Becoming the 17thstate to legalize Adult-Use Cannabis, on March 31, 2021, New York enacted the “Marijuana Regulation and Taxation Act” (“MRTA”) anticipated to generate $1.2 billion in annual sales by 2023.
Because of the sensitive and protected health information that those growing, processing and selling Marijuana (“Marijuana Related Businesses” or “MRBs”) are required to collect and retain, Cannabis data privacy and cybersecurity challenges are severe, expensive but often preventable.
Through identifying data’s source, status, collection/storage methods and access, and adhering drafting a comprehensive written information security program, Marijuana Related Businesses can reduce data privacy and cybersecurity costs, manage and reduce risk, and deploy an effective “cyber response plan” in the event of a breach.
New York’s Adult-Use Cannabis Program
New York’s 19,336,776 population is currently serviced by a Medical Marijuana Program comprised of 143,000 card holders and 10 vertically-integrated grower-processor-dispensary licensees (“Medical Marijuana Licensees”).
MRTA separately licenses those creating, distributing, and selling retail Cannabis and Cannabis Products (“Cannabis Products”) as follows:
– Cultivator to grow, clone, harvest, dry, cure and trim Cannabis;
– Processor to process, extract, infuse, package, and label Adult-Use Cannabis Products;
– Distributor to acquire, possess, distribute and sell Cannabis from a licensed cultivator, processor or Medical Marijuana Licensee to retail dispensaries and on-site consumption licensees;
– Retail dispensary to sell Adult-Use Cannabis at up to 3 separate retail locations;
– On-site consumption allowing Cannabis Product consumption at up to 3 locations; and
– Delivery to deliver Cannabis Products directly to consumers.
– The Office of Cannabis Management (“OCM”) to launch/oversee a regulatory framework encompassing Adult-Use, Medical and Hemp programs governed by a 5 member Cannabis Control Board (“Board”);
– Expanded “qualifying medical conditions” conferring eligibility to purchase Medical Marijuana and increased per-patient-caregivers;
– A social and economic equity plan assisting those impacted by Cannabis enforcement awarding 50% of licenses to minority or women-owned business enterprise, service-disabled veterans or distressed farmers;
– Imposing a “per milligram of tetrahydrocannabinol (“THC”) based tax” on wholesalers/distributors at $.005/mg of THC for flower, $.008/mg of THC for concentrates, and $.03/mg of THC for edibles;
– At the retail level, a 9% state tax and 4%-of-retail-price local tax (split 25%/75% between county and municipality);
– That those over 21 may grow 3 mature and 3 immature plants for personal use (with up to 6 mature and 6 immature plants per household); and
– A Cannabis Revenue Fund apportioning tax proceeds to education, community reinvestment grants, and drug treatment and public education.
MRTA also consolidates existing Medical Marijuana and Hemp, and newly created Adult-Use, programs tasking the Board with creating regulations for each while the OCM is responsible for issuing licenses and implementing and enforcing the regulations.
Seed-To-Sale Tracking and Data-Privacy/Cybersecurity Concerns
Following a dispensary’s January 2020 database breach, 30,000 individuals’ confidential and protected personal and health care information was exposed demonstrating the immensity of legalized Marijuana’s data privacy and cybersecurity liability.
1. Health-Care and Protected Data Collected/Stored By MRBs
Under its Medical Marijuana Program, all New York MRB’s are required to track and record all Cannabis Products inventory and movement from seed-to-sale via software vendor Helix Bio-Track and maintain these records for at least 5 years. Medical Marijuana Program Regulations, Volume (Title 10) Chapter XIII, §1004.10.
Beyond the personal data required to be culled on Bio-Track (i.e., names, social security numbers, addresses, driver’s licenses and identification cards), MRBs also collect health-related information data including medical diagnosis.
Once a health-care provider shares its medical data, a MRB may fall within the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”). Stated another way, because HITECH empowers state Attorneys General to enforce HIPAA, prudent state-licensed MRBs should comply with HIPAA obligations for all their health-related data.
Additionally, because MRTA expands Medical Marijuana’s parameters (i.e., adding conditions conferring medical Cannabis access, increasing number of per-patient-caregivers, and allowing home cultivation), the avalanche of protected patient/consumer health-related data MRBs are required to collect and store will soon be overwhelming.
Further, Cannabis licensing regulations require Marijuana Related Businesses to maintain employee records (including background checks and financial information) and, like any other customer-facing business, MRB’s capture and use sales and marketing driven data detailing consumer purchasing habits.
Thus, based on the types and range of information they are required to collect and maintain, MRBs make a particularly attractive target to hackers and fall within extensive federal and state data laws.
2. New York’s SHIELD Act
Due to a lack of comprehensive federal governance, data privacy and cybersecurity is regulated through state law and New York’s “Stop Hacks and Improve Electronic Data Security Act, N.Y. G.B.L. §899 et seq.(“SHIELD Act”) imposes both requirements on those collecting residents’ personal data and duties following a data breach.
First, the SHIELD Act expands “protected personal or sensitive data’s” scope beyond a combination of first/last name, social security number, and driver’s licenses to encompass:
○ account number, credit or debit card number: (a) in combination with any required security code, access code, password or other information permitting access to individual’s financial account; or (b), security code, access code, or password in circumstances where such data could be used to access an individual’s financial account without additional identifying information;
○ “biometric information” data generated by electronic measurements of an individual’s unique physical characteristics, such as a fingerprint, voice print, retina or iris image, other unique physical representation or digital representation used to authenticate or ascertain individual’s identity; or
○ a username or e-mail address in combination with a password or security question and answer permitting access to online account.
SHIELD Act, §3(b)(1)-(5).
Because MRTA requires confirming Cannabis purchasers’ age by means including driver’s license, identification card, or passport, the personal data dispensaries collect places them squarely within the SHIELD Act.
Second, regardless of where the business is located, the SHIELD Act expands data breach notification laws requiring an entity experiencing a “data breach” (including both unauthorized access to, and unauthorized acquisition of, data) to notify New York residents whose personal information may have been comprised and, if involving more than 500 residents, notifying New York’s Attorney General within 10 days of a breach. SHIELD Act, §3(c)(1)-(5).
Third, the SHIELD Act provides a “safe harbor” in which companies with fewer than 50 employees or less than $3 million in annual revenue may launch a modified security program based on: (i) business’ size and complexity; (ii) nature and scope entity’s activities; and (iii) sensitivity of personal information collected from or about consumers. However, this exception does not form a SHIELD Act exemption and, regardless of size and complexity, all Marijuana Related Businesses require a written information security program.
How to Craft WISPs (Data Privacy and Cybersecurity Programs)
According, to IBM Security’s 2020 “Cost of a Data Breach Report”, the average per-data-breach cost is $3.86 million globally and $8.64 million domestically. Because of the intertwining “mandatory data collection/storage” requirements and “confidentiality demanding patients, customers and employees”, crafting, deploying and updating data privacy and cybersecurity programs, i.e., “WISPs, has never been more critical for MRBs.
First, clarify what data is required and valuable for the Marijuana Related Businesses to collect and store. Does MRTA require that MRB’s collect names, social security numbers, and drivers’ license numbers? Would amassing patient/consumer product choices and purchasing patterns drive sales and marketing?
After reviewing the applicable regulations and defining Marijuana Related Businesses’ objectives, delve into each data point to discern: (1) from where will data be collected; (2) how will data be collected; (3) where, and for how long, will data be stored; and (4) with whom will data be shared. Beyond addressing compliance requirements and business targets, identifying data’s source, status, collection/storage methods and access will reduce operating and compliance costs, help manage and reduce risk, and facilitate a “cyber response plan” in the event of a breach.
Second, after fully comprehending data’s source, collection/storage methods and access, document data privacy and cybersecurity policies and procedures in a WISP comprehensive written information security program. What safeguards must be implemented to ensure that a patient, customer or employee’s private information is secure? What types of insurance and range of coverage should be maintained and how will the MRB vet vendors?
Beyond creating an action plan that can be understood, executed, and updated by the Marijuana Related Business internally, documenting “data privacy and cybersecurity practices” empowers regulators, insurers and vendors to comprehend how data is treated and steps that will be followed in the event of a breach.
Third, as part of an overall “risk management plan”, draft arsenal of agreements addressing data privacy and cybersecurity needs. Have risk transferring documents been deployed like “Hold Harmless Agreements” (ensuring that third parties are contractually responsible for own negligence and/or errors and omissions) and “Statements of Financial Responsibility” like certificates of insurance confirming that third parties have sufficient insurance and list Marijuana Related Businesses as an “additional insured”. Do MRB’s standard contracts (like employment agreement and statements of work) contain data processing addendums thoroughly addressing data privacy and cybersecurity needs?
To be compliant, efficient and profitable, Marijuana Related Businesses must integrate data privacy and cybersecurity into every aspect of their operations. Creating and updating a WISP is fundamental aspect of any risk management policy particularly for MRBs housing sensitive and protected personal and health data.
Reprinted with permission from the May 3, 2021 edition of the Legal Intelligencer © 2021 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-257-3382 or [email protected].