It’s not a place where we recommend you hang out, exchange pleasantries or — heaven forbid — make an illegal purchase. But you will find, after just a few minutes of looking around, that there is no shortage of opportunity to purchase stolen information, from credit card numbers to customer medical records. Wait — customer medical records?

Absolutely. They are a hot commodity, and they’re frequently obtained through cybercriminal intrusion into the systems of medical cannabis dispensaries. Dispensaries are custodians of protected health information (PHI) which is more valuable to bad actors (and more expensive to purchase on the Dark Web) than standard personally-identifiable information (PII).

Although these dispensaries are not covered entities under HIPAA (the Health Insurance Portability and Accountability Act), they are still responsible for complying with state privacy laws. (Across the border, Canadian dispensaries are bound by the PIPEDA, the federal Personal Information Protection and Electronic Documents Act.) So privacy of customer information requires strong vigilance.

Cannabis retailers are under an even greater threat with today’s IoT (Internet of Things) connected devices. Many dispensaries have camera systems and other video surveillance equipment that are accessible through web browsers — and while that brings operational convenience, the security risks are massive. Should a bad actor gain access to a dispensary camera network, the stolen information can be immediately monetized in an old-fashioned, low-tech way — extortion.

If a dispensary is known to have celebrity or high-profile customers — from entertainers and athletes to elected officials and business executives — there’s no question that cybercriminals are trying to hack their way in. These customers certainly want their cannabis usage history to be private, and even with changing attitudes there could be career-harming consequences if, say, video showing them making a purchase went public. If the video is in the hands of an extortionist halfway around the world, there may be little recourse.

The takeaway is that cannabis retailers have to be exceptionally security-conscious and attentive to best practices in combating cybercrime. Passwords must be frequently changed, and default manufacturer’s passwords should never be used, even when testing a device, because cybercriminals know them well. Multi-factor authorization and other security measures must be part of the standard protocol. And whenever possible, data that could be compromised should be stored on local servers, away from vulnerable cloud locations.