Law.com Subscribers SAVE 30%
Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.
Unique Cyber Risks Faced By the Cannabis Industry
All companies face cybersecurity threats, but the legalized cannabis industry's storage of personally identifiable information and reliance on seed-to-sale tracking software can place it firmly within hackers' crosshairs.
To be sure, despite currently being prohibited from storing cash in banks, some cannabis entities do process valuable personally identifiable information (PII).
"Just because there's more physical cash than electronic transactions, doesn't necessarily make these companies less of a target for hackers," wrote Robinson & Cole associate and data privacy and cybersecurity associate Kathryn Rattigan in an email. "Most of the point-of-sale systems automatically report to the state's compliance tracking system, which might include the individual's name, birth date and contact information based on the scanning of a driver's license or state-issued ID card."
Rattigan noted such data could be targeted by cybercriminals, including "ethical hackers" who don't agree with the legalization of cannabis and seek to expose consumers.
Indeed, there have already been hacks of some cannabis platforms containing personal data, including Pennsylvania-based seed-to-sale software MJ Freeway's reported hack in 2018 and security breach in 2017.
When any vendor is under siege, clients' work may be disturbed, but this disruption may be more acute in the cannabis industry given some states' required usage of seed-to-sale software.
"If MJ Freeway goes down, which it does, all marijuana sells comes to a grinding halt," said Steve Schain, a senior attorney at cannabis and hemp law firm Hoban Law Group.
While such an operational disturbance is generally out of clients' hands, Harris Bricken data security attorney Griffen Thorne said most legalized marijuana companies have a higher cyber risk for two reasons. For one thing, many of the startups aren't investing in cybersecurity, he said. In addition, cannabis "companies may be more unwilling to report incidents to the FBI or local law enforcement compared to other industries, that may be a thought cyber attackers have."
Still, while cannabis manufacture Natura Life + Science business development director Manndie Tingler noted that stolen PII is a concern, she said the cannabis industry's top threat is copyright infringers.
"A lot of this is right now coming in the form of a lot of people having counterfeit products including batch number falsification and stealing their copyrighted material and a lot of it is coming from the illicit market," Tingler said.
As cannabis companies attempt to combat bad actors, most won't find data privacy or cybersecurity guidance or requirements in the laws permitting the sale or use of marijuana. Instead, companies are regulated by states' data breach notification laws and possibly the California Consumer Privacy Act (CCPA) when it goes into effect Jan. 1, 2020, if they fall under that law's requirements.
"I think a lot of these companies are moving toward digital, at least some part of the company, and most likely the CCPA will apply to them," Thorne noted.
*****
Victoria Hudgins is a reporter for Legaltech News, an ALM sibling of Cybersecurity Law & Strategy, where she covers national and international legal tech innovations and developments. She can be reached at [email protected].
This premium content is locked for Entertainment Law & Finance subscribers only
ENJOY UNLIMITED ACCESS TO THE SINGLE SOURCE OF OBJECTIVE LEGAL ANALYSIS, PRACTICAL INSIGHTS, AND NEWS IN ENTERTAINMENT LAW.
- Stay current on the latest information, rulings, regulations, and trends
- Includes practical, must-have information on copyrights, royalties, AI, and more
- Tap into expert guidance from top entertainment lawyers and experts
Already a have an account? Sign In Now Log In Now
For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473
'Huguenot LLC v. Megalith Capital Group Fund I, L.P.': A Tutorial On Contract Liability for Real Estate Purchasers
In June 2024, the First Department decided Huguenot LLC v. Megalith Capital Group Fund I, L.P., which resolved a question of liability for a group of condominium apartment buyers and in so doing, touched on a wide range of issues about how contracts can obligate purchasers of real property.
Strategy vs. Tactics: Two Sides of a Difficult Coin
With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.
CoStar Wins Injunction for Breach-of-Contract Damages In CRE Database Access Lawsuit
Latham & Watkins helped the largest U.S. commercial real estate research company prevail in a breach-of-contract dispute in District of Columbia federal court.
The Article 8 Opt In
The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.