Paul Saabas, Vice President, Shred-it


Cannabis licensed producers (LPs) in Canada are currently facing a unique economic opportunity. Because Canada is the first G7 country to legalize adult-use cannabis, industry players in this market are moving at a rapid pace. Amidst seemingly boundless opportunities, media excitement and landmark legal decisions, the question remains: are cannabis LPs doing everything to ensure that customer and stakeholder information is kept confidential?

Understandably, many LPs are focused on ensuring that demand is met with the appropriate supply, and fierce competition keeps cannabis marketers on their toes. As a result, data protection practices are at risk of being overlooked and not prioritized. This is problematic given that many LPs operate clinics and dispensaries that collect personal and confidential medical information from patients. Recreational cannabis companies also collect personal information from customers. All industry players must hold themselves to the highest standards of information security or they could face steep fines and reputational damage.

A 2017 report from the Ponemon Institute, The Impact of Data Breaches on Reputation and Share Value, states that healthcare organizations that experienced a data breach saw a 6.25% decline in their stocks, lost more than 4% of patients, and took over three months to recover from the financial damages of the breach. Therefore, it is safe to assume that medicinal and recreational cannabis companies will face similar consequences if they don’t take immediate steps to prioritize information security.

From a human resources perspective, it is essential that employees are trained in the proper information security protocols and procedures. Shred-it’s 2018 Security Tracker, its annual survey conducted by Ipsos that looks at information security practices of both C-suites and small business owners, confirms that millennials are lagging behind their generation X (35-55) and baby boomer (55+) colleagues when it comes to safe data protection practices. This is worrisome since the cannabis industry attracts a large number of millennials to work in the sector. It is a stark reminder that cannabis companies need to properly train their employees and develop comprehensive internal privacy and information security policies, or they risk losing customer trust and taking a hit to their bottom line.

Regulators are already cracking down on cannabis companies and their security practices. Provincial regulators along with the privacy commissioner in Prince Edward Island confirmed that cannabis stores in the province are no longer allowed to use electronic ID scanners due to privacy concerns from customers.

In this fiercely regulated and highly competitive industry, reputation is everything. One slip with patient or investor information can cost companies millions of dollars. The same 2017 study conducted by the Ponemon Institute confirmed that the average data breach can cost a company up to seven million dollars in fines, penalties, and lost revenue, not to mention the associated reputational damage.

The question then remains, how do cannabis LPs incorporate data protection practices into their business? As a starting point, below are four common information security risks that every company should address:

1.) Paper documents: Despite the trend towards ‘paperless’ offices, paper is still widely used by employees. Shred-it’s 2018 Security Tracker study found that 48% of millennials (18-34) leave notebooks on their desks after they leave work and only half of millennials regularly shred confidential documents. All kinds of printed documents – presentation decks, business plans, client strategy documents – could compromise your company if they fall into the wrong hands.

It’s important for cannabis LPs to implement various policies, such as a Clean Desk policy and a Shred-it All policy, to ensure no confidential information gets into the wrong hands.

2.) Public Wi-Fi: Any time an employee connects to public Wi-Fi, whether working at a coffee shop or in a public workspace, they run the risk of exposing their company’s device to a hacker tapping into the open network. More than half (53%) of Canadians don’t know how to identify an unsecured Wi-Fi connection, and at least 88% have potentially put themselves at risk by logging into sensitive sites on open networks, according to a 2017 risk report by Norton.

It is important to equip employees with the knowledge to reduce the risk of a data breach occurring over a public network. Shred-it’s Security Tracker data confirms that only 27% of small businesses offer employee training on using public Wi-Fi. If your company has a Virtual Private Network (VPN), regularly remind employees to use the VPN to stay secure when surfing the web.

3.) Smart devices: The introduction of new smart devices, wearable tech and the internet of things (IoT) means technology is expanding – and with it the number of access points that exist for a data breach. Most employees don’t realize that personal devices such as smart watches or connected cars could pose a risk if they’re connected to your company’s network. Data security for smart devices is something all employers will have to address in the near future, as it’s predicted that more than 25% of cyber-attacks will involve IoT by 2020, according to technology research firm Gartner.

Shred-it’s Security Tracker survey found that 38% of small business owners have no protocols in place when employees use electronic devices containing confidential information and 37% of millennials regularly leave their computer on and unlocked after work. This makes confidential information easily accessible to intruders.

Even if your company has security measures in place for internet-connected devices, such as password requirements or separate networks to pass sensitive data, it’s critical that your employees know which devices could pose a security risk and how to properly use them.

4.) Email scams: Email and phishing scams are a common and persistent method hackers use to gain access to a company’s sensitive information. Online scams accounted for more than 20,000 complaints to the Canadian Anti-Fraud Centre in 2016, and cost Canadians more than $40 million. It’s important to help employees build up the skills to easily identify a potential email threat, wherever and whenever they happen to check their emails.

It is important for emerging companies and licensed producers to protect their confidential data, not only to ensure a strong growth strategy, but to stay compliant in the cannabis industry’s constantly changing legislative landscape. To get more data protection tips that are easy to incorporate into your business strategy, visit the Shred-it resource centre.