California Governor Jerry Brown just signed a law that requires marijuana establishments to ensure that consumer information is reasonably protected. The risk that a data breach poses to a marijuana business is significantly heightened by the fact that the possession and consumption of marijuana are still federal crimes, and employers can fire employees for cannabis use. A breach of personal information, including medical information, can have an immediate and disastrous effect.
Below are some best practices that can help mitigate the risk of a consumer data breach:
Perform a risk assessment of your business to understand where you collect personal information, how it is stored and how it is protected (encryption, password, restricted access).
Retain only digital information that is stored appropriately and protected by a sufficient level of encryption.
Minimize the amount and type of consumer information collected and regularly purge information that is no longer needed.
Restrict access to customer lists and the ability to download them. This reduces the ability of employees to take the information to new employers.
Adopt an industry data protection standard such as NIST and customize it for your business risks and practices.
Review and adopt customer data protection practices used by other highly regulated industries, such as health care, financial services or retail companies.