THE INFORMATION THEY SEEK
GeekTek CEO and data security expert Eric Schlissel discusses the critical need for cannabis businesses to protect customer data.
Taking their cue from the eight-point directives of the Cole Memo, state-level medical/adult use cannabis regulatory programs have prioritized the physical safety components of the industry. What are the contours of the track-and-trace program? What is the proper distance of a cannabis retail outlet from a school, park or day care center? How do we prevent organized crime from gaining licenses?
While these questions all must be answered, neither the Cole Memo nor any state-level cannabis program to date has addressed, much less mandated an answer for, another difficult question about protecting the public and consumers: how will the cannabis industry protect its intellectual property and customer data from its natural predators? For a heavily scrutinized industry looking to prove its legitimacy in uncertain times, this lack of oversight may prove fatal if it persists.
A CAUTIONARY TALE
The recently revealed hack of the Securities and Exchange Commission offers a suitable cautionary tale. SEC Chairman Jay Clayton revealed that a 2016 hack of the agency’s EDGAR public filing system yielded data which “may have provided the basis for illicit gain through trading.” The Department of Homeland Security compounded the agency’s woes with an internal report in January which identified five “critical” cybersecurity weaknesses within the SEC. Not surprisingly, the Investment Company Institute, an investment group which represents 95 million shareholders, has requested a suspension of the SEC’s demand for monthly performance data until the SEC conducts an independent investigation.
Now consider that the SEC already has robust cybersecurity countermeasures in place, from employee training to “penetration testing of its internal and public-facing systems.” Unlike anything in the cannabis industry, those controls are mandated by law through the Federal Information Security Modernization Act of 2014 - yet the hack STILL happened. And as many in this industry know, the breaches have already commenced. In June, for instance, one of the industry’s largest software providers found its source code posted online. A month later, a prominent West Coast delivery service revealed the theft of patient data through an affiliated service provider. These may be the first - that we know of, at least - but they certainly won’t be the last.
One can easily arrive at a sobering estimate of the reputational and operational cost a particularly ambitious attack would inflict on this industry. The theft of intellectual property from an unsecured network, whether by a competitor or a hostile former employee, can wipe out much of the sizable investment poured into a cannabis startup. The threat of identity theft that hangs over stolen customer data has already formed the basis of several class action lawsuits against the credit agency Equifax.
THE INDUSTRY MUST CHART ITS OWN COURSE
However, poor data security practices are not hard-wired into this industry. Cannabis operators can readily adopt the best elements of other industries that have developed strong solutions to the data security challenge. We can use what works, for instance, within the HIPAA rules. HIPAA was enacted in 1996; its Privacy Rule, which took effect in 2003, and its Security Rule, in force since 2005, dictate how medical providers and their independent contractors (“business associates”) may securely use and share patient data, or Protected Health Information. In practice this means device encryption, mandatory lock-out policies for devices, password management and other controls ensuring that only authorized personnel can read data. “Single sign-on” user IDs and passwords can further centralize control over access to applications and data systemwide. Two-factor authentication and proper employee training on data security practices also improve the integrity of a business’s network. And finally, one can leverage managed IT, security and cloud service providers for 24/7 network monitoring and intrusion detection/prevention, which makes securing a growing business easier.
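Two of the controls named above, a lock-out policy and two-factor authentication, are easy to describe and easy to get subtly wrong, so here is an added illustration of what they look like in working code. This is example code written for this article, not code from GeekTek or from any cannabis software vendor. It assumes a small in-memory user store (a hypothetical `LoginGuard` class) and implements the second factor as RFC 6238 TOTP over RFC 4226 HOTP using only the Python standard library; the test secret and the sample user are constructed for the example.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current time step plus/minus `window` neighbours (clock drift).

    Every candidate is compared with compare_digest so the check is constant-time."""
    counter = now // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count chosen for the example, tune for production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginGuard:
    """Hypothetical password + TOTP login with a per-account lock-out policy.

    max_attempts consecutive failures lock the account for lockout_seconds."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 900):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.users = {}     # username -> (salt, password_hash, totp_secret)
        self.failures = {}  # username -> (failure_count, locked_until_unix_time)

    def add_user(self, username: str, password: str, totp_secret: bytes) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt), totp_secret)

    def attempt(self, username: str, password: str, code: str, now: int) -> str:
        """Returns "ok", "bad_credentials" or "locked"."""
        count, locked_until = self.failures.get(username, (0, 0))
        if now < locked_until:
            return "locked"            # no credential check at all while locked

        user = self.users.get(username)
        if user is None:
            # Unknown account: burn a hash anyway so response time does not reveal valid usernames.
            hash_password(password, b"\x00" * 16)
            return "bad_credentials"

        salt, pw_hash, secret = user
        password_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
        # Both factors are evaluated before deciding, so a wrong password and a wrong
        # code produce the same outcome and the same failure accounting.
        if password_ok and verify_totp(secret, code, now):
            self.failures.pop(username, None)   # success resets the failure counter
            return "ok"

        count += 1
        if count >= self.max_attempts:
            self.failures[username] = (0, now + self.lockout_seconds)
            return "locked"
        self.failures[username] = (count, 0)
        return "bad_credentials"


if __name__ == "__main__":
    # Constructed sample: the RFC 4226/6238 test secret, and a code minted for Unix time 59.
    SECRET = b"12345678901234567890"
    guard = LoginGuard(max_attempts=3, lockout_seconds=100)
    guard.add_user("alice", "correct horse battery staple", SECRET)
    print(guard.attempt("alice", "correct horse battery staple", totp(SECRET, 59), 59))  # ok
    for _ in range(3):
        print(guard.attempt("alice", "wrong password", "000000", 59))  # bad, bad, locked
```

The lock-out itself is a double-edged control: an attacker who knows a username can lock the legitimate user out on purpose, so in practice it is paired with rate limiting by source address and a short, automatically expiring lock rather than a permanent one. The TOTP window of one step in each direction is the usual compromise between tolerating clock drift and not widening the space of accepted codes.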
Because the federal government still has not determined its ultimate cannabis policy and the states have not provided guidance, the cannabis industry will have to chart its own course on data security. In no more than a generation, a business from this industry will surely take its place in the Fortune 500, but it will not achieve this status unless it can reliably safeguard its sensitive information. During Prohibition, the activists, patients and entrepreneurs who have sought and fought for legalization have shown extraordinary ingenuity in developing a resilient industry against all odds. Compared to its prior travails, the mandate to develop robust data security protocols on its own is a much easier lift, especially since many of its solutions merely need to be onboarded and not invented outright. But it can no longer be ignored if the industry wants to grow in a way that protects its customers.