The state-legal cannabis industry has been slowly crawling into existence over the past decade. Despite federal illegality, most states have legalized medical cannabis and about a dozen states have legalized adult-use cannabis. For compliant cannabis businesses, becoming operational is no easy endeavor and may lead to myopic compliance that fails to consider essential business practices, such as compliance with data security laws.
For background, in almost all states that have medical or recreational cannabis programs, becoming licensed and operational is a grueling process that can easily cost hundreds of thousands of dollars. Prospective cannabis businesses will need to negotiate and secure leases, undergo facility build outs and improvements, endure local land-use and permitting processes, navigate state licensing processes, pay state and local application and annual license fees, compile dozens of business plans and standard operating procedures, and comply with regulations from usually at least a few different state agencies and local governments. Licensing is also often competitive, exponentially raising the cost on applicants.
All of the foregoing combined can impose tunnel vision on licensing applicants when it comes to regulatory compliance. That is, given what it takes just to get licensed, licensees often overlook other important laws and regulations that apply to any other business, especially if they are not directly incorporated into cannabis laws and regulations.
This kind of thinking can be incredibly dangerous for new cannabis companies. For example, companies who do not consider the impact of federal employment laws risk serious and costly employee litigation. The same goes for virtually any other kind of federal or state law that applies to every single business in the U.S. One such area where cannabis companies are likely to face a host of issues in the next few years is data security. The U.S. does not have an omnibus data protection law, and because most states and local jurisdictions do not impose independent data protection requirements on cannabis licensees, cannabis companies oftentimes do not even consider data security. The likely result of this will be (1) data breaches, (2) consumer litigation, and (3) government enforcement actions.
Data breaches are the most likely of these to occur for cannabis businesses. A breach can be anything from malicious hacking to the simple loss of a laptop containing certain protected categories of “personal information.” For example, California’s data breach statute protects information such as Social Security and driver’s license numbers, as well as medical information and biometric information.
If protected information is the subject of a data breach, the breached business has a duty to notify the data subject and provide certain statutory services to them. Because each state’s laws are different, the time to notify, the manner in which notification must be given, the requirements to provide supplemental notices to state regulators, and the services (i.e., identity theft mitigation services) that need to be provided can vary significantly. Simply figuring out what kinds of, and whose, information may have been accessed could take tens, if not hundreds, of thousands of dollars in forensic review.
It was estimated that in the first half of 2018, 4.5 billion records were exposed in data breaches generally, meaning that breaches are a phenomenon that is not unique to the cannabis industry. However, unlike companies in traditional industries, cannabis companies may be particularly susceptible to data breaches for a host of reasons.
First, cannabis companies may be unwilling to report breaches to federal authorities in light of the federal illegality of cannabis. This may result in further damages to the company or the failure to apprehend cyber criminals.
Second, given the lack of access to banking throughout the cannabis industry because of federal illegality and federal anti-money laundering laws, cannabis businesses may use less-than-reputable electronic banking sources that are susceptible to breaches or ransomware attacks. Likewise, states generally adopt track-and-trace requirements for cannabis businesses (to track inventory and cash) that force businesses to use software that itself could be the subject of an attack. In California, businesses generally cannot operate if they cannot access the track-and-trace software, so even minor breaches could lead to chaos.
Third, state attorneys general may need to be notified of certain data breaches. If an attorney general in a state in which cannabis is not legal receives notice that citizens of that state were the victims of a data breach by a cannabis business in an entirely different state, the notified attorney general may want to target that cannabis business with an enforcement action.
Fourth, it is unlikely that a wide array of cannabis companies will have cyber liability insurance, which could save large costs of forensic review or providing required services in the event of a data breach. A large-scale breach requiring significant forensic review and consumer services could destroy a cannabis business.
In addition to data breaches, cannabis companies—at least in California—are likely to soon face consumer litigation. California’s new Consumer Privacy Act (the “CCPA”) creates private rights of action with statutory damages of $100 to $750 or actual damages for consumers whose data was breached, if the company holding that data failed to implement reasonable data security measures. Given that data breaches are all but guaranteed to occur in the cannabis industry, so too will consumer class-action litigation.
Consider the following example: a dispensary with personal information of 5,000 customers is the victim of a data breach, and the dispensary has not taken any steps to secure the customers’ personal information. Statutory damages in a class-action lawsuit could be up to $3,750,000. This would be fatal to many cannabis businesses given the already astronomical costs of regulatory compliance and licensing fees.
Not only is consumer litigation likely, but so too are governmental enforcement actions. As noted above, many states’ data breach laws require reporting to state attorneys general, who can decide whether to follow up with investigations or who may initiate enforcement actions. This could mean that a cannabis business located exclusively in Southern California that served tourists from Indiana or Louisiana, for example, could find itself subject to an enforcement action by Indiana or Louisiana regulators if those states’ citizens were at all compromised in the breach.
In sum, though data security obligations are traditionally not imposed on cannabis companies as part of the permitting or licensing processes in most jurisdictions, they are still imposed on such companies by operation of law. Narrow consideration of only those cannabis regulations which immediately affect cannabis businesses will lead to devastating but avoidable losses for cannabis businesses. In turn, cannabis businesses should prepare now for the data security laws that already apply to them before they’re bankrupted by a breach, litigation, or an enforcement action.
Griffen Thorne is an attorney at Harris Bricken in Los Angeles, California. He represents companies in the cannabis industry and also works in the data security industry.
Suggested citation: Griffen Thorne, Cannabis Companies are Overlooking Data Security Laws and Regulations, JURIST – Professional Commentary, March 17, 2020, https://www.jurist.org/commentary/2020/03/Griffen-Thorne-CCPA-Cannibas
This article was prepared for publication by Brittney Zeller, Deputy Managing Editor for JURIST Commentary. Please direct any questions or comments to her at commentary@jurist.org