
Where cybersecurity and the cannabis industry overlap

From data collection to HIPAA, dispensary owners should keep these issues in mind to avoid running afoul of the law and compromising customers' privacy, per Leech Tishman lawyers.

Cannabis sativa. (Photo by Lode Van de Velde, used under a Creative Commons license)

Operating a cannabis business is inherently risky, and not just because several states still haven’t legalized the drug for medical or recreational use. Even if patients can get access to cannabis for certain medical conditions — like in the state of Pennsylvania — with technology in the equation, there are many things a dispensary owner needs to consider to protect not only their business, but their customers.

Law firm Leech Tishman recently hosted a webinar where attorneys explained the cyber risks for medical cannabis dispensaries and how to mitigate them.

Cannabis dispensaries and data collection

Mike Sampson, a partner at Leech Tishman and an adjunct law professor at the University of Pittsburgh, said it’s imperative that dispensaries safeguard any data they might be gathering.

From phone numbers to state IDs, typically businesses see data as a way to keep track of inventory and track their customers’ purchasing habits so they can figure out ways to make more sales later. Intentions aside, this can get risky quickly if proper precautions aren’t taken. In the event of a data breach, the dispensary risks compromising not only its own information, but that of its customers.

“Anyone who’s savvy enough … and malicious enough could have access to the customer’s information and use them for malicious or wrong purposes,” Sampson said. “It’s incumbent on you as a cannabis-related business to make sure you’re taking steps to protect that data.”

Sampson pointed to a handful of cannabis dispensary data breaches in places like Ontario, Canada to show how real the risk is. For businesses, the consequence could be no longer being able to conduct sales because the needed systems were down. For customers, however, a big concern is privacy. Even in states where medical cannabis is legal, there’s still a stigma around the substance, which could cause customers a host of professional and personal headaches.

“These are real risks,” Sampson said. “And we cannot underscore enough the seriousness with which any cannabis business ought to be taking these risks.”

Jim Paulick, a leader of Leech Tishman’s Data Privacy and Cybersecurity group, added that although businesses are well within their rights to collect data, with that right comes added responsibility. In this case, that means needing to follow certain rules when they collect that data, if and when they sell that data, and how they process the information gathered.

The Telephone Consumer Protection Act and you

A potentially unexpected way that a cannabis dispensary could get into legal trouble is through text messages. The Telephone Consumer Protection Act (TCPA) regulates how a business can use phone calls, or in some cases SMS messages, as a part of its marketing strategy. Namely, it gives the consumer the right to opt out of receiving marketing-related calls or messages, or to not receive these communications at certain times of day. If your dispensary uses text messages to communicate with customers, Sampson said, it’s important to ensure that you’re not messaging individuals on the National Do Not Call Registry.

“If you send messages as part of your marketing program to somebody to a residential number that has been registered on the ‘Do Not Call’ list, you could be subject to liability under the TCPA,” Sampson said.

Another potential hiccup is that, under the law, businesses aren’t allowed to use autodialing without a customer’s prior written consent. Using an autodialer could lead to fines of up to $1,500 per violation of the law or potentially an expensive class action lawsuit.

“Even if you submit just a small list of numbers, if that device is capable of it, you could be in violation of the statute,” Sampson said.

Protecting your customers’ privacy

In the US, privacy laws can differ from state to state, but since some states have their own laws in place — such as the California Customer Privacy Act (CCPA) — businesses have to be careful not to run afoul of them. Beyond the obvious reasons, Paulick explained that it’d matter to a Pennsylvania dispensary because if it did business with a person in the Sunshine State, it would be obligated to honor that law. The CCPA, specifically, gives customers the right to opt out of third-party data sales, the right to be informed of data collection, the right to have collected data disclosed, and the right to have collected data deleted.

“Other states have enacted similar legislation. Not every state has it, but you don’t have to be in that particular state to be covered by these laws,” Paulick said. “If you have an app to run your store, and you’re collecting [data], you’re using fingerprints to authenticate, that’s personal information. Almost any piece of data that can relate to your customers is going to be considered personal information.”

Some states, such as Massachusetts, he added, have mandates saying that a business owner has to inform their customers in cases of data breaches. Thus, in some places, not doing so could land a dispensary on an oversight agency’s bad side.

Both Paulick and Sampson cautioned dispensary owners to familiarize themselves with the Health Insurance Portability and Accountability Act, aka HIPAA. Why? Because the question of whether HIPAA applies to medical cannabis dispensaries is still up in the air.

“If HIPAA applies there are certain rules and requirements specifically with respect to protecting or sharing or not sharing data that are in play,” Sampson said. “The question becomes, who is a healthcare provider and whether in a particular medical cannabis dispensary, might qualify as a healthcare provider.”

In the meantime, since cannabis remains a controversial subject for some, as well as an industry where law enforcement isn’t often inclined to be forgiving, both Sampson and Paulick advised entrepreneurs to become intimately familiar with what their obligations to their customers are.

“The risk is as great as it is for virtually any other business and for a variety of reasons, perhaps even greater,” Sampson said. “And those reasons include both the nature of the business that cannabis-related businesses are involved in, as well as perhaps some of the misconceptions, stereotypes, or stigma that might make the cannabis industry a potential target or particular target for bad actors.”


Atiya Irvin-Mitchell is a 2022-2024 corps member for Report for America, an initiative of The Groundtruth Project that pairs young journalists with local newsrooms. This position is supported by the Heinz Endowments.