Tag Archives: defense

Facing Cybersecurity Risk? Here are 6 Ways to Minimize it.

By Brian J. Schnese
No Comments

The cannabis industry is the latest target for cybercriminals. Why? Because many cannabis operations employ less than 100 workers and few are equipped with sophisticated IT systems and knowledgeable on-staff IT personnel, so they are often easier to exploit.

Add the all-cash nature of the business, along with the large amounts of protected health data and personally identifiable information medical dispensaries may store and the industry’s shift toward operational automation to increase yields and lower labor costs and you’ve got an industry that’s extremely vulnerable and a prime target for cyber extortion.

Safeguard your corporate networks and internet connections by encrypting information and using a firewall.

Take the cannabis businesses in Ontario that lost millions after a local distributor was hit by a cyberattack and was incapable to process or deliver orders to local retailers. In another cyberattack, hackers stole $3.6 million that an Australian medicinal cannabis firm intended to send to an overseas contractor.

A still prevalent tactic is for hackers to target workers with email-based phishing scams that enable the installation of malware or ransomware to obtain protected health information to sell or lists of high-profile clients to extort.

While there’s a lot to fear and be on the alert for, there’s also a lot that cannabis businesses can do to both reduce their risk of an attack and proactively protect themselves.

Six hallmarks of a strong cyber-defense program:

  1. Assess the risk. One place to start building a comprehensive approach to cybersecurity is to conduct an appropriate cyber vulnerability or risk assessment of your cannabis business. This exercise can reveal gaps, but it also helps prioritize your effort and develop a vision for your goal state.
  2. Train and test. Train employees on the importance of cybersecurity. Make sure employees undergo phishing training and conduct refresher courses at least annually. Then, test them. Are employees retaining the information shared in training? Send simulated phishing emails and track performance to determine if training hits the mark.
  3. Secure the perimeter. Safeguard your corporate networks and internet connections by encrypting information and using a firewall. If your employees work remotely, consider use of a Virtual Private Network (VPN) to allow them to safely connect to your network from out of the office.
  4. Engage protective tools. In addition to using antivirus software and keeping all software updated and patched, multifactor authentication (MFA) and endpoint detection and response (EDR) are crucial for maintaining a secure network. Most carriers require MFA for remote network access, on email, and to protect privileged user accounts. EDR monitoring of devices connecting to the network is also increasingly a minimum requirement for insurance coverage.
  5. Develop a backup strategy. A solid data backup strategy makes companies less susceptible to ransomware attacks by allowing organizations to restore operations. Perform frequent backups — every day if possible — and consider leveraging cloud solutions along with storing backups in an immutable state off-site or off-network.
  6. Build an incident response plan. Cannabis companies should have a plan for responding to an attack, a system for validating what happened and the resources to remediate the issue.

What if a breach occurs?

Even with a great incident response plan in place, the road to recovery from a cyberattack is a complex and rapidly evolving landscape. Should we communicate with the threat actor? Should we pay the ransom demand? How do we capture forensic evidence? What are the laws guiding notification of impacted employees or clients?  When an organization has armed itself with a cyber insurance policy, they not only transfer much of their risk, but they often gain access to a carrier panel of specialized response providers that include breach coaches, forensic investigations firms and privacy attorneys.

In addition to leveraging the specialized post-breach expertise offered by carriers, insureds should also consider familiarizing themselves with and leveraging any pre-breach resources provided, which often include no-cost external vulnerability scans, employee awareness training and discounted technical security solutions.

Top Five Insurances Cannabis Businesses Need in 2022

By Eric Rahn
No Comments

Cannabis remains one of the fastest growing industries with no signs of slowing down. According to a recent article in Forbes Magazine, the legal cannabis market is poised to grow 20-30% per year to the tune of $50 billion by 2026.[1]With great opportunity comes numerous risks. Claims and lawsuits against cannabis businesses are increasing in frequency and magnitude. As an insurance broker who specializes in the cannabis industry and works with a wide variety of cannabis, hemp and CBD businesses in every state where cannabis laws are established, our recent analysis has unveiled the top five insurances your cannabis business needs in 2022.

  1. General Liability

General liability is the most essential coverage your business needs to protect you from a variety of claims including personal injury, bodily harm, property damage and other situations that may arise including slander, libel, copyright infringement and more.

Since general liability is not always required to obtain a cannabis license, many businesses are tempted to forgo the expense. This is one of the biggest mistakes you can make as one single lawsuit has the potential to cripple your business. With a comprehensive, cannabis-specific general liability insurance policy in place, your insurance company, not you, will pay medical expenses and property damage claims from third parties, in addition to hefty legal fees and fines.

  1. Property & Casualty Insurance
P&C insurance is an important part of your security and protection plan.

If you own a dispensary, grow operation, warehouse, testing facility or any other type of cannabis business with inventory, you need to protect your assets from potential loss or damage. Property & casualty (P&C) insurance safeguards your business against common and costly perils such as a fire, lightning, explosion/implosion, and even less common – but still possible – risks like riots, strikes and terrorism.

P&C insurance not only pays for damages to your business property resulting from a covered loss but it also covers the contents within your place of business, including office furniture, computers, inventory and other assets essential to your business operations. There are policies that will also provide the funds required to keep your business afloat until the damages from the loss are repaired. Any cannabis business with a physical property and location(s) should have a comprehensive property and casualty P&C policy in place.

  1. Product Liability/Product Recall

Recently, we’ve seen a dramatic influx of product liability claims, and in particular, product recalls. Lawsuits have ranged from a single plaintiff seeking damages for personal injuries to class action lawsuits where a defective product is tied to an entire group of claimants.

control the room environment
Preventing contamination can save a business from extremely costly recalls. Having the right insurance can prevent a recall from becoming costly in the first place.

As a cannabis business owner, you can be sued for any damage resulting from products that cause harm to others, this includes false advertising, mislabeled or defective products. No matter where you are in the supply chain, your business could be held liable. The process of defending litigation or reaching a settlement agreement can completely drain a company’s resources. You’ll have to deal with regulatory compliance, producing and distributing product warnings, recalling products, claim investigation, product testing and additional risk assessment.

Product liability insurance is often overlooked, especially by small to mid-size businesses. However, your cannabis business needs this type of coverage if you sell any goods or products that end up in the hands of the public. In fact, your business may be contractually obligated to have product liability insurance. One such lawsuit is enough to fold a business due to costly legal fees and fines, as well reputation damage beyond repair.

Product liability insurance is designed to protect your cannabis company from claims that can happen anywhere along the supply chain, including product contamination, mislabeled products, false advertising or defective products. With proper coverage, your insurance company will pay for damages and legal expenses if you are sued, up to your policy limits. Your product liability policy will also cover any medical expenses for those who are harmed by your business. Making sure your insurance policy includes product liability insurance should be a top priority in 2022.

  1. Cyber Defense/Data Breach Insurance

Cyber fraud and data breaches are two of the greatest risks facing cannabis companies in 2022. With so much cash pouring into the space, cannabis businesses of all sizes are bulls-eye targets for cybercriminals. Even the smallest of cannabis businesses are at risk of data breaches because they are part of a larger interconnected network of seed to sale vendors. These types of crimes can have detrimental effects on your business in numerous ways. In the case of a data breach resulting in the disclosure of a third party’s private information, the third party could sue your business. The SEC could also find your company negligent in cyber fraud cases and impose significant fines.

By forgoing cyber defense & data breach insurance, your business will be solely responsible for expensive legal bills, significant revenue losses and hefty fines and penalties from regulators. Cyber defense & data breach insurance is a must-have coverage in 2022, and beyond, to protect your business from cybercrimes.

  1. Directors & Officers Insurance

If you are looking to secure venture capital or funding from investors in 2022, and/or attract and retain qualified leadership, you need directors & officers (D&O) Insurance. D&O protects corporate directors and officers, as well as their spouses and estates, from being personally liable in the event your company is sued by investors, employees, vendors, competitors, customers, or other parties, for actual or alleged wrongful acts in managing the company. In the event of litigation, your D&O insurance will cover legal fees, fines, settlements and other expensive costs.

D&O is often the most overlooked coverage because many cannabis businesses are independently run, and no one foresees the potential for operational failures and mismanagement. However, businesses with any sort of vision for growth should make D&O a top priority. It not only protects your current executives and board members but is critical in attracting leading talent in the space, as well as drawing in new investors to scale up your business. In fact, we’re seeing more prospective investors and board members requiring D&O insurance prior to engaging with a company to ensure they are fully protected in the event of litigation.

When it comes to mitigating risk in this business, the stakes are sky high. Cannabis companies that have not incorporated risk management into their business/operational plans will need to in 2022. It all boils down to the THREE P’s: being “Proactive, Prepared and Protected.”

Implement These Tips to Quickly Fortify Cannabis Dispensaries

By Heather Bender
No Comments

Based on the recent string of cannabis thefts in Portland, Oregon, the spotlight is shining even brighter on the need for enhanced security measures at cannabis dispensaries throughout the country. According to the Oregon Liquor Control Commission, the Portland metro area alone has experienced more than 120 cannabis shop burglaries since March 2020, resulting in a reported total loss of more than $500,000 in cash and products.

Robbing a cannabis dispensary is as lucrative as robbing a bank. Cash is king in the shops until the Secure and Fair Enforcement (SAFE) Banking Act is passed to prohibit federal banking regulators from penalizing depository institutions that provide banking services to legitimate cannabis businesses. Until the Act is passed, it is widely known that all transactions must be done in cash—which makes cannabis dispensaries a prime target for thieves.

Dispensaries are prime targets for burglary. Defending your storefront requires a comprehensive security plan.

While many security protocols—such as product traceability systems and security cameras—are mandated by each individual state, dispensary owners should take measures to actively secure their product, protect their employees and preserve their businesses as theft increases.

One of the quickest and most cost-effective ways to fortify shop security is by implementing rolling security doors. After determining what level of security is needed, consider these four tips to help deter criminal activity and ensure the safety of both employees and products.

Tip 1 – Defend The Storefront
Designed to prevent against looting events and burglaries, heavy-duty rolling steel doors offer cannabis business owners robust security. They can be retrofitted into existing buildings, are exterior mounted and are ideal for storefront defense—including protecting glass windows, which can be expensive to replace. Unlike more common rolling grilles, thieves can’t see merchandise when the rolling door is lowered. In addition to the door giving the building a secure look, blocking sight access is key to deterring criminals.

Heavy-duty steel doors must also be lift- and pry-resistant. Manufacturers put the doors through rigorous testing, and some security doors even meet Department of Defense forced entry standards, which can provide up to an hour of protection against violent attacks against the door to gain entry. Look for rolling security doors that can withstand heavy impact and resist pry attempts with common tools, as well as doors that are lift resistant. Some manufacturers offer doors with robust slide locks and rigid heavy-duty bottom bars, enabling the doors to withstand up to 4,500 lbs of lifting effort.

Tip 2 – Protect While Allowing Visibility and Airflow
If product visibility is desired, but more robust security is needed at the storefront—beyond a security measure such as impact glass—a heavy-duty security grille is an excellent choice. Security grilles are easy to custom order and don’t require structural modifications to fit individual spaces. They are easily installed behind storefront glass, are compact enough to remain out of sight when not in use and require little maintenance.

Strong rolling service doors can protect delivery entrances well

It’s important to work with a manufacturer to select a rolling grille that provides dependable, increased security. Choose grille curtains with rods that are spaced closer together and have heavier links. Security grilles with these features are harder to lift and pry than standard rolling grilles.

Rolling security grilles are also an ideal solution to protect counters inside the dispensary. They can be easily concealed in small headspaces where there is limited ceiling room.

Tip 3 – Fortify A Store Within A Store
For cannabis dispensaries located within high-end retail shops, it is important to consider additional security measures to separate the dispensary from the rest of the store.

A metal grille can be a good barrier for a store within store

A store within a store may be subject to different hours of operation as states often dictate specific operating hours for cannabis dispensaries. Altered operating hours necessitate an easy way to secure only a small section of a larger store.

If aesthetics are of concern inside retail shops, a woven metal mesh grille will provide both beauty and security without imposing looks while securing cannabis products as customers browse throughout the store. Manufacturers offer a variety of patterns and even logo designs as a way to bring more creativity to a grille’s aesthetics—making them rolling pieces of art.

Tip 4 – Secure Deliverables
Dispensary owners sometimes overlook the fact that thieves target deliveries. Deliveries that are made at the back of the store or in receiving areas may be the most at risk. It is of utmost importance to be aware of how deliveries are timed, who is present during them, and how the product is handed off.

Robust rolling service doors provide the best security for delivery entrances and are more secure than traditional rolling sectional doors. Made from slats of formed galvanized steel, aluminum or stainless steel, these rolling doors are completely customizable to meet existing building designs and are ideal for areas with limited overhead room.

Robust Protection
By closely evaluating the levels of security needed, the layout of the building and where deliveries take place, security updates and enhancements are easily implemented with the right rolling doors. Every door is made for a specific opening, so each one is custom-made for its application. Choose a knowledgeable manufacturer that will help determine which rolling closure suits the dispensary’s needs.

Cannabis Contracting: The Potential Invalidity Defense Created By Federal Prohibition

By Brett Schuman, Barzin Pakandam, Jennifer Fisher, Nicholas Costanza
No Comments

The overwhelming majority of Americans now live in a state where cannabis is legal at the state level for at least some purposes.1 However, cannabis (excluding hemp) remains criminal under federal law for all purposes. This conflict between state and federal law presents challenges for participants in the state legal cannabis industry, including enforcing their contractual agreements. This is because a number of federal court rulings have called into question whether contracts involving cannabis are enforceable in federal court.

In this article, we explore how federal courts and state legislatures have addressed the enforceability of contracts relating to cannabis and provide some practical tips for cannabis companies to protect their contractual rights.

The “Illegality Defense” in Federal Courts

“No principle of law is better settled than that a party to an illegal contract cannot come into a court of law and ask to have his illegal objects carried out . . . .” Mann v. Gullickson, 2016 WL 6473215 at *6 (N.D. Cal. Nov. 2, 2016) (quoting Wong v. Tenneco, Inc., 39 Cal. 3d 126, 135 (1985)).

Bart St. III v. ACC EnterprisesApplying this principle, a number of federal courts have refused to enforce contracts relating to state-legal cannabis. For instance, in Bart St. III v. ACC Enterprises, LLC, No. 217CV00083GMNVCF, 2020 WL 1638329 (D. Nev. Apr. 1, 2020), the parties entered into a loan agreement wherein the plaintiff-lender, Bart Street III, loaned the defendant cannabis cultivators in Nevada approximately $4.7 million to fund operating costs, pay down debts and purchase land for a cannabis cultivation facility in Nevada. Id. at *1-2. The loan agreement specified that it was governed by Nevada law. The cannabis cultivators defaulted on the loan, and Bart Street III sued for breach of contract and unjust enrichment. The cannabis cultivators argued that they could not be liable for breach of a contract that is illegal under the Controlled Substances Act of 1970, as amended (the CSA). Id. A federal judge in Nevada ruled that certain provisions of the loan agreement (i.e., a right of first refusal provision and another provision concerning disbursement of operating costs) were illegal under federal law and could not be enforced. The judge was unable to decide on summary judgment whether the illegal provisions could be severed from the other parts of the agreement, so on that basis the cannabis cultivators’ summary judgment motion was denied as to the breach of contract claim. However, the judge granted the cannabis cultivators’ motion as to the unjust enrichment claim based on the following reasoning: “Plaintiff cannot prevail for unjust enrichment because the parties’ contract involves moral turpitude. If the Contract is unenforceable, it is because Plaintiff invested in Defendants’ marijuana cultivation business primarily to obtain a pathway to an equity investment therein . . . . Providing funds in exchange for equity violates the CSA because it would allow the investor to profit from the cultivation, possession, and sale of marijuana . . . . Conspiracy to cultivate marijuana is a crime of moral turpitude.”

Polk v. GontmakherThe illegality defense was also raised in Polk v. Gontmakher, No. 2:18-CV-01434-RAJ, 2020 WL 2572536 (W.D. Wash. May 21, 2020), which involved two business partners—Polk and Gontmakher— who owned a licensed cannabis processing facility and retail store through an entity called NWCS. When Polk decided to leave the business, Gontmakher refused to acknowledge Polk’s ownership interest because Polk had a prior criminal record, which violated ownership requirements for cannabis businesses under Washington cannabis regulations. Polk sued Gontmakher for breach of a verbal partnership agreement and sought to recover past and future profits of the cannabis business. Gontmakher moved to dismiss, and the district judge granted the motion: “Mr. Polk’s claim that his requested relief would not require a violation of the CSA defies logic. He is demanding the future profits of a business that produces and processes marijuana in violation of federal law. How does Mr. Polk anticipate NWCS will generate these future profits? The Court cannot fathom how ordering [Gontmakher] to turn over the future profits of a marijuana business would not require them to violate the CSA. And as this Court has previously explained to Mr. Polk, it cannot award him an equitable interest in NWCS because to do so would directly contravene federal law.” Polk, WL 2572536 at *2.

J. Lilly, LLC v. Clearspan Fabric Structures Int’l, Inc.Certain federal district court judges have addressed the illegality defense directly, even when it has not been asserted by the parties. In J. Lilly, LLC v. Clearspan Fabric Structures Int’l, Inc., No. 3:18-CV-01104-HZ, 2020 WL 1855190 (D. Or. Apr. 13, 2020), a licensed cannabis cultivator in Oregon contracted with Clearspan, a lessor of commercial greenhouse equipment located in Connecticut, to lease greenhouse equipment for the facility and also have the facility constructed. After construction began, the cultivator notified Clearspan (and the sub-contractor) of numerous defects in the facility that were impeding cultivation efforts, and after Clearspan allegedly fixed only one defect, the cultivator sued for breach of the agreements and claimed lost profits due to the inability to cultivate cannabis, in the amount of $5.4 million. While Clearspan moved to dismiss the claims on the basis that the cultivator waived any contractual right to consequential damages, the District Court raised the issue of the illegality of the contracts under federal law sua sponte at oral argument. After supplemental briefing on the issue, the Court held that “awarding Plaintiff damages for lost profits [for the sale of cannabis] would require the Court to compel Defendants to violate the [CSA…and] provides an independent basis to dismiss Plaintiff’s lost profits claim in addition to” the issue of waiver, and other merits issues.  Id. at *11-12.

And in Ricatto v. M3 Innovations Unlimited, Inc., No. 18 CIV. 8404 (KPF), 2019 WL 6681558 (S.D.N.Y. Dec. 6, 2019), Ricato (an investor) and M3 (the intended cannabis operator and licensee) entered into an agreement to purchase a plot of land in California for M3 to develop as a cannabis processing facility. The investor sued to enforce the investment instrument, and M3 moved to dismiss. The court granted M3’s motion to dismiss on other grounds but noted that “it is not readily apparent to the Court that it could [even] enforce such a contract [as] ‘[m]arijuana remains illegal under federal law, even in those states in which medical marijuana has been legalized,’” such as California. Id. at *5, n.4.

Ricatto v. M3 Innovations Unlimited, Inc.However, under some circumstances a federal court may enforce a cannabis contract. In Mann v. Gullickson, Mann loaned Gullickson money to be used in a cannabis-related business. The agreement was governed by California law. When Gullickson defaulted on the promissory note, Mann sued for breach of contract. Gullickson asserted that the contract was illegal under federal law and moved for summary judgment. In an order denying Gullickson’s motion, the court said that “even where contracts concern illegal objects, where it is possible for a court to enforce a contract in a way that does not require illegal conduct, the court is not barred from according such relief.” 2016 WL 6473215, at *7.

Federal courts are wary of parties seeking the enforcement of cannabis contracts. If there is any possibility that the issuance of a court order enforcing the contract would result in a party violating the CSA, federal courts are likely to deny relief.

State Laws Protecting the Enforceability of Cannabis Contracts

At the state level, legislatures in some states that have legalized cannabis for adult use have enacted laws to protect the enforceability of cannabis contracts. These statutes specifically exempt commercial cannabis activities from general laws voiding contracts that are in furtherance of illegal activities. Examples of these state laws include:

Massachusetts: In December 2016, Massachusetts enacted a statute providing that “[c]ontracts pertaining to marijuana enforceable” and providing that contracts entered into by cannabis licensees or their agents, or by landlords of cannabis licensees, “shall not be unenforceable or void exclusively because the actions or conduct permitted pursuant to the license is prohibited by federal law.” (Mass. Gen. Laws ch. 94G, § 10)

California: In January 2019, California enacted a statute providing that “commercial activity relating to medicinal cannabis or adult-use cannabis conducted in compliance with California law and any applicable local standards, requirements, and regulations” shall be deemed the lawful object of a contract and not contrary to law or against public policy, notwithstanding any law that requires all contracts have a “lawful object” under state or federal law. (Cal. Civil Code § 1550.5)

Nevada: In 2016, a ballot initiative was passed in Nevada, which was then codified under state law, declaring “[i]t is the public policy of the People of the State of Nevada that contracts related to the operation of marijuana establishments under this chapter should be enforceable,” and that such contracts “shall not be deemed unenforceable on the basis that the actions or conduct permitted pursuant to the license are prohibited by federal law.” (N.R.S. § 678B.610).

Similar statutes have been enacted in other states, including in Oregon (January 2018), Michigan (December 2018), Illinois (June 2019) and Colorado (January 2020). See Or. Rev. Stat. § 475B.535 (In Oregon, “[a] contract is not unenforceable on the basis that” commercial cannabis activity legal in Oregon is illegal under federal law); Colo. Rev. Stat. § 13-22-601 (similar to Oregon); Mich. Comp. Laws § 333.27960 (Public policy in Michigan is that “…contracts related to the operation of marihuana establishments [are] enforceable.”); 410 Ill. Comp. Stat. § 705/55-75 (similar to Michigan).

However, many states that have legalized cannabis do not have statutes exempting contracts relating to cannabis activities from the illegality defense.

Contracting Tips for Cannabis Companies

Notwithstanding the uncertainty and inherent risks caused by the conflict between federal and state law, there are certain steps parties entering into commercial cannabis agreements can take to protect their contractual rights, including:

  1. Always include a forum selection clause specifying resolution of disputes in state court and waiving any right to remove the dispute to federal court.
  2. If entering into an agreement in a state that has enacted a statutory provision exempting cannabis contracts from the illegality defense, consider selecting that state’s law (as opposed to New York or Delaware law, which are often the jurisdictions of choice for transactional lawyers who don’t know better) in a choice of law provision.
  3. If neither the parties nor the performance of the agreement have any nexus to a state that has enacted a statutory provision protecting the enforceability of cannabis contracts, consider incorporating the contracting entity in one of those states. In the same way that Delaware is the jurisdiction of choice for incorporating most companies, a state like California may on balance be the better choice for cannabis industry participants due to the legal recognition of commercial cannabis activity.
  4. Consider using an arbitration clause in commercial cannabis agreements. These clauses require parties to arbitrate disputes that may arise in connection with the agreement. As a general rule, arbitration is both more efficient and less expensive than litigation, and arbitrators are less likely than federal judges to refuse to enforce an agreement because it relates to federally illegal cannabis activity.

Conclusion

Notwithstanding expanding legalization at the state level, and general federal tolerance of the state-legal cannabis industry, federal courts remain a dangerous place for cannabis companies. If possible, cannabis companies should specify state court (or arbitration) for resolution of disputes in their contracts, and they should choose a state law that expressly excludes cannabis contracts from the illegality doctrine.

References

  1. Cannabis is legal for medical purposes in 33 states plus the District of Columbia; cannabis is legal for adults over 21 in 11 states plus the District of Columbia. Approximately 76.5% of the population of the United States lives in a state with some form of legal cannabis. See https://www.census.gov/data/tables/time-series/demo/popest/2010s-state-total.html#par_textimage_1574439295. This figure excludes Texas, which has a limited medical cannabis program as of this writing. However, if Texas is included, then over 85% of the population lives in a state with some form of legal cannabis.

Processes, Protocols and Layers of Protection: Essential Security Measures for the Medical Cannabis and Hemp Industries

By Joshua Wall
No Comments

As legalization of cannabis products from hemp to medical cannabis takes root across the U.S., there’s a growing need to understand and build good security practices. While many think of security as safeguarding assets like facilities and product, effective security does much more. It protects a business’ workers, providing them secure workplaces and incomes. Ideally, it reaches from supply chain to customers by ensuring consistently safe products.

To truly understand the value of this for a brand or for the industry as a whole, consider the opposite: the destructive effect – on a brand and on the industry at large – of unsafe or tampered product reaching customers, or of crimes occurring, just as the industry seeks to demonstrate its validity and benefits. Security is vital not only to individual farmers, processors or customers but to all who value what the industry brings to those who rely on CBD or medical cannabis products for their wellbeing.

Know the Threats.

Part of the learning process involves understanding the value of the product.Security is all about anticipating and reducing risks. These can include physical threats from natural sources – think flood, fire, tornado or crop fail – or from human threats. Human threats can arise from organized criminals, hackers, amateur thieves, vandals – or insiders.

As regulated industries, hemp and cannabis businesses also face risk of losses, which can be significant, from penalties ranging from fines to being shut down for non-compliance. While rules vary from state to state and continue to change, a disciplined approach to security is foundational to reducing risk at many levels. Rigorous operational processes must incorporate security that addresses risks at multiple points of access, transport and sale of products.

Learn the Rules.

In a rapidly evolving industry, one of the most important things producers can do is to learn. Security requirements vary by region and providers need to be aware of what is available. Get to know your state, local and federal resources for your operating area. California law, for example, specifies use of high-resolution video surveillance in dispensaries, while others do not.

Joshua Wall, Chief Operating Officer at Harvest Connect LLC

Part of the learning process involves understanding the value of the product. With medicinal cannabis, it’s helpful to grasp both its commodity value and the street value that could make it attractive to thieves. In “Why Marijuana Plant Value is So Important for Adjusters,” Canadian Underwriter Magazine gave examples that indicate the size of losses that may occur in growing and processing operations:

“In the medical marijuana space, ClaimsPro has already seen losses primarily between $150,000 and $750,000. These losses, mostly on Vancouver Island, were for fire and water damage, as well as boiler machinery issues, physical damage to buildings and specialized greenhouse equipment, as well as extra expense and business interruption.”

The same article notes a claim over $20 million at another single flower greenhouse. Security needs to reflect what’s present on our premises.

Educating the community can reduce risk as well. Producers of industrial hemp may need to inform would-be thieves that what they are looking at is not street-valued product. To protect the crops, which are generally grown outdoors and do not require a full security detail, a best practice is simply posting signs on the property that say explicitly “No THC.” 

Begin with a Risk Assessment.

Security begins with a professional evaluation of site vulnerabilities, examining key weaknesses that could be exploited by attackers. These include:

  • Monitoring access to the site is a foundational principle of security.
  • Design limited access points into the facility as well as prepare for possible facility breaches with perimeter access control, technological redundancies and ballistic glass for defensive architecture measures.
  • Look at route vulnerabilities as well.
  • Hedge site risk by not limiting your operation to a single site where one incident could wipe out an entire year’s crop.

The nature of threats is always changing. A 2018 Newsweek article described the struggles of legal cannabis farmers against illegal and potentially cartel-backed and violent operations in California. While a 2020 Business Insider report described indications that legalization was prompting some cartels to leave cannabis alone and move on to fentanyl and meth. “While Mexican drug cartels made their money predominantly from marijuana in past decades, the market has somewhat dissipated with the state-level legalization of cannabis in dozens of states across the US.”

Define Levels of Risk and Access.

The best security matches spending to risk in a commonsense way. Are you more at risk from the occasional smash and grab incident or is there reason to anticipate an organized assault? As in many industries, the greatest risk often comes from employee fraud or theft. Hiring carefully, paying fairly and training staff well are important to long term security.

Iron Protection Group in a training session
Image credit: Tampa Bay Times

How will the product be moved around within the facility and beyond it – and what staff are responsible for each part of the journey? Who can enter the cultivation areas and what protocols must they follow? On site staff should be trained on what to look for if they observe a security breach. Consider biometrics such as retinal scans, fingerprint scans or similar.

In cases where valuable product or cash is present, guards can play an important role. Harvest Connect uses only high-level former military or police officers in these roles, an approach recognized by many. Hunter Garth of Iron Protection Group notes they have “the ability to de-escalate a potentially harmful situation and the fortitude to see a mission through to completion, no matter what external circumstances may arise.”

Inventory and Transaction Controls

Inside threats from sloppy processes can be just as insidious as attacks. Poor tracking of inventory by Oregon’s legal cannabis producers made headlines in 2018 as The Oregonian reported, “U.S. Attorney Billy Williams told a large gathering that included Gov. Kate Brown, law enforcement officials and representatives of the cannabis industry that Oregon has an ‘identifiable and formidable overproduction and diversion problem.’’ Discipline, applied by state pressure but carried out by producers themselves, has begun to reduce the diversion of untracked product into the black market a year later.

Cannabis businesses need a professional approach to monitoring all product and money that moves through its systems. These operational processes can include time, date and attendance stamps on all inventory. Similarly, accounting systems and software must follow the highest professional standards. Lastly, when breaches occur, it is essential that fraud and theft are caught, eliminated and prosecuted as appropriate.

Nurturing an Emerging Industry

Security resources are an integral part of maintaining the integrity of a business’ supply chain. As the product moves from the fields to processing centers to consumers, purity assurance becomes an operational objective. Ultimately, protecting the product through secure and professional practices is the optimal way to serve customers, build a brand, and sustain the industry.

Soapbox

Cannabis Growers and Distributors: Your Cyber Risk is Growing Like Weeds

By Emily Selck
No Comments

Cannabis growers and distributors are “green” when it comes to cyber security. Unaware of the real risks, cannabis businesses consistently fall short of instituting some of the most basic cybersecurity protections, leaving them increasingly vulnerable to a cyber-attack.

Cannabis businesses are especially attractive to hackers because of the vast amount of personally identifiable and protected health information they’re required to collect as well as the crop trade secrets they store. With businesses growing by leaps and bounds, and more and more Americans and Canadians purchasing cannabis, cybercriminals are likely to increase their attacks on the North American market in the coming year. Arm your cannabis business with the following best practices for growers and distributors.

Distributor Risk = A Customer’s PII

Cyber risk is the greatest for cannabis distributors, required to collect personal identifiable information (PII), including driver’s licenses, credit cards, medical history and insurance information from patients. State regulatory oversight further compounds the distributor’s risk of cyber-attack. If you’re a cannabis distributor, you’ll want to make sure to:

  • Know where you retain buyer information, and understand how it can potentially be breached. Are you scanning driver’s licenses into a database, or retaining paper files? Are you keeping them in a secure area off site, or on a protected network? Make sure a member of your management team is maintaining compliance with HIPAA and state statutes and requirements for cannabis distribution.
  • Institute strong employee oversight rules. Every employee does not have to have access to every sale, or your entire database of proprietary customer information. Delegate jobs behind the sales desk. Give each employee the access they need to do their job – and that’s it.
  • Distributors have to protect grower’s R&D information too. Most cannabis distributors have access to their grower’s proprietary R&D information so they can help customers understand which products are best for different medical symptoms/needs. Make sure your employees don’t reveal too much to put your suppliers in potential risk of cyberattack.

Grower Risk = Crop Trade Secrets

For cannabis growers, the risk is specific to crop trade secrets, research and development (R&D). If you’re a cannabis grower, you’ll want to:

  • Secure your R&D process. If you’ve created a cannabis formula that reduces anxiety or pain or boosts energy, these “recipes” are your competitive advantage – your intellectual property. Consider the way you store information behind the R&D of your cannabis crops. Do you store it on electronic file, or a computer desktop? What type of credentials do people need to access it? Other industries will use a third party cloud service to store their R&D information, but with cannabis businesses that’s typically not the case. Instead, many growers maintain their own servers because they feel this risk is so great, and because their business is growing so fast, there are not yet on the cloud.
  • Limit the number of people with access to your “secret sauce.” When workers are harvesting crop, or you’re renting land from farmers and planting on it, make sure to keep proprietary information in the hands of just the few who need it – and no one else. This is especially important when sharing details with third party vendors.

Cyber coverage is now ripe for picking

Although cannabis businesses are hard to insure – for just about every type of risk – cyber insurance options for cannabis companies have recently expanded, and come down in price. If you’ve looked for cyber coverage in the past and were previously unable to secure it, now is the time to revisit the market.

Know that cyber policy underwriters will do additional due diligence, going beyond the typical policy application, and ask about the types of proprietary information you collect from customers, as well as how you store and access it at a later date. Have this knowledge at your fingertips, and be ready to talk to underwriters about it when you’re bidding for a new policy – and at renewal time.

MJ Freeway Hardships Linger

By Aaron G. Biros
1 Comment

MJ Freeway, a seed-to-sale traceability software company with a number of government contracts, has been making headlines this year for all the wrong reasons. A series of security breaches, website crashes and implementation delays have beleaguered the software company throughout 2017.

Just this morning, the Philadelphia Inquirer reported the company’s services crashed Saturday night and Monday afternoon. That article also mentions an anonymous hacker tried to sell sensitive information from the Washington and Nevada hacks in September. Back in April, when Pennsylvania awarded the state’s contract to MJ Freeway for its tracking system, Amy Poinsett, co-founder and chief executive officer of MJ Freeway told reporters “I think I can confidently say we are the most secure cannabis company in this particular industry.” It is safe to say this is now being called into question.

Earlier this week, New Cannabis Venture’s Alan Brochstein reported that MJ Freeway is unable to meet Washington’s October 31st deadline to integrate their software with the state, forcing customers to manually report data.

Roughly a month ago, Nevada suddenly cancelled their contract with MJ Freeway, just two years into their five-year deal. Back in June, the company’s source code was stolen and published online. And back in January of this year, the company’s sales and inventory system was the target of a cyber attack.

According to an email we obtained, all of MJFreeway’s clients in Spain experienced an online outage, but that services were restored within 24 hours. In an email sent to clients in Spain, the company told customers that the problems were the result of a system failure. “Our initial analysis indicates that this was a system failure and unfortunately none of the data was able to be successfully retrieved from the backup archive due to an error but we can assure you that none of your data was extracted or viewed at any moment,” reads the email. “We are extremely distressed regarding the event that occurred with the system and the service interruption that occurred yesterday. We recognize that this is a situation that is very serious and negatively impacts your club.” The email says that MJ Freeway is addressing those problems in a few ways, one of which being ongoing audits of their data backups. “The event has led us to reconstruct our “hosting environment” in Europe to use the latest technology from Amazon Web Services with the best redundancy, flexibility and security, using the highest stability measures in the AWS environment,” reads the email. While the site will be restored fully, according the email, historical data is lost. The company is working with their clients to help them get data back into the system. 

Ask the Expert: Straight Talk on Safety, Defense and Security, Part II

By Aaron G. Biros, Bruce E. Lesniak, Lezli Engelking
1 Comment

In this week’s Straight Talk on Safety, Defense and Security, we answer a reader’s question about traceability in quality processes and offer some practical advice for building a safety and security strategy. Travis Lodolinsky from Gleason Technology submitted this week’s question. For a response, we sit down with Lezli Engelking, founder of the Foundation of Cannabis Unified Standards (FOCUS), to help answer your questions. If you have questions about safety, defense and security in cannabis, please ask them in the comments section below and we will address them in the next edition of Straight Talk on Safety, Defense and Security.

T. Lodolinsky: How are safety processes being tracked in the industry to ensure regulations and quality assurance are being uniformly enforced throughout?

Lezli Engelking: In related industries, such as herbal products or pharmaceuticals, the FDA has created guidelines, or current good manufacturing processes (CGMP) that control for the quality, consistency and safety of the products being produced. Businesses must be certified by independent third parties to demonstrate they are following CGMP to protect public health and consumer safety. CGMP is a proactive approach to quality assurance. A basic tenant of CGMP is that quality cannot be tested into a product after it is made; quality must be built into the product during all stages of the manufacturing process. One common misconception is that CGMP only covers the process of manufacturing itself. CGMP actually covers all aspects of the production process including materials, premises, equipment, storage, staff training and hygiene, how complaints are handled and record keeping.

Because cannabis is federally illegal in the US, the FDA has not developed cannabis-specific CGMP guidelines, so lawmakers do not have the benefit of having those guidelines available to base regulations on. So to answer your question, state cannabis regulations do not track processes and procedures used by cannabis businesses to control for safety or quality because they do not have the federal guidelines. Instead, most state cannabis regulations currently take a reactive approach to safety, mandating only for testing of the final product. While testing is an extremely important and valuable part of any quality management program, just analytics is not enough.

This is precisely why FOCUS was created and how they assist business owners and regulators, while fulfilling the mission of protecting public health, consumer safety and safeguarding the environment. The FOCUS standards are a cannabis-specific system of guidelines (cannabis-specific current good manufacturing practices) to ensure products are consistently produced according to quality standards. FOCUS provides detailed guidance and independent, third party auditing services for all key aspects of the cannabis industry including cultivation, extraction, infusion, retail, laboratory, security, packaging, labeling and sustainability.

CannabisIndustryJournal: What advice can you offer to cannabis businesses for product safety, defense and security prior to standardization?

Bruce E. Lesniak: Businesses that make products infused with cannabis (I call these businesses “plus one” companies because they produce products that include one more ingredient than traditional food products), require a carefully written master plan that specifically addresses the unique qualities, sensitivities and critical areas of the business. When building a comprehensive plan I address three questions:

  • Why (identify the why, this is your preventative, overarching strategy)?
  • How (addresses the “why question” with products, services and training)?
  • What (what is your reactive strategy that addresses actions and activities to be performed in the event of a breech)?

First and foremost, consumer-facing businesses must safeguard their products to the public. One product recall or illness related incident could spell disaster. Build your plan correctly the first time. Contact an industry expert to review your facility and help build and implement your plan. This will save you money by quickly exposing vulnerabilities and providing corrective measures specific to your business needs and requirements. Even though product safety and defense are closely related to security and should share a complementary strategy, product safety and defense are unique (due to standards and regulations), and should be treated as such.

Banks not accepting industry money complicates normal business operations and security planning, causing retail operations to handle and store large sums of cash. I asked industry expert and security professional, Tony Gallo of Sapphire Protection LLC, what is the single most important piece of security equipment you are currently providing for the retail and dispensary owner? “Design an air tight policy of handling money,” says Gallo. “Remove money often from cash registers and place it into the best safe for your application!”

Spend time familiarizing yourself with all things product safety and defense (there are volumes written on food safety and food defense, thus the “plus one” reference). This a great starting point and protecting the consumer protects your business. When it comes to designing your security application, consult an expert! Take into account that the cannabis industry is unique due to its “plus one” ingredient. Therefore you need to build your security systems, applications and policies to systematically protect your employees, facility, suppliers, transportation, manufacturing, distribution, warehousing, supply chain and brand.

Ask the Expert Series: Straight Talk on Safety, Defense and Security with Bruce Lesniak

By Aaron G. Biros, Bruce E. Lesniak
3 Comments

This is the first part of a series dedicated to understanding more about defense, security and safety as they relate to the cannabis industry, the importance of having standards and some tips for cannabis business plans. Over the next few weeks, we will hear from multiple industry pioneers discussing those topics and offering practical solutions for problems that many cannabis businesses face daily.

Inconsistent laws across multiple states created a fragmented network of regulations for cannabis. Some third parties are filling the gaps between the industry standards and state regulations. The Colorado Marijuana Enforcement Division (MED) and the Washington Liquor and Cannabis Board’s i-502 rule provide guidance on regulations surrounding packaging and labeling, advertising, pesticide use, retail and other areas.

Still there are many opportunities to fill the gaps. The Foundation of Cannabis Unified Standards (FOCUS), is an independent non-profit founded to develop some consistency in standards governing public health, consumer safety and the environment. In cultivation, the third party certification, Clean Green Certified, works to provide some guidance for growing cannabis organically based on USDA organic standards. For laboratories, Washington’s regulations provide some guidance, but organizations like FOCUS, the American Association for Laboratory Accreditation (A2LA) and the Cannabis Safety Institute seek to fill the gaps in laboratory standards along with the ISO 17025 requirements.

Security and defense is one particular area of the cannabis industry that still needs a benchmark for businesses to follow. In this series, we sit down to discuss security, defense and safety with Bruce Lesniak, president of the Food Safety and Defense Institute and member of the oversight committee for the establishment of standards in the cannabis industry in conjunction with FOCUS.

Cannabis Industry Journal: What changes do you see coming to the cannabis industry related to product safety, defense and security? 

Bruce Lesniak: As in every industry that provides a public consumable product, the primary objective is to protect the consumer by providing products that are consistently safe. The largest change coming to the cannabis industry will be the implementation of enforceable, nationally uniform standards across all states and all product lines. I believe that the standards and regulations developed for the cannabis industry will mirror those of the food industry. Companies are already busy working to develop this uniform standard, one such group is FOCUS. Founded by Lezli Engelking, FOCUS works with diverse professionals from regulatory, quality assurance, medical, law enforcement, business, research, and the government officials, medical and research professionals along with subject matter experts from numerous business disciplines across the industry to develop impartial, comprehensive, cannabis specific standards that will be presented for adoption by state and federal governing bodies. Lezli summarizes the FOCUS Mission as “ To protect public health, consumer safety, and safeguard the environment by promoting integrity within the cannabis industry.” Look for more on this in our next Ask the Expert update, on CannabisIndustryJournal.com or you can contact Lezli Engelking at FOCUS here: 866-359-3557 x101.

This series will highlight important issues involving security, defense and safety in the cannabis industry. Next week, Bruce, along with cannabis security professional, Tony Gallo of Sapphire Protection, will provide some advice on what companies can do to improve their master business plan. Stay tuned for next week’s Part II of Ask the Expert: Straight Talk on Safety, Defense and Security with Bruce Lesniak.