Cyber Liability: The Ticking Time Bomb of Cyber Liability in Cannabis

In July 2017, the personal data of 143 million Americans, including Social Security numbers, birth dates, home addresses and credit card numbers, was stolen in a hack of consumer credit reporting agency Equifax. The Equifax breach is now considered the largest in U.S. history and the company is still working to clean up the mess, secure data and earn back consumer confidence. According to Wired Magazine, Equifax has recently invested over $200 million over the coming years to beef up cyber security and prevent another catastrophic breach.

A breach has the potential to ruin a company, large or small, but especially one in a newer and high-risk industry like cannabis, where medical records and private HIPAA-compliant information often come into play with business data collection. The average cost of a data breach to a business runs in the millions. Robert Gillette, an IT specialist with Berkeley, California-based Endsight, says Equifax’s big mistake was to reduce resources to the IT department.

Endsight is an outsourced IT provider that currently works with hundreds of businesses in the Bay Area, including some in the cannabis industry.

“Simple things were missed, and that is how that happened… When the organization does not consider IT to be the oxygen of their Maslow’s hierarchy of needs, if they think it is not important or not a foundation of their business, they make compromises. That’s when we see these compounding problems that end in a single big noticeable breach,” said Gillette.

Gillette says the cyber-security problems he sees in the cannabis industry are the same ones seen in the broader business community, but due to federal prohibition, the mistakes can be that much more complex to address and the consequences much more catastrophic.

Insurance Mitigates Risk

According to Martin Fox-Foster, director of claims for Emergent Risk, the cannabis industry is “woefully underinsured” when it comes to cyber liability.

“Not enough companies are purchasing cyber insurance. Simple as that. They either don’t think about it, treat it as a luxury or have never been educated by their broker on it. Cyber coverage will respond to a breach of data, a ransomware attack, a breach of payment card industry data and phishing scams,” Fox-Foster says.

Fox-Foster points out that large cannabis companies have already experienced breaches in cyber security, including delivery service Eaze and seed-to-sale tracking and point-of-sale software company MJ Freeway, which has been breached twice.

“For medical marijuana customers there is a larger issue in that some of the information held on these customers may be protected by HIPAA and is personal health information. The reputational harm of such a breach can also be devastating for a business. Companies in this space need to improve their cyber security, review their contracts with third party vendors and purchase robust insurance to assist them in the event of a claim,” he said.

Fox-Foster suggests implementing a defensive IT strategy to protect the company from breaches, but more importantly, purchasing an insurance policy that can cover legal costs and business interruption costs that could be incurred due to a breach.

“Not enough companies are taking cyber security seriously. For those that do, they aren’t considering insurance despite the fact there is broad coverage with minimal cost. Cannabis businesses could fall victim to numerous breaches and need brokers that understand placing good coverage and providing risk management beyond this,” he said.

Defense is the Best Offense

According to research done by IBM, 95 percent of business hacks are a result of human error. Gillette says that if a business really wants to make sure they are doing everything possible to be secure, especially in the emerging legal cannabis industry, what they need is a business process with a technology mindset that is anticipating and addressing the shifts in the industry itself, and instituting best practices.

“When most people think of cyber security what they want and what they are looking for is a piece of software, a single simple process piece of hardware that they can implement that is going to layer in the security they are looking for. This is the real challenge,” he says. “Unfortunately, there are thousands of ways to break into a castle. I can talk until I am blue in the face about appropriate password policies and dual authentication, but at the end of the day, if someone is writing down their password on a post-it note, that is a greater security breach than can be accommodated or mitigated by those types of solutions.”

Endsight works with its cannabis clients to pick the right processes and make sure that, from the top down, the best practices and policies are in place to build and maintain a secure network. Gillette says that oftentimes the solutions businesses have put in place aren’t actually appropriate because they are overlooking the risk of not taking the time to create well-managed internal controls. This includes everything from policies about employees joining and leaving the organization to evaluating what he calls “acceptable risk.” He says the challenge is that these businesses are not thinking about security until it is too late.

“They simply implement [security software] and assume because they haven’t felt the pain, their measures were appropriate,” he said.

Gillette points out that a lot of cannabis businesses are using point-of-sale software systems that are 100% hosted in the cloud. If the service provider goes down for any period of time, the business would have no recourse to challenge it. If these businesses decide that the loss of revenue from any outage would be too high to be considered an acceptable risk, they need to prepare for the worst now by putting a control in place to minimize it.

Gillette says the investment up front prevents the possibility of an Equifax-style disaster.

“If a CEO or the venture capital group has a mindset right out of the gate of investing in security tools as a business practice, all levels of the organization will be more secure and reduce their cyber liability. The challenge is when a business thinks of their IT as an …operational overhead to be minimized, that’s where we see compromises that lead to individual issues,” Gillette says.


Kirk is a proven compliance, risk analysis and business strategy leader with more than 20 years of cannabis consulting and insurance industry experience.