In the US, cannabis is fully legal (medical and recreational) in 11 states and Washington, DC. For medical use, it is legal in 33 states. This is a flourishing industry, with one study conservatively estimating it will reach $30 billion by 2025. As dispensaries set up shop, they face many of the same risks as other businesses.
The fast-growing cannabis industry will become a prime target for cybercriminals:
The recent news of a data breach at point-of-sale vendor THSuite also shines a light on third-party risk management and customer privacy.
THSuite is not the first vendor in this industry to experience issues. MJ Freeway, a "seed-to-sale" tracking and business software for the legal cannabis industry, experienced a data breach exposing customer data in 2016, an attack involving theft of source code in mid-2017, and another cyberattack that disrupted operations in late 2017. MJ Freeway is a third-party POS system provider for many dispensaries. The 2017 cyberattack disrupted service for many of its customers, causing a ripple effect across the legal marijuana industry and sending profits up in smoke.
Third-party relationships such as vendors, service providers, suppliers, and, in this case, growers are critical for business growth and innovation. For the cannabis industry, third-party technologies connect growers with dispensaries and help dispensaries better service customers and more efficiently comply with rigorous state regulations. However, companies should remember that they are fully accountable and responsible for any negative consequences that may result from third-party relationships. Whether it's an outage, a breach, a ransomware attack, or any number of other incidents, your customers will blame you when things go wrong.
Cannabis has become a viable medical product for treating conditions such as Parkinson's disease, cancer, arthritis, and neurological disorders. Dispensaries that distribute medical marijuana to treat illnesses are considered healthcare providers under HIPAA. The Department of Health and Human Services, the agency that enforces HIPAA, takes the position that a medical marijuana dispensary may be a healthcare provider because a medical "prescription" is necessary to obtain "treatment." By this application, the patient medical data exposed in the THSuite breach could be subject to HIPAA violations, which can result in hefty financial penalties; in recent years, HIPAA settlements have reached the multimillion-dollar range.
Dispensaries that operate as cash-only carry risks, too. They are a target for theft and require greater investment in physical security measures and added labor costs to manage and oversee this type of business. But regardless of whether a dispensary is cash-only or relies on a cannabis POS vendor to process payments, the current asymmetry between US federal and individual state laws is an additional complication. You can legally sell cannabis but cannot move the money electronically, so traditional financial institutions won't touch these transactions.
Wall Street is getting high on cannabis investment. For institutional investors, private equity, and venture capital firms, the cannabis industry offers tremendous growth potential. However, failure to implement privacy, security, and risk management best practices will be costly and could impact future legislation.
Whether it's your business that experiences a security incident or breach directly or whether it's a third-party partner that does, the reputational risk is there -- for you. Customers may go to competitors if they don't trust you to protect their privacy, especially in states where there is choice and competition, such as California. Dispensaries in states where legalization is relatively new aren't immune to reputational risks either, whether that's the result of an IT outage, overly long lines, or running out of stock and being unable to handle demand.
Also, a data breach is one thing; mishandling consumer data is another. This is a privacy risk and a breach of trust. If you collect customer data for the purpose of marketing to them, do you have their consent to do this? Consider how you inform customers about their privacy rights, what data you collect, and why. How you protect data and your approach to privacy is a differentiator for business today.
Join Forrester's complimentary webinar to hear how IT leaders can transform their organizations with a customer-first mindset while their competitors play wait-and-see this year.
This post was written by Analyst Alla Valente and Principal Analyst Heidi Shey, and it originally appeared here.