Why marijuana legalization could impact cyber risk

Commercial brokers looking to place insurance for cannabis providers should be paying close attention to the information their clients keep on medical marijuana patients.

Cannabis regulations announced last week will supersede the Access to Cannabis for Medical Purposes Regulations once the regulations take effect this October.

What may be interesting to cyber insurance providers is the fact that cannabis companies providing medical marijuana “will have a lot of information on the clients that are users and are purchasing the cannabis,” said Richard Provost, a partner with Langlois lawyers LLP in Montreal.

There is some question as to “what extent the cannabis producer will have details on the patient information,” Provost, whose specialties include insurance law, said Friday in an interview. “For instance, does the producer know if indeed the customer has a mental health issue or a cancer issue?”

Medical marijuana has been legal with restrictions in Canada for more than 18 years. Recreational marijuana will remain illegal until Oct. 17, when a federal law passed in June takes effect. The regulations published July 11 are intended to “improve patient access and reduce the risk of abuse of the system,” the federal government says. Other sections of the regulations stipulate conditions for obtaining licenses to produce and sell cannabis.

Companies that fail to keep sensitive personal information secure can face lawsuits under the head of damage of “intrusion upon seclusion,” recognized in 2012 by the Court of Appeal for Ontario as a tort. In essence, this means that a plaintiff whose personal information was compromised could be awarded thousands of dollars even if there was no economic loss.

In the healthcare field, Peterborough Regional Health Centre is being sued in a class-action arising from alleged improper access of about 280 records.

The new federal cannabis regulations will bring in a new “cannabis drug licence,” which applies to the production, distribution and sale of drugs containing cannabis.

It will also bring in a “licence to sale for medical purposes.” Companies wanting to sell medical marijuana will need to retain information on clients, including a “medical document,” defined in the regulations as one “provided by a health care practitioner to support the use of cannabis for medical purposes.”

The new regulations do not explicitly mandate that medical marijuana providers retain information on a patient’s medical conditions. But in theory it is still conceivable that a cannabis producer could have “sensitive” medical information on a client, Provost suggesetd.

The new regulations also require marijuana producers to retain key information on investors. Required investor information includes the name, mailing address, amount of money provided, conditions under which money was provided and what degree of control (if any) the investor has over the cannabis company.

Some information required – on loan agreements, for example – is “perhaps a little sensitive, but I do not think that this necessarily would require some special attention for policy drafting for cyber [insurance],” Provost noted.