Ever since California passed Proposition 64, legalizing marijuana for recreational use, the market has exploded, with more dispensaries and farmers joining the green rush. Statista's forecast of marijuana sales projects that annual sales in California will reach 5.62 billion dollars in 2020 and 6.59 billion dollars by 2025.
The national projection for 2020 is 8.22 billion dollars, so California's projected sales alone account for roughly two-thirds of the national total.
Despite entering the market later than Washington, Oregon, or Colorado, California has already surpassed their annual sales and, as the numbers above show, will continue to do so. With a steady medical marijuana market and a growing recreational market, what does this mean for the customers who purchase cannabis at a legal dispensary?
Data Protection at Legal Dispensaries
Marijuana use falls into two categories: medicinal and recreational. Medicinal use requires a physician's recommendation or a county-issued medical marijuana identification card. Recreational use requires a valid ID showing the buyer is 21 years of age or older. The data collected differs between the two, and so do the cybersecurity protections a dispensary needs to have in place.
Medicinal Marijuana Use
In 1996, California passed Proposition 215, the Compassionate Use Act, which sets out the circumstances under which patients may use marijuana for medicinal purposes. Even though recreational use has since been legalized, the medical market still accounts for a solid portion of total marijuana sales.
Image Source: https://newfrontierdata.com/marijuana-insights
There are several reasons why medicinal marijuana use maintains strong sales which include:
- You can be under 21 and still purchase medicinal marijuana with a physician’s recommendation
- If you have a county-issued medical marijuana identification card, you do not pay sales tax
- You can purchase and carry more grams of marijuana at a time
Medicinal Marijuana and HIPAA
So is your data protected by HIPAA laws? The answer is complicated.
First, a brief refresher on HIPAA. The Health Insurance Portability and Accountability Act, enacted in 1996, restricts how covered healthcare providers may use and disclose protected health information (PHI) and requires them to take reasonable steps to safeguard it. Read more about your rights under HIPAA in our full guide.
HIPAA's regulations define a healthcare provider broadly, covering any person or organization that furnishes, bills, or is paid for health care in the normal course of business. A dispensary that supplies marijuana to treat an illness arguably fits that definition and so, in principle, would be expected to protect client data.
Fitting the definition of a provider is not enough on its own, though, and this is where things get more complicated. The HIPAA Privacy and Security Rules bind only covered entities, and a healthcare provider becomes a covered entity only if it transmits health information electronically in connection with a standard transaction, such as submitting a claim to a health insurer. Because health insurers generally do not cover medicinal marijuana, a dispensary typically never exchanges such transactions with an insurer and therefore falls outside HIPAA's compliance requirements.
The dispensary will most likely still maintain patient records containing personal information, including the reason the patient was recommended marijuana, yet HIPAA itself would not require it to protect those records from hackers or accidental leaks.
Of course, every dispensary is different. Some sell for cash only and keep no patient records at all, while others keep electronic records or exchange patient data with state or county programs, which may bring additional state privacy obligations even where HIPAA does not apply.
The best course of action for a dispensary owner, whether HIPAA applies or not, is to put basic data protection in place for customers: limit who can access records, encrypt data stored on a server or in the cloud, and keep tested backups. Even where federal regulation does not require HIPAA compliance, state requirements such as data breach notification laws may still apply.
A patient looking to purchase medicinal marijuana should consider the dispensary's status as a healthcare provider and ask how it maintains patient data. That is the only practical way to judge whether the data is being protected or not.
Recreational Marijuana Use
As of January 1, 2018, adults 21 years and older in California may purchase cannabis for consumption and may grow a limited number of plants at home. A valid ID is the only requirement for purchasing recreational marijuana.
You might be asking yourself: what data am I giving up if the only thing I need to legally purchase weed is my ID? Since this is not a medical transaction, there is no exchange of protected health information. True, but the data a consumer does provide can be just as valuable to marijuana distributors and advertisers.
Consider what data a distribution center could gather from you as a customer. This data may include but is not limited to:
- What strains of marijuana you purchase
- The brand of marijuana you purchase
- The time of day you purchase marijuana
- How frequently you purchase marijuana
- How you purchase marijuana: in-store, online, mobile device, etc.
Marketers and investors want this data so they can track your spending habits and get you to buy more. When recreational use was first legalized, many vendors paid little attention to this rich data mine. Now more vendors are jumping into the fray to take a piece of the profitable recreational market, often with little thought to protecting their customers' data.
Advertisers would want to know what else you purchase with your weed. Perhaps you also tend to buy soda, flavored chips, or another product. By piecing together this data, they can get a clear picture of your purchasing and consumption habits which are worth a lot of money.
How much data a client gives to a dispensary is dependent upon the conditions created by the vendor. For example, a client may choose to sign up for an email alert that gives them access to new shipment updates, special discounts, or other information.
What are the Risks?
Even so, whether your data is at risk depends on a number of variables. If the dispensary you buy from operates in cash only and keeps a paper ledger of customer purchases, there is no digital record to breach, although a paper ledger can still be lost, photographed, or stolen.
If the dispensary keeps a record of all customer purchases for its own in-house marketing and stores those records on a local computer, an attacker can only reach them by compromising that machine. That is hard if the machine is kept off the network, but easy if it is an internet-connected point-of-sale terminal running out-of-date software. And while a small dispensary may look like a small payout, a list of who buys cannabis, and how often, is sensitive enough to be worth stealing for extortion or resale.
However, more companies are turning to the cloud for services ranging from communication to data storage. In a RightScale survey of 997 IT professionals, nearly all reported adopting the cloud in some way.
Image source: https://blogs.flexera.com/cloud/cloud-industry-insights
The graph shows how widely the cloud has been adopted and why companies must pay close attention to cloud security. There is a strong possibility that many legal dispensaries, especially larger ones, are using cloud services in some way.
You can simply ask the dispensary whether it uses cloud services and how it keeps customer records. One important way to protect your information is to take active charge of who gets to see your data, how they use it, and how it is deleted once you stop using the service.
As data breaches and reports of large companies profiting from private data become commonplace, people are paying closer attention to the data they provide and how it is used.
Even companies with robust cybersecurity are losing customer data. In April 2019, security researchers found 146 gigabytes of Facebook user data left publicly exposed in a cloud storage bucket by a third-party app developer. Data like this is then traded to the highest bidder on the dark web or dumped in public for "sport."
Another element to consider is that it isn't always a nefarious hacker who exposes data. Breaches also occur because a company fails to update its systems, misconfigures a service, or suffers an insider attack.
An insider attack, as described in our five cloud security concerns, can come in many forms: a malicious third party with access to the server, a careless employee, or a disgruntled one. A Crowd Research Partners survey reports that 53% of companies experienced one of these attacks in the last 12 months, and they are only becoming more common.
Mobile Device Data Breach
Sometimes hackers target an app to obtain information or gain access to its back-end server. If a developer doesn't invest in mobile security for their app, an attacker may well find a way in. Mobile security is fundamentally different from network security, as RSI Security points out in its guide to mobile security trends for 2019.
With the mobile threat landscape evolving rapidly, it is no wonder that data breaches keep occurring. The same researchers who found the exposed Facebook data also found a backup from an app called At the Pool sitting in an unprotected cloud storage bucket, exposing users' Facebook passwords stored in plaintext along with location data, photos, and friend lists. CBS reported that the app was designed to connect users interested in meeting up with others at outdoor activities. Something seemingly innocuous became a big data spill.
With 24% of Americans who use marijuana falling in the 18-29 age group, dispensaries understand how valuable mobile-friendly options are to their success. New apps pop up every day: apps that let the user review various strains, apps to help the user locate dispensaries, apps that connect you with other users, and apps that deliver marijuana directly to your doorstep.
If companies do not understand the mobile security landscape, they run a serious risk of exposing their clients' data. The proliferation of apps across the market makes mobile phones a target for hackers, who know that fast-growing companies may skimp on security and user interface work in favor of lining up suppliers and meeting demand.
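The At the Pool exposure was damaging largely because the passwords were stored unprotected, so anyone who stumbled on the bucket could read and reuse them. As an added illustration (not code from the page, from the app, or from Facebook), the block below shows how an app back end should store credentials instead: a per-user random salt plus a memory-hard key derivation (scrypt from Python's standard library), with a constant-time comparison on login. The scrypt parameters, the record format, and the sample user table are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# scrypt cost parameters assumed for this example (memory use is
# 128 * N * r bytes, so 16 MiB here); raise N in production as hardware allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32
SALT_LEN = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable string in the assumed format 'scrypt$<salt hex>$<hash hex>'.

    A fresh random salt is drawn per password, so two users who share a
    password get different stored values and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time.

    Malformed records are rejected rather than raising, so a corrupted row
    cannot crash the login path.
    """
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_user_table(credentials: Dict[str, str]) -> Dict[str, str]:
    """Turn {username: plaintext password} into {username: stored hash}."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


def leaks_plaintext(table: Dict[str, str], credentials: Dict[str, str]) -> bool:
    """True if any plaintext password appears verbatim in the stored table.

    This is the check a leaked backup would fail: with hashing in place the
    plaintext never appears, so an exposed copy is far less useful to a thief.
    """
    return any(pw in stored for pw in credentials.values() for stored in table.values())


if __name__ == "__main__":
    # Constructed sample accounts, not real user data.
    sample = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    table = build_user_table(sample)
    for user, stored in table.items():
        print(user, stored[:40] + "...")
    print("plaintext present:", leaks_plaintext(table, sample))
    print("alice login ok:", verify_password("hunter2", table["alice"]))
    print("alice wrong pw:", verify_password("hunter3", table["alice"]))
```

Note that even a correctly hashed table still needs to be kept out of public buckets; hashing limits the damage of an exposure, it does not excuse one.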
Controlling Your Data
With a constantly changing threat landscape, new technological developments, and breaking news of yet another data breach, users across the globe are asking whether their data is safe. The simple answer, though not a reassuring one, is: it's complicated.
The only way your data will be one hundred percent protected from thieves is if you never give it out. But unless you live up in the mountains, cut off from the rest of the world, chances are you already share a lot of your data. After all, you are reading this article, which means you are connected to the world in some way.
Sharing data is one of the realities of being connected to the world. The question you should be asking before you even ask if your data is safe is whether you want to share your data with a specific app, company, or website.
Take the example of signing up for a social networking platform like Facebook. When you decide to sign up, you have to consider several factors. The platform is designed to help you connect with friends and family, make new friends, and perhaps play games or read the news. The first question to ask yourself is: do I want to do all those things? If the answer is yes, the next question is: what does Facebook require in order for me to exist on its platform? Your name, birthday, and email address, for example.
Is the good or service you are receiving worth the information you give up? If it is, you can move forward and participate, understanding that you are not tied to the service for life or obligated to provide any additional information. When a platform is free to use, as Facebook is, be aware that it makes its money another way, mainly through advertising.
Bob at 61 with a wife and one adult son is more likely to be interested in a timeshare, cruise, or cooking lessons for two than a bungee jumping course or apartments for rent. Bob’s identifiable information helps Facebook determine how to best advertise to his interests and demographics. Think of each interaction with a company as a transaction. Bob profits from seeing his son post about his grandchildren. Facebook profits from selling space to advertisers. The advertisers hope that Bob buys one of their products.
At the end of the day, you control what you share and what you keep private. Take time to consider if the benefits outweigh the costs.
When you decide to purchase weed from a dispensary, use an app, or sign up for a newsletter telling you about all the new strains of weed, ask yourself if the personal information you provide is worth the product or service you receive. Take a close look into how that company secures your data (if they do at all) and look into how they respond to breaches of personal information.
Your data is in your control. When you decide to share it, make sure those you share it with make security a priority, whether on their own or with a partner like RSI Security. Look for companies that hold security certifications and follow federal and state compliance requirements.