Although every business with online operations should take steps to protect themselves from a potentially crippling data breach - this holds especially true for those operating in the Canadian cannabis industry. From the storage of confidential patient information to conducting sales online, both marijuana producers and ancillary businesses are likely targets for hackers around the world.

In 2018, a year after this article was written - we experienced some of the largest cyber-attacks in history. From Equifax's data breach which affected nearly 45% of the U.S population, to Canada’s very own Bell media, 2017 exposed the vulnerability even some of the most secure corporations are exposed to.

Determining Your Liability

Every Canadian entity collecting personal information must abide by Canada’s Personal Information Protection and Electronic Documents Act or “PIPEDA”, which establishes rules and regulations surrounding the collection and use of personal information. However, licensed producers and cannabis clinics involved in the medicinal marijuana space also face the added regulations imposed under the “PHIPA” or the Personal Health Information Protection Act. Because they would be classified as an “information custodian” under the act, they are held to a much higher standard with respect to the collection, use and disclosure of patient information.

Consequently, those involved in the medical marijuana industry face significant exposure in terms of their cyber liability.

How to Reduce Your Exposure

By taking a proactive stance on cyber security, companies can significantly reduce the likelihood of an attack. In fact, most insurers will require that controls be in place before they will even consider offering a cyber-policy.

Below, we’ve outlined a list of controls every company operating in the industry should enact in order to reduce their cyber-exposure:

• Install an anti-virus software on all work computers, laptops and mobile phones

• Utilize a firewall and intrusion detection software

• Use data encryption on local servers

• Require that all service providers with access to sensitive information demonstrate adequate security policies and procedures

• Periodically update employee passwords

• Upgrade security software as new releases and improvements are made available

• Conduct a periodic cyber audit and security test

What Coverage Is Available?

With over half the world’s population having access to the internet, a cyber-breach can come in many forms from nearly anywhere in the world. Below, we’ve identified some of the main types of cyber coverage and why they are needed:

• Extortion coverage - denial of services (DDoS) due to a ransomware attack

• Business Interruption - lost revenue due to a cyber-attack

• Fraudulent funds - fraudulent transfer of money or securities

• Defense for regulatory claim - violating Canadian online regulatory law

• Information Security - release of confidential client or patient information

• E-commerce coverage - rerouting of customer payments & information

• Crisis Management - cost of forensic and PR consultants

• System Recovery - cost to repair and restore computer systems after a breach

Is a Cyber Policy Necessary?

Regardless of the industry, cyber security should be a top concern for companies of all sizes. Predictions from the world's leading experts suggest that these attacks will become even more pronounced in 2018 as attackers leverage machine learning and AI to launch more potent attacks.

Given the current medical marijuana regime in Canada, it is clear as to why licensed producers and ancillary businesses need to have adequate levels of cyber liability coverage. Whether it be an accidental release of patient information, stolen employee laptop or full-scale ransomware attack – cyber breaches can have huge implications on your bottom line.

Don’t act until it’s too late. Give us a call and let’s discuss what level of cyber coverage is right for you. Whether you’re a multinational licensed producer, cannabis clinic or just starting out – we can craft a cyber-package tailored to the scope of your operations. Give us a call at (833) 422-6837 and let’s discuss how we can help protect your business and what matters most.