Cyber Attacks Plague the Cannabis Industry, Prevention is Key

The cannabis industry has had a huge increase in cyber-attacks in 2020 and 2021 and Law enforcement and regulators grow concerned about criminal activity, fraud, and corruption as hackers target businesses in this emerging industry. In 2019, the FBI announced that it was seeing increased fraudulent activity and bribery of public officials and the U.S. Securities and Exchange Commission issued a similar call, warning about Ponzi schemes and other types of securities fraud. While the U.S. is experiencing an influx of cybercrime, so is the cannabis industry. This is also in part because they are a rapidly growing and emerging industry where there is more focus in other areas within their organization such as BCC compliance and other areas that can keep any cannabis operator busy. 

Cyber Attacks

Data privacy and cybersecurity-related risks account for the fastest-growing risk environment that affects all companies regardless of size.  In fact, Ransomware claims have exploded during the pandemic.

These claims are expensive compared to other risks, regardless of whether they result in litigation. Mere notice of a potential intrusion typically triggers an obligation to perform a forensic investigation on the extent of the intrusion and weather data was exfiltrated to determine whether reporting to proper authorities is required. Even in cases where the forensic investigation concludes that no data was compromised, those investigation costs can be in the tens of thousands of dollars and companies are often unaware that they are either not covered for breach response or have a very low sublimit. If cases do go into litigation, they are often in the form of class actions and are 10X more expensive to litigate.

In its 2020 Data Breach Industry Forecast report Experian predicted that cannabis retailers could become prime targets for cybercriminals since they may not fully invest in protective cyber security measures. “While any retailer is always a target for cybercriminals, cannabis retailers present a bigger target due to the nature of their business,” Experian wrote.

In January, there was a significant data breach involving software that is widely used by cannabis dispensaries. The breach involved an unsecured and unencrypted database containing approximately 85,000 files that included sensitive medical data and was left exposed to anyone who came across it on the internet.

Data of about 30,000 people was exposed in that hack on THSuite, a cannabis point-of-sale provider, including photo IDs, addresses, and protected health information.

What to do – Prevention is Key

Data privacy claims arise most often out of human error, so they are preventable with the proper training.

Ensuring your organization is investing in cyber security in leu of cyber liability insurance is key.  Cyber security is the protection of computer systems and networks from the theft of or damage to hardware, software, and electronic data. Today, there are cyber security companies that will likely do a complimentary audit of your current cyber security and will provide a list of recommendations. 

Cyber liability insurance is also a key tool used to prevent further damage in the event of a cyber hack or loss. Cyber and data risk insurance can cover a scope of losses, some are: 

• Breach costs
• Privacy and network security
• Cyber business interruption 
• Cyber extortion or Ransomeware
• Data Restoration
• Multimedia coverage

The Takeaway

Cannabis is a new industry, which makes it even more vulnerable to cyber-attacks but it doesn’t mean you do not have the tools and resources to be protected. Investing in a strong cyber security program alongside a cyber liability insurance policy will save your company thousands of dollars in potential losses. Investing money in prevention is a far better cost savings then risking the event of a cyber loss. 

CCIA Risk Management Committee

Stephanie Bozzuto, Cannabis Connect Insurance Services

Ian Stewart, Wilson Elser

Eric Schlissel, Cure8

DISCLAIMER

The information provided in this White Paper is not intended to constitute legal advice and therefore should not be relied upon as such. Instead, this White Paper is exclusively intended for general informational and educational purposes. Given the dynamic nature of the industry, this White Paper may not constitute the most up-to-date legal or other information. Use of this document does not create an attorney-client relationship between the reader and any individual at CCIA or CCIA as a whole. Operators should contact their attorney to obtain advice with respect to any particular legal matter. No reader of this White Paper should act or refrain from acting on the basis of information without first seeking legal advice from counsel in the relevant jurisdiction. Only a retained attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. For specific legal needs please contact an attorney. Should you need an attorney recommendation CCIA has several resources, please contact info@cacannabisindustry.org for more information.