{"id":41027,"date":"2020-02-03T06:00:00","date_gmt":"2020-02-03T14:00:00","guid":{"rendered":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/2020\/02\/03\/is-the-data-you-give-to-cannabis-dispensaries-safe\/"},"modified":"2020-02-03T12:49:45","modified_gmt":"2020-02-03T20:49:45","slug":"is-the-data-you-give-to-cannabis-dispensaries-safe","status":"publish","type":"post","link":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/2020\/02\/03\/is-the-data-you-give-to-cannabis-dispensaries-safe\/","title":{"rendered":"Is the Data You Give to Cannabis Dispensaries Safe?"},"content":{"rendered":"<\/p>\n<p>Big Weed exists in the age of Big Data, meaning the cannabis industry is vulnerable to all the same attacks and hacks as everyone else.<\/p>\n<p>This was demonstrated\u00a0<a href=\"https:\/\/www.vpnmentor.com\/blog\/report-thsuite-breach\/\" target=\"_blank\" rel=\"noreferrer noopener\">with the revelation two weeks ago that an Amazon Web Services storage bucket<\/a>, containing point of sales data from 30,000 cannabis dispensary customers and more than 85,000 individual data files, was left open, unencrypted, and unsecured.\u00a0 Anyone internet-savvy enough to notice \u2014 and malicious enough to use the data \u2014 could have accessed the customers\u2019 government IDs as well as personal information like their age, address, driver\u2019s license numbers, phone numbers, and signatures,\u00a0<a href=\"https:\/\/www.scmagazine.com\/home\/security-news\/database-security\/privacy-takes-a-hit-as-storage-bucket-leaks-cannabis-dispensary-pos-data\/\" target=\"_blank\" rel=\"noreferrer noopener\">as privacy and security outlet SC Magazine noted<\/a>.<\/p>\n<p>Which means this problem is real, it\u2019s big, and it\u2019s not going away anytime soon. And, depending on how your favorite dispensary manages your data, your data is almost certainly being stored digitally, somewhere, and is a potential target.<\/p>\n<p>The open data bucket, first discovered on Dec. 24 and closed on Jan. 14, was managed by THSuite, a Seattle-area point-of-sale system used by dispensaries in Maryland, Ohio, and Colorado. (vpnMentor discovered the data, open and unencrypted, as part of its ongoing web-mapping project; THSuite also didn\u2019t respond to vpnMentor when they were told of the leak, according to SC Magazine.)<\/p>\n<p>More dispensaries who used THSuite could be implicated; the researchers said the data trove was simply too big to quantify and they checked out only a handful of files to see what was exposed.<\/p>\n<p>As vpnMentor pointed out, dispensaries collect loads of personal data from anyone who shops there, because they have to, thus creating an extremely attractive pot of data for hackers. This is a liability for medical-marijuana dispensaries, who might run afoul of federal HIPAA requirements for leaving medical patients\u2019 records unsecured, but it\u2019s probably a wider concern for cannabis dispensary customers \u2014 particularly in states where simply being a cannabis user can lead to complications at work and elsewhere.<\/p>\n<p>The problem is that this is at least partially a problem of government. Laws in most states, including California, requires dispensaries to keep customer data in order to ensure that they\u2019re complying with state law and not selling weed to underage customers. Along with that minimum, many dispensaries also record sales trend data.<\/p>\n<p>To manage all this information in a way that\u2019s not paper ledger or shoebox in the attic, dispensaries in many states are turning to cloud-based software solutions like THSuite \u2014to manage inventory but also to comply with onerous state laws including track-and-trace as well as age verification.<\/p>\n<p>Another problem is that many dispensaries appear to interpret state law too broadly and retain too much data.<\/p>\n<p>\u201cCurrent law and regulation require cannabis licensees retain certain records, including receipts, for seven years,\u201d as the California state legislative analyst noted recently. \u201cThe regulations do not explicitly require licensees to retain the personal information that they have collected as part of a sale for seven years, although some licensees may interpret the record retention requirement to apply to that information.\u201d<\/p>\n<p>That prompted state lawmakers to pass and former Gov. Jerry Brown to sign into law a prohibition on selling personal data to third parties, but that data is still out there, somewhere. There are cloud options that are secure and HIPAA compliant such as\u00a0<a href=\"https:\/\/www.truevault.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Truevault<\/a>. In this instance, it seems THSuite just used a poor solution \u2014 an unsecured Amazon S3 bucket \u2014 rather than something more secure.<\/p>\n<p>So what do you do with this? Cannabis customers should feel empowered to ask dispensaries what data they collect and where they store it. If they can\u2019t or won\u2019t answer, or you don\u2019t like the answer, you should feel compelled to shop somewhere else. But onerous and often vague state laws requiring dispensaries to hang onto so much personal data ought also be revisited. If liquor stores don\u2019t create huge troves of attractive data, why do dispensaries? As usual, the answer is \u201cbecause it\u2019s weed,\u201d and that answer is creating extra trouble for everybody.<\/p>\n<p><strong>TELL US,\u00a0<\/strong>do you trust places where you buy marijuana to keep your information safe?<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/cannabisnow.com\/is-the-data-you-give-to-cannabis-dispensaries-safe\/\">Is the Data You Give to Cannabis Dispensaries Safe?<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/cannabisnow.com\">Cannabis Now<\/a>.<\/p>\n<p>&#013;<br \/>\n&#013;<br \/>\nRead More: <a href=\"https:\/\/cannabisnow.com\/is-the-data-you-give-to-cannabis-dispensaries-safe\/\" target=\"_blank\">Is the Data You Give to Cannabis Dispensaries Safe?<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Big Weed exists in the age of Big Data, meaning the cannabis industry is vulnerable to all the same attacks and hacks as everyone else. This was demonstrated\u00a0with the revelation two weeks ago that an Amazon Web Services storage bucket, containing point of sales data from 30,000 cannabis dispensary customers<span class=\"more-link\"><a href=\"https:\/\/cannabiscultivatornews.com\/home\/index.php\/2020\/02\/03\/is-the-data-you-give-to-cannabis-dispensaries-safe\/\">Continue Reading<\/a><\/span><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"false","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[50,9895,99,141,13184],"tags":[],"_links":{"self":[{"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/posts\/41027"}],"collection":[{"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/comments?post=41027"}],"version-history":[{"count":1,"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/posts\/41027\/revisions"}],"predecessor-version":[{"id":41028,"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/posts\/41027\/revisions\/41028"}],"wp:attachment":[{"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/media?parent=41027"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/categories?post=41027"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cannabiscultivatornews.com\/home\/index.php\/wp-json\/wp\/v2\/tags?post=41027"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}