No longer operating in the margins, the highly profitable, and highly regulated, legalized cannabis industry has ably, as well as nimbly, pushed its sales through to mainstream business. Some industry researchers project that total legal sales of cannabis in the U.S. will grow at a double-digit compound annual growth rate of 14%, and they forecast revenues to reach an estimated $30 billion by 2025. But the outlook cannot be all roses. The business of legalized cannabis has cybersecurity and data privacy challenges unlike those confronting other industries. The legalized cannabis industry maintains stores of personalized data and information, which by its very nature requires regulatory compliance with cybersecurity and data privacy laws. There is, however, a layer of complexity for the cannabis industry because of data collection and mandatory retention requirements.

Take California, for example. The California Cannabis Track-and-Trace (CCTT) system is used to record the inventory and movement of cannabis and cannabis products through the commercial cannabis supply chain. California requires all annual and provisional cannabis licensees, including those with licenses for cannabis cultivation, manufacturing, retail, distribution, testing labs, and micro-businesses, to track cannabis through the supply chain using METRC (Marijuana Enforcement Tracking Reporting Compliance). In fact, California requires each licensee to maintain records related to commercial cannabis activity for a minimum of seven years. As a result, California cannabis licensing requires licensees using METRC to track and maintain an enormous amount of valuable data. What type of valuable data, you might ask? The type of data hackers are especially looking for: combinations of personal data and/or health data, such as names, Social Security numbers, addresses, copies of driver's licenses and identification cards, and so forth.