Last week we discussed the data breach notification laws with which cannabis companies doing business in Oregon must comply following a cyber intrusion. Today, we discuss the safeguards these companies must adopt to protect the security, confidentiality and integrity of the personal information of customers and employees who reside in Oregon (each, a “Consumer”).
Pursuant to Oregon Revised Statutes (“ORS”) § 646A.622 any business that “owns, maintains or otherwise possesses, and has control over or access to,” written and electronic data that includes personal information used for business purposes, must develop, implement, and maintain reasonable safeguards to protect the personal information.
Generally, “personal information” means a Consumer’s first name or first initial and last name in combination with, for example, a Consumer’s social security number, driver license number or financial account information, if (1) encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and (2) the data element or combination of data elements would enable a person to commit identity theft against a consumer.
The company must act in accordance with this law by:
(1) Complying with:
- State or federal laws with greater protections for personal information than ORS § 646A.622;
- The Gramm-Leach-Bliley Act as it existed as of June 2018 (the statute previously referenced the act as of January 1, 2016), if the company is subject to that act; or
- Requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as of June 2018, if HIPAA applies to the company;
(2) Implementing a security program that includes:
Administrative Safeguards, such as:
- Frequently identifying reasonably foreseeable internal and external risks;
- Frequently training and managing employees in security program practices and procedures; and
- Selecting service providers that are capable of maintaining appropriate safeguards and adhering to the procedures and protocols to which you and the service provider agree, and requiring the service providers by contract to maintain those safeguards, procedures and protocols.
Technical Safeguards, like:
- Assessing risks and vulnerabilities in network and software design;
- Taking reasonably timely action to address the risks and vulnerabilities; and
- Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;
Physical Safeguards, including but not limited to:
- Monitoring for, detecting, preventing, isolating and responding to intrusions in a timely manner and on a regular basis; and
- Disposing of personal information after you no longer use it for business purposes, pursuant to local, state and federal law.
So what does all of this mean? Simply put, business owners with 100 or fewer employees (which includes almost all Oregon cannabis businesses), will comply with these statutory requirements if their information security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate to: (1) the size and complexity of their business; (2) the nature and scope of their activities; and (3) the sensitivity of the personal information collected from or about a Consumer.
Cannabis businesses should take these safeguard standards seriously. Each violation is subject to a penalty of up to $1,000. Note that each day of a continuing violation is a separate violation, but the maximum penalty for any occurrence is $500,000. Civil penalties under ORS § 183.745 may also apply.
Complying with ORS § 646A.622 is not only required by law, it is also a very good idea for all cannabis businesses. Indeed, developing a vetted, comprehensive plan of action is the best way to respond effectively to an attack and to reduce the damage to your company. Be safe out there!