Do you have a sense of how much customer (or patient) information is in your custody—known and unknown? Odds are there is more than you think, and you are responsible for protecting it under an alphabet soup of rules, regulations, and guidelines. Some are intended to protect individuals from the risks of identity theft and fraud; others are designed to prevent the exposure of an individual’s data in ways that can put them in harm’s way. If you really think about it, it is a monumental responsibility, fraught with multi-million dollar liabilities.
Too often, small and medium sized businesses aren’t aware of the requirements, or don’t believe they apply to them—please note that they do. The harsh reality is that data breaches are not new, are happening daily, and big businesses aren’t the only targets—just the most publicized.
The cannabis industry is not unique in its exposure to data breaches; in fact, it is a rapidly escalating target, as highlighted by the incidents involving the THSuite and MJ Freeway POS systems. As debit card payments, online pre-ordering and delivery expand, the number of attack vectors grows exponentially, and a purely defensive approach isn’t enough. With the stage set, let’s take a look at some of the areas that need to be considered and what the heck they mean.
- What is PII, CHD, HIPAA, PHI, PCI?
Don’t let the alphabet barrage confuse you; it all distills down to any information that by itself, or in conjunction with other relevant data, can identify an individual. This is referred to as “PII” (Personally Identifiable Information). A good example: ‘non-sensitive PII’ can be found easily from public sources, but when combined with a driver’s license number it puts an individual—and the business that exposed the data—at risk. Here are some translations and their application (we just covered PII):
HIPAA ‘Health Insurance Portability and Accountability Act’ – This was designed to provide privacy standards to protect patients’ medical records and other health information.
PHI ‘Protected Health Information’ – This is any information in a medical record that can be used to identify an individual, and that was created, used, or disclosed in the course of providing a health care service, such as a diagnosis or treatment.
PCI ‘Payment Card Industry’ compliance – Payment card industry compliance refers to the technical and operational standards that businesses must follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions.
CHD ‘Cardholder Data’ – This consists of the primary account number (PAN), cardholder name, card expiration date, and the Card Verification Value (CVV), which is encoded on the magnetic stripe and/or card chip.
- How do you know what applies?
It all applies – period. The only distinction is which guideline, regulation or compliance standard governs a given piece of data. Keep in mind that a key area of exposure is an individual’s ID information being inappropriately held or retained.
Among retailers there is a prevailing misconception that the card processor holds all of the liability in the case of a data loss—it doesn’t. Keep in mind that the PCI rules apply to any card product, including debit cards and ID verification, so don’t fall into the trap of believing your business is immune to the responsibilities of proper management of PII.
In addition to any card-related data compliance, a medical dispensary falls under HIPAA regulation, which adds another layer of complexity. Plus, don’t forget your responsibilities around protecting employee information.
- Consequences of bad practices are, well…bad.
If you’re not feeling squeamish, or at least a bit anxious, by now, that means either you’ve got this buttoned up or you are in the ‘it doesn’t apply to me’ camp. In either case, the odds are stacked against you if you are not taking proactive steps.
While the risk of suffering a fine resulting from a data breach is relatively low, the cost is staggering. Analysis of the cost impact of data breaches puts the fiscal implications of such an event at a chilling $3.92 million…each! Because the cannabis industry’s products are classified as age restricted, a variety of ID check requirements have been instituted. This creates a largely overlooked risk of PII being captured in some fashion without proper data management. There are many questions to ask in assessing your risk, but the following 3 are a good starting point:
- Does your POS store an image of a customer’s ID or ID number?
- Do you make a copy of a patient’s ID for your files?
- Does a customer’s ID ever leave their line of sight?
If you answered ‘yes’ or ‘maybe’ to any of these questions – take action now.
- Protection in a Digital Age
Being held responsible for the exposure of information that may not be fully in your control is scary, and as pointed out, there is more exposure than you might realize. Taking steps to reduce the exposure of sensitive information is an important part of protecting your customers, and it starts with anonymization.
It may feel contradictory to say that digitally validating and verifying a person’s identity is a means of anonymizing it, but it really isn’t. A digital process applies a series of layers of obfuscation and encrypts all identifying information, rendering the result unusable to bad actors and thereby preventing harm if it is inappropriately accessed or breached. These protective layers simply aren’t possible in an analog environment or in a poorly executed digital one, e.g. photocopies of an ID.
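To make the anonymization idea concrete, here is an added illustration (not code from this post or from any product it describes) of what a point-of-sale system can keep after an ID check: the outcome of the age check and a keyed pseudonym of the ID number, rather than the name, date of birth, ID number or an image of the card. The sample ID record, the field names and the secret key are constructed placeholders; in practice the key would live outside the POS database.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample of what an ID scan yields; not a real person.
SCANNED_ID = {"name": "Jane Q. Sample", "dob": "1990-06-15",
              "id_number": "D1234567", "state": "XX"}

# Assumption: a per-deployment secret kept outside the POS database
# (secrets manager / HSM). Placeholder value only.
TOKEN_KEY = b"example-only-do-not-use-in-production"
MIN_AGE = 21

# Fields that must never land in the retained record.
PII_FIELDS = {"name", "dob", "id_number", "id_image", "address"}


def age_on(dob: str, today: date) -> int:
    """Whole years between an ISO date of birth and `today`."""
    y, m, d = map(int, dob.split("-"))
    return today.year - y - ((today.month, today.day) < (m, d))


def pseudonymize(id_number: str, key: bytes) -> str:
    """Keyed hash of the ID number. The same ID always maps to the same
    token (so repeat visits can be recognised), but without the key the
    token cannot be reversed or matched against a list of ID numbers."""
    return hmac.new(key, id_number.encode(), hashlib.sha256).hexdigest()


def verification_record(scan: dict, today: date, key: bytes = TOKEN_KEY) -> dict:
    """What the POS should retain: a verification outcome, not an identity."""
    return {
        "id_token": pseudonymize(scan["id_number"], key),
        "age_ok": age_on(scan["dob"], today) >= MIN_AGE,
        "verified_on": today.isoformat(),
    }


def contains_pii(record: dict) -> bool:
    """Retention check: does a stored record still carry raw PII fields?"""
    return bool(PII_FIELDS & set(record))


if __name__ == "__main__":
    rec = verification_record(SCANNED_ID, date(2024, 6, 14))
    print(rec, "pii retained:", contains_pii(rec))
```

The `contains_pii` check is the kind of test to run against whatever your POS actually writes to disk, which is the substance of the three questions above.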
The responsibility to protect your customer and patient information is a serious one. Leveraging technology that enables identity matching and age verification with multi-layer anonymization and dual-key liveness biometric authentication far exceeds any established regulations and protects your customers and business.
A digital solution can streamline operations, protect and nearly eliminate risk.