cannabis data breach
Cannabis businesses may be especially vulnerable.

Virtually everyone knows about breaches of companies like Equifax. Massive breaches have happened to established, mega-companies who still took major reputational and monetary hits after they were breached. What many people don’t realize is that it doesn’t take a major breach to devastate a business. We don’t want to be dramatic, but we also don’t want to downplay the significance of breaches—they are coming, and cannabis companies that are not prepared may be left in the dust.

Data breaches can range from anything from malicious hacking to the simple loss of a laptop containing unencrypted “personal information”. In either case, if statutorily defined classes of personal information were accessed or acquired without authorization, the party who held the personal information must provide written notification to the affected individuals within a relatively short period of time, and in many cases to other services like credit monitoring. This may seem like a straightforward process. It is not. Just figuring out what kinds of information may have been accessed and whose information may have been accessed could take tens of thousands—if not hundreds of thousands—of dollars in forensic review.

Take the following example: A human resources manager is the victim of a phishing attack. Typically, forensic review of the affected account may need to be undertaken to determine what part of the manager’s email accounts were accessed—did the attacker review one email, or access the entire mailbox? If the forensic vendor determines that the entire account was or could have been accessed, the entire account may need to be “data mined” at a high per-gigabyte cost to see whether emails contain personal information that could require reporting. This could potentially involve tens of thousands of dollars in expenses for one account. Now imagine this happens to five employees.

Not only is this piecing together of events time consuming and expensive, but it only gets half the job done. Once a list is made of the affected individuals and reportable information, notification (often drafted by lawyers) needs to be provided to individuals. This requires engaging companies to ensure that the individuals live where they are thought to live, and to physically mail notification letters out. Then, usually at a certain price per enrollee, credit or identity theft monitoring is provided.

It’s not difficult to see why this process is expensive, and the fact that it needs to occur in such a short period of time can cause intense pressure on an enterprise. To boot, in many states, attorneys general need to be given notification if a certain threshold of citizens of those states were notified of a breach. These attorney generals can (and sometimes do) request detailed summaries of how the breach happened and can even bring administrative actions against the companies who were the victims of the data breach.

Breaches are not unique to the cannabis industry —the Breach Level Index (“BLI”) estimates that more than 14 billion data records have been lost or stolen since 2013, with an average frequency of an astounding 6.9 million records per day. However, this industry is particularly susceptible to data breaches and their damaging effects for many reasons. Here are a few examples:

  • Companies may not be willing to report breaches to federal authorities like the FBI or IRS, who otherwise would likely be notified, in light of the federal illegality of cannabis. Malicious actors may believe that this gives them some sort of advantage—and to some extent it does if law enforcement is not given notice.
  • Given the state of banking in the cannabis industry, cannabis businesses may use cryptocurrency, which could have keys that are stored on electronic devices that are capable of breach. This could expose a cannabis business to financial losses unlike in virtually any other industry.
  • The reputational harms to an up-and-coming licensee could destroy a cannabis business. Even though many of the stigmas around cannabis have gone away, many people wouldn’t want their employer or the general public to know that they bought cannabis. Imagine what a government employee would think if a cannabis business was the victim of a breach and his or her employer suddenly could find out about the employee’s purchase history. That business probably would not last.
  • The industry is forced to interact with technology in a way that many others are not. In California, as well as most other states with licensing regimes, cannabis companies must implement track-and-trace systems to monitor all commercial cannabis activity. Licensees of the California Bureau of Cannabis Control (“BCC”) are legally prohibited from transporting, transferring, or delivering goods during outages of track-and-track systems—i.e., doing most kinds of business. What happens when they are the victim of a ransomware attack (a situation in which a hacker encrypts all computer systems and demands compensation in cryptocurrency or something similar in exchange for the decryption key, which may take days or weeks to fully restore)? Businesses could literally bleed out while trying to negotiate with–or pay a ransom to–someone across the globe.
  • State attorneys general may need to be notified of certain data breaches. If an attorney general in a state in which cannabis was not legal receives notice that a number of the attorney general’s home state citizens were the victims of a data breach, that attorney general may want to target that cannabis business with an enforcement action.

These are just a few of the unique pressures the cannabis industry faces.

Breaches are in many senses inevitable. There is still a lot that companies can do to reduce the impact of them or to attempt to prevent them. Below are a few:

  • Having a privacy policy and sticking to it. We’ve written about the need for policies before, and the potential penalties for not complying. We get the sense that a lot of cannabis businesses think of this as unnecessary or just a rote copy-and-paste job. This is not accurate. These policies are detailed, and are designed to identify the information gathering and usage policies of an organization. If an organization follows a policy, then it should in theory know what information it has, and where. This could be the difference in whether significant time and resources are spent tracking down potentially accessed information.
  • Complying with relevant information security standards. Many states actually require businesses to adopt certain standards when it comes to information storage. Technical measures can be adopted to reduce the likelihood or impact of breaches.
  • Planning for breaches. Training employees, and having plans for what to happen in the event of a breach, could also avoid or lessen the impact of a breach.
  • Considering insurance. Insurance companies are starting to provide cyber liability insurance, which could cover the costs of some breaches. This won’t actually prevent a breach, but may stop a company from spending significant amounts of money in response to a covered breach.

The point of this post is to highlight just how significant breaches can be for cannabis businesses. Preparing now, rather than after they occur, could avoid a great deal of issues later.

california cannabis marijuana privacy policy
No longer optional for your canna business website.

Unless you’ve been living under a rock for the past few months, you’ve probably read about the host of sweeping new laws in California, like its new Internet of Things law, cannabis privacy law, or net neutrality law, to name just a few. California has long been regarded a trailblazer when it comes to making people who are outside of California do things to comply with California law. So it probably comes as no surprise that website operators outside of California may need to comply with a privacy policy law in California: the California Online Privacy Protection Act.

Pursuant to this law, any business that owns or operates a website that advertises to, services, or in many cases is simply accessible by California residents will almost certainly need to conspicuously post (and—importantly—actually follow) a privacy policy containing statutorily defined disclosures. This requirement applies when a website collects “personally identifiable information” about California consumers, including first and last name, home or other address, email address, telephone number, Social Security number, or any other information that would permit a person to contact a website user (either physically or online). Moreover, a policy may be required even for businesses located in distant areas of the United States just by virtue of the fact that its website can collect this information.

If a company fails to create or adhere to a privacy policy and does so either intentionally or in a material and negligent way, that company may be in violation of the law. The law does state that website operators will not be in violation until 30 days after being notified that their website does not contain a privacy policy, but it does not specify where notification can come from (i.e., the state or any source), which means that reliance on this window may be risky. The law is enforced by the California Attorney General, with penalties of up $2,500 per violation. These penalties could be a severe for businesses that offer mobile apps, as the California Attorney General has taken the position that a new (potentially $2,500) violation occurs each time a non-compliant app is downloaded.

You may be wondering how this applies to your cannabis business. The fact is that there are numerous ways in which even seemingly passive websites collect protected information from and about users. Even if your website does not sell any products, it may include “Contact Us” or mailing list subscription portals which collect protected information. If your website sells or ships any sort of product, it may collect at least some protected information. Even if your business has not collected information about any California residents in the past but simply could do so, the mere possibility may mean it needs to comply.

Furthermore, there are other good business and legal reasons to post and adhere to a privacy policy. Customers appreciate when businesses are transparent about their privacy practices. For obvious reasons, ensuring that cannabis customers’ privacy is maintained is important. Additionally, in the event of a data breach which requires notification to state or federal authorities, the fact that a company took steps to maintain customer privacy may be important considerations in determining if any enforcement actions should be taken.

The good news is that, unlike some laws or regulations that cannabis companies face, California’s privacy policy law is relatively straightforward in that it specifies what a company needs to disclose in a privacy policy and how that policy needs to be displayed on a website. That said, ensuring that a privacy policy accurately describes a company’s current and future privacy practices can be a challenge, and inaccurate or gratuitous statements in a privacy policy could expose a company to additional liability. In other words, a policy needs to be tailored to a company’s specific practices, and so copying language from other privacy policies could cause even more trouble for a company.

Cannabis companies have enough to worry about. They shouldn’t add to the problem by failing to address privacy or data security laws. A good place to start is engaging counsel to draft a comprehensive privacy policy. After all, at least according to California, one is required.

cannabis marijuana IOT
Cannabis things included.

Two years ago, we published a series of posts about the cannabis industry’s embrace of the Internet of Things (“IoT”)—the network of physical objects connected through the Internet—for use in everything from garden sensors to dispensers. In that same series, we also discussed some of the potential legal risks and ramifications of using the IoT in the cannabis business—particularly some of the privacy and security risks inherent in the IoT.

Just last week, California Governor Jerry Brown approved of SB-327, the first information security law in the U.S. specifically targeting the IoT. SB-327 takes effect on January 1, 2020, and will require manufacturers of connected devices—essentially, devices in the IoT—to equip them with “reasonable” security measures. These security measures must be appropriate to the nature of the devices and information they collect and contain, and must be designed to protect the devices from unauthorized access, destruction, use, modification, or disclosure. SB-327 also requires devices that can be accessed outside of a local area network either to be equipped with a unique password or to allow a user to generate its own password.

It’s important to emphasize that SB-327 does not impose any requirements on users of IoT devices, but rather to manufacturers. So, for many businesses in the cannabis space that rely on the IoT, no real changes in operations may be necessary. Both plant-touching and ancillary marijuana companies that manufacture qualifying devices, on the other hand, may need to re-do or even re-invent their products.

It’s also important to note that the law applies to more than just California manufacturers. It applies so long as a business manufactures—either itself or through a contracting third party—qualifying devices that will be sold or offered for sale in California. Crucially, there is no threshold for product sales in California. Consequently, any manufacturer, anywhere, could be subject to SB-327.

Complying with SB-327 may be as simple as assigning randomly generated passwords to each device or re-tooling software or firmware to provide more robust security protection. But for some manufacturers—especially of devices that gather or contain sensitive information—compliance may be more involved and may require a ground-up reinvention. Consultation with counsel is always the best step towards compliance.

oregon marijuana cannabis data securityLast week we discussed the data breach notification laws with which cannabis companies doing business in Oregon must comply following a cyber intrusion. Today, we discuss the safeguards these companies must adopt to protect the security, confidentiality and integrity of customers and employee (collectively, “Consumer”)’s personal information, who reside in Oregon.

Pursuant to Oregon Revised Statutes (“ORS”) § 646A.622 any business that “owns, maintains or otherwise possesses, and has control over or access to,” written and electronic data that includes personal information used for business purposes, must develop, implement, and maintain reasonable safeguards to protect the personal information.

Generally, “personal information” means a Consumer’s first name or first initial and last name in combination with, for example, a Consumer’s social security number, driver license number or financial account information, if (1) encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and (2) the data element or combination of data elements would enable a person to commit identity theft against a consumer.

The company must act in accordance with this law by:

(1) Complying with:

  • State or federal laws with greater protections for personal information than ORS § 646A.622;
  • Gramm-Leach-Billey Act as of January 1, 2016 as of June 2018, if the company is subject to this act; or
  • Requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as of June 2018, if HIPAA applies to the company;

and

(2) Implementing a security program that includes:

Administrative Safeguards, such as:

  • Frequently identifying reasonably foreseeable internal and external risks;
  • Frequently training and managing employees in security program practices and procedures; and
  • Selecting service providers that are capable of maintaining appropriate safeguards and adhering to procedures and protocols to which you and the service provider agree, but also requiring the service providers by contract to maintain the safeguards, procedures and protocols.

 Technical Safeguards, like:

  • Assessing risks and vulnerabilities in network and software design;
  • Taking reasonably timely action to address the risks and vulnerabilities; and
  • Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;

and

 Physical Safeguards, including but not limited to:

  • Monitoring, detecting, preventing, isolation and responding to intrusions timely and frequently; and
  • Disposing of personal information after you no longer use it for business purposes, pursuant to local, state and federal law.

So what does all of this mean? Simply put, business owners with 100 or fewer employees (which includes almost all Oregon cannabis businesses), will comply with these statutory requirements if their information security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate to: (1) the size and complexity of their business; (2) the nature and scope of their activities; and (3) the sensitivity of the personal information collected from or about a Consumer.

Cannabis business should take these safeguard standards seriously. Each violation if subject to a penalty of up to $1,000. Note that each day of a continuing violation is a separate violation, but the maximum penalty for any occurrence is $500,000. Civil penalties under ORS § 183.745 may also apply.

Complying with ORS § 646A.222 is not only required by law, it is also a very good idea for all cannabis business. Indeed, developing a vetted, comprehensive plan of action is the best way to effectively respond to an attack and to reduce the amount of damage to your company. Be safe out there!

oregon marijuana data breach cyberA few weeks ago, we mentioned that cannabis companies that fall victim to a data breach are required, under state law, to inform employees and customers whose data was compromised by the intrusion. However, not every stolen piece of information demands notification. This post further dives into these laws—all 50 states have now enacted breach notification laws—by addressing the notification requirements imposed by the State of Oregon.

Oregon Revised Statutes (“ORS”) 646A.602 defines “breach of security” as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” “Personal information” means an Oregon resident’s:

  • Social security number;
  • Driver license number or state identification card number;
  • Passport number or other identification number;
  • Financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account;
  • Physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction;
  • Health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the resident; or
  • Any information about their medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment information.

Personal information also includes any of the data elements listed above, without the resident’s name, if the data elements, alone or in combination with others, would enable a person to commit identify theft against the resident.

However, the breach of a resident’s personal information does not, in and of itself, prompt the notification requirement. In Oregon, notification is not mandated if, after an appropriate investigation or consultation with law enforcement agencies, the company reasonably determines that the resident has not and is not likely to be harmed from the breach. Such determination must be documented in writing and maintained by the company for a minimum of 5 years.

If the company determines that the stolen data will harm or is likely to harm the resident, then the company must notify the resident “in the most expeditious manner possible, without unreasonable delay,” but no later than 45 days after discovering or receiving notification of the breach. Notification may only be delayed if the notice were to impede on a criminal investigation.

The notification, which must be made in writing, by phone or electronically, must include, at a minimum:

  • A description of the breach in general terms;
  • The approximate date of the breach;
  • The type of personal information that was subject to the breach;
  • The company’s contact information;
  • The contact information for national consumer reporting agencies; and
  • Advice to the consumer to report suspected identity theft to law enforcement, including the state Attorney General and the Federal Trade Commission.

Moreover, if more than 250 residents are notified, the company will be required to submit, in writing or electronically, a copy of the notification to the Attorney General. If more than 1,000 residents are notified, then the company will also have to notify all nationwide Consumer Reporting Agencies.

Data breach notification laws are demanding on hacked companies, but they are not the only laws with which these business entities must comply following a cyber attack. State and federal laws, including employment, medical, and financial laws, usually apply. In addition, states like Oregon impose pre-data breach measures, also known as information security standards—we will further cover this issue in our next post—on any company doing business in the state to protect the security, confidentiality and integrity of personal information before a breach. (California just passed one such law, specifically targeted at marijuana businesses.)

Cannabis companies affected by a data breach should always consult with experienced cyber security attorneys to avoid any civil penalty, but also to retain public confidence and maintain their competitive edge in this high-risk cyber environment.

Hacking back isn’t the answer, unfortunately.

As I have discussed for the last two weeks, cannabis businesses have become increasingly vulnerable to cyberattacks. It is natural for a company victimized by data breaches to want to retaliate by hacking back. However, under current U.S. law, which is codified under the Computer Fraud and Abuse Act (“CFAA”), it is strictly prohibited to intentionally access another’s computer without authorization.

Legislators have given some thought to this problem. Most recently, the re-introduction in October 2017 of the Active Cyber Defense Certainty (“ACDC”) Act, a bill sponsored by Congressman Tom Graves (R-Ga) and Congresswoman Krysten Sinema (D-Az), raised questions about the legality of counter attacking. Indeed, the ACDC Act proposes to amend the CFAA and enable victims of cyberattacks to adopt active defensive measures to identify the hackers, destroy information originally stolen from the victims’ networks, and attack the intruders’ servers to interrupt the ongoing attack. Although an eye-for-an-eye form of justice is appealing, unauthorized access to networks is not a good idea. Here is why.

First and foremost, the ACDC Act has not be enacted. This means that the CFAA remains the law of the land, and accessing others’ computer systems without their permission is a criminal offense. Every state law punishes hacking under the computer crime statutes. These crimes carry serious penalties ranging from a class B misdemeanor (punishable by up to six months in prison, a fine of up to $1,000, or both) to a class B felony (punishable by up to 20 years in prison, a fine of up to $15,000, or both).

Second, even if retaliation were legal, most companies would lack the expertise required to safely conduct an offensive cyber operation. It is incredibly difficult to identify individuals and entities behind cyberattacks. Most intruders cover their tracks very carefully by using encryption and by routing strikes through others’ computers. Given this, counter hacking would most certainly result in attacking computer systems and destroying data belonging to innocent third parties.

Then, there is the issue of whether victim companies have the technical proficiency required to effectively take counter measures against cyber intruders. Indeed, the internal tools needed to effectively hack back represent a major undertaking: a high level of expertise, constant vigilance, and huge financial resources. Moreover, it is highly unlikely that companies that could not prevent the intrusion of their networks would manage to take on their attackers on their own digital turf.

Lastly, retaliation by companies that fell victim of a data breach would most certainly impede law enforcement investigations and delete or temper with evidence that could be useful in a prosecution. Unlike law enforcement agencies, companies do not have the relevant technical expertise or diplomatic tools to pursue hackers. Most companies ignore how to preserve a chain of custody that would enable the introduction of untampered evidence at trial. In addition, counter hacking is an incredibly dangerous endeavor because it is very difficult, if not impossible, to see what a company would be up against. In retaliating, a company would run the risk of escalating the situation and of further injuring itself.

As I have discussed before (here and here), no one and no company is immune to cyberattacks. It is understandable that companies, including cannabis companies, are getting tired of being passive and of merely defending against these breaches. However, hacking back is not a feasible option given its illegality and the negative consequences it could have on the retaliating company. When faced with a data breach, don’t let your emotions dictate your actions; instead, stick with a comprehensive plan of action that will help you minimize your damages and let skilled, experienced law enforcement agents do the job of tracking and investigating your attackers.

cannabis marijuana cyber attack security
Be prepared!

As I discussed last week, hacked devices, breached networks, and stolen proprietary information have become commonplace in the cannabis industry. Because cybercrime variants are continually emerging, no company can achieve totally assured cybersecurity. Consequently, we strongly encourage all our clients to adopt a cyber incident plan for responding to attacks before they occur. Developing a vetted, comprehensive plan of action is the best way to effectively respond to an attack and to reduce the amount of damage to your company.

This post highlights some of the best practices for preparing and responding to a cyberattack.

Before falling prey to a cyberattack, your company should:

  1. Identify Valuable Assets. Depending on your needs, it may be cost prohibitive to protect your entire business. Therefore, before creating a cyber incident plan, you should determine which data, assets, and device warrant the most protection.
  2. Develop a Plan of Action. Cyber incident plans will differ in size and structure, but at a minimum, your plan should:
    (i) Name those who have lead responsibility for different aspects of the response;
    (ii) determine ways to contact critical personnel at all times;
    (iii) identify how to preserve your most valuable assets, data, and device in a forensically sound manner; and
    (iv) develop notification plan for customers and data owners whose data would be compromised during an intrusion.
  3. Adopt Appropriate Technology and Services. Adopting off-site data back-up, intrusion detection capabilities, and data loss prevention technology will help you detect intrusions soon after they occur and help minimize the loss of valuable information.
  4. Implement Internal Preventative Policies. You must assist your employees with recognizing internal and external vulnerabilities to prevent security breaches but also to effectively react to attacks. Employee training should address issues such as safe password management, cryptographic communications, secure browsing practices and proper system configuration.

Following a breach, you will need to focus on mitigating damages and working with law enforcement. Specifically, you will need to:

  1. Assess the Nature and the Scope of the Incident. You will first need to determine whether your company is faced with a malicious act or a technical glitch.
  2. Capture the Extent of the Damage. If you detect a cyberattack, you should immediately make a forensic image—an image or exact, sector by sector, copy of a hard disk—of the affected computer(s), which will be used for later analysis and may possibly serve as evidence at trial.
  3. Implement Measures to Minimize Damage. To contain the attack and prevent it from spreading, you will need to stop ongoing traffic caused by the attacker. Some measures include rerouting network traffic and isolating all or parts of the compromised network.
    Regardless of the option you select, be sure to keep detailed records of all steps taken. This information may be relevant for recovering damages from responsible parties.
  4. Notify. The notification list includes:
    (i) Relevant Personnel: You should inform the relevant personnel (i.e., managers, IT department, security department, and legal department) of the attack and keep them informed of the preliminary analysis.
    (ii) Law enforcement: Generally, you will need to contact law enforcement authorities to assist with investigating the intrusion. Law enforcement can also help coordinate statements to the news media concerning the incident, ensuring that information harmful to the company’s interest won’t unnecessarily be disclosed.
    (iii) Customers: All 50 states have now enacted breach notification laws that require companies faced with a cyberattack to inform customers whose data was compromised by the intrusion. Accordingly, soon after the attack, you should prepare a statement that explains to the customers the scope of the breach of security and which remedial efforts were adopted.

Cyberattacks can raise unique legal questions. Therefore, you should consult with attorneys who are accustomed to addressing these types of issues to assist you with decisions, such as how to interact with government agents, the types of preventative technologies you can lawfully use, your obligations to report the loss of customer information, and your potential liability for taking specific remedial measures when faced with a cyberattack.

cannabis cybercrime
Protect your business and its data from theft.

To our surprise, many of our clients remain convinced that they are immune to cyberattacks. Yet, cannabis businesses house incredibly valuable information, making them exceedingly vulnerable to these attacks. This misplaced confidence has led numerous cannabis companies to operate without the necessary protective measures. Given the fact that more than 4,000 attacks occur daily, this post briefly discusses how cybercrime is affecting the cannabis industry and provides basic precautions companies should take to reduce the risk of falling prey to cyber hackers.

The most common type of cybercrime is known as ransomware. Ransomware is a form of malware that targets a business’s sensitive information for extortion purposes. This information may include customer lists, trade secrets, financial information and research and development information. Specifically, hackers block access to a database or system until the user agrees to pay a ransom. Not only does the temporary, and potentially permanent, loss of critical data disrupts a business’s regular operations, it also creates massive financial losses associated with restoring systems—assuming the business pays the ransom and that the hacker provides access back to the database—and severely damages the business’s reputation.

Bringing about awareness and training your team is a paramount preventative measure. Indeed, effective precautionary measures can significantly mitigate the risk of falling victim to a cyber infection. Here are a few simple precautions cannabis businesses should take:

  1. Educate Your Personnel: Attackers often enter a business by deceiving an internal user to disclose a password or click on a virus-laden email attachment. You should therefore remind your employees to never click or open unsolicited email attachments. In addition, you should emphasize the importance of not sharing personal passwords to be able to determine how your system was compromised in the event of an attack.
  2. Use Complex Passwords: You should use 12-character or longer passwords and change your passwords regularly.
  3. Enable Strong Spam Filters: Strong spam filters will prevent phishing emails, which purport to be from reputable companies to induce individuals to reveal personal information, from reaching the end users and will authenticate incoming emails.
  4. Set Anti-Virus and Anti-Malware Programs: Setting anti-virus and anti-malware programs will automatically and frequently scan your database and system to detect threats and filter files from reaching end users.
  5. Shred Physical Documents Containing Sensitive Information: Avoid old fashioned dumpster diving by shredding all sensitive information you may have printed or written down.

Although ransomware is the most commonly known and used technique, it is no longer the sole method of attack used against cannabis businesses. You may recall the precarious situation in which MJ Freeway, the giant cannabis compliance software system, found itself in 2016 and again in 2017. The company’s databases were hacked, preventing MJ Freeway from processing transactions and precluding over 1,000 dispensaries from tracking sales and inventories for weeks. These cyberattacks against MJ Freeway revealed a new kind of cybercrime where no extortion demands are made, but rather are used by competitors to destroy valuable data to gain a competitive advantage.

The MJ Freeway case highlights the concerning fact that cybercrime variants are continually emerging, making companies, including cannabis businesses, increasingly more vulnerable to these attacks. Accordingly, cannabis businesses must stop underestimating the value of their data and must protect it by putting in place a comprehensive data security system that will minimize their risk of attack and ensure the continuation of their financial success in this high-risk cyber environment.