User:Shawndouglas/sandbox/sublevel10

From CannaQAWiki
Jump to navigationJump to search

In the fall of 2018, Canada legalized the purchase, growth, and consumption of marijuana in small amounts across the country.[1] Ahead of and after the official date of legalization, concerns were being raised about the protection of Canadian cannabis consumers' personally identifiable information (PII)[2], particularly in regards to data processed and stored in the United States.[3][4][5] In truth, comparisons of Canada's privacy laws with those of the United States existed well before the vote, with resources such as FindLaw detailing risks to any Canadian data transferred to the United States.[6] However, concerns grew that Ontario's mandated use of the e-commerce platform Shopify (until private retail outlets opened in April 2019) would put Canadian cannabis consumers' data at risk.[3][7] In particular, Canadian consumers remain worried that if their purchase history becomes available to United States government officials, who function in an environment of criminalization of cannabis use, they will not be allowed entry into the U.S. at minimum, or be treated as criminals upon attempting entry at worst. As such, some developers of cannabis data management software—such as Cova Software—have publicly acknowledged that any cannabis retail data for Canadian customers will remain in Canada "over and above the current legal requirements."[5] Yet even with data providers' intentions to follow Canadian privacy rules and recommendations, data breaches still occur, as happened with the Canada Post in November 2018.[2][8], further emphasizing the need for strict protocols and protections for cannabis consumer data.

In the United States, despite cannabis' federal prohibition, many states have been taking on various levels of legalization of cannabis. As Rachel Hutchinson of Foley Hoag LLP noted in March 2017, much like Canada, "[l]egalization has led to increased oversight and monitoring, as well as to the collection and storage of personally identifiable information ... [and the] threat of a federal crackdown leaves most customers resistant to creating any sort of paper trail."[9] In this sort of environment, where federal threats still exist, a patchwork collection of state-based laws have sprung up, including Oregon's Senate Bill 863, which prevents retailers of recreational cannabis from collecting and sharing customers' PII.[10] California has also implemented a variation of this type of protection for both recreational and medical cannabis consumers.[11] Of note is California's classification of medical marijuana identification cards as "medical information," which lends additional credence to the idea that medical marijuana consumers' PII held in dispensaries should be protected by U.S. Health Insurance Portability and Accountability Act (HIPAA) regulations.[12] However, without a unified policy and legal framework for cannabis use and its associated data, its difficult to foresee what future data collection and privacy regulations will look like in the United States. Despite this, some software development companies are betting on further demand for privacy of PII with the development of "personal privacy and HIPAA complaint cannabis consumer transaction solution[s]."[13]

Additionally, like Canada, concerns still abound concerning data privacy in the United States. Companies such as THSuite, LLC have already been found to inadvertently expose sensitive personal data—and possible even protected health information (PHI)—from multiple U.S. cannabis dispensaries, potentially violating HIPAA regulations.[14][15] As the anonymous author of the original report concerning THSuite points out, "most legal experts agree that dispensaries must follow HIPAA regulations just like any other health care provider," and even in a realm without legal risk, exposed data could mean "individuals may suffer backlash if their families, friends, and colleagues find out that they use cannabis."[14] Again, these issues firmly fall at the feet of the main problem of not having unified cannabis legislation, let alone not having a federally recognized legalized status of cannabis. With the unclear and mismatched state of law regarding cannabis user data protection, the onus still remain firmly with software developers and data managers in regards to thoroughly testing software and implementing (as well as enforcing) stricter controls such as encryption, intrusion detection, and authentication mechanisms.[15]

References

  1. Porter, C. (11 November 2018). "Canada’s Message to Teenagers: Marijuana Is Legal Now. Please Don’t Smoke It". The New York Times. The New York Times Company. https://www.nytimes.com/2018/11/11/world/canada/marijuana-legalization-teenagers.html. Retrieved 07 July 2021. 
  2. 2.0 2.1 Stoller, D.R. (18 November 2018). "Legal Canadian Pot Sales Spur Data Privacy Concerns". Bloomberg BNA. Archived from the original on 02 January 2019. https://web.archive.org/web/20190102164241/https://www.bna.com/legal-canadian-pot-n57982093971/. Retrieved 07 July 2021. 
  3. 3.0 3.1 Blinch, M. (27 August 2018). "How privatized cannabis sales threaten your privacy". The Conversation. https://theconversation.com/how-privatized-cannabis-sales-threaten-your-privacy-101870. Retrieved 07 July 2021. 
  4. "A society in transition, an industry ready to bloom: 2018 Cannabis Report" (PDF). Deloitte LLP. 2018. https://www2.deloitte.com/content/dam/Deloitte/ca/Documents/consulting/ca-cannabis-2018-report-en.PDF. Retrieved 07 July 2021. 
  5. 5.0 5.1 Moore, B. (27 September 2018). "Cova Software Announces Plan to Retain Retail Cannabis Data in Canada". NCIA News. National Cannabis Industry Association. https://thecannabisindustry.org/member_news/cova-software-announces-plan-to-retain-retail-cannabis-data-in-canada/. Retrieved 07 July 2021. 
  6. "Canada's Privacy Laws vs. the USA PATRIOT ACT". FindLaw. Thomson Reuters. 2 August 2004. https://corporate.findlaw.com/law-library/canada-s-privacy-laws-vs-the-usa-patriot-act.html. Retrieved 07 July 2021. 
  7. Abraham, E. (18 October 2018). "Cannabis may be legal in Canada – but this is why it's still not safe to buy it online". Independent. https://www.independent.co.uk/voices/cannabis-canada-legal-sale-buying-online-risks-a8589716.html. Retrieved 07 July 2021. 
  8. Perkel, C. (7 November 2018). "Canada Post admits cannabis privacy breach involving 4,500 Ontario customers". CTV News. https://www.ctvnews.ca/canada/canada-post-admits-cannabis-privacy-breach-involving-4-500-ontario-customers-1.4167149. Retrieved 07 July 2021. 
  9. Hutchinson, R. (22 March 2017). "Marijuana and Privacy: A Primer". Security, Privacy and the Law. Foley Hoag LLP. https://www.securityprivacyandthelaw.com/2017/03/marijuana-and-privacy-a-primer/. Retrieved 07 July 2021. 
  10. Marum, A. (19 April 2017). "Smoke pot in Oregon? Your name now protected from feds". The Oregonian. https://www.oregonlive.com/marijuana/2017/04/marijuana_user_data_protected.html. Retrieved 07 July 2021. 
  11. Sherry, K. (4 October 2018). "Client Alert: New California Privacy Law, AB-2402, Specifically Targets Cannabis Licensees". Nelson Hardiman Newsroom. Nelson Hardiman LLP. https://www.nelsonhardiman.com/client-alert-new-california-privacy-law-ab-2402-specifically-targets-cannabis-licensees/. Retrieved 07 July 2021. 
  12. Drolet, M. (15 May 2017). "Cannabis and privacy compliance: Is your health information protected?". Cannabis Business Executive. https://www.cannabisbusinessexecutive.com/2017/05/hippa-cannabis-and-privacy-compliance/?utm_source=CBE+Master+List&utm_campaign=3dd8f01b21-CBE+Policy+%26+Legal&utm_medium=email&utm_term=0_1f64189714-3dd8f01b21-264215833. Retrieved 07 July 2021. 
  13. "USMJ and Landstar Plan to Bring Data Privacy and HIPAA Compliance to Marijuana Consumers". PR Newswire. 14 November 2018. https://www.prnewswire.com/news-releases/usmj-and-landstar-plan-to-bring-data-privacy-and-hipaa-compliance-to-marijuana-consumers-831506836.html. Retrieved 07 July 2021. 
  14. 14.0 14.1 Fawkes, G. (24 January 2020). "Report: Cannabis Users’ Sensitive Data Exposed in Data Breach". vpnMentor Blog. https://www.vpnmentor.com/blog/report-thsuite-breach/. Retrieved 07 July 2021. 
  15. 15.0 15.1 Shaghaghi, S.; Weinstein, I. (18 February 2020). "Leak of 30,000 cannabis customer records heightens need for effective data security". Insights. CohnReznick LLP. https://www.cohnreznick.com/insights/leak-of-30000-cannabis-customer-records-heightens-need-for-effective-data-security. Retrieved 07 July 2021. 
Retrieved from "https://www.cannaqa.wiki/index.php?title=User:Shawndouglas/sandbox/sublevel10&oldid=17120"