6 April 2017
Interesting piece authored by Rachel Hutchinson an associate in the firm’s Administrative Law and Litigation departments. Her bio informs us that she works on general litigation matters, including government investigations and complex commercial disputes.
Legal marijuana is America’s fastest-growing industry. According to ArcView Market Research, cannabis revenue is expected to exceed $22 billion by 2020—nearly double that of the NFL. This past year, Colorado saw its sales reach over $1 billion. Here in Massachusetts, sales are expected to grow to $900 million within three years. Given the nationwide trend toward legalization (at the time of writing, seven states and the District of Columbia have legalized recreational use, while twenty-nine states have legalized marijuana in some form), cannabis is becoming an attractive investment.
But the industry faces significant challenges. Marijuana is still illegal at a federal level, and state regulations are constantly shifting. As Jennifer Carney of the Signal writes, imagine trying to build a viable business model when the rules change from month to month, you can’t write off your business expenses, and your customers can’t use credit cards.
One particular challenge facing the industry is data privacy. Legalization has led to increased oversight and monitoring, as well as to the collection and storage of personally identifiable information. But there is pushback from consumers. Data-collection practices are viewed with suspicion, even ones as routine as email-based rewards programs. The threat of a federal crackdown leaves most customers resistant to creating any sort of paper trail.
Anonymity cannot continue forever. Investors, especially big-ticket investors that bring the kind of legitimacy the industry craves, want data. Brand preferences, strain preferences, buying and consumption habits—all are waiting to be mined, tracked, and exploited. As more consumer information is collected, data security will play an increasingly important role. To protect their customers, cannabis retailers will need strong privacy policies, up-to-date security measures, and data-breach response plans.
Below are just some of the ways data privacy and the cannabis industry intersect.
Cybersecurity Breaches Abound
Customers have good reason to worry about data security—multiple medical marijuana databases across the country have already faced cybersecurity breaches.
For example, in June 2016, The Washington State Liquor and Cannabis Board suffered a breach when the agency accidentally disclosed license applicants’ personal information in response to a public records request. The leak included tax records, social security numbers, driver’s licenses, and financial information. The information was posted online before the agency could correct its mistake.
In late 2016, the Nevada Division of Public and Behavior Health suffered a similar blow when its medical marijuana database was hacked. Over 11,000 cannabis retail owners and employees had their information published online, a data dump that included names, social security numbers, races, addresses, and citizenship information. The Division had to shut down its database for over a month. In the meantime, dispensaries were forced to handwrite patient information in order to stay compliant with Nevada regulations.
Centralized compliance systems are especially vulnerable. In January 2017, the national database MJ Freeway, a multi-service compliance program used by medical marijuana dispensaries across the country, was the target of a cyberattack. Although no client data was reported stolen, the database itself was disabled for days, forcing 1,000 marijuana retailers in 23 states to handle sales, patient records, inventory tracking, and regulatory compliance issues alone. Many retailers had to close temporarily as a result.
Here in Massachusetts, the medical marijuana industry has seen its own share of privacy issues. Back in 2015, the health department confirmed the approval of over 6,800 patients via email. The emails contained detailed personal information, including patients’ names, email addresses, and state-assigned program ID numbers—everything needed for a hacker to gain access to the state’s medical marijuana database and access sensitive personal information. The health department was heavily criticized for sending the confirmations via an unsecured channel.
Privacy Concerns Loom Larger with Marijuana
When it comes to privacy, marijuana is different, both as a product and as a medical treatment. While patient information of any kind must be safeguarded, there is special sensitivity surrounding marijuana use. Stigma about cannabis, as well as fears about federal oversite, make marijuana-related data especially vulnerable to breaches.
This sensitivity extends to the recreational marijuana industry. Few people look over their shoulder walking into a liquor store, but many customers think twice before walking into a dispensary. People are worried about data falling into the hands the federal government, but also the hands of their employers. As Foley has noted, legalization does not always spell the end of workplace drug tests.
Legislators are beginning to recognize the danger. For example, in Oregon, concerns about a potential crackdown from the Trump administration prompted legislators to propose a law that would require cannabis dispensaries to destroy customers’ personal information within 48 hours.
Data Collecting Practices Are Growing
But such laws are at odds with the needs of investors and retailers, who want more information about customers, not less. As Jennifer Carney points out, we are at the dawn of quantified cannabis. While the industry has resisted using technology in the past, largely due to legal concerns, the “green rush” toward legalized marijuana has created an opportunity for Silicon Valley to step in. Data science is poised to bring marijuana products out of the dark ages and into the 21st century.
Tech companies are already taking advantage. For example, Weave, a software company based in Boulder Colorado, uses data science to provide product analytics for dispensaries and point-of-sale menus for consumers. Flowhub, a Denver-based start up, offers a mobile device for scanning RFID plant tags and a cloud-based point-of sale system for dispensaries. The system automatically reports sales to state’s compliance databases, and allows dispensaries to scan their customers’ ID’s for age and state of residency to confirm what they can buy based on state-specific regulations.
For better or worse, the trend in the industry seems to be towards cloud-based operations. In 2016, Microsoft announce that it was partnering with Los Angeles-based start-up Kind Financial to create software that will help states, counties, and municipalities track marijuana compliance. Microsoft has offered up its Azure cloud platform for the project. And as every industry expert knows, as goes the cloud, so goes the data breaches.
For Marijuana Companies, Robust Cyber Security Is a Must
Technology and cannabis will continue to intersect as the industry grows. E-commerce, advertising, and increasingly sophisticated data collection and analytics are all on the horizon.
Right now, the needs of consumers and companies seem to be at odds—consumers want less data collection, while tech companies and investors want more. If companies are to maintain consumer trust, strong cyber security measures are a must. After decades of criminalization, many customers remain skittish about the product they are consuming. Even in legal retail stores, shoppers will often give a fake name at the check-in counter after showing their real ID, so that their first names are not spoken aloud by staff. Others resist providing cellphone numbers or emails, even when doing so garners them significant discounts by way of coupons and insider-only deals. Cyber security will be essential to bridge the gap between consumers and companies.
The marijuana industry has a long future ahead of it, and data privacy and cybersecurity are bound to play a starring role. Watch this space for updates.