Insights
Publications

How to Guard Against 3 Cannabis Cyber Attack Risks

September 1, 2021 Articles
mg Magazine

Cyber attacks are now commonplace. Ransomware attacks, in particular, have skyrocketed in frequency and size. High-profile data breaches have cost businesses in the United States millions of dollars in losses and incalculable reputational harm. Just like those in any other industry, cannabis cyber attack risks pose a clear and present danger of financial consequences.

With new data-security legislation, cyber attacks create even more risk. Under the California Consumer Privacy Act (CCPA), for example, attacks can lead to regulatory fines and private actions by affected consumers. Under the CCPA, consumers are not required to prove personal losses or damage. This increased risk of liability for cyber attacks coupled with the increased volume of attacks makes the issue one that must be addressed by every business. Increasing security is step one, but there is no foolproof protection. Thus, it is equally important to consider how best to insulate companies from potential monetary damage resulting from an attack.

Cyber insurance is no panacea, but it can address cannabis businesses’ cyber risks, including the one described above. It also covers the cost of investigating and responding to data breaches and ransomware attacks, as well as some lost profits due to computer system downtime.

As valuable as these basic coverages are, cannabis businesses have unique risks that make them more vulnerable to cyber attacks and their financial consequences. Cannabis producers and retailers should carefully consider their other, possibly bigger, cyber risks and seek to address them when buying cyber insurance.

There is no “standard” cyber insurance policy. Dozens of insurers sell such a product, with each insurer constantly adapting its policy terms to market changes and challenges. As a result, cannabis businesses must carefully review policies offered to them and negotiate the terms in order to address their individual cyber risks. Those that fail to do so may leave some of their biggest risks uncovered.

We focus on three such risks here.

1. Retailers face acute reputational risks associated with data breaches.

Retailers collect and hold highly sensitive personal information, including, in some cases, personal health information. The sensitivity arises not only from the type of information, but also its potential to reveal the relationship between the consumer and retailer. Many customers rely on retailers to keep their purchases hidden from public view. As a result, a data breach publicizing the personally identifiable information from a cannabis retailer’s customer list may cause real-life consequences to those individuals whose information is disclosed. While cyber insurers typically defend lawsuits seeking such damages, cyber insurance policies often do not cover the lost profits the retailer will suffer as consumers flee to its competitors, which may be perceived as better safeguarding confidentiality. Some cyber insurers offer this coverage, though, and cannabis retailers should try to purchase it.

2. Growers and producers may suffer damage to or loss of property that is not easily insured.

Cultivators’ operations may depend, at least in part, on computers. A cyber attack or other event impacting those computers has the potential to damage cannabis crops by interfering with or hampering growth or harvesting operations. Both grape growers and cannabis cultivators lost crops to California wildfires over the past few years, but there is one critical difference between the two groups: Grape
growers can purchase federally backed crop insurance, whereas cannabis growers cannot. Policies that would cover cannabis growers for damages resulting from cyber attacks—cyber insurance—typically exclude coverage for property damage. As a result, cannabis growers and producers should work closely with their insurance brokers and counsel to seek coverage for this risk.

3. Businesses struggle with contradictions created by conflicting state and federal laws.

Insurance is no exception to the federal-state dichotomy cannabis businesses face. Cyber insurance policies may require, as a condition of coverage, the insured business notify law enforcement of a cyber attack, such as a ransomware attack. Cannabis businesses must scrutinize such provisions when they shop for cyber insurance to ensure policies do not place them in a Catch-22 situation when the time comes to make a claim. It is possible to negotiate the deletion, or at least modification, of these kinds of provisions so that they do not create impossible roadblocks to coverage.

Cannabis businesses commonly navigate legal and regulatory minefields. They can successfully navigate this one, too, with advanced planning and reliance on the advice of their insurance brokers and counsel. They should give careful consideration to the types of attacks their particular businesses are likely to suffer and the financial losses such attacks could produce. They should work to prevent and mitigate the potential impact of such attacks by employing up-to-date security practices and remaining constantly aware of their information-technology security. Finally, they should understand their remaining computer security and financial vulnerabilities and proactively seek to address them with cyber insurance.

Firm Highlights

Publication

Cannabis Farms in the Neighborhood: Water, Contaminants and Other Proximate Matters

Farella's Buzz Hines, and guest speakers Kari Campbell-Bohard from EpicVeg and Lompoc Valley Cooling and Robert Schultz from Geo Blue Consulting, for a discussion on "Cannabis Farms in the Neighborhood: Water, Contaminants and Other...

Read More
Publication

How Changes to California’s Fire Regulations Could Affect North Coast Housing Projects

Both the Board of Forestry and the State Senate are considering changes to state fire regulations that would affect real estate development in California. The first set of changes can be found in the...

Read More
News

California Cannabis Industry Moving to Market Where Its Product Is Grown

Ashley Roybal-Reid spoke to the North Bay Business Journal about California's new cannabis appellation program.   Read the full article here .  Related Farella publication:  California Cannabis Appellation Program

Read More
Publication

California Cannabis Appellation Program

The specific location of a product’s origin is more important with some products than others.  Wine is the classic example, as the dirt and surrounding climate in which grapes are grown can have a...

Read More
News

Key Cyber Insurance Issues Hitting the Cannabis Industry

Tyler Gerking was quoted in the article "Key Cyber Insurance Issues Hitting the Cannabis Industry." Read the full article here . View full webinar below.

Read More
News

Farella Braun + Martel Ranked in Legal 500 United States 2021

Read More
Publication

Cyber Insurance for the Cannabis Industry

Farella's Shanti Eagle (moderator), Nate Garhart and Tyler Gerking, along with guest speakers Javier Gonzalez and Michael Peters from PL Risk Advisors, discuss "Cyber Insurance for the Cannabis Industry." Cannabis businesses have cyber security...

Read More
Publication

Complying With the TCPA After the Facebook Supreme Court Decision

Many cannabis dispensaries rely heavily on text messaging marketing programs to reach their customers and to create loyalty in an increasingly competitive market. While text messaging programs may be an effective marketing tool, they...

Read More
News

Cannabis Practice Creates Ethical Traps, Conflicts for Lawyers

Ryan Lowther was quoted in the Bloomberg Law article, "Cannabis Practice Creates Ethical Traps, Conflicts for Lawyers."   Read the full article here .

Read More
Publication

North Coast Cannabis Industry Conference

This is the fourth annual cannabis industry conference underwritten by Farella Braun + Martel and presented by the North Bay Business Journal . Presentations and Speakers: TCPA and Litigation Trends: Cynthia Castillo, Senior Associate...

Read More