Cannabis dispensaries: Security and risk considerations for continued growth

In the US, cannabis is fully legal (medical and recreational) in 11 states and Washington, DC. For medical use, it is legal in 33 states. This is a flourishing industry, with one study conservatively estimating it will reach $30 billion by 2025. As dispensaries set up shop, they face many of the same risks as other businesses.

The fast-growing cannabis industry will become a prime target for cybercriminals:

1. It's a young yet rapidly growing industry that hasn't fully implemented risk management or security strategy or thinks it's too small to need one.
2. State law requires point-of-sale systems to track every plant, product, and person associated with the production and sale of marijuana.
3. Digitally enabled operations and sales conducted primarily online or through a mobile app for convenience must address compliance, as well as compliance with advertising restrictions.

The recent news of a data breach at point-of-sale vendor THSuite also shines a light on third-party risk management and customer privacy.

• What happened: Researchers at vpnMentor discovered an unsecured Amazon S3 bucket owned by THSuite.
• Where did this data come from: 85,000 files of sensitive data from various marijuana dispensaries around the US and their customers, including personally identifiable information (PII) for over 30,000 individuals.
• What data was exposed: Scanned government and employee IDs, full names of patients and staff members, dates of birth, phone numbers, physical addresses, email addresses, medical ID numbers, cannabis used, price, quantity, and receipts. For some dispensaries, this also included information like product lists, taxes paid, sales, returns, and discounts.
• What makes it a target: Mostly small businesses, little or no cybersecurity protection, and a trove of payment card industry (PCI) PII. For those handling medical transactions, protected health information (PHI).

Third-Party Risk

THSuite is not the first vendor in this industry to experience issues. MJ Freeway, a "seed-to-sale" tracking and business software for the legal cannabis industry, experienced a data breach exposing customer data in 2016, an attack involving theft of source code in mid-2017, and another cyberattack that disrupted operations in late 2017. MJ Freeway is a third-party POS system provider for many dispensaries. The 2017 cyberattack disrupted service for many of its customers, causing a ripple effect across the legal marijuana industry and sending profits up in smoke.

Third-party relationships such as vendors, service providers, suppliers, and, in this case, growers are critical for business growth and innovation. For the cannabis industry, third-party technologies connect growers with dispensaries and help dispensaries better service customers and more efficiently comply with rigorous state regulations. However, companies should remember that they are fully accountable and responsible for any negative consequences that may result from third-party relationships. Whether it's an outage, a breach, a ransomware attack, or any number of other incidents, your customers will blame you when things go wrong.

Regulatory risk

Cannabis has become a viable medical product for treating conditions such as Parkinson's disease, cancer, arthritis, and neurological disorders. Dispensaries that distribute medical marijuana to treat illnesses are considered healthcare providers under HIPAA. The Department of Health and Human Services, the agency that enforces HIPAA, takes the position that a medical marijuana dispensary may be a healthcare provider because a medical "prescription" is necessary to obtain "treatment." By this application, the patient medical data exposed in the THSuite breach could be subject to HIPAA violations, which can result in hefty financial penalties; in recent years, HIPAA settlements have reached the multimillion-dollar range.

Financial and investment risk

Dispensaries that operate as cash-only carry risks, too. They are a target for theft and require greater investment in physical security measures and added labor costs to manage and oversee this type of business. But regardless of whether a dispensary is cash-only or relies on a cannabis POS vendor to process payments, the current asymmetry between US federal and individual state laws is an additional complication. You can legally sell cannabis but cannot move the money electronically, so traditional financial institutions won't touch these transactions.

Wall Street is getting high on cannabis investment. For institutional investors, private equity, and venture capital firms, the cannabis industry offers tremendous growth potential. However, failure to implement privacy, security, and risk management best practices will be costly and could impact future legislation.

Reputational and privacy risk

Whether it's your business that experiences a security incident or breach directly or whether it's a third-party partner that does, the reputational risk is there -- for you. Customers may go to competitors if they don't trust you to protect their privacy, especially in states where there is choice and competition, such as California. Dispensaries in states where legalization is relatively new aren't immune to reputational risks either, whether that's the result of an IT outage, overly long lines, or running out of stock and being unable to handle demand.

Also, a data breach is one thing; mishandling consumer data is another. This is a privacy risk and a breach of trust. If you collect customer data for the purpose of marketing to them, do you have their consent to do this? Consider how you inform customers about their privacy rights, what data you collect, and why. How you protect data and your approach to privacy is a differentiator for business today.

Join Forrester's complimentary webinar to hear how IT leaders can transform their organizations with a customer-first mindset while their competitors play wait-and-see this year.

This post was written by Analyst Alla Valente and Principal Analyst Heidi Shey, and it originally appeared here.