CannaTech? PotTech? BuzzTech? Doesn’t matter what you call your IT strategy; just know you need one and you need it before you open the doors of your cannabis business. In the same way that you rely on your phone and laptop or tablet to keep track of your personal life, technology is even more critical to running a business – especially one in which the laws, regulations and governmental requirements change almost weekly.
Timing of Your IT Plan
Now! A good strategy that will provide a 360-degree solution for your business takes time. Don’t wait until you have your license in hand, your facility is equipped and stocked and you are about to open the doors. That is NOT the time to realize that your internet connectivity is spotty, your point-of-sale software has crashed, there is a chuckling red skull on your screen and your IT group has decamped to Puerto Vallarta for the next three weeks.
Elements of the Plan
Daily Operations
You won’t be keeping records on paper–not with the myriad reporting requirements of your state and profit/loss information for your business partners and investors. You will need software for point-of-sale, inventory control, customer verifications (age, residence, medical card where applicable) and employee wages, hours, tax withholding and benefits. One application may cover all of these activities, but more likely you will need a few applications.
To obtain this software you must agree to the terms of the software provider (the licensor) in a license agreement. These terms are critical to your business operations and can (and should) be reviewed by your attorney and negotiated so the terms are fair to and provide adequate protections for both sides. This also applies to your engagement of any outside IT group; it is critical to have the terms of their work with you reduced to writing in a service agreement that provides adequate protection for you and accountability by the software provider.
Cybersecurity
The financial information of your business, as well as the personal information of your customers and employees, is a tempting target for cybercriminals, and it only takes a cursory look at news media in this late stage of the pandemic to be aware of how active cybercriminals have been. Protecting this information and keeping it secure is a requirement for customer trust, compliance with state laws and protection of your financial information, and those safeguards must be documented as required by law.
Dispensaries and other retailers are required by applicable state laws to obtain proof of a customer’s age and residence. That is done most frequently by scanning a customer’s driver’s license into a system application with a repository either 1) within computers or servers on premises or 2) into a repository provided by a cloud services provider. Similarly, if the facility is a medical cannabis dispensary, a physician’s prescription or a “medical marijuana” card with health information is also routinely scanned into the facility’s system. Drivers’ license numbers are data protected by state data breach and privacy laws, as is health information in many states. You will need to obtain a license for software that will help you protect this information. Licenses are granted through license agreements that comprise security controls of the software provider (the licensor), but they also require that you make certain representations as to your own security controls. You should review these agreements with an attorney who can, if necessary, negotiate terms in the agreement.
Some software providers do not provide license agreements but, instead, require that you click “I ACCEPT” on their online Terms of Service, similar to the way in which you would download a new app for your phone. However, there is considerable risk in clicking acceptance of online Terms of Service for commercial cybersecurity software because, for the most part, those online Terms are one-sided in favor of the software provider and rarely can be negotiated. These Terms, once accepted, are considered by most courts to be binding contracts so, again, extreme caution is advised when considering whether to license software from a provider who uses online Terms of Service rather than a formal license agreement.
Physical Security/Video Surveillance
Needless to say, security is a paramount concern in a cash-based business. Even if you have a security guard, video surveillance cameras and software provide extra sets of eyes that, if configured properly, can remember everything they see. Yet, like any other software product, the value is in the details, including how the providers offer technical support, guarantees of uptime, security for the images (protected under privacy biometric laws in states such as New York, Illinois, California and Texas), backups for the cameras, system and images and whether the system offers facial recognition software.
Beware of offers of this latter service as there has been a great deal of litigation concerning facial recognition software in platforms that notify law enforcement based on facial recognition analysis. Certain courts and researchers have found these systems unreliable, particularly with regard to images of people of color and women. In addition, certain facial recognition platforms that relate information to law enforcement may be prohibited by local ordinances.
Insurance
Yes, your computer and video equipment should be insured, but what about the information you obtain through the use of that equipment? This information is of no value to you if you cannot access it because of a cyberattack or network outage, and it certainly has a value to cybercriminals if it comprises, as it must, sensitive personal information of your customers such as driver’s license number, name and address.
While many insurance carriers are leery of insuring cannabis businesses while cannabis remains a Schedule One drug, many will extend such coverage. A broker with extensive contacts and experience in the industry can assist, but you should also have counsel review any proposed policy for business interruption (e.g., partial recoupment of losses as a result of cyber incidents, natural events or government-mandated closures such as were experienced during the height of the COVID-19 pandemic) and data breaches to assure that the scope of coverage is adequate (many policies are riddled with exclusions from coverage and other limitations).
Business moves at the speed of the internet. Cannabis business is no different. Make sure your IT plan is in place so you can safely and efficiently ring up sales the minute you open your doors.
If you have any further questions regarding IT and cybersecurity for cannabis businesses, please contact Ken Rashbaum or any member of our Cannabis Law Team.
