Six Data Protection Recommendations for Your Cannabis Business
California Governor Jerry Brown just signed a law that requires marijuana establishments to ensure that consumer information is reasonably protected. The overall risk to a marijuana business of a data breach is significantly enhanced by the fact that the possession and consumption of marijuana is still a federal crime, and employers can fire employees for cannabis use. A breach of personal information, including medical information, can have an immediate and disastrous effect.
Below are some best practices that can help mitigate the risk of a consumer data breach:
- Perform a risk assessment of your business to understand where you collect personal information, how it is stored and how it is protected (encryption, password, restricted access).
- Retain only digital information that is stored appropriately and protected by a sufficient level of encryption.
- Minimize the amount and type of consumer information collected and regularly purge information that is no longer needed.
- Restrict access and the ability to download customer lists. This reduces the ability for employees to take the information to new employers.
- Adopt an industry data protection standard such as NIST and customize it for your business risks and practices.
- Review and adopt customer data protection practices by other highly regulated industries such as health care, financial services or retail companies.