Retail marijuana is big business, with retail pot sales expected to approach $30 billion by 2023.
By comparison, the entire U.S. market for organic fruits and vegetables was $5.8 billion last year.
Cannabis has been decriminalized in 27 U.S. states — and adult-use recreational marijuana is available for purchase in 12 of them.
Both recreational cannabis users and medical marijuana customers must provide a government-issued identification card to prove they are at least 21 or have a prescription to access dispensaries.
The collection, storage and security of that data raises many privacy and security concerns, cannabis industry and data-privacy experts tell Digital Privacy News.
“There is a lot of data collected in cannabis policy,” said Lewis Koski, chief operating officer of Metrc, a cannabis track-and-trace system based in Lakeland, Fla. Metrc is deployed in 13 states and the District of Columbia.
“Government is tasked with strictly enforcing laws and regulations — and to monitor that efficiently, industry participants report certain data points to make sure licensees and others adhere to all the requirements,” he said.
Dispensaries and the production facilities that supply them provide vast amounts of data about their operations to Metrc and other companies to ensure they adhere to government reporting regulations.
Consumers, meanwhile, provide an equally large amount of personally identifiable information every time they enter a dispensary to buy pot.
That data includes customer or patient names, dates of birth, addresses, driver’s license or medical ID card numbers and signatures. Other information could include cellphone numbers and email addresses, if customers sign up for dispensary loyalty-rewards programs.
Collection of the information varies by state.
Illinois, for instance, bars dispensaries from storing any personally identifiable information. Other states, including Colorado and Ohio, house the data on third-party software platforms that are used to track and manage inventory or for retail point-of-sale operations.
That data, however, has been breached several times in recent years.
Protecting client data is as paramount as safeguarding consumer information at point of sale, said Artem Pasyechnyk, co-founder and chief technology officer of Canix. The San Francisco company makes software for businesses across the cannabis supply chain to track products from seed to sale.
Pasyechnyk told Digital Privacy News that dispensaries generate vast amounts of data, including sales volume across various forms of cannabis consumption, top-selling strains — as well as additional insight that could help others quickly establish competing businesses.
“You don’t want other customers seeing how much you are making, your top customers, top strains and inventory,” Pasyechnyk said. “That is not fair.”
Security measures are woven throughout Canix’s data stack, he added.
Huge Data Breaches
Cannabis is a nascent industry, yet it’s already experienced several high-profile data and security breaches.
Last December, privacy researchers from the security firm vpnMentor uncovered a breach at THSuite, a cannabis point-of-sale software provider, that exposed more than 30,000 customer records.
The stolen data included scanned government-issued ID cards, as well as purchase histories, costs, dates and purchase quantities.
THSuite’s oversight, researchers at vpnMentor told Digital Privacy News, was failing to properly secure and encrypt the Amazon “simple storage service” bucket where the data was stored.
“In general, misconfigured buckets are quite common,” said Lisa Taylor, a researcher at vpnMentor’s research lab. “We find two or three leaks per month that are exposing critical data — and we can expect more and more of these happening until legislation catches up with technology.”
Messages to multiple email addresses listed on THSuite’s site were returned as undeliverable. The company is based in Illinois.
But THSuite was not the only industry data breach.
The State of Nevada in 2016 leaked the personal data of more than 11,000 people who applied to open or work at cannabis establishments throughout the state. Three years later, a Canadian cannabis company exposed electronic medical records of more than 34,000 customers.
In addition, MJ Freeway, the cannabis-tracking software provider, experienced significant data breaches in 2016 and 2018.
Those breaches, however, helped MJ Freeway enact more stringent data-security protocols, company officials told industry publication Leafly last year.
Established in 2010, MJ Freeway merged with MTech Acquisition Corp. in June 2019 to form Akerna Corp., the first cannabis technology company listed on the Nasdaq exchange.
Few Investment Dollars
Oftentimes, cannabis retailers fail to properly invest in cybersecurity measures as a core tenet of their business model, Experian, the consumer-credit reporting agency, wrote in its data breach forecast for this year.
Dispensaries also present ripe targets for hackers, according to Experian, because they house sensitive personal consumer information and patient records for medical cannabis users.
Trave Harmon, CEO of New England-based Triton Computer Corp., told Digital Privacy News that many dispensary owners failed to consider the full scope of network and internet security when establishing operations.
The company works with dispensaries, production and cultivation facilities.
“Even the orientation of the screens and how they may be gleaned from the public has to be positioned, secured, managed and monitored,” Harmon said.
“Wireless, digital signage, printers — and how people interact with the public are all paramount when deploying a dispensary.
“All point-of-sale machines should have endpoint protection, encryption, encrypted backups and true network segmentation to prevent any data leakage,” he said.
Taylor, the vpnMentor researcher, told Digital Privacy News that the onus of implementing stricter consumer-protection protocols falls upon dispensary operators.
Data must be well encrypted and access screened through multi-factor authentication, she said. Failure to enact these protocols could have wide-ranging effects for cannabis users, Taylor added.
“Patients whose personal information was leaked may face negative consequences, both personally and professionally,” she said. “Many workplaces have specific policies prohibiting cannabis use.
“Customers and patients may face hardships at work due to cannabis use being exposed — and some could lose their jobs if they work for a federal agency.”