The cannabis industry is known to be plagued with many challenges. From federal intervention to banking issues, it’s certainly not a stress-free business to get into. One dilemma in particular that the cannabis industry has been facing lately is cyber security.
Due to the stigma associated with cannabis, even in legal states, consumers have always valued the anonymity that went along with shopping at dispensaries. While medical patients’ and recreational users’ information can both be at risk, the chances of a data breach are higher in the recreational market because of patient confidentiality agreements providing additional securities.
Many states with recreational programs have some type of amendment written into law that gives retail locations the option whether or not to store personal customer information; it’s not actually required that they do. However, the data collected from is a valuable source of information for marketing and inventory purposes. Not to mention, all the high dollar investors looking to throw their money into a thriving business will without a doubt, want to see some data.
Privacy protection vs. investment security
Venture capitalists won’t just skim the surface; they want to know the nuts and bolts of the process to have the assurance that their investment will turn a profit. In addition to possibly having your basic info (name, phone number, address, etc.), they’ll also be monitoring things like brand and strain preferences, buying and consumption habits, and consumer demographics.
This is definitely a reasonable way of thinking, from an investors’ standpoint. Who wouldn’t want to 110% confident in a company they’ll be providing a substantial amount of money too? Despite that, consumers are understandably skeptical about releasing personal information, especially with threats of a federal crackdown looming. So where does the fine line lie? Customers are entitled to their privacy, but as the industry legitimizes, technology will inevitably play a much larger role.
“You have to find a healthy balance. How do we capture information that is pertinent to the success of our new retail business, versus the privacy of adults who now have this right and are able to shop at our stores? At our stores, the answer for now, is to go no further than inviting customers to punch their cellphone numbers or e-mails into tablet computers at the counter to receive promotional offers.” Brooke Gehring, co-owner of Bud Med and a chain of recreational and medical marijuana outlets.
Online attacks with real life repercussions
As it stands, multiple cannabis companies have found themselves in the midst of cyber security breaches. In June 2016, The Washington State Liquor and Cannabis Board accidentally released the personal information of hundreds of medical license applicants when responding to a public records request. Social security numbers, driver’s licenses and financial records were all posted online before they were finally able to correct the leak.
Similarly, the Nevada Division of Public and Behavior Health also publicly posted the personal information of over 11,000 dispensary owners and medical marijuana patients. The Division resolved the issue quickly, in only 24 hours, but nevertheless, it’s very uneasy knowing your information was posted online, even briefly, for everyone to see.
And perhaps the most notable cannabis cyber security issue over the years, the MJ Freeway hack. MJ Freeway is a national, multi-service database used by thousands of medical cannabis dispensaries throughout the US. Thankfully, no patient data was stolen, but the program was forced to shut down for close to a week, causing a ripple effect of dysfunction and complications throughout the industry.
Ten simple ways to protect yours, and most importantly your customers’, information
- Create secure usernames and passwords that include capital and lowercase letters, numbers, and special characters.
- Back up your data, apps, and files.
- If possible, use two-step authentication.
- Use a firewall for all your networks.
- Limit access to your IP Address and Mac Address.
- Only permit necessary people to have access to accounts.
- Use a virtual private network or reverse proxy to hide your real IP address.
- Use a Secure Sockets Layer for point-to-point protocol.
- Run Tests to verify your security measures are working
- Have a backup plan, in case things go awry anyway.
Not only are consumers and businesses worrying about security dangers, legislators are starting to take notice. Most famously, Oregon Governor Kate Brown signed S.B. 863 into law which prohibits cannabis retailers from “recording, retaining or transferring information contained on a passport, driver’s license, military identification card or other identification cards,” plus it required retailers to destroy any previously collected information.
Final Thoughts: Cannabis Cyber Security
If more states follow suit and pass similar legislation, that will be great news for consumers who will have guaranteed obscurity when making purchases. But it will be an upward battle for capitalists who will need to find a new way to research their prospective investment opportunities.
For more stories like this one, subscribe to the CBD Business Weekly Newsletter.