Imagine this scenario: Hackers have infiltrated the computer of a new pot shop and now possess sensitive customer data such as names, addresses, birth dates and payment card numbers. Victims include residents of states where some or all types of marijuana are illegal.
Could a data breach notice bring unwanted scrutiny from state attorneys general looking to crack down on dispensaries? Would federal health regulators want to slap a penalty on a medicinal shop for not protecting medical data?
These are the types of legal questions marijuana sellers could be facing if they are lax about protecting the privacy of their customers, attorneys told Bloomberg Law. More law firms are developing cannabis-focused practices and are offering counsel to sellers as more states greenlight both recreational and medical marijuana.
“Privacy law compliance is one piece of the compliance pie that cannabis companies need to stay on top of,” Hilary St. Jean, a corporate tech attorney at Rogoway Law Group in San Francisco who works on cannabis industry issues, said in an interview.
Ten states and the District of Columbia now have some form of recreational cannabis rules, and 33 states in total have medical marijuana laws. However, all 50 states and the District of Columbia have data breach notification laws and privacy standards that any consumer-facing company must follow. These laws allow regulators to go after out-of-state cannabis companies that fail on privacy practices.
Retail sellers of recreational marijuana that collect payment card data instead of cash, or collect drivers’ licenses, are likely to face heightened hacking risks due to their troves of sensitive data. Medical dispensaries face similar privacy concerns, but have an extra layer of restrictions due to the federal Health Insurance Portability and Accountability Act and state equivalents.
Cannabis sellers could avoid many privacy lapses simply by following basic privacy and data security protocols in their state, cannabis attorneys said.
To help sellers meet the myriad regulations, large firms such as Dorsey & Whitney LLP, Duane Morris LLP, and Burns & Levinson LLP are offering legal guidance to navigate the shifting rules of a newly booming market. The recreational cannabis industry should bring in roughly $11 billion in sales in 2018, with that expected to reach $75 billion by 2030 as more states legalize marijuana, according to Bloomberg data.
All cannabis companies should have enough data security to prevent breaches in the first place. If hacked, companies could limit their legal headaches by having a comprehensive data breach response plan that alerts regulators and affected consumers, cannabis attorneys said.
“The same data security and privacy laws and regulations apply to businesses generally, regardless of the fact that cannabis is not legal federally,” St. Jean said.
Medical cannabis businesses must ensure they’re protecting sensitive health information under HIPAA standards and must separate health data from recreational information to stay in line with federal rules, they said.
“Medical records should be treated with the protection medical information in general is required to be treated under applicable” state privacy laws, St. Jean said.
Cannabis companies should know when to notify state regulators after a data breach, privacy and cannabis attorneys said. Even if a company operates in one state, businesses still have to alert consumers in other states that may have different notification periods or standards, they said. Some states, like California, also make cannabis companies follow specified data security standards to protect marijuana consumers’ sensitive personal information, they said.
A data breach could put a cannabis company in a precarious position if it has to alert a consumer in a state where marijuana isn’t legal, Griffen Thorne, tech and cannabis attorney at Harris Bricken, told Bloomberg Law. A state attorney general opposed to marijuana legalization, for example, may target out-of-state marijuana companies for partisan or personal reasons, going after them for minor privacy infractions, like not having updated privacy policies or leaking non-sensitive data, he said.
To lower enforcement risk, companies should alert all state attorneys general as soon as possible after a data breach, privacy attorneys said. They should also have a heightened focus on data security standards because the sensitive personal information they hold, such as driver’s license numbers, payment card data, and cannabis purchase history, is very enticing to hackers, they said.
Health privacy issues for the U.S. cannabis industry could soon go away as more states seek to legalize marijuana. Michigan voters approved recreational marijuana in November, and weed shops opened in Massachusetts over the Thanksgiving weekend. New York and Connecticut lawmakers said they’ll start to consider legalizing marijuana in 2019.
“This bifurcated approach may phase out more as the industry evolves, given that the need for medical referrals has waned in light of the ability to purchase the product recreationally in many areas,” St. Jean said.