Personal Data and Dispensaries: How Safe Are You?

MJ Freeway, the Denver-based tech company that specializes in cannabis compliance software, has just been hit by its second security breach in less than a year.

In what it calls a ‘theft’, the company’s source code was illegally posted online and was available for a few days before it was taken down.

Source code is the human-readable set of instructions, written by programmers, from which a computer program is built, and private companies often fiercely protect it as proprietary information.

Although MJ Freeway has reported the theft to the Colorado Bureau of Investigation, they are downplaying the impact of the breach, telling Marijuana Business Daily, “It’s not something that will impact our customers’ or patients’ data in any way, and it doesn’t impact our product because it’s outdated source code. So it’s not a big deal.”

MJ Freeway also had an incident back in January 2017 where its software platform crashed, forcing some of the dispensaries that depended on it to temporarily close for a day or two. The company blamed this outage on a cyberattack, yet emphasized customer data was not affected.

Security breaches: a growing problem

The MJ Freeway story not only underscores the threats and dangers faced by all businesses that handle customer data and personal information, it also shows the risks that customers take when they hand over that data.

And it affects more than just cannabis companies. No industry is immune.

High-profile cases like Target’s 2013 customer data breach cost the company millions of dollars. For something a little closer to home, you may remember when Bell Canada apologized last month for a data breach that affected 1.9 million email addresses.

If you’re interested, check out this timeline of the world’s biggest data breaches to gain a sense of the scale and scope of some of these, which show no signs of stopping anytime soon.

That means that consumers, businesses, governments, and any other organization that handles sensitive or personal information must be vigilant against the ever-present threat of cyberattacks.

Medicinal cannabis and patient privacy

In some ways, medicinal cannabis patients and dispensary customers have even more to worry about when it comes to potential data breaches and their privacy, and sometimes it’s not even hackers you need to watch out for: it’s your own government!

In November 2013, Health Canada accidentally outed patients with mailed letters that referred to the medical marijuana program and included recipients’ names and addresses clearly visible on the envelope for anyone to see!

Then back in January 2017, veterans who use medical cannabis were outed in a similar way by Blue Cross.

The incidents above angered patients because not only did having their names and addresses clearly visible on the envelope expose them to greater risks of theft and break-ins, it outed them as cannabis users, and as we all know, the stigma surrounding cannabis is still alive and well.

What about dispensaries?

Dispensaries exist in a grey area, as recreational cannabis use is still illegal, for now. That makes the issues of privacy and data security an even bigger concern for dispensary customers as the information that their dispensary has on them could affect anything from their job prospects to travel plans if that data ever got hacked and released.

It is worth noting, though, that any private business collecting personal information must follow the Personal Information Protection and Electronic Documents Act (aka PIPEDA), regardless of whether it is regulated by the government or not. That means that if your dispensary collects any of your personal data, it “must take reasonable security measures to protect it”.

On another note, some dispensaries in Vancouver no longer require you to register with them; a driver’s license will do. For those concerned about their privacy, this can help put them at ease if their dispensary is raided by police or if the dispensary’s database gets hacked.

Dispensaries have been involved in privacy breaches before. Back in October 2016, Vancouver’s Pain Management Society listed patients’ medical history and personal info on their website for anyone to see. Whether this was due to carelessness or something more sinister, we don’t know.

For whose eyes only?

What we do with our personal information and who we give it to is a growing concern. It’s kind of funny that while we may worry about the cameras everywhere that could be filming us at any second, we often don’t hesitate to give up our personal information or credit card to an app or online service if it’s free or promises to make our lives more convenient. And how many people actually read the Terms of Service agreement before they hit ‘agree’?

Everything comes with a cost, and it’s up to us to find out whether the businesses we support, in the cannabis industry or not, are taking the proper safeguards for the data we give them, because if it all goes down, the consequences and ramifications, be they legal, personal, or professional, can affect our lives, too.
