damages from $100 to $750 per consumer per incident, or actual damages—whichever is greater. This creates a powerful class action case for large breaches that could cost impacted businesses hundreds of thousands of dollars. But California is not the only state a business needs to worry about regarding data breaches: Over a dozen other states and territories also have private rights of action for data breaches (District of Columbia, Hawaii, Illinois, Louisiana, Maryland, Minnesota, New Hampshire, North Carolina, Puerto Rico, Tennessee, U.S. Virgin Islands, Virginia, and Washington).

In addition to data breach laws, lawsuits could also arise under civil laws such as privacy torts, and potentially HIPAA. Under HIPAA regulations, it is a federal crime for health services providers to expose protected health information that could be used to identify an individual. HIPAA violations can result in fines up to $50,000 per exposed record, and even jail time.

3. What To Do

While no security measure can prevent 100% of data breaches, cannabis businesses can take measures to (1) mitigate data breaches and (2) set a record of due diligence for potential lawsuits if there is a breach. Appropriate measures include implementing strong digital security systems and engaging expert counsel experienced in preparing their clients to avoid breaches and to limit exposure if there is one.

The cannabis industry must take the security risks inherent to the field seriously and ensure baseline protections for consumer data. Cannabis businesses should look to state-specific protections, such as those laid out in the CCPA, and ensure compliance. In the 21st century, a digital robbery is as real a risk as a storefront robbery, and it can have consequences just as devastating. Cannabis businesses should keep this in mind as they determine the most appropriate security measures to take to protect their customers' data, which may include conformance with various industry standards such as ISO/IEC 27001 and 27002, NIST's Cybersecurity Framework, and Center for Internet Security's controls as endorsed by the California attorney general. Industry businesses should also actively evaluate their incident response protocols and work with experienced legal counsel to develop and implement routine trainings to ensure they are ready in the event of a breach.

Conclusion

The cannabis industry is faced with a unique combination of two overarching factors increasing its data security risks: data sensitivity brought on by federal illegality and lingering cultural divisiveness, and massive, mandated data footprints brought on by intense state and local regulatory scrutiny. These features pose unique challenges to the privacy and security of consumer data.

With strategic defensive tools and due diligence, the cannabis industry can not only work to protect consumer data, but can also continue to lead the business world forward by demonstrating a strong commitment to data protection. These data security challenges are also part of the broader hurdles the industry is facing in today's evolving regulatory environment, which further underscores the need for cannabis companies to invest in and prioritize compliance and legal counsel.

 

Anita Sabine is a partner and the leader of Manatt's cannabis and CBD practice. She represents both public and private cannabis businesses on corporate structuring; joint venture formations; strategic partnerships; celebrity licensing deals; financings; farm and dispensary acquisitions; development and land use matters; leasing; Internet, media, advertising and FDA advisement; and licensing matters.

Brandon Reilly is a partner in Manatt's privacy and data security practice. He counsels clients on a wide array of consumer protection and privacy matters, including data privacy and security compliance and procedure and data breach response.