Guest post written by Beckage
In the cannabis industry, where some state governments have deemed access to cannabis an essential service, the resulting mix of some employees working from home while others are on site serving patients and customers in dispensaries has complicated matters for data security managers and their response plans.
Incident Response for the Cannabis Industry
What is an Incident Response Plan? It is a company’s strategy for tackling potential setbacks: its playbook for deploying a rapid, proportional response to a potential security threat, with the goal of complying with applicable data privacy and security laws while maintaining client services. Creating a proactive strategy for potential data breaches starts with listing the roles and responsibilities of staff positions as they work through the phases of Detection, Analysis, Containment and Eradication, Recovery and Reporting. The key staff members designated to run point in a crisis are called the Incident Response Team (IRT). Their ability to execute a quick and comprehensive incident response is often key to a company’s success in a crisis.
Here are some important considerations in evaluating your current Incident Response Plan, particularly at a time of a distributed workforce and working from home.
4 Incident Response Tips for Cannabusinesses
Evaluate Your Team’s Capabilities to Detect an Incident
In your new work-from-home environment, consider how your IT staff will be available in the earliest moments after a potential incident is reported. Wherever possible, it may be time to consider endpoint detection and response solutions, an addition to your IT management environment that can provide remote insight into and management of laptops being used by employees from their homes. Such a solution can speed the collection of important forensic details and hasten containment and the wider response, helping avoid or mitigate any costly interruption to dispensary or online sales. Since operating a cannabis dispensary carries heightened risk in terms of cash and data collection, your ability to respond to critical situations should be equally heightened.
Maintain Privilege and Confidentiality in Remote Communications
With your company’s team members working from home, which communication methods yield a lower risk of interruption, are more secure, and are available to all members? Be careful about using free platforms or apps to communicate. Many are not secure, there is no expectation of privacy, and the data stored can be discoverable or subject to subpoena. Public companies should be especially mindful of this. When applicable, legal counsel should be part of calls to help protect sensitive communications under the attorney-client privilege.
In situations where staff are on site in dispensaries or facilities, it is key to update and retrain teams about any new reporting requirements tied to incident detection. In other words, if an employee notices something is amiss on a dispensary or facility system, cannabis companies do not want that employee following an outdated communication plan where they call an unattended office phone number or contact a help desk that is not online. Monitoring systems for indicators of compromise starts with your employees, and your company should establish SOPs for how employees communicate threats and when their initial response should be escalated to the proper internal security team.
Do Not Put Off Your Annual Table-Top Exercise
Incident Response Plan rehearsal reminds all security team members of the importance of communication and of critical legal determinations, such as what constitutes a data breach and whether customer notification or government agency reporting is required. Where a potential incident interrupts any dispensary’s verification process for medicinal customers or the online ordering process of a web-based service, Incident Response Plan practice gives the responders space to rehearse their efforts to avoid or mitigate interruption to operations. Outside counsel can run the tabletop exercise to help protect attorney-client privilege, and can introduce scenarios to best test the team on current threats.
Now that your cannabis company’s team is working from home, how will they make use of your Incident Response Plan and communicate threats? The best way to find out is to schedule time to run a remote tabletop exercise. The updated exercise can provide insight into new strengths or weaknesses created by a distributed team. Such practice can highlight the differences created by an at-home response, such as whether everyone on the team has a hard copy of the Incident Response Plan in the event one is not accessible online. Don’t assume your cloud software will be available at all times; protect yourself with hard copy backups of crucial SOPs.
New Laws Require Updates to Policies
Updating your Incident Response Plan is key, but it should be done in coordination with new and emerging data security and privacy laws and current threats. In parallel with rolling out new work-from-home measures, companies should consider adjusting relevant policies, such as the Acceptable Use Policy, and assess how new access controls or encryption measures, such as virtual private networks, multi-factor authentication and other controls, can help mitigate risks to security. By remaining vigilant and keeping continuous focus on the issues of security and privacy, companies stitch best practices into the cultural fabric of their team.
Cannabis companies are no different than other companies in the pressure they’re feeling with a distributed workforce during the global COVID-19 pandemic. Is your company prepared for any potential security or data threats due to this new digital workplace? Don’t wait for an incident to be prepared. There’s no better time than now to run a digital exercise to keep your company safe and secure.
If you have questions about creating a legally defensive Incident Response Plan, contact sophisticated tech counsel; we would be happy to help. Beckage is a law firm focused only on tech, data security and privacy. Its lawyers are also technologists and former tech business owners. Beckage is also proud to be a certified Minority and/or Women-Owned Business Enterprise (MWBE).