Difference between revisions of "User:Shawndouglas/sandbox/sublevel10"

From CannaQAWiki
Jump to navigationJump to search
Tag: Reverted
Tag: Reverted
Line 1: Line 1:
[[File:Programmer writing code with Unit Tests.jpg|right|450px]]Now that you have a rudimentary understanding of informatics in the cannabis testing lab, as well as the value of having a solution that is flexible, it's time to discuss the core of what makes a cannabis testing LIMS really shine. What are those vital features that distinguish a cannabis testing LIMS from an all-purpose solution? What challenges is the system truly poised to help you with in the lab?
In the fall of 2018, Canada legalized the purchase, growth, and consumption of marijuana in small amounts across the country.<ref name="PorterCanada18">{{cite web |url=https://www.nytimes.com/2018/11/11/world/canada/marijuana-legalization-teenagers.html |title=Canada’s Message to Teenagers: Marijuana Is Legal Now. Please Don’t Smoke It |author=Porter, C. |work=The New York Times |publisher=The New York Times Company |date=11 November 2018 |accessdate=07 July 2021}}</ref> Ahead of and after the official date of legalization, concerns were being raised about the protection of Canadian cannabis consumers' personally identifiable information (PII)<ref name="StollerLegal18">{{cite web |url=https://www.bna.com/legal-canadian-pot-n57982093971/ |archiveurl=https://web.archive.org/web/20190102164241/https://www.bna.com/legal-canadian-pot-n57982093971/ |title=Legal Canadian Pot Sales Spur Data Privacy Concerns |work=Bloomberg BNA |author=Stoller, D.R. |date=18 November 2018 |archivedate=02 January 2019 |accessdate=07 July 2021}}</ref>, particularly in regards to data processed and stored in the United States.<ref name="BlinchHowPriv18">{{cite web |url=https://theconversation.com/how-privatized-cannabis-sales-threaten-your-privacy-101870 |title=How privatized cannabis sales threaten your privacy |work=The Conversation |author=Blinch, M. |date=27 August 2018 |accessdate=07 July 2021}}</ref><ref name="DeloitteASociety18">{{cite web |url=https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/consulting/ca-cannabis-2018-report-en.PDF |format=PDF |title=A society in transition, an industry ready to bloom: 2018 Cannabis Report |publisher=Deloitte LLP |date=2018 |accessdate=07 July 2021}}</ref><ref name="MooreCova18">{{cite web |url=https://thecannabisindustry.org/member_news/cova-software-announces-plan-to-retain-retail-cannabis-data-in-canada/ |title=Cova Software Announces Plan to Retain Retail Cannabis Data in Canada |author=Moore, B. |work=NCIA News |publisher=National Cannabis Industry Association |date=27 September 2018 |accessdate=07 July 2021}}</ref> In truth, comparisons of Canada's [[Privacy law|privacy laws]] with those of the United States existed well before the vote, with resources such as FindLaw detailing risks to any Canadian data transferred to the United States.<ref name="FLCanada04">{{cite web |url=https://corporate.findlaw.com/law-library/canada-s-privacy-laws-vs-the-usa-patriot-act.html |title=Canada's Privacy Laws vs. the USA PATRIOT ACT |work=FindLaw |publisher=Thomson Reuters |date=02 August 2004 |accessdate=07 July 2021}}</ref> However, concerns grew that Ontario's mandated use of the e-commerce platform Shopify (until private retail outlets opened in April 2019) would put Canadian cannabis consumers' data at risk.<ref name="BlinchHowPriv18" /><ref name="AbrahamCannabis18">{{cite web |url=https://www.independent.co.uk/voices/cannabis-canada-legal-sale-buying-online-risks-a8589716.html |title=Cannabis may be legal in Canada – but this is why it's still not safe to buy it online |work=Independent |author=Abraham, E. |date=18 October 2018 |accessdate=07 July 2021}}</ref> In particular, Canadian consumers remain worried that if their purchase history becomes available to United States government officials, who function in an environment of criminalization of cannabis use, they will not be allowed entry into the U.S. at minimum, or be treated as criminals upon attempting entry at worst. As such, some developers of cannabis data management software—such as Cova Software—have publicly acknowledged that any cannabis retail data for Canadian customers will remain in Canada "over and above the current legal requirements."<ref name="MooreCova18" /> Yet even with data providers' intentions to follow Canadian privacy rules and recommendations, data breaches still occur, as happened with the Canada Post in November 2018.<ref name="StollerLegal18" /><ref name="PerkelCanadaPost18">{{cite web| url=https://www.ctvnews.ca/canada/canada-post-admits-cannabis-privacy-breach-involving-4-500-ontario-customers-1.4167149 |title=Canada Post admits cannabis privacy breach involving 4,500 Ontario customers |work=CTV News |author=Perkel, C. |date=07 November 2018 |accessdate=07 July 2021}}</ref>, further emphasizing the need for strict protocols and protections for cannabis consumer data.


A broad all-purpose LIMS will fill many a laboratory's needs; however, the cannabis testing laboratory requires a little more out of the LIMS it implements. A purposeful cannabis testing LIMS will address a number of important needs, described in Table 2.<ref name="BirosUsing15">{{cite web |url=https://cannabisindustryjournal.com/feature_article/using-lims-in-cannabis-laboratories/ |title=Using LIMS in Cannabis Laboratories |author=Biros, A.G. |work=Cannabis Industry Journal |publisher=Innovative Publishing Co. LLC |date=23 October 2015 |accessdate=07 July 2021}}</ref><ref name="AudinoManag18">{{cite web |url=https://cannabisindustryjournal.com/feature_article/managing-cannabis-testing-lab-workflows-using-lims/ |title=Managing Cannabis Testing Lab Workflows Using LIMS |author=Audino, S. |work=Cannabis Industry Journal |date=07 February 2018 |accessdate=07 July 2021}}</ref><ref name="PaszkoSelecting18">{{cite web |url=https://www.labcompare.com/10-Featured-Articles/354722-Selecting-a-LIMS-for-the-Cannabis-Industry/ |title=Selecting a LIMS for the Cannabis Industry |author=Paszko, C. |work=LabCompare |date=27 November 2018 |accessdate=07 July 2021}}</ref>
In the United States, despite cannabis' federal prohibition, many states have been taking on various levels of legalization of cannabis. As Rachel Hutchinson of Foley Hoag LLP noted in March 2017, much like Canada, "[l]egalization has led to increased oversight and monitoring, as well as to the collection and storage of personally identifiable information ... [and the] threat of a federal crackdown leaves most customers resistant to creating any sort of paper trail."<ref name="HutchinsonMari17">{{cite web |url=https://www.securityprivacyandthelaw.com/2017/03/marijuana-and-privacy-a-primer/ |title=Marijuana and Privacy: A Primer |author=Hutchinson, R. |work=Security, Privacy and the Law |publisher=Foley Hoag LLP |date=22 March 2017 |accessdate=07 July 2021}}</ref> In this sort of environment, where federal threats still exist, a patchwork collection of state-based laws have sprung up, including Oregon's Senate Bill 863, which prevents retailers of recreational cannabis from collecting and sharing customers' PII.<ref name="MarumSmoke17">{{cite web |url=https://www.oregonlive.com/marijuana/2017/04/marijuana_user_data_protected.html |title=Smoke pot in Oregon? Your name now protected from feds |author=Marum, A. |work=The Oregonian |date=19 April 2017 |accessdate=07 July 2021}}</ref> California has also implemented a variation of this type of protection for both recreational and medical cannabis consumers.<ref name="SherryClient18">{{cite web |url=https://www.nelsonhardiman.com/client-alert-new-california-privacy-law-ab-2402-specifically-targets-cannabis-licensees/ |title=Client Alert: New California Privacy Law, AB-2402, Specifically Targets Cannabis Licensees |work=Nelson Hardiman Newsroom |author=Sherry, K. |publisher=Nelson Hardiman LLP |date=04 October 2018 |accessdate=07 July 2021}}</ref> Of note is California's classification of medical marijuana identification cards as "medical information," which lends additional credence to the idea that medical marijuana consumers' PII held in dispensaries should be protected by U.S. [[Health Insurance Portability and Accountability Act]] (HIPAA) regulations.<ref name="DroletCannabis17">{{cite web |url=https://www.cannabisbusinessexecutive.com/2017/05/hippa-cannabis-and-privacy-compliance/?utm_source=CBE+Master+List&utm_campaign=3dd8f01b21-CBE+Policy+%26+Legal&utm_medium=email&utm_term=0_1f64189714-3dd8f01b21-264215833 |title=Cannabis and privacy compliance: Is your health information protected? |author=Drolet, M. |work=Cannabis Business Executive |date=15 May 2017 |accessdate=07 July 2021}}</ref> However, without a unified policy and legal framework for cannabis use and its associated data, its difficult to foresee what future data collection and privacy regulations will look like in the United States. Despite this, some software development companies are betting on further demand for privacy of PII with the development of "personal privacy and HIPAA complaint cannabis consumer transaction solution[s]."<ref name="PRNewswireUSMJ18">{{cite web |url=https://www.prnewswire.com/news-releases/usmj-and-landstar-plan-to-bring-data-privacy-and-hipaa-compliance-to-marijuana-consumers-831506836.html |title=USMJ and Landstar Plan to Bring Data Privacy and HIPAA Compliance to Marijuana Consumers |work=PR Newswire |date=14 November 2018 |accessdate=07 July 2021}}</ref>


{|
Additionally, like Canada, concerns still abound concerning data privacy in the United States. Companies such as THSuite, LLC have already been found to inadvertently expose sensitive personal data—and possible even [[protected health information]] (PHI)—from multiple U.S. cannabis dispensaries, potentially violating HIPAA regulations.<ref name="FawkesReportCanna20">{{cite web |url=https://www.vpnmentor.com/blog/report-thsuite-breach/ |title=Report: Cannabis Users’ Sensitive Data Exposed in Data Breach |author=Fawkes, G. |work=vpnMentor Blog |date=24 January 2020 |accessdate=07 July 2021}}</ref><ref name="ShaghaghiLeak20">{{cite web |url=https://www.cohnreznick.com/insights/leak-of-30000-cannabis-customer-records-heightens-need-for-effective-data-security |title=Leak of 30,000 cannabis customer records heightens need for effective data security |author=Shaghaghi, S.; Weinstein, I. |work=Insights |publisher=CohnReznick LLP |date=18 February 2020 |accessdate=07 July 2021}}</ref> As the anonymous author of the original report concerning THSuite points out, "most legal experts agree that dispensaries must follow HIPAA regulations just like any other health care provider," and even in a realm without legal risk, exposed data could mean "individuals may suffer backlash if their families, friends, and colleagues find out that they use cannabis."<ref name="FawkesReportCanna20" /> Again, these issues firmly fall at the feet of the main problem of not having unified cannabis legislation, let alone not having a federally recognized legalized status of cannabis. With the unclear and mismatched state of law regarding cannabis user data protection, the onus still remain firmly with software developers and data managers in regards to thoroughly testing software and implementing (as well as enforcing) stricter controls such as [[encryption]], intrusion detection, and [[authentication]] mechanisms.<ref name="ShaghaghiLeak20" />
| STYLE="vertical-align:top;"|
{| class="wikitable" border="1" cellpadding="5" cellspacing="0" width="90%"
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;" colspan="2"|'''Table 2.''' What a purposeful cannabis testing LIMS will address for a lab
|-
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Cannabis testing need
  ! style="background-color:#e2e2e2; padding-left:10px; padding-right:10px;"|Details
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Configurable sample registration screens optimized for the cannabis testing industry''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Even though some LIMS already provide the ability for users to define their own sample registration screens and fields, it doesn't necessarily mean the vendor will also include pre-loaded screens and preferences for a specific industry or scientific discipline. Those vendors tailoring sample registration screens and preferences specifically to cannabis testing lab requirements for launch-day deployment have a step up on other LIMS vendors.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Pre-loaded cannabis testing protocols, labels, and analytical reports''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|End users of a cannabis testing LIMS will appreciate having a wide array of pre-loaded testing protocols, label templates, and report templates that support the testing of acid and neutral forms of cannabinoids, potency, strain, water activity, moisture content, pesticides, solvents, heavy metals, microbiological contaminates, fungi, mycotoxins, and foreign matter. This includes the ability to configure measurement units, as well as customize analytical reports such as certificates of analysis (COAs) for multiple state- and locally regulated testing scenarios.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Support for the creation and management of additional protocols, labels, and analytical reports''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|As with pre-loaded protocols, labels, and analytical reports, providing users the ability to create and manage their own protocols, labels, and reports—including COAs—as the industry changes is critical.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Flexible specification limit sets for quality control''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|A vital component of testing protocols that should not be overlooked is how flexible their test parameter/specification limit sets are. As regulations and standards concerning cannabis testing—across many different substrates/matrices—may change rapidly at the federal, state, and local level, adjustments to the limits declared within testing protocols must be easy to make. Additionally, the system should be capable of retaining older historic limit sets, such that past results can later be accurately linked to their original limit sets.<ref name="LabLynx5.4LIMS">{{cite web |url=https://www.limswiki.org/index.php/LabLynx_KB:SysAdmin_-_5.4_LIMS_system_setup |title=LabLynx KB:SysAdmin - 5.4 LIMS system setup |author=LabLynx, Inc |work=LIMSwiki.org |date=13 October 2011 |accessdate=07 July 2021}}</ref> These limit sets can help improve quality control and the reporting of out-of-specification (OOS) samples and results.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Third-party system integration, with strong support for APIs for track-and-trace and other legally mandated reporting systems''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Seed-to-sale systems, like METRC, or other types of government-mandated reporting systems may have a web-based user interface (webUI) for manual entry of results data, or they may even support a .csv upload of data. However, manual entry of results can be time consuming and result in a higher likelihood of errors. As such, the more efficient way to report data to those types of systems is through more automated means, connecting your LIMS with a web-based application programming interface (API), typically provided by the vendor of the seed-to-sale or reporting software. This means the LIMS must either be pre-configured to connect with all the necessary APIs or be equipped to handle connection with any API.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Instrument integration with the instrument data systems common to cannabis testing''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|From mass spectrometers and chromatography equipment to quantitative polymerase chain reaction (qPCR) systems and moisture balances, being able to accurately and securely transfer analytical data automatically improves turnaround time (TAT) and better ensures the accuracy of entered results (versus manual data entry). This is particularly important in the highly regulated industry that is cannabis testing.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Granular chain-of-custody at every step''
  | style="background-color:white; padding-left:10px; padding-right:10px;"| A seed-to-sale or "track-and-trace" system means always knowing the who, what, where, when, and how much of cannabis materials and related products in the industry life cycle. This concept is often referred to as the "chain of custody" of cannabis related material. This chain of custody is not limited to received cannabis samples, either; it also includes any subsamples and aliquots generated in the testing laboratory, as well as any disposed materials. As such, it's vital the LIMS be able to accurately document the chain of steps that received cannabis materials go through, from reception and retention to delivery and destruction.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Inventory reconciliation, including sample weight reconciliation''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Related to the "how much" of chain-of-custody tracking, sample weight reconciliation is an important element of avoiding regulatory violations.<ref name="MoberlyAvoid20">{{cite web |url=https://www.rockymountaincannabisconsulting.com/cannabis-business-blog/2020/5/14/avoid-infractions-top-5-metrc-cultivation-violations |title=Avoid Infractions: Top 5 METRC Cultivation Violations |author=Moberly, R. |work=RMCC Blog |date=14 May 2020 |accessdate=07 July 2021}}</ref> The LIMS should be able to either automatically deduct sample and inventory quantities when consumed as part of a test (including subsamples and aliquots), or it should allow manual entry of such changes with background validation checks or warnings. For example, the system would need to clearly warn the user when attempting to pull more weight from a sample than exists, which would create a negative value.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Real-time alerts and issue tracking''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|The requirement for maintaining quality testing outcomes for consumer safety and client satisfaction drives the need for prompt real-time alerts. Users must clearly and promptly be notified of errors and OOS results (via limit sets and other triggers) in order to, for example, identify health risks associated with a tested product or discover mislabeled product. These OOS results, as well as any other problems, should be tracked not only to notify clients but also to guide corrective action. Alerts and issue tracking are also useful for ensuring scheduled tasks are completed before they are due, or correcting processes if tests inadvertently become overdue.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Capacity and performance monitoring''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Whether an R&D cannabis lab or a quality assurance lab for cannabis, monitoring workloads, instrument allocations, scheduled tasks, OOS results, and any lab-specific performance indicators is vital for ensuring quick turnaround time (TAT), accurate results, productive workflows, and positive regulatory outcomes. Similar to issue tracking, capacity and performance tracking also help maintain quality testing outcomes and client satisfaction. Custom key performance measure (KPM) creation and management is also useful towards those efforts.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Strong data security and confidentiality''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|When it comes to cannabis and protected health information (PHI), dispensaries are the most likely to require careful attention to consumer information.<ref name="FawkesReportCanna20">{{cite web |url=https://www.vpnmentor.com/blog/report-thsuite-breach/ |title=Report: Cannabis Users’ Sensitive Data Exposed in Data Breach |author=Fawkes, G. |work=vpnMentor Blog |date=24 January 2020 |accessdate=07 July 2021}}</ref><ref name="ShaghaghiLeak20">{{cite web |url=https://www.cohnreznick.com/insights/leak-of-30000-cannabis-customer-records-heightens-need-for-effective-data-security |title=Leak of 30,000 cannabis customer records heightens need for effective data security |author=Shaghaghi, S.; Weinstein, I. |work=Insights |publisher=CohnReznick LLP |date=18 February 2020 |accessdate=07 July 2021}}</ref> However, that does not preclude laboratories from making strong efforts to protect sensitive personal data related to clients and their analyses (let alone to protect the lab's own validated methods and documentation). As such, cannabis testing labs should rely on a LIMS that uses industry-standard communication protocols and encryption methods to protect not only the data housed in the LIMS but also data moving in and out of it.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Accounting and billing support, including quoting and invoicing''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Carefully tracking expenditures and payments received related to cannabis activities is vital. This is especially true given that the non-hemp (low-THC) ''Cannabis'' plant is still technically illegal to grow and process in the eyes of U.S. federal law. As such, some business taking in money from cannabis-related activities have had problems with managing the financial aspects of their operations.<ref name="KovaleskiUS14">{{cite web |url=https://www.nytimes.com/2014/02/15/us/us-issues-marijuana-guidelines-for-banks.html |title=U.S. Issues Marijuana Guidelines for Banks |author=Kovaleski, S.F. |work=The New York Times |publisher=The New York Times Corporation |date=14 February 2014 |accessdate=07 July 2021}}</ref><ref name="FinCEN_BSA14">{{cite web |url=https://www.fincen.gov/resources/statutes-regulations/guidance/bsa-expectations-regarding-marijuana-related-businesses |title=BSA Expectations Regarding Marijuana-Related Businesses |author=Financial Crimes Enforcement Network |publisher=U.S. Department of the Treasury |date=14 February 2014 |accessdate=07 July 2021}}</ref><ref name="AngellMoreBanks18">{{cite web |url=https://www.forbes.com/sites/tomangell/2018/06/14/more-banks-working-with-marijuana-businesses-despite-federal-moves/#4d828ed21b1b |title=More Banks Working With Marijuana Businesses, Despite Federal Moves |author=Angell, T. |work=Forbes |publisher=Forbes Media, LLC |date=14 June 2018 |accessdate=07 July 2021}}</ref><ref name="BoomsteinCali19">{{cite web |url=https://www.manatt.com/insights/newsletters/financial-services-law/california-dbo-offers-guidance-on-cannabis-banking |title=California DBO Offers Guidance on Cannabis Banking |author=Boomstein, A.L.; Miller, C.D.; Owen, J.L. |publisher=Manatt, Phelps & Phillips, LLP |date=30 October 2019 |accessdate=07 July 2021}}</ref> Given the remaining uncertainty of cannabis legalization in the U.S., and the natural benefits of managing accounting and billing within the LIMS, it makes sense that a LIMS should be able to accurately track receipts and more, down to the penny.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Secure web portal for client results review and test ordering''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Clients appreciate being able to submit test orders and view the results of their tests on a relatively independent basis. The secure web portal makes a useful time-saving and customer-friendly tool in that effort. However, the "secure" part of this requirement must be emphasized. Web-based attacks remain some of the most popular cybersecurity attacks, targeting the likes of online customer portals and WordPress sites for credentials and sensitive information.<ref name="TalalevWebsite20">{{cite web |url=https://patchstack.com/website-hacking-statistics/ |title=Website Hacking Statistics You Should Know in 2021 |author=Talalev, A. |work=WebARX Blog |date=22 February 2021 |accessdate=07 July 2021}}</ref><ref name="EnsightenTop20">{{cite web |url=https://www.ensighten.com/blog/top-five-cyberattacks-targeting-your-website-in-2020 |title=op Five Cyberattacks Targeting Your Website in 2020 |author=Ensighten |work=Ensighten Blog |date=11 February 2020 |accessdate=07 July 2021}}</ref> As indicated previously, a vendor that focuses on strong data security will have an advantage in the implementation of such a web portal.
|-
  | style="background-color:white; padding-left:10px; padding-right:10px;"|''Functionality supporting ISO/IEC 17025, NELAC, ORELAP, ELAP, and Patient Focused Certification (PFC) compliance''
  | style="background-color:white; padding-left:10px; padding-right:10px;"|Cannabis testing laboratories and their necessary focus on quality is driven by standards and regulations, as well as accreditation to those standards and regulations. That burden can at times be heavy for laboratories, so having automation elements like a LIMS that provides functionality that assists with complying with those standards and regulations is immensely helpful. For example, ISO/IEC 17025 has a requirement that documents be managed in a specific way, an area where a well-designed LIMS is able to help.
|-
|}
|}


==References==
==References==
{{Reflist|colwidth=30em}}
{{Reflist|colwidth=30em}}

Revision as of 17:44, 19 August 2021

In the fall of 2018, Canada legalized the purchase, growth, and consumption of marijuana in small amounts across the country.[1] Ahead of and after the official date of legalization, concerns were being raised about the protection of Canadian cannabis consumers' personally identifiable information (PII)[2], particularly in regards to data processed and stored in the United States.[3][4][5] In truth, comparisons of Canada's privacy laws with those of the United States existed well before the vote, with resources such as FindLaw detailing risks to any Canadian data transferred to the United States.[6] However, concerns grew that Ontario's mandated use of the e-commerce platform Shopify (until private retail outlets opened in April 2019) would put Canadian cannabis consumers' data at risk.[3][7] In particular, Canadian consumers remain worried that if their purchase history becomes available to United States government officials, who function in an environment of criminalization of cannabis use, they will not be allowed entry into the U.S. at minimum, or be treated as criminals upon attempting entry at worst. As such, some developers of cannabis data management software—such as Cova Software—have publicly acknowledged that any cannabis retail data for Canadian customers will remain in Canada "over and above the current legal requirements."[5] Yet even with data providers' intentions to follow Canadian privacy rules and recommendations, data breaches still occur, as happened with the Canada Post in November 2018.[2][8], further emphasizing the need for strict protocols and protections for cannabis consumer data.

In the United States, despite cannabis' federal prohibition, many states have been taking on various levels of legalization of cannabis. As Rachel Hutchinson of Foley Hoag LLP noted in March 2017, much like Canada, "[l]egalization has led to increased oversight and monitoring, as well as to the collection and storage of personally identifiable information ... [and the] threat of a federal crackdown leaves most customers resistant to creating any sort of paper trail."[9] In this sort of environment, where federal threats still exist, a patchwork collection of state-based laws have sprung up, including Oregon's Senate Bill 863, which prevents retailers of recreational cannabis from collecting and sharing customers' PII.[10] California has also implemented a variation of this type of protection for both recreational and medical cannabis consumers.[11] Of note is California's classification of medical marijuana identification cards as "medical information," which lends additional credence to the idea that medical marijuana consumers' PII held in dispensaries should be protected by U.S. Health Insurance Portability and Accountability Act (HIPAA) regulations.[12] However, without a unified policy and legal framework for cannabis use and its associated data, its difficult to foresee what future data collection and privacy regulations will look like in the United States. Despite this, some software development companies are betting on further demand for privacy of PII with the development of "personal privacy and HIPAA complaint cannabis consumer transaction solution[s]."[13]

Additionally, like Canada, concerns still abound concerning data privacy in the United States. Companies such as THSuite, LLC have already been found to inadvertently expose sensitive personal data—and possible even protected health information (PHI)—from multiple U.S. cannabis dispensaries, potentially violating HIPAA regulations.[14][15] As the anonymous author of the original report concerning THSuite points out, "most legal experts agree that dispensaries must follow HIPAA regulations just like any other health care provider," and even in a realm without legal risk, exposed data could mean "individuals may suffer backlash if their families, friends, and colleagues find out that they use cannabis."[14] Again, these issues firmly fall at the feet of the main problem of not having unified cannabis legislation, let alone not having a federally recognized legalized status of cannabis. With the unclear and mismatched state of law regarding cannabis user data protection, the onus still remain firmly with software developers and data managers in regards to thoroughly testing software and implementing (as well as enforcing) stricter controls such as encryption, intrusion detection, and authentication mechanisms.[15]

References

  1. Porter, C. (11 November 2018). "Canada’s Message to Teenagers: Marijuana Is Legal Now. Please Don’t Smoke It". The New York Times. The New York Times Company. https://www.nytimes.com/2018/11/11/world/canada/marijuana-legalization-teenagers.html. Retrieved 07 July 2021. 
  2. 2.0 2.1 Stoller, D.R. (18 November 2018). "Legal Canadian Pot Sales Spur Data Privacy Concerns". Bloomberg BNA. Archived from the original on 02 January 2019. https://web.archive.org/web/20190102164241/https://www.bna.com/legal-canadian-pot-n57982093971/. Retrieved 07 July 2021. 
  3. 3.0 3.1 Blinch, M. (27 August 2018). "How privatized cannabis sales threaten your privacy". The Conversation. https://theconversation.com/how-privatized-cannabis-sales-threaten-your-privacy-101870. Retrieved 07 July 2021. 
  4. "A society in transition, an industry ready to bloom: 2018 Cannabis Report" (PDF). Deloitte LLP. 2018. https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/consulting/ca-cannabis-2018-report-en.PDF. Retrieved 07 July 2021. 
  5. 5.0 5.1 Moore, B. (27 September 2018). "Cova Software Announces Plan to Retain Retail Cannabis Data in Canada". NCIA News. National Cannabis Industry Association. https://thecannabisindustry.org/member_news/cova-software-announces-plan-to-retain-retail-cannabis-data-in-canada/. Retrieved 07 July 2021. 
  6. "Canada's Privacy Laws vs. the USA PATRIOT ACT". FindLaw. Thomson Reuters. 2 August 2004. https://corporate.findlaw.com/law-library/canada-s-privacy-laws-vs-the-usa-patriot-act.html. Retrieved 07 July 2021. 
  7. Abraham, E. (18 October 2018). "Cannabis may be legal in Canada – but this is why it's still not safe to buy it online". Independent. https://www.independent.co.uk/voices/cannabis-canada-legal-sale-buying-online-risks-a8589716.html. Retrieved 07 July 2021. 
  8. Perkel, C. (7 November 2018). "Canada Post admits cannabis privacy breach involving 4,500 Ontario customers". CTV News. https://www.ctvnews.ca/canada/canada-post-admits-cannabis-privacy-breach-involving-4-500-ontario-customers-1.4167149. Retrieved 07 July 2021. 
  9. Hutchinson, R. (22 March 2017). "Marijuana and Privacy: A Primer". Security, Privacy and the Law. Foley Hoag LLP. https://www.securityprivacyandthelaw.com/2017/03/marijuana-and-privacy-a-primer/. Retrieved 07 July 2021. 
  10. Marum, A. (19 April 2017). "Smoke pot in Oregon? Your name now protected from feds". The Oregonian. https://www.oregonlive.com/marijuana/2017/04/marijuana_user_data_protected.html. Retrieved 07 July 2021. 
  11. Sherry, K. (4 October 2018). "Client Alert: New California Privacy Law, AB-2402, Specifically Targets Cannabis Licensees". Nelson Hardiman Newsroom. Nelson Hardiman LLP. https://www.nelsonhardiman.com/client-alert-new-california-privacy-law-ab-2402-specifically-targets-cannabis-licensees/. Retrieved 07 July 2021. 
  12. Drolet, M. (15 May 2017). "Cannabis and privacy compliance: Is your health information protected?". Cannabis Business Executive. https://www.cannabisbusinessexecutive.com/2017/05/hippa-cannabis-and-privacy-compliance/?utm_source=CBE+Master+List&utm_campaign=3dd8f01b21-CBE+Policy+%26+Legal&utm_medium=email&utm_term=0_1f64189714-3dd8f01b21-264215833. Retrieved 07 July 2021. 
  13. "USMJ and Landstar Plan to Bring Data Privacy and HIPAA Compliance to Marijuana Consumers". PR Newswire. 14 November 2018. https://www.prnewswire.com/news-releases/usmj-and-landstar-plan-to-bring-data-privacy-and-hipaa-compliance-to-marijuana-consumers-831506836.html. Retrieved 07 July 2021. 
  14. 14.0 14.1 Fawkes, G. (24 January 2020). "Report: Cannabis Users’ Sensitive Data Exposed in Data Breach". vpnMentor Blog. https://www.vpnmentor.com/blog/report-thsuite-breach/. Retrieved 07 July 2021. 
  15. 15.0 15.1 Shaghaghi, S.; Weinstein, I. (18 February 2020). "Leak of 30,000 cannabis customer records heightens need for effective data security". Insights. CohnReznick LLP. https://www.cohnreznick.com/insights/leak-of-30000-cannabis-customer-records-heightens-need-for-effective-data-security. Retrieved 07 July 2021. 
Retrieved from "https://www.cannaqa.wiki/index.php?title=User:Shawndouglas/sandbox/sublevel10&oldid=17120"