Data Privacy and Security in the Cannabis Industry


CLE credits earned: 2 GENERAL (or 2 LAW & LEGAL for WA state)

The legalization of marijuana has created a multitude of business opportunities, but it has also created many questions and uncertainties for businesses. Beyond the regulatory requirements, businesses must also consider the data privacy and security risks to their business.

In November, cannabis won big in the midterm elections: in Michigan, the legalization of recreational cannabis passed; the legalization of medical cannabis passed in Utah and Missouri; and several states elected governors who back legislation for the legalization of cannabis. Now, there are 33 states that allow some form of medical marijuana and 10 states (plus D.C.) that have legalized recreational use. Additionally, the shift of the U.S. House of Representatives to Democratic control, as well as Attorney General Jeff Sessions’ resignation, could also help the push for legalization at the federal level.

So, while the industry is clearly on the rise as more and more states pass laws legalizing the use of cannabis, the industry also needs to consider the privacy and security of its systems and networks from the ground up. Because this industry is so heavily regulated and tracked, there is also a heavy amount of data collection and storage of personally identifiable information and other sensitive data. Many businesses in this industry offer customers the ability to make purchases online or through a mobile app, use point-of-sale (POS) systems for their dispensaries, and maintain their data on cloud-based software-as-a-service (SaaS) platforms. These POS systems automatically report to states’ compliance tracking systems using application programming interfaces (APIs), and all of a business’s daily sales can be uploaded automatically into the state’s database in one simple step. In many instances, the dispensary scans its customers’ IDs for birth date and state of residency, to check them into the system, and to confirm what (and how much) the customer can buy. When you think about it, marijuana dispensaries are hot spots for personally identifiable information: the goal is to track every plant, product, and person associated with the production and sale of marijuana.

It is important for companies in the cannabis industry to keep up not only with the constantly changing legislative landscape but also with the cyber threats that pose a substantial risk to their businesses and their customers.

This course is co-sponsored with myLawCLE.
Key topics to be discussed:

•   The current landscape for medical and recreational use of marijuana across the country
•   The types of sensitive—and protected—information that the cannabis industry collects and possesses
•   The recent and continued risks and threats to data
•   Tips and mitigation for protecting and securing the data collected by these businesses

Date / Time: May 7, 2019

•   10:00 am – 12:00 pm Eastern
•   9:00 am – 11:00 am Central
•   8:00 am – 10:00 am Mountain
•   7:00 am – 9:00 am Pacific

Choose a format:

•   Live Video Broadcast/Re-Broadcast: Watch the program “live” in real time; you must sign in and watch the program on the date and time set above. You may ask questions during the presentation via chat box. Qualifies for “live” CLE credit.
•   On-Demand Video: Access CLE 24/7 via the on-demand library and watch the program anytime. Qualifies for self-study CLE credit. On-demand versions are made available 7 business days after the original recording date and are viewable for up to one year.



Original Broadcast Date: May 7, 2019

Kathryn Rattigan, Esq. is a member of the firm’s Business Litigation Group and Data Privacy + Cybersecurity Team. She advises clients on data privacy and security, cybersecurity, and compliance with related state and federal laws. Kathryn also provides legal advice regarding the use of unmanned aerial systems (UAS, or drones) and Federal Aviation Administration (FAA) regulations. She represents clients across all industries, such as insurance, health care, education, energy, and construction.

Data Privacy and Cybersecurity Compliance
Kathryn helps clients comply with all state and federal regulations related to data privacy and cybersecurity. She counsels clients facing government investigations over alleged non-compliance. She advises clients on the development of privacy and security plans, and how to best handle high-risk data to avoid breaches and cyber intrusions. Kathryn helps clients review, revise, and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA), Telephone Consumer Protection Act (TCPA), the Children’s Online Privacy Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA), and other federal and state laws and regulations. She assists businesses and organizations with measures to protect the security and confidentiality of personal and sensitive information. She provides guidance regarding privacy and data protection in connection with mobile devices, data storage technologies, mobile applications, and location-based services. Kathryn assists with the development of website and mobile app privacy policies and terms and conditions of use. She also advises clients on social media policies and practices, and ‘Bring Your Own Device’ in the workplace. She is a member of the firm’s Financial Services Cyber-Compliance Team.

Unmanned Aerial Systems and FAA Compliance
Kathryn is a member of the firm’s Drone Compliance Team. As such, she advises clients on all legal issues surrounding the use of commercial drones, including navigation of Federal Aviation Administration regulations, commercial registration requirements, and Part 107 waivers. She reviews and prepares employee and subcontractor agreements for the piloting and use of drones. She advises commercial businesses on insurance options for adequate coverage for drone use. Kathryn is well versed on various local and state laws, regulations, and ordinances which apply to a business’ drone use. She assists clients with privacy and cybersecurity policies, procedures and programs to mirror the National Telecommunications and Information Administration’s voluntary best practices, as well as other industry standards. Kathryn also handles drone-related litigation, such as claims involving manufacturing defects, personal injury, or property damage. She has given numerous presentations about implementing UAS into company infrastructure and privacy and cybersecurity issues related to drone use.

HIPAA Compliance
Kathryn counsels clients on HIPAA compliance, including assisting with employee training, and providing guidance on the implementation of required and recommended Privacy Rule and Security Rule policies and procedures.

Data Breach Preparedness and Emergency Response
Kathryn provides clients with the information needed to effectively handle potential and confirmed data breaches, including insight into state and federal regulations and requirements. If a client suffers a data breach, she assists with the follow-up response, including notification, remediation, and litigation.

Privacy and Class Action Litigation and Enforcement
If a data breach or cybersecurity issue results in litigation or an enforcement action, Kathryn represents clients in court and before government regulatory agencies. This includes assisting clients with matters related to the unauthorized access, use or disclosure of health, financial, or personally identifiable information.

Pro Bono and Community Involvement
Kathryn is committed to doing pro bono work and being involved in the community. Her recent efforts include assisting Inner Explorer, a non-profit which works to help students focus and succeed through mindfulness practice in the classroom, and College Visions, which helps low-income students pursue a college education.

Accreditation Policy
myLawCLE seeks accreditation for all programs in all states. (Accreditation for paralegals is sought through the NALA and NFPA paralegal associations.) Each attending attorney/paralegal will receive a certificate of completion following the close of the CLE program as proof of attendance. In required states, myLawCLE records attorney/paralegal attendance; in all other states, the attorney/paralegal is provided with the approved CLE certificate to submit to their state bar or governing association.

Automatic MCLE Approvals

All myLawCLE CLE programs are accredited automatically either directly or via reciprocity in the following states: AK, AR, CA, CT, FL, HI, ME, MO, MT, ND, NH, NM, NJ, NY, WV, and VT. (AZ does not approve CLE programs, but accepts our certificates for CLE credit.)

Live Video Broadcasts

Live video broadcasts are new live CLE programs being streamed and recorded for the first time. All of these programs qualify for “Live” CLE credit in all states except NV, OH, MS, IN, UT, PA, GA, and LA; these states require in-person attendance to qualify for “Live” CLE credit.

“Live” Re-Broadcasts

“Live” Re-broadcasts are replays of previously recorded CLE programs, set on a specific date and time, where the original presenting speakers call in live at the end of the event to answer questions. This “live” element allows “live” Re-broadcast CLEs to qualify for “Live” CLE credits in most states. [The following states DO NOT allow for “live” CLE credits on re-broadcast CLEs: NV, OH, MS, IN, UT, PA, GA, and LA]

Many states allow for credit to be granted on a 1:1 reciprocal basis for courses approved in another mandatory CLE jurisdiction state. This is known as a reciprocity provision and includes the following states: AK, AR, HI, CT, FL, ME, MO, MT, ND, NH, NM, VT, NJ, NY, and WV. myLawCLE does not seek direct accreditation of live webinars or teleconferences in these states.

Section I. Introduction to medical and recreational use regulations

Section II. Identifying high-risk data in the business

Section III. Recent Risks and Threats to Data

Section IV. Tips for Mitigation

Section V. Implementation of an enterprise-wide data privacy and security compliance program

Section VI. Federal Data Privacy and Security Laws

Section VII. How can the Health Insurance Portability and Accountability Act (HIPAA) be applied

Section VIII. State by State – Data Privacy and Security Laws including Written Information Security Plans

Section IX. Discuss the California Bureau of Cannabis Control regulations

Section X. 50-State Data Breach Notification Laws

Section XI. Employee Training Modules and tabletop breach exercises

Section XII. Risks of cryptocurrency for banking

Section XIII. Website and mobile app Privacy Policies and Terms of Use

Section XIV. Cyberliability insurance