Is the Data You Give to Cannabis Dispensaries Safe?
Big Weed exists in the age of Big Data, meaning the cannabis industry is vulnerable to all the same attacks and hacks as everyone else.
This was demonstrated with the revelation two weeks ago that an Amazon Web Services storage bucket, containing point-of-sale data from 30,000 cannabis dispensary customers and more than 85,000 individual data files, was left open, unencrypted, and unsecured. Anyone internet-savvy enough to notice — and malicious enough to use the data — could have accessed the customers’ government IDs as well as personal information like their age, address, driver’s license numbers, phone numbers, and signatures, as privacy and security outlet SC Magazine noted.
Which means this problem is real, it’s big, and it’s not going away anytime soon. And, depending on how your favorite dispensary manages your data, your data is almost certainly being stored digitally, somewhere, and is a potential target.
The open data bucket, first discovered on Dec. 24 and closed on Jan. 14, was managed by THSuite, a Seattle-area point-of-sale system used by dispensaries in Maryland, Ohio, and Colorado. (vpnMentor discovered the data, open and unencrypted, as part of its ongoing web-mapping project; THSuite also didn’t respond to vpnMentor when they were told of the leak, according to SC Magazine.)
More dispensaries who used THSuite could be implicated; the researchers said the data trove was simply too big to quantify and they checked out only a handful of files to see what was exposed.
As vpnMentor pointed out, dispensaries collect loads of personal data from anyone who shops there, because they have to, thus creating an extremely attractive pot of data for hackers. This is a liability for medical-marijuana dispensaries, who might run afoul of federal HIPAA requirements for leaving medical patients’ records unsecured, but it’s probably a wider concern for cannabis dispensary customers — particularly in states where simply being a cannabis user can lead to complications at work and elsewhere.
This is at least partially a problem of government. Laws in most states, including California, require dispensaries to keep customer data in order to ensure that they’re complying with state law and not selling weed to underage customers. Along with that minimum, many dispensaries also record sales trend data.
To manage all this information in a way that’s not a paper ledger or a shoebox in the attic, dispensaries in many states are turning to cloud-based software solutions like THSuite — to manage inventory but also to comply with onerous state laws including track-and-trace as well as age verification.
Another problem is that many dispensaries appear to interpret state law too broadly and retain too much data.
“Current law and regulation require cannabis licensees retain certain records, including receipts, for seven years,” as the California state legislative analyst noted recently. “The regulations do not explicitly require licensees to retain the personal information that they have collected as part of a sale for seven years, although some licensees may interpret the record retention requirement to apply to that information.”
That prompted state lawmakers to pass and former Gov. Jerry Brown to sign into law a prohibition on selling personal data to third parties, but that data is still out there, somewhere. There are cloud options that are secure and HIPAA compliant such as Truevault. In this instance, it seems THSuite just used a poor solution — an unsecured Amazon S3 bucket — rather than something more secure.
So what do you do with this? Cannabis customers should feel empowered to ask dispensaries what data they collect and where they store it. If they can’t or won’t answer, or you don’t like the answer, you should feel compelled to shop somewhere else. But onerous and often vague state laws requiring dispensaries to hang onto so much personal data ought also to be revisited. If liquor stores don’t create huge troves of attractive data, why do dispensaries? As usual, the answer is “because it’s weed,” and that answer is creating extra trouble for everybody.