Oh boy. The Washington State Liquor and Cannabis Board (WSLCB) has made an incredibly embarrassing mistake: the accidental disclosure of a bunch of sensitive personal data on pot license applicants. The WSLCB admitted the mistake to the Cannabist on June 7, and said the leaked information may include tax records, social security numbers, driverâs license numbers, attorney-client privileged communications, financial information, and guilty musical pleasures. (Just kidding, your Katy Perry addiction is still a secret!)
The leak happened in early May as a result of a public records request filed by John Novak of the Washington cannabis watchdog site 420 Leaks. Novak was seeking information on I-502 retail applications from medical collectives. According to the Cannabist, the WSLCB first sent Novak the wrong records and asked him to delete them. But then, instead of sending the requested licensee information with appropriate redactions, the WSLCB accidentally sent the un-redacted versions of those files.
Novak said he posted the records online without realizing just how much sensitive information they contained. He had also sent a link to the files to various people in the media.
As soon as it discovered the breach, the WSLCB asked Novak to remove the records, which he did. Regardless, the genie is out of the bottle, so now the WSLCB is doing damage control. Brian Smith, the WSLCBâs communications director, told the Cannabist that the agency is currently contacting all affected licensees to alert them of the breach.
But Novak said personal information is still at risk because the original batch of records contained various active links to the WSLCBâs DocuSign account, which is used to process I-502 applications and contains the same sensitive personal data as the un-redacted emails.
âNo password protections at all,â he said. âThat means that anybody in the past who has gotten any of these public records would potentially have received the same links that I got and the WSLCB obviously doesnât realize that these links are live, going to these completely un-password-protected documents.â After a cursory look, he said he found about six links in about 100 emails, and noted that there were more than 1,300 total emails. He said it would take only basic hacking skills to gain access to other documents on that DocuSign server.
âThose unprotected files are pretty much open season for anybody who has half a brain as far as hacking goes,â he said. âOnce a hacker knows the server that documents are located on, they can use different hacking tools to then find other unprotected documents and unprotected folders on the server. Thatâs where the possibility is that a massive leak has occurred.â
However, the WSLCB does realize that the links are live, they just canât do anything about it yet. âDocuSign has refused to remove their live links while they are still in queue,â Smith said. âWe contacted the three individuals who were affected by the DocuSign links still being active yesterday and worked with them to disable the links on their end. These links are restricted to three individuals and four files.â As for Novakâs concerns about hacking, Smith said the WSLCBâs IT department has assured him that all other licensee data is safe.
Novak is a vocal opponent of the soon-to-be-implemented Cannabis Patient Protection Act, which folds the stateâs medical marijuana system into the recreational one, including the management of a state-run registry of medical marijuana patients. Novak characterized the data breach as an argument against the lawâs implementation. âIf the LCB canât keep the personal information of 502 applicants safe,â he wrote in an announcement, âthereâs no way the state is ready to handle a huge new database of medical documents inside retail marijuana stores.â
However, itâs important to note that the WSLCB has no direct control over the patient registry. The registry is actually run by the state Department of Health (DOH), and held to a much higher standard of privacy than records subject to the average WSLCB public records request, according to Kristi Weeks, the DOHâs legal services director and one of the registryâs chief architects.
âThe database is exempt from public disclosure, and the information is only released after very careful scrutiny,â she said. Records, she continued, âmay [only] be released in aggregate form with all personally identifying information redacted for the purpose of statistical analysis and oversight of agency performance and actions.â As for the WSLCBâs level of access to the database, Weeks says itâs limited.
âThe law grants the LCB access to the database for two reasons only,â she said. âThe first is in their role of law enforcement, which allows them to validate a card that is presented to them. The second is to verify that sales-tax-free sales were actually made to a patient with a card. This will entail the patientâs database ID number (and no other information) being entered at the point of sale.â
Novak said he still isnât comfortable with the stateâs handling of sensitive records. He noted that a recent data breach affected 91,000 patients in the stateâs Apple Health program. He added that one of the major points of vulnerability in the patient registry is at the level of cannabis retailers, which will be responsible for entering sensitive data into the system.
âIf the WSLCBâs public records officers are having this kind of problem, what kind of faith should we be putting in these 502 recreational shops where weâre supposed to take in our authorization form and hand it over to them?â he said. âIf the WSLCB canât keep track of their own information, how are we supposed to have any faith in those stores to handle our documents?â
To be fair, retail cannabis employees handling sensitive authorization documents will have to complete a twenty-hour Medical Marijuana Consultant (MMC) training course that includes at least two hours of privacy training. Seattle Centralâs MMC course includes instruction by Nicole Li, an attorney with extensive experience in medical cannabis and a noted patient-privacy advocate. Hopefully, the stateâs medical marijuana consultants are properly trained and protect patientsâ sensitive data. But, as Novak noted, âItâs all theory right now.â