Cannabis Incident Response Template
The Complete Playbook for Handling Cybersecurity Incidents, Data Breaches & Compliance Emergencies
When the breach happens, you won't have time to figure out what to do. This template tells you exactly how to respond—minute by minute, hour by hour.
HOW TO USE THIS TEMPLATE
Before an incident:
- Customize all sections with your business information
- Fill in contact information for your team
- Print physical copies (digital may be inaccessible during incident)
- Store copies in multiple locations (office, home, cloud)
- Review and update quarterly
- Conduct tabletop exercises annually
During an incident:
- Open this template immediately
- Follow the phase-by-phase instructions
- Use the checklists to ensure nothing is missed
- Document everything in the Incident Log
- Communicate using the pre-written templates
This template covers:
- Ransomware attacks
- Data breaches
- POS system compromises
- Metrc/compliance system failures
- Insider threats
- Physical security incidents with cyber components
SECTION 1: INCIDENT RESPONSE TEAM
1.1 Internal Team Contacts
Complete this section NOW, before any incident occurs.
| Role | Primary Contact | Phone | Backup Contact | Phone | |
|---|---|---|---|---|---|
| Incident Commander | |||||
| IT Lead | |||||
| Operations Lead | |||||
| Compliance Officer | |||||
| Communications Lead | |||||
| Legal Counsel | |||||
| Owner/Executive |
1.2 External Contacts
| Resource | Company/Name | Phone | Account # | |
|---|---|---|---|---|
| IT Support/MSP | ||||
| Cybersecurity Firm | ||||
| Cyber Insurance | Policy #: | |||
| Legal Counsel | ||||
| PR/Communications | ||||
| POS Vendor Support | ||||
| Metrc Support | (877) 566-6506 | support@metrc.com | License #: | |
| BioTrack Support | License #: |
1.3 Regulatory Contacts
| Agency | Contact Info | When to Contact |
|---|---|---|
| State Cannabis Regulator | ||
| Name: | ||
| Phone: | ||
| Email: | ||
| State Attorney General | Data breach notification | |
| Phone: | ||
| Website: | ||
| FBI Cyber Division | ic3.gov | Major cybercrime |
| Local Field Office: | ||
| Local Police | Physical security component | |
| Non-emergency: |
1.4 Role Definitions
Incident Commander (IC)
- Overall authority during incident
- Makes final decisions on response actions
- Coordinates between all teams
- Authorizes communications and notifications
- Typically: Owner, GM, or designated senior manager
IT Lead
- Technical investigation and containment
- System isolation and recovery
- Evidence preservation
- Coordinates with external IT/security vendors
- Typically: IT manager, MSP primary contact
Operations Lead
- Maintains business continuity
- Manages staff during incident
- Coordinates manual workarounds
- Ensures customer service continues
- Typically: Store manager, operations director
Compliance Officer
- Regulatory notification requirements
- Documentation for auditors
- Metrc/BioTrack communication
- State regulator liaison
- Typically: Compliance manager, license holder
Communications Lead
- Internal staff communications
- Customer notifications
- Media inquiries
- Social media monitoring
- Typically: Marketing manager, owner
Legal Counsel
- Legal notification requirements
- Liability assessment
- Law enforcement coordination
- Contract review (insurance, vendors)
- Typically: Outside attorney
Cannabis Business Security Tools | cannabisrisk.diy
Comprehensive security tools, checklists, and compliance resources for cannabis businesses. Estimate breach costs, audit PoS, review vendor security, and more.
