Insurers Must Play Catch-Up to Meet Cannabis Industry Needs

By Matt Engle

As the cannabis industry continues to grow, demand for insurance products is also increasing. While insurers have been cautious about entering a market that carries the stigma of a Schedule I drug, the cannabis industry is clamoring for insurance coverage options tailored to meet the needs of key players: distributors, growers, processors and retail dispensaries.

The escalating need for insurance products tailored to these cannabis business sectors has not expedited an increase in coverage offerings. The slow entry of insurance carriers into the cannabis sector can be tied to a reluctance to insure an industry with emerging and often unknown risks. This will begin to change as more information becomes available on what loss ratio trends look like in the cannabis industry.

For now, there is a wait-and-see stance held by insurance carriers. This presents a major concern for cannabis-related businesses that are subject to risk at every stage of the supply chain, with particular exposure for theft, general liability, crop loss, and product liability.

Theft

For cannabis companies, the use of paper currency is a huge part of their risk exposure. Federal banking regulations have limited these businesses to dealing mostly in cash, which makes them a prime target for crime and fraud. Currently, only one carrier will insure coverage for cash and theft risk, and the policy is limited to $1 million for most risks. This is inadequate coverage since many operators have more than that amount on-site.

In states with legislation legalizing cannabis, the cannabis sector will be able to move away from operating in cash if Congress passes the Secure and Fair Enforcement (SAFE) Banking Act, which would protect financial institutions from liability for federal prosecution that could arise from servicing cannabis-related businesses authorized under state law. Until banking regulations give the cannabis industry the ability to operate as legitimate businesses with the stability and safety that would deter criminal activity, some degree of crime and theft coverage is needed for these enterprises to help manage the risks associated with a cash-based business.

General Liability

Cannabis-related businesses need the same general liability coverage as other businesses to protect their premises and operations from lawsuits involving public contact. However, standard general liability policies—which exclude Schedule I substances from coverage—were not created with cannabis businesses in mind. It is still difficult for these businesses to obtain adequate general liability as a result of the legal uncertainty associated with the industry.

Product Liability

Product liability exposures for cannabis businesses encompass a wide range of areas, including edibles, vaporizers, pesticides, mold/fungus, misrepresentation, label claims, breach of warranty, deceptive practices, and failure to warn.

A major area of exposure concerns accidents resulting from impairment. A cannabis cultivator, processor, distributor, or retailer potentially may be considered liable in the event a product defect results in injury after reasonable use or when label defects fail to warn users that a product may have psychoactive effects.

Another area of risk exposure involves products that contain THC, the psychoactive compound that gives cannabis users a high. As the number of THC-containing products such as edibles and tinctures increases, so does the potential exposure to product liability claims for manufacturers and retailers.

The California Cannabis Track-and-Trace (CCTT) system also has implications for product liability. The CCTT is a statewide system used to record the inventory and movement of cannabis and related products through the commercial supply chain. All state cannabis licensees, including those with licenses for cultivation, manufacturing, retail, distribution, testing labs and microbusinesses, are required to use this system. The product liability impact lies in its capacity to determine responsibility along the supply chain from seed to sale.

For example, if a plastic vape pen explodes, a product liability lawsuit could have repercussions for many touch points across the supply chain beyond the manufacturer of the pen–all of which can be identified through CCTT. Entities that touch cannabis products such as soil suppliers or delivery persons also have product liability risk exposure. Personal injury attorneys can find incident-related parties easily and determine liability. This makes it particularly important to add these parties to the policy as additional insureds to help reduce claims exposure.

Crop Loss

Another area of concern for risk exposure is crop loss. Crop insurance is generally hard to obtain due to the significantly different nature of cannabis crops compared to traditional crops like corn or soybeans.

Fires in Sonoma County devastated cannabis crops in Northern California back in 2017.

An indoor crop insurance policy covers cultivators when there is loss resulting from threats such as fire, theft, and sprinkler leakage. However, crop insurance policies generally do not cover losses resulting from mold, rot, disease, changes in climate, or fertilization issues. Many growers forgo this coverage and instead elect to absorb losses and regrow their crops.

Outdoor crop coverage is generally unavailable, or the cost is prohibitive. Any potential for writing outdoor crop insurance for the cannabis industry essentially disappeared as a result of the recent wildfires in California. These devastating fires highlighted the pressing need for property damage and business interruption coverage for growers and dispensaries and other downstream businesses whose supply was disrupted. This lack of available outdoor crop insurance is one of the more notable gaps in available cannabis business insurance coverage.

While cannabis businesses operating in states that have legalized medical and/or recreational cannabis use have challenges getting adequate insurance coverage, there is some good news on the insurance front for those in California. Last year, California’s insurance commissioner announced approval for carriers to offer insurance coverage specifically to cannabis businesses. The state also approved a cannabis business-owners policy (CannaBOP) program that provides a package policy containing both property and liability coverage for qualifying dispensaries, distributors, manufacturers, processors and storage facilities. Colorado is on the verge of being the second state to approve its version of a CannaBOP program.

While more insurance carriers are beginning to write cannabis coverage, the limited insurance options and policies with restrictive plans currently offered do not meet the needs of the cannabis industry. Insurers must catch up to the coverage requirements of this sector by offering more options tailored to growers, retail dispensaries, processors and distributors with better terms and better pricing.

Top 5 Cybersecurity Threats To The Cannabis Industry

By Lalé Bonner

Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.

Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data on darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data could face stiff fines, in addition to losing the trust of their customers.

So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.

Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:

Phishing: Phishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.

  • Tips: Do not download attachments from unknown senders!
  • Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.

Password Management: Password complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease the chances of password-sniffers obtaining your sensitive information.

  • Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
  • Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).

Public Wi-Fi: Being able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.

  • Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
  • Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.

BYOD: Beware of Bad Apps: Using personal devices for work has become the norm. In fact, approximately 74 percent of businesses have bring-your-own-device (BYOD) policies or plans to adopt in the future.

With these platforms providing greater access to mobile apps comes greater responsibility on the part of the end user.

  • Tips: Password protect devices that will be used for work (and, any device in general).
  • Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
  • Mobile device protection is recommended for any device being used on a business network.

Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.

SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software as a Service) applications are cloud-based software solutions, and chances are you are using one of them for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:

  • Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
  • Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.

While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B: a backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.

Audit Finds Oregon Lacking Regulatory Oversight and Proper Security

By Aaron G. Biros

Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of the Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis from being sold on the black market.

The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.

Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of managing user accounts.

Oregon Secretary of State Dennis Richardson

This audit’s publication is very timely, most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to The Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the north, Washington, experienced a security breach in its own tracking system.

The problems with the Oregon tracking system’s security features are numerous, the audit says. They found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations are not using supported operating systems, and antivirus solutions are not appropriately managed. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.

The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.

Washington Security Breach Delays Traceability System Rollout

By Aaron G. Biros

On February 8th, Peter Antolin, the deputy director for the Washington State Liquor and Cannabis Board (WSLCB), sent an email to licensees explaining why the transition to their new traceability system was disrupted. Last Saturday, someone gained access to the sensitive information in Leaf Data Systems, the state’s traceability software that is powered by MJ Freeway.

“A computer vulnerability was exploited on Saturday, allowing unauthorized access to the traceability system,” Antolin told licensees in the email. “There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users. We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”

The email goes on to say that no personally identifiable information was available to the ‘intruder,’ but some sensitive information was clearly accessed. That data includes route information of manifests filed between February 1st and 4th as well as transporter vehicle information including VIN, license plate number and vehicle type, according to the email.

That email leaves much to be desired. For one, they do not exactly have a solution, instead trying to alleviate licensees’ worries with a hollow inanity full of meaningless jargon: “The WSLCB and MJ Freeway continue to implement several strategies to prevent future vulnerabilities to future intrusions,” reads the email. “This includes full logging and monitoring and working with third-party entities. Since this remains an active investigation, details on security are not publicly available.” However, today the WSLCB is hosting a webinar where Peter Antolin, their IT division, the MJ Examiners unit and enforcement will be available to answer questions, according to the email.

This is by no means the first security breach that Washington and MJ Freeway have suffered. In May of 2017, Washington originally selected Franwell’s METRC as the contract partner for their traceability software system. Less than a month later in June of 2017, after a mistake in the selection process, Washington selected MJ Freeway instead of Franwell for the traceability contract. Three days later, MJ Freeway’s source code was stolen and published online. Then in September, Nevada cancelled their contract with MJ Freeway after a security breach, their services crashed in Pennsylvania and Spain, and in October it became clear that the company could not meet the October 31 deadline for their new Washington contract.

In November of 2017, BioTrackTHC, the company that held the previous contract for Washington’s traceability software, helped the state through the transition period with a temporary Band-Aid solution to hold the state over until January of 2018. A month after they expected to implement the new MJ Freeway system, the latest security breach occurred this week, disrupting the rollout yet again.

At the end of the email Antolin sent to licensees yesterday, he says there will continue to be attempts to breach the system’s security. “The bottom line is that this incident is unfortunate,” says Antolin. “There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system.” This begs a few questions: why aren’t we hearing about this kind of security breach in other states’ traceability systems? What are other companies doing that prevents this from happening? Why does this keep happening to MJ Freeway?