
How to Guard Against 3 Cannabis Cyber Attack Risks

September 1, 2021 Articles
mg Magazine

Cyber attacks are now commonplace. Ransomware attacks, in particular, have skyrocketed in frequency and size. High-profile data breaches have cost businesses in the United States millions of dollars in losses and incalculable reputational harm. As in any other industry, cyber attacks on cannabis businesses pose a clear and present danger of financial consequences.

With new data-security legislation, cyber attacks create even more risk. Under the California Consumer Privacy Act (CCPA), for example, attacks can lead to regulatory fines and private actions by affected consumers. Under the CCPA, consumers are not required to prove personal losses or damage. This increased risk of liability for cyber attacks coupled with the increased volume of attacks makes the issue one that must be addressed by every business. Increasing security is step one, but there is no foolproof protection. Thus, it is equally important to consider how best to insulate companies from potential monetary damage resulting from an attack.

Cyber insurance is no panacea, but it can address cannabis businesses’ cyber risks, including the one described above. It also covers the cost of investigating and responding to data breaches and ransomware attacks, as well as some lost profits due to computer system downtime.

As valuable as these basic coverages are, cannabis businesses have unique risks that make them more vulnerable to cyber attacks and their financial consequences. Cannabis producers and retailers should carefully consider their other, possibly bigger, cyber risks and seek to address them when buying cyber insurance.

There is no “standard” cyber insurance policy. Dozens of insurers sell such a product, with each insurer constantly adapting its policy terms to market changes and challenges. As a result, cannabis businesses must carefully review policies offered to them and negotiate the terms in order to address their individual cyber risks. Those that fail to do so may leave some of their biggest risks uncovered.

We focus on three such risks here.

1. Retailers face acute reputational risks associated with data breaches.

Retailers collect and hold highly sensitive personal information, including, in some cases, personal health information. The sensitivity arises not only from the type of information, but also its potential to reveal the relationship between the consumer and retailer. Many customers rely on retailers to keep their purchases hidden from public view. As a result, a data breach publicizing the personally identifiable information from a cannabis retailer’s customer list may cause real-life consequences to those individuals whose information is disclosed. While cyber insurers typically defend lawsuits seeking such damages, cyber insurance policies often do not cover the lost profits the retailer will suffer as consumers flee to its competitors, which may be perceived as better safeguarding confidentiality. Some cyber insurers offer this coverage, though, and cannabis retailers should try to purchase it.

2. Growers and producers may suffer damage to or loss of property that is not easily insured.

Cultivators’ operations may depend, at least in part, on computers. A cyber attack or other event impacting those computers has the potential to damage cannabis crops by interfering with or hampering growth or harvesting operations. Both grape growers and cannabis cultivators lost crops to California wildfires over the past few years, but there is one critical difference between the two groups: Grape growers can purchase federally backed crop insurance, whereas cannabis growers cannot. Policies that would cover cannabis growers for damages resulting from cyber attacks—cyber insurance—typically exclude coverage for property damage. As a result, cannabis growers and producers should work closely with their insurance brokers and counsel to seek coverage for this risk.

3. Businesses struggle with contradictions created by conflicting state and federal laws.

Insurance is no exception to the federal-state dichotomy cannabis businesses face. Cyber insurance policies may require, as a condition of coverage, that the insured business notify law enforcement of a cyber attack, such as a ransomware attack. Cannabis businesses must scrutinize such provisions when they shop for cyber insurance to ensure policies do not place them in a Catch-22 situation when the time comes to make a claim. It is possible to negotiate the deletion, or at least modification, of these kinds of provisions so that they do not create impossible roadblocks to coverage.

Cannabis businesses commonly navigate legal and regulatory minefields. They can successfully navigate this one, too, with advance planning and reliance on the advice of their insurance brokers and counsel. They should give careful consideration to the types of attacks their particular businesses are likely to suffer and the financial losses such attacks could produce. They should work to prevent and mitigate the potential impact of such attacks by employing up-to-date security practices and remaining constantly aware of their information-technology security. Finally, they should understand their remaining computer security and financial vulnerabilities and proactively seek to address them with cyber insurance.
