Two of the biggest news drivers in the business world in recent years have been cannabis and data security. But they are usually discussed separately; there has not been much of a sustained focus on data and cybersecurity in the cannabis industry. We hope that changes because the cannabis industry is particularly vulnerable to data security issues.
That vulnerability stems from several sources. First, the cannabis industry collects a lot of data, especially the medical cannabis industry. It is oftentimes sensitive data regarding health conditions and purchases of a product deemed illegal in many jurisdictions (and perhaps stigmatized even in legal jurisdictions). So there is significant low-hanging fruit for hackers and others with bad intentions. Second, federal illegality makes many businesses afraid or unable to work with cannabis companies. This limits the services that are available to cannabis companies, including cybersecurity and data protection services. Federal illegality also limits access to capital, and less access to capital means less spending of that capital on items such as cybersecurity. Third, the cannabis industry is in its infancy, with many companies in the space operating as start-ups. The lack of maturity makes the industry vulnerable in comparison to other developed industries.
A recent article in Vice highlights the data security issues that the cannabis industry faces. Reportedly, an “unencrypted Amazon S3 bucket” owned by a software company that allows cannabis companies and government officials to track cannabis transactions was available on the internet for several weeks. Apparently, 85,000 files were available, with at least 30,000 containing personally identifiable information, medical histories, and/or cannabis purchasing records.
It is not clear yet how wide the fallout will be, but one can imagine pretty serious ramifications for the software company and its customers if this type of information gets into the wrong hands. For other cannabis companies, perhaps this will be a wakeup call regarding the very real data security risks associated with the cannabis industry. We are following cybersecurity and data protection issues in the cannabis space, and will continue to report on them on our blog.
Sign up for our newsletter and get the latest to your inbox.