When it comes to cyber security threats, everyone is at risk – regardless of the size or industry of the business. We see this as the cannabis industry was hit hard last week when a software vulnerability, which revealed data from at least 30,000 people from multiple dispensaries across the U.S., was exposed.
Although it remains unclear by whom the data was accessed by, this incident highlights the particular risk that businesses in the cannabis industry face: legal requirements to collect detailed personal records from clients and a fluid regulatory landscape. This incident also highlights that a proactive cyber security plan can help shift legal risk, and likewise well-drafted liability protections if a data breach does happen.
What is Cyber Liability Insurance?
Similar to other types of liability insurance, cyber liability policies protect businesses in the case of a data breach, ransomware attack, or other cyber security failure. These types of policies cover expenses or losses incurred when a network or database has been hacked, ransomed, or otherwise compromised. Coverage typically includes:
• Notification costs – including investigating, responding to and resolving an actual or suspected data breach, and alerting potentially affected people. You might need mailings, call centers, or even additional staff.
• Credit monitoring costs – companies trying to mitigate a security breach often provide free credit reports or monitoring, as well as identity theft insurance costs to defend claims by state or federal regulators.
• Ransom payments – sadly, hackers can (and have) taken networks and databases hostage. Liability insurance would cover ransom payments, as well as costs for data recovery and restoration and loss from business interruption.
• Fines and penalties – with new data privacy laws emerging, the penalties for failing to protect consumer data could be substantial.
• Third party liability – if allegations of negligence or failure to take reasonable measures to prevent a security breach arise then, a third party business could be held responsible.
• Crisis management costs – to track and contain both the cyber threat and the fallout, you may need forensic investigators, professional crisis management, or strategic communications support.
Cyber liability insurance is an increasingly important risk management tool that organizations rely on as a part of a larger, comprehensive cyber security and privacy breach response plan. Take note that cyber liability insurance is different from technology errors and omissions (tech E&O) insurance, which is designed to protect companies that provide technology products and services, such as computer software manufacturers. Cyber liability insurance covers the fallout from a particular breach of customer or client data.
Why Cannabis Businesses Need It
Any business that collects personal data could face substantial liability in the event of a breach, however the cannabis industry faces even more risk, because of the unique amount and often type of information dispensaries and other businesses are required to collect. In addition, due to constantly shifting industry and regulatory landscape, many cannabis businesses may find themselves in uncharted territory and are likely to have questions about cyber liability risks. It is also important to note that while general liability insurance policies may cover some cybercrime losses, they generally will not provide the comprehensive coverage needed to mitigate the damage from a data breach. Some general liability policies may even contain exclusions for cyber liability losses and claims.
One thing is for certain: data is becoming increasingly valuable. Our Beckage CannaPrivacy Team understands the importance steps businesses should implement to protect this valuable data. If the worst happens, it is critical to have the right liability coverage to minimize losses and disruption. Our team can help assess liability coverage, using their expertise to help map out a nuanced cyber liability insurance plan for any business in the cannabis industry.
*Attorney Advertising. Prior results do not guarantee future outcomes.