With high growth, comes high risk: Is the cannabis industry data protection ready?

Published: November 12, 2018

Author: Paul Saabas, Vice President, Shred-it

The cannabis industry is booming in Canada. As the first G7 country to legalize adult-use cannabis, industry players are moving at a rapid pace. In an industry where reputation is everything, it’s worth asking the question, are cannabis licensed producers (LPs) doing what they can to ensure that customer information is kept confidential? Shred-it’s 2018 State of the Industry Report confirms that 94% of Canadians believe that employee negligence is a contributor to data breaches, which highlights the importance of prioritizing data security and properly training employees on information security.


Many LPs operate clinics and dispensaries that collect personal and confidential medical information from patients. Cannabis players that chose to operate in the recreational space still collect personal information from customers and need to ensure that they hold themselves to the same standards as hospitals and medical clinics when it comes to information protection. A 2017 report from the Ponemon Institute states that healthcare organizations that had a data breach experienced a 6.25% decline in their stocks, lost more than 4% of patients and it took over three months to recover from the financial damages of the breach. It is expected that this same decline in stocks and customers can be seen in both the recreational and medicinal cannabis markets if a breach occurs.


Shred-it’s 2018 Security Tracker, its annual survey conducted by Ipsos, looked at information security practices of both C-suites and small business owners. This year the study also examined millennials and the topic of data security. The results were surprising – and concerning. Despite having grown up in the digital and mobile era, millennials are lagging behind their generation X (35-55) and baby boomer (55+) colleagues when it comes to safe data protection practices – a finding that is particularly concerning for the cannabis industry given the number of millennials in its workforce.

Below are four steps that can be taken by cannabis LPs, dispensaries/clinics, recreational brands and other industry players to avoid data breaches:

1.) Understand privacy laws and regulations: The cannabis industry is heavily regulated, and the slightest violation will have financial and reputational consequences. It is important to educate and continuously train employees on relevant privacy laws that pertain to them and their industry, such as the PIPEDA (Personal Information Protection and Electronic Documents Act), and the Consumer Protection Act (CPA).

2.) Implement a “Clean Desk” and “Shred-it All” Policy: It is essential to ensure that confidential information is not left on desks at the end of the day. Leaving information out in the open is one of the risks of having open concept offices. Documents should be either filed away, or placed in a locked console for shredding if no longer needed. Shred-it’s 2018 Security Tracker Study found that 48% of millennials leave notebooks on their desks when they leave work, and only half of them regularly shred confidential documents.

The report also found that 37% of millennials regularly leave their computers on and unlocked after work compared to 22% of generation X (35-54). Additionally only half of the millennials surveyed regularly shred confidential documents compared to 65% of generation X and 52% of baby boomers.

3.) Destroy unused hard drives: Employers should remind employees that hard drives should always be securely destroyed since confidential information remains on hard drives even after it has been erased, deleted or reformatted.

4.) Emails and Phishing Scams: Email and phishing scams are a frequent and persistent method hackers use to gain access to a company’s sensitive information. Online scams accounted for more than 20,000 complaints, according to the Canadian Anti-Fraud Centre in 2016, and cost Canadians more than $40 million.

It is important for cannabis LPs to protect their investors’ and customers’ personal information as well as other internal documents. When setting up internal operations, it’s valuable to conduct a security risk assessment or do a one-time document clean out. To learn more about how Shred-it can help, visit http://www.shredit.com/.