Illinois Cannabis Dispensaries and Their Vendors Should Pay Close Attention to Upcoming Compliance Deadlines

The Illinois Department of Financial and Professional Regulation (IDFPR) recently provided guidance interpreting data privacy and security requirements in Illinois’ Compassionate Use of Medical Cannabis Program Act (A280). Specifically, IDFPR recently published an FAQ outlining its interpretation of, and deadlines associated with, the Act’s requirement that Illinois cannabis dispensaries comply with certain sections of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The guidance from IDFPR describes steps dispensaries must take to protect the security and privacy of health information, consistent with requirements in the HIPAA Privacy and Security Rules. As of August 1, 2021, dispensaries are required to provide customers with a Notice of Privacy Practices. The FAQ directs dispensaries and many of their vendors to conduct, by December 1, 2021, a security risk analysis that identifies risks to health information and the likelihood and impact of those risks. Dispensaries must also adopt administrative, technical, and physical controls consistent with HIPAA standards by December 1, 2021.

Fines of up to $10,000 per violation may be issued against dispensaries and their agents. Examples of violations cited in the FAQ include sharing computer passwords, discussing health information with third parties, not using an industry-standard firewall, and not encrypting computers or networks that store health information.

Dispensaries and technology vendors that host health information on behalf of dispensaries should meet with counsel to discuss how these new requirements can be efficiently incorporated into existing compliance programs. Specifically, dispensaries and vendors should confirm that their compliance programs include:

  1. Administrative safeguards: Under HIPAA these include a security management process, assigned security responsibility, workforce security, information access management, security awareness training, security incident procedures, a contingency plan, and an evaluation.
  2. Physical safeguards: Under HIPAA these include facility access controls, workstation use procedures, workstation security, and device and media controls.
  3. Technical safeguards: Under HIPAA these include access controls, audit controls, integrity controls, person or entity authentication, and transmission security.

Two HIPAA safeguards that IDFPR focuses on in its guidance are security risk analysis and encryption of health information at rest and in transit. Although HIPAA has no prescriptive timeframe for a security risk analysis, the IDFPR FAQ states that medical cannabis dispensing organizations should conduct a security risk analysis annually to identify areas of high security risk to health information and implement security measures to address those risks.

Below are just a few key questions cannabis dispensaries and vendors should ask themselves as they evaluate readiness for these new requirements:

  1. Do I need to update my Notice of Privacy Practices or website privacy policies?
  2. Do I need to appoint additional privacy and security personnel?
  3. Is my training program appropriate and adequate?
  4. Do I need to consider additional administrative, technical, or physical controls to prevent unauthorized access (e.g., encryption, multi-factor authentication, heightened password requirements, access controls)?
  5. Is my annual risk analysis sufficient?
  6. Do I need to change my vendor management protocols or contract documents?
  7. Does my incident response plan consider relevant notification requirements?
  8. How should I document these compliance measures?

As the cannabis industry continues to grow, attention from state legislators and regulators increases. Cannabis dispensaries (and technology vendors operating in Illinois) should review their privacy and security programs to confirm compliance with HIPAA’s standards, which the state incorporated into the Compassionate Use of Medical Cannabis Program Act (A280).

Octillo focuses on the tech and privacy side of Cannabis so companies can grow smarter and more secure. We work closely with IT teams, general counsel, and executive leadership to accomplish these results. For more information regarding the Compassionate Use of Medical Cannabis Program Act (A280), email Octillo Cannaprivacy Team Lead Daniel P Greene, Esq., CIPP/US, CIPP/E at dgreene@octillolaw.com or call 716.898.2102.

*Attorney advertising: prior results do not guarantee similar outcomes.

Daniel P. Greene, Esq. Was Published in ‘Cannabis & Tech Today’

Octillo CannaPrivacy and Incident Response Team Lead Daniel P. Greene, Esq., CIPP/US, CIPP/E, was published in Cannabis & Tech Today’s Summer 2021 issue for his article, ‘The Cannabis Industry’s Growing Threat of Business Email Compromise.’


Recent Cannabis Industry Data Breach Highlights Importance of Risk Mitigation Through IT Contracting & Insurance

When it comes to cyber security threats, everyone is at risk, regardless of the size or industry of the business. We saw this last week when the cannabis industry was hit hard: a software vulnerability exposed data belonging to at least 30,000 people from multiple dispensaries across the U.S.

Although it remains unclear who accessed the data, this incident highlights the particular risk that businesses in the cannabis industry face: legal requirements to collect detailed personal records from clients and a fluid regulatory landscape. This incident also highlights that a proactive cyber security plan can help shift legal risk, and that well-drafted liability protections do the same if a data breach does happen.

What is Cyber Liability Insurance?

Similar to other types of liability insurance, cyber liability policies protect businesses in the case of a data breach, ransomware attack, or other cyber security failure. These types of policies cover expenses or losses incurred when a network or database has been hacked, ransomed, or otherwise compromised. Coverage typically includes:

• Notification costs – including investigating, responding to and resolving an actual or suspected data breach, and alerting potentially affected people. You might need mailings, call centers, or even additional staff.

• Credit monitoring costs – companies trying to mitigate a security breach often provide free credit reports or monitoring, as well as identity theft insurance costs to defend claims by state or federal regulators.

• Ransom payments – sadly, hackers can (and have) taken networks and databases hostage. Liability insurance would cover ransom payments, as well as costs for data recovery and restoration and loss from business interruption.

• Fines and penalties – with new data privacy laws emerging, the penalties for failing to protect consumer data could be substantial.

• Third party liability – if allegations of negligence or failure to take reasonable measures to prevent a security breach arise, then a third party business could be held responsible.

• Crisis management costs – to track and contain both the cyber threat and the fallout, you may need forensic investigators, professional crisis management, or strategic communications support.

Cyber liability insurance is an increasingly important risk management tool that organizations rely on as a part of a larger, comprehensive cyber security and privacy breach response plan. Take note that cyber liability insurance is different from technology errors and omissions (tech E&O) insurance, which is designed to protect companies that provide technology products and services, such as computer software manufacturers. Cyber liability insurance covers the fallout from a particular breach of customer or client data.

Why Cannabis Businesses Need It

Any business that collects personal data could face substantial liability in the event of a breach; however, the cannabis industry faces even more risk because of the unique amount, and often type, of information dispensaries and other businesses are required to collect. In addition, due to the constantly shifting industry and regulatory landscape, many cannabis businesses may find themselves in uncharted territory and are likely to have questions about cyber liability risks. It is also important to note that while general liability insurance policies may cover some cybercrime losses, they generally will not provide the comprehensive coverage needed to mitigate the damage from a data breach. Some general liability policies may even contain exclusions for cyber liability losses and claims.

One thing is for certain: data is becoming increasingly valuable. Our Octillo CannaPrivacy Team understands the important steps businesses should implement to protect this valuable data. If the worst happens, it is critical to have the right liability coverage to minimize losses and disruption. Our team can help assess liability coverage, using their expertise to help map out a nuanced cyber liability insurance plan for any business in the cannabis industry.

*Attorney Advertising. Prior results do not guarantee future outcomes.

Understanding the Landscape of Education Law & EdTech: FERPA, COPPA and Other Considerations

Technology has transformed the way in which students learn. Schools increasingly integrate IoT devices and third-party applications into the everyday delivery and management of education. This incorporation of education and technology, or EdTech, increases the amount of student data that is collected, stored, shared, and used—making student data privacy an issue of critical importance to educational institutions and their stakeholders.