
Data Breach Exposes Cannabis Industry Security Vulnerabilities

February 25, 2020 | Alerts

A significant data breach involving software that is widely used by cannabis dispensaries spotlights the industry's critical need to secure its customers' personally identifiable information. The incident involved an unsecured and unencrypted database containing approximately 85,000 files that included sensitive medical data and was left exposed to anyone who came across it on the internet.

As their operations grow and they collect and process more data, cannabis businesses should prioritize strengthening their security practices. Due diligence, compliance with proper data security protocols and regular guidance from legal and technology experts are emerging as necessary ingredients for keeping cannabis enterprises on the path to growth.

About the Data Breach

THSuites, which makes point-of-sale and management software used by dispensaries across the United States, recently experienced a data exposure that revealed customers' full names, dates of birth, phone numbers, email addresses, street addresses, signatures, cannabis varieties and quantities purchased, amounts of money spent and transaction dates. According to cybersecurity firm vpnMentor, the database was unsecured and accessible to anyone on the internet who could find it, and it even included medical marijuana patient names and medical ID numbers. An estimated 85,000 files were exposed.

It's too early to determine whether anyone with nefarious intentions came across the unsecured data. Nevertheless, the THSuites breach should serve as a wake-up call to an industry whose regulations are still in their infancy. Under applicable state and federal laws, data breaches can expose companies to significant penalties and, in limited circumstances, may expose company officials to jail time. Businesses face a growing number of state data privacy laws, such as the California Consumer Protection Act (CCPA), many of which provide a private right of action or could support an individual (or class action) claim under state unfair and deceptive practices laws. In addition, medical cannabis businesses likely must comply with the federal Health Insurance Portability and Accountability Act (HIPAA). But even when neither affected individuals nor regulators take action, data breaches have significant reputational consequences and can cool demand if consumers believe that their information is not protected the way it would be by a well-established business or industry.

The fact that cannabis remains illegal under federal law, and that its use is prohibited by many employers, adds to the reputational risks of a data breach involving the cannabis industry. Few consumers of this quasi-legal substance would want their use of marijuana or cannabis products exposed on the internet for everyone to see. Exposure of an individual's personally identifiable information and cannabis-related data can have unintended consequences, and breaches like the one involving THSuites do not give consumers confidence that their personal information and data are secure.

Lessons can be drawn from the 2016 FriendFinder Network breach, in which hackers collected and exposed the personal information of consumers who used the various websites that made up the FriendFinder adult dating and entertainment network. To avoid a similar reputational hit, it is imperative that the cannabis industry focus on data security just as much as it focuses on other aspects of its business, such as marketing and branding. Cannabis businesses handling a range of personal data should ensure that their information security controls scale with their operations and that the personal data they store is properly encrypted, so as to avoid the damaging consequences of consumer data leaks.

For any questions about this alert or cannabis industry cybersecurity practices, please contact Matthew R. Kittay at 212.878.7978, Alexander Kerzhner at 646.601.7656, Elizabeth Litten at 609.895.3320, Mark McCreary at 215.299.2010, or any member of Fox Rothschild's national Cannabis Law and Privacy & Data Security practice groups.