Data, Physical Security Challenges for Canadian Cannabis Stores – UPDATED

By: Lee Rickwood

October 19, 2018

With this week’s legalization of cannabis in Canada, online outlets and physical stores that supply the product have both data protection and physical security challenges to meet.

In fact, the need for customized IT, data security and physical protection services is creating a secondary industry for the Canadian cannabis scene, one that is attracting major international companies to this country.

Ontario and Quebec have given the go-ahead for the sale of recreational marijuana through provincially-owned vendors, and for the time being at least, eliminated the notion of private sector retailers.

(UPDATE: Barely 24 hours after this story was posted, customer concerns over data privacy and security have have led New Brunswick to remove electronic ID scanning devices being used in cannabis outlets in that province.  The privacy commissioner has launched an investigation as a result of reported concerns over data privacy.)

Nova Scotia cannabis webpage

Canadian provinces have different approaches to cannabis sales, but they face similar challenges: Nova Scotia’s splashy website is shown.

On the other hand, British Columbia and Alberta are permitting privately-owned marijuana dispensaries.

While this industry is a new one, it has many safety and security similarities with retail money lenders, liquor stores and prescription drug pharmacies. Canadian companies with track record serving those more established industries are now offering similar services to nascent cannabis vendors.

For storefront operators (and for licensed producers, of course) physical and site security needs are paramount, and in fact are a condition of licensing. Operators must secure all entry and exit points with access control, surveillance and intrusion detection technologies. Card readers or fob systems with electronic locks, remote control and reporting are expected. Product storage, inventory supply and transportation must be securely guarded, and all facilities are expected to have robust monitoring and surveillance. Properly protected cannabis dispensaries are advised to become techno-fortified castles by experienced service providers.

And that doesn’t begin to address the online IT security and data protection requirements that are required by law or expected by consumers.

Cannabis vendors will have an enormous amount of customer data to collect and protect, such as an individuals’ name, address and email; personal purchase histories and patient medical records; customer cash / credit card purchase activities and more. POS (point-of-sale) systems and the networks they connect to must also be protected.

Meeting the need for such customized IT and security protection in the cannabis industry here was a key motivator for GeekTek IT Services, and its ongoing plans to set up shop here and expand its technology and data security offerings.

Based in L.A., founded back in 1999, the company has now set-up what it calls “five practice areas” out west, and launched private managed private cloud facilities in Vancouver and Toronto. It has five offices across the country as part of its announced expansion strategy to meet the demand for cannabis businesses seeking premium technology expertise.

Led by CEO Eric Schlissel, the company has developed scalable solutions tailored for cannabis companies through the strategic application of technology.

“There are high expectations of explosive growth in the cannabis industry in the coming years, and we are uniquely equipped to help businesses reach their full potential,” Schlissel said when announcing the Canadian initiatives. “When contemplating large-scale, staged roll-outs across multiple provinces, it is critical for businesses to have a trusted technology partner to handle their information technology and data security.”

As he says, it’s critical for businesses. And in this country, for this industry, those business may well be public institutions. As such, they have their own critical safety and data protection requirements to meet. Public institutions in Ontario must meet the regulations described in the Freedom of Information and Protection of Privacy Act (FIPPA), which regulates access to information those institutions hold.

“All public institutions are responsible for having strong privacy protections in place to ensure personal information remains secure and protected at all times,” the office of Ontario privacy commissioner Brian Beamish has stated. “Personal information provided to a public institution for the purposes of buying cannabis is no exception.”

The office added that a federally-contracted private company collecting personal information for the government must spell out the terms, use and security of their customers’ information.

“These legal requirements must be met by the institution regardless of where the data resides or who is accessing it,” the office’s statement read.

With any online or data-driven transaction, cannabis-related or not, a security breach or even a routine data transfer to another jurisdiction could put the data at risk.

ontario's cannabis webpage

Ontario’s online cannabis outlet is already facing some shortages and slowdowns, among other challenges.

It’s a point not lost on the cannabis outlets in Canada: the Ontario Cannabis Store (the OCS is for now the only legal way to purchase recreational cannabis in the province) makes a specific point in its website documentation that it stores customer personal information under its custody or control in Canada, and employs organizational, contractual, technical and physical security measures to protect that information.

The OCS goes on to note that “no transmission over the Internet can be guaranteed to be completely secure since ‘perfect security’ does not exist on the Internet. Consequently, OCS does not represent, warrant, covenant or guarantee the complete security of the personal information [users] provide to OCS.

The cautionary language is appropriate because, while OCS is a provincial government agency, the actual online transactions will be handled by Shopify, a publicly-traded e-commerce company based in Ottawa.

Shopify states it will protect customer data, but in its online privacy policy some of the possible gaps in that protection are highlighted: “We provide services to individuals and our technology processes data from users around the world. Accordingly, Shopify may transmit your personal information outside of the country, state, or province in which you are located.”

The policy goes on to state: “Shopify works with a variety of third parties and service providers to help provide you with our Services and we may share personal information with them to support these efforts.”

shopify webpage mock-up

A mock-up of Shopify’s online cannabis shopping service. The company’s privacy policy makes for interesting reading, as well.

Not only are charge card payments and related processing handled by third-parties (for example, Visa and MasterCard are accepted at Ontario’s online cannabis outlet), other online portal partners can include third-party analytic services from companies like Google.

A 2018 Deloitte Report on the budding cannabis industry here identified consumer confidence about data protection to be a critical element in the industry’s success:

“Cannabis consumers worry about the privacy and security of their personal information, and they expect that information to be protected, especially online. Retailers will need to ensure they invest in robust privacy and e-commerce cybersecurity.”

Despite the possible risks and impacts on consumer confidence, the Canadian cannabis business seems to be doing well: Ontario’s online outlet is already noting a high volume of orders that may take up to five (up from three originally) days to fulfill.

So, put data protection, physical security and inventory supply among the challenges that Canada’s cannabis outlets are facing.


webpage shows 404 error message

Response was high on the first day of legal cannabis sales in Canada; Ontario’s online portal faced some initial glitches.


Related:   Cannabis

1 comment

  1.' lee says:

    Canada Post has acknowledged a significant data breach involving data connected with its cannabis deliveries on behalf of the OCS, in a statement released this week that perhaps thousands of customers’ personal information has been accessed improperly:

    “Canada Post notified the Ontario Cannabis Store (OCS) on November 1, 2018 that limited delivery information from approximately 4,500 customer orders had been accessed by an individual OCS customer through our website using OCS reference numbers.

    “Both organizations have been working closely together since that time to investigate and take immediate action. As a result, important fixes have been put in place by both organizations to prevent any further unauthorized access to customer information. We have also shared with OCS that we are confident that the customer who accessed the information only shared it with Canada Post and deleted it without distributing further.

    “We are pleased that OCS has notified their customers of the issue and will continue to work together to provide customers with assurance that this is being fully addressed. We have also notified the Federal Privacy Commissioner and the Ontario Information and Privacy Commissioner.

    “Canada Post takes the privacy of information seriously and continues to work with OCS.”

Leave a Reply

Your email address will not be published. Required fields are marked *