Data security for the cannabis industry
By Treena Hein
It affects an entire industry when a data breach occurs. In Canada’s cannabis sector, the two most-recent breaches in the news involved personal information – in the second case, very personal.
By Treena Hein
In November, data from 4,500 Ontario Cannabis Store (OCS) customers was stolen using the Canada Post package delivery tracking tool. No more detail on what happened has been presented. At the end of 2018, a medicinal cannabis referral firm located in Calgary, called Natural Health Services, also had a breach involving a whopping 34,000 patients. Although the details are not yet clear, it looks as though this breach went beyond names and addresses to access of private medical information.
The purpose of these attacks – what the thieves might want to do with the data – is also not clear. But whatever the reason, we can be certain that data security is a critical issue in the cannabis sector.
Different types of cannabis businesses must secure different types and amounts of data. Licensed cannabis producers, which generally sell medicinal cannabis online, might sell recreational products in Manitoba and Saskatchewan, and also have physical stores in some provinces. As such, they have a lot of data to secure, including sensitive medical information. Then there are government-run online purchase systems for recreational products, such as OCS in Ontario, which must secure names, delivery addresses and more. Privately-owned and government-run stores selling recreational cannabis in various provinces would have very little client data to manage – and none at all for customers who pay in cash.
However, even in a store scenario where customers use cash customer-specific data, like email addresses, might be requested and subsequently stored for mailing and marketing purposes, such as online newsletters or special offers, says Ryan Lalonde, CEO at Buddi, a Vancouver-based platform for cannabis retailers providing cannabis education and product information.
In the cannabis sector, beyond personal data of customers, data which might be taken from a company could include intellectual property, research results and financially-sensitive information, “all of which make [cannabis firms] especially attractive targets for cyberattacks,” notes business services provider Ernst & Young (EY) in a recent web article. These attacks, which commonly involve ransomware, malware and phishing, “are becoming more prevalent, severe, and sophisticated,” the company adds.
Any discussion of data security must include the fact that while data breaches involving personal information are reported, attacks that don’t generally aren’t. That is, there is no way to know exactly how many data attacks are actually occurring within any industry, or the degree of success of these attacks.
Data security in the cannabis sector is not just about cyber attacks. Indeed, cybersecurity attorney Kathryn Rattigan states in an article in the National Law Review published in January, that “additionally, many of the same threats apply to the cannabis industry as those that affect all other businesses that are collecting data – use of public wi-fi by employees, loss of paper records, connected smart devices to your company’s network, and email phishing scams.”
What to do
Lalonde notes that for each type of data, there is a set of proper corresponding actions to take to secure it. Data on paper, for example, must be locked up (physical security) and when no longer needed, fully destroyed. Access to digital information should be restricted to appropriate personnel (organizational security) and that access should be monitored. All access should require strong passwords and stored in an encrypted format with firewalls in place (technological security). There should also be a regular deletion of digital data that is no longer required.
Precautions aside, since a breach is always a risk, experts also recommend making preparations for that eventuality. “Definitely have a plan in place,” says Lalonde, “to replace the data set, detect what was compromised, notify customers if required, and so on.”
Bryson Tan, EY Canada associate partner (cybersecurity), agrees that a data breach response plan is important, noting also that the design and management of that response plan may be one of the data security tasks that cannabis firms choose to outsource.
“What a company outsources or does in-house depends on the approach it takes and the level of complexity,” he explains. “Firms with a good IT team can certainly do some of the basics in-house, like firewalls, configuration management, encryption and security monitoring (monitoring for malicious activity). A lot of operating systems have encryption included, so a sharp IT person on staff can handle its management.”
However, more complex tasks, such as penetration testing (simulated hacks to test for weaknesses) and breach response, are often outsourced.
“At the point of a breach, you really need an experienced team to call on,” notes Tan. “This team will do everything possible to seal the breach, figure out what happened and take other appropriate actions. It’s invaluable to have access to the right resources and skill set when you need them most. Not only will the situation be handled effectively, but having that expert team takes the pressure off your staff in terms of making the best decisions about what to do next and who needs to be involved, whether that’s certain company IT or HR personnel, external counsel and so on.”
Any breach response plan worth its salt will include steps for accessing back-up data and restoring affected systems. This means that as a standard operating procedure, all pertinent data should be regularly and continuously copied and stored in a separate storage system.
Tan notes that this is quite achievable in a cost-effective manner and may reduce overhead and capital costs. “Moreover, companies should test their incident and crisis management plans on an ongoing basis,” he says, “so that they are adequately prepared in the face of an active cyber attack.”
Not only must firms test their plans, but they also – in Tan’s view – must ensure they do not let their technology become outdated. Allowing this, along with other possible lapses, makes a firm “more susceptible to attacks, with a potentially crippling effect on day-to-day operations. That’s why it’s so important for cannabis companies to implement proactive, ongoing efforts to re-organize and update cybersecurity measures in today’s climate.”
Data storage, insurance and more
In terms of storage security, there are many experts who highly recommend storage on servers only within Canada – as storing data on servers located in the U.S. for example, could put it at risk for access by law enforcement agencies. However, there are others who think it’s perfectly fine, so each company must weight the pros and cons in doing due diligence.
As to whether firms should outsource storage of large data instead of using their own servers, Tan believes there are benefits and challenges to both avenues – but the same warning applies. That is, if you have your data stored with an outside party, it’s critical that ongoing risk assessments as well as other security management duties are being performed through an independent third party. Otherwise, Tan warns, “there could be even greater risk.”
For his part, Balaji Gopalan recommends using the large ‘public’ cloud storage companies to store any digital health-care information: Amazon, Google or Microsoft.
“Smaller providers may not have the security protocol commitments needed,” explains the co-founder of MedStack, a Toronto-based firm offering automated infrastructure management specifically for application developers in health care. “Unless you’re leveraging a platform purpose-built for health-care compliance, you will also need a security ‘DevOps-skilled’ (development and operations) team to create secure infrastructure to interface with these storage systems.”
Cannabis firms should also look into cyber liability insurance to help deal with a breach. “Definitely explore your options to manage risk, just as you do with other forms of insurance,” says Tan. Looking at all sectors of the economy, EY’s 2018-19 Global Information Security Survey (GISS) indicates that 65 per cent of respondents from around the world don’t have cyber insurance.
Gopalan believes every cannabis company should have cybersecurity insurance, and adds that the cost of premiums is related to the degree of security that the insurance company perceives to be present.
“I can’t say that an insurance company will refuse to insure a cannabis or any other firm with poor systems, but your rates will be high because you are a higher risk,” he notes. “We decided to work with an insurance firm to really have them understand the security of our system, and this firm now offers preferential rates to our health-care app developer customers because our platform ensures that their risk of a data breach is so low.”
Tan also believes that executives of all stripes need to boost their data security knowledge level. In EY’s survey, only 16 per cent of respondents believe their boards have sufficient information security knowledge to fully evaluate cyber risks.
“Clearly there is a gap that must be addressed,” he says, “and companies across all industries would be wise to invest accordingly and implement a robust cyber strategy with sophisticated technology and security measures in place.”
“The reality is,” says Tan, “that cyber attacks are a matter of ‘when’ rather than ‘if’ for any company.”
Download a free report from Ernst & Young entitled, ‘Managing cyber risk in Canada’s new cannabis sector’ here: ww.ey.com/Publication/vwLUAssets/EY-cannabis-cyber-risk-en/$FILE/EY-cannabis-cyber-risk-en.pdf
Treena Hein is a freelance writer based in Toronto.