How Cannabis Operators Can Improve Their Data Security

Internal controls are procedural safeguards put in place to protect access to financial information and transactions. 

Setting up internal controls is critical for any business to prevent fraud, but it is even more important for cannabis operators–as the industry is especially susceptible to fraud. 

We discuss internal controls in detail in this webinar with Partner Ryan Guedel, CPA and Principal of LKP Impact Consulting Laurie Parfitt. 

One element of your internal controls should involve not only financial data security–but data security throughout your cannabis organization, from your standard operating procedures (SOPs), to your customer lists, marketing strategies and other important information that makes up a company’s “secret sauce.” 

Protecting proprietary information is important to maintain a competitive advantage, but the dissemination of customer lists, or individuals’ purchase history, for example, could also be unlawful by violating Health Insurance Portability and Accountability Act (HIPAA) regulations if your operation is medically licensed. 

If this happens, cannabis businesses could face fines, penalties, or worse. Plus, these types of data breaches could be newsworthy events, and perpetuate negative stigma about the cannabis industry as a whole. 

For these reasons and more, cannabis operators must be serious about data security and take steps to protect their internal information. Here are some ways to strengthen your data security operations: 

1. Employ Data Encryption

Encrypting data means converting information from plain text to cryptographic algorithms. It makes the information technically unreadable without an encryption key. Cannabis dispensaries would be wise to take steps to encrypt medical patient data stored in databases, data that is being transmitted, as well as to make sure data is only unencrypted for the intended recipient of information. 

2. Set Up Access Controls

Access controls ensure only authorized personnel can access information or perform certain actions. Access controls can be physical–meaning, biometrics, keycard, and security personnel, or they can be role-based–meaning that employees with different roles will have varying access to information. These types of access controls ensure employees only have information that is necessary to their job function, as well as monitor activity to identify any suspicious behavior. 

3. Individual Log-Ins

Individual log-in protocols are access controls that are helpful in pinpointing who was viewing or performing actions around specific data, as well as what actions were taken and what dates/times the information was accessed. For example, if a company creates a log-in with a username that multiple people have access to (like ), it could be difficult to specifically point out who could have been logging in. Each user should have a unique log-in to prevent this. 

4. Multi-Factor Authentication

Multi-factor authentication (MFA) requires a user to provide multiple forms of identification to access data. Perhaps in addition to a username and password, users also provide a unique code texted to their phone or sent to them in an email, for example. This provides an additional layer of security in the event that one of a user’s logins or devices was stolen or compromised

5. Vendor Management

In addition to ensuring your cannabis business is operating with robust data security protocols, it is also important to understand if your vendors are handling protocols properly to avoid any third-party risk. By conducting due diligence and risk assessments, as well as formalizing contractual agreements that outline confidentiality, security standards, and exit strategies once the relationship has ended–cannabis operators can further minimize their risk with those they need to share sensitive data with. 

6. Incident Response Plans

In the event of a data breach, cyber attack, or unauthorized use of data, cannabis operators should have a system in place to address that event so that action can be taken swiftly and damage can be minimized. These plans should include reporting, identifying personnel to handle the response, communications strategies, escalation strategies, containment, investigation, as well as recovery. Incident response plans should be evolving to address emerging technologies and threats. 

Implementing these data security strategies within your cannabis operation will add another layer of protection against any intentional or unintentional misuse of internal and sensitive information. 

At CJBS, we pride ourselves on being Cannabis CPAs Who Care. We work with companies to help them ensure their financial data is secure, and have developed several trusted relationships with third-party vendors that help businesses secure information outside of their financials. 

To learn more about our services, contact the CJBS team here.