Data Breaches are Coming… Look out, Cannabis Industry

Data Breaches are Coming… Look out, Cannabis Industry

Virtually everyone knows about breaches of companies like Equifax. Massive breaches have happened to established, mega-companies who still took major reputational and monetary hits after they were breached. What many people don’t realize is that it doesn’t take a major breach to devastate a business. Even the most minor breaches still make a significant impact. They are coming, and cannabis companies will be left in the dust. It’s time to prepare.

Data breaches occur in many forms. Sometimes a breach will include a malicious hacking. Other times it could just mean the simple loss of a laptop containing unencrypted “personal information”. In either case, if personal information was accessed or acquired without authorization, the party who held the personal information must provide written notification to the affected individuals within a relatively short period of time. In many cases, they’ll also have to report to other services like credit monitoring. This may seem like a straightforward process. It is not. Just figuring out what kinds of information may have been accessed and whose information may have been accessed could cost tens of thousands—if not hundreds of thousands—of dollars in forensic review.

The Facts 

Breaches are not unique to the cannabis industry —the Breach Level Index (“BLI”) estimates that more than 14 billion data records have been lost or stolen since 2013, with an average frequency of an astounding 6.9 million records per day. However, this industry is particularly susceptible to data breaches and their damaging effects for many reasons. Here are a few examples:

Failure to Report

  • Companies may not be willing to report breaches to federal authorities like the FBI or IRS, who otherwise would likely be notified, in light of the federal illegality of cannabis. Malicious actors may believe that this gives them some sort of advantage—and to some extent, it does if law enforcement is not given notice.

Devastating Digital Currency Loss

  • Given the state of banking in the cannabis industry, some cannabusinesses may use cryptocurrency instead. The right person could breach Crypto keys that are stored on electronic devices. This could expose a cannabis business to financial losses unlike in virtually any other industry.

Negative Exposure

  • The reputational harms to an up-and-coming licensee could then destroy a cannabusiness. Even though many of the stigmas around cannabis have gone away, many people wouldn’t want their employer or the general public to know that they bought cannabis. Imagine what a government employee would think if a cannabis business was the victim of a breach and his or her employer suddenly could find out about the employee’s purchase history. That business probably would not last.

Restricted Computer Usage 

  • The industry is forced to interact with technology in a way that many others are not. In California, as well as most other states with licensing regimes, cannabis companies must implement track-and-trace systems to monitor all commercial cannabis activity. Licensees of the California Bureau of Cannabis Control (“BCC”) are legally prohibited from transporting, transferring, or delivering goods during outages of track-and-track systems—i.e., doing most kinds of business. What happens when they are the victim of a ransomware attack (a situation in which a hacker encrypts all computer systems and demands compensation in cryptocurrency or something similar in exchange for the decryption key, which may take days or weeks to fully restore)? Businesses could literally bleed out while trying to negotiate with–or pay a ransom to–someone across the globe.

Law Enforcement Action

  • State attorneys general may need to be notified of certain data breaches. If an attorney general in a state in which cannabis was not legal receives notice that a number of the attorney general’s home state citizens were the victims of a data breach, that attorney general may want to target that cannabis business with an enforcement action.

These are just a few of the unique pressures the cannabis industry faces.

Breaches are in many senses inevitable. There is still a lot that companies can do to reduce the impact of them or to attempt to prevent them. Below are a few:

  • Having a privacy policy and sticking to it. We’ve written about the need for policies before, and the potential penalties for not complying. We get the sense that a lot of cannabis businesses think of this as unnecessary or just a rote copy-and-paste job. However, this is not accurate. These policies are detailed and designed to identify the information gathering and usage policies of an organization. If an organization follows a policy, then it should, in theory, know what information it has, and where. This could be the difference in whether significant time and resources are spent tracking down potentially accessed information.
  • Complying with relevant information security standards. Many states actually require businesses to follow standards when it comes to information storage. Technical measures can be adopted to reduce the likelihood or impact of breaches.
  • Planning for breaches. Training employees, and strategize plans for what to happen in the event of a breach, could also avoid or lessen the impact of a breach.
  • Considering insurance. Insurance companies are starting to provide cyber liability insurance, which could cover the costs of some breaches. This won’t actually prevent a breach, but may stop a company from spending significant amounts of money in response to a covered breach.

Cannabusiness Owners Need to be Vigilant

The point of this post is to highlight just how significant breaches can be for cannabis businesses. Preparing now, rather than after they occur, could avoid plenty of issues later.

************************************************
Jeffrey Schneider, EA, CTRS, NTPI Fellow has the knowledge and expertise to help you reach a favorable outcome with the IRS. He is the head honcho at SFS Tax Problem Solutions as well as an Enrolled Agent and a Certified Tax Resolution Specialist.
************************************************
Now What? I Got A Tax Notice From The IRS. Help! Defining and deconstructing the scary and confusing letters that land in your mailbox. Jeff defines and deconstructs the scary and confusing letters in a fashion that mixes attention to detail with humor and an intricate clarification of what is what in the world of the IRS.

The book is available in paperback and ebook on https://Amazon.com
************************************************
For more on SFS Tax Problem Solutions, visit: http://sfstaxproblemsolutions.com/
************************************************
738A Colorado Avenue Stuart, FL 34994
************************************************
Phone: (877) 355-8010
************************************************
https://twitter.com/SFSTaxAcct
https://linkedin.com/company/sfs-tax-problem-solutions
************************************************