Cannabis growers and distributors are “green” when it comes to cyber security. Unaware of the real risks, cannabis businesses consistently fall short of instituting some of the most basic cybersecurity protections, leaving them increasingly vulnerable to a cyber-attack.
Cannabis businesses are especially attractive to hackers because of the vast amount of personally identifiable and protected health information they’re required to collect as well as the crop trade secrets they store. With businesses growing by leaps and bounds, and more and more Americans and Canadians purchasing cannabis, cybercriminals are likely to increase their attacks on the North American market in the coming year. Arm your cannabis business with the following best practices for growers and distributors.
Distributor Risk = A Customer’s PII
Cyber risk is the greatest for cannabis distributors, required to collect personal identifiable information (PII), including driver’s licenses, credit cards, medical history and insurance information from patients. State regulatory oversight further compounds the distributor’s risk of cyber-attack. If you’re a cannabis distributor, you’ll want to make sure to:
Know where you retain buyer information, and understand how it can potentially be breached. Are you scanning driver’s licenses into a database, or retaining paper files? Are you keeping them in a secure area off site, or on a protected network? Make sure a member of your management team is maintaining compliance with HIPAA and state statutes and requirements for cannabis distribution.
Institute strong employee oversight rules. Every employee does not have to have access to every sale, or your entire database of proprietary customer information. Delegate jobs behind the sales desk. Give each employee the access they need to do their job – and that’s it.
Distributors have to protect grower’s R&D information too. Most cannabis distributors have access to their grower’s proprietary R&D information so they can help customers understand which products are best for different medical symptoms/needs. Make sure your employees don’t reveal too much to put your suppliers in potential risk of cyberattack.
Grower Risk = Crop Trade Secrets
For cannabis growers, the risk is specific to crop trade secrets, research and development (R&D). If you’re a cannabis grower, you’ll want to:
Secure your R&D process. If you’ve created a cannabis formula that reduces anxiety or pain or boosts energy, these “recipes” are your competitive advantage – your intellectual property. Consider the way you store information behind the R&D of your cannabis crops. Do you store it on electronic file, or a computer desktop? What type of credentials do people need to access it? Other industries will use a third party cloud service to store their R&D information, but with cannabis businesses that’s typically not the case. Instead, many growers maintain their own servers because they feel this risk is so great, and because their business is growing so fast, there are not yet on the cloud.
Limit the number of people with access to your “secret sauce.” When workers are harvesting crop, or you’re renting land from farmers and planting on it, make sure to keep proprietary information in the hands of just the few who need it – and no one else. This is especially important when sharing details with third party vendors.
Cyber coverage is now ripe for picking
Although cannabis businesses are hard to insure – for just about every type of risk – cyber insurance options for cannabis companies have recently expanded, and come down in price. If you’ve looked for cyber coverage in the past and were previously unable to secure it, now is the time to revisit the market.
Know that cyber policy underwriters will do additional due diligence, going beyond the typical policy application, and ask about the types of proprietary information you collect from customers, as well as how you store and access it at a later date. Have this knowledge at your fingertips, and be ready to talk to underwriters about it when you’re bidding for a new policy – and at renewal time.
When it comes to compliance for cannabis startups, the ISO 9000 family of standards reigns supreme. Providing the guidelines for the concepts that make up a quality management system (QMS), the ISO family is composed of five standards: ISO 9000, 9001, 9002, 9003 and 9004. Outside of ISO 9001, ISO 9000 is the most important because it creates the foundation that guides all of the other standards.
ISO 9000 is split into two sections: fundamentals and vocabulary. Fundamentals covers the basic principles of quality management and the vocabulary section is a dictionary of quality management terminology. ISO 9000 is crucial because it provides direction on proper QMS implementation that will lead to achieving an ISO 9001 certification.
While the entire ISO 9000 family is focused on quality management systems that aim to help organizations “ensure that their products and services consistently meet customer’s requirements and that quality is consistently improved,” ISO 9001 is the only standard that lists actual requirements and requires certification.Cloud-based quality management software provides the flexibility and scalability, that cannabis startups need to comply with ISO 9001
Quality Management Systems (QMS)
When conceptualizing “quality management,” it is best to think of it as an organization’s definition of how it will meet the quality requirements of customers and other stakeholders who are affected by its work. Implementing this requires an extensive alignment of company processes and procedural governance.
It’s easiest to think of a QMS as the facilitator of outlined processes that are required to fulfill ISO 9001 requirements. For example, if an organization has defined a change request process, it could use a cloud-based QMS to put that process in place. However, the benefits of a cloud-based QMS don’t have to end at ISO 9001. It can also help organizations comply with other regulations like GxP.
ISO 9001 Requirements
ISO 9001 requirements can sound very generic because they’re meant to be applied to any organization, big or small, in any industry. The key to ISO 9001 is the concept of continuous improvement, which is why specific requirements for what “quality” is are not defined. Rather, companies must create objectives and work toward improving processes to meet those objectives. That said, a certified QMS still must do the following:
Meet the requirements of other stakeholders, for example, customer requirements and regulatory standards
Ensure that employees receive training outlining the quality requirements
Determine and document the processes, their interactions and their results
Be able to produce records to prove that system requirements have been met
From creation to disposal, document protocols must be clear and properly followed.With that in mind, ISO 9001’s purpose is to evaluate whether or not a QMS does a good job of managing processes while also being able to help organizations identify areas that need improvement. In simple terms, ISO 9001 helps companies who were making an excellent product most of the time, make an excellent product every time.
How can cloud quality management software help you get your ISO 9001 certification? Once you create processes that adhere to ISO 9001 quality management standards, you have to put them into practice. Enter: quality management software. But, how exactly does it help?
Optimal Time to Value
First, cloud-based software is the most cost-efficient to implement. Secondly, since a QMS needs to be accessible to every employee regardless of whether they work at HQ or on-site, cloud QMS are built to be mobile-friendly and easily accessed from any location.
Automated Document Lifecycles & Version Control
From creation to disposal, document protocols must be clear and properly followed. As up-to-date documents are an important factor in maintaining high levels of quality, the most recent versions of approved documents should be readily available while previous editions should be hidden away.
With cloud quality management software, workflows can automate the review and approval processes by automatically sharing documents with the right reviewers. Then, after the document has been approved, the changes will automatically be applied to the master document while the obsolete version is archived, helping to remove any chance of it being accidentally used after the update.
Easy Document Location & Metadata
According to ISO 9001, searching through an organization’s documents should be as easy as searching with Google. It’s an added bonus when the quality management software enables users to add custom metadata to documents. Metadata is just extra information that helps to define a document (like file size, type, date modified). With certain cloud-based QMS’, you can add custom metadata fields to make documents easier to find. For example, you can add an “expiration date” field that allows you to look up policies based on when they are set to expire.With the growing number of data breaches happening every year, it’s important to address the security components of a QMS.
In order to pass any ISO 9001 audit, there needs to be a complete audit trail for every document, including active documents and the earlier archived versions. While this might seem like a big ask, cloud quality management software helps make this simple. Every single change to a document, regardless of whether it’s the current or past version, is tracked. When combined with automated workflows, you’re able to produce a precise log of every change made by every user.
Advanced User Permissions & Central File Ownership
With the growing number of data breaches happening every year, it’s important to address the security components of a QMS. Many of these issues can be resolved with user permissions, which is generally related to managing users’ editing and sharing access. The proper view, edit, and approval rights go a long way to reducing the risk of human error.
Another feature that may seem like common sense is central file ownership. When the organization owns all of its documents, there’s no need to worry that important files will be lost or deleted. With one owner, the damage that can be inflicted by malicious third-parties is also limited.
Cloud-based quality management software provides the flexibility and scalability, that cannabis startups need to comply with ISO 9001. With the cloud as a foundation, these systems will continue to be assets for the cannabis industry as it gains momentum and expands more.
By Alison J. Baldwin, Brittany R. Butler, Ph.D., Nicole E. Grimm 1 Comment
With legalization of cannabis for medicinal and adult use occurring rapidly at the state level, the industry is seeing a sharp increase in innovative technologies, particularly in the area of cannabis extraction. Companies are developing novel extraction methods that are capable of not only separating and recovering high yields of specific cannabinoids, but also removing harmful chemicals (such as pesticides) from the concentrate. While some extraction methods utilize solvents, such as hydrocarbons, the industry is starting to see a shift to completely non-solvent based techniques or environmentally friendly solvents that rely on, for example, CO2, heat and pressure to create a concentrate. The resulting cannabis concentrate can then be consumed directly, or infused in edibles, vape pens, topicals and other non-plant based consumption products. With companies continually seeking to improve existing extraction equipment, methods and products, it is critical for companies working in this area to secure their niche in the industry by protecting their intellectual property (IP).
Comprehensive IP protection for a business can include obtaining patents for innovations, trademarks to establish brand protection of goods and services, copyrights to protect logos and original works, trade dress to protect product packaging, as well as a combination of trade secret and confidentiality agreements to protect proprietary information and company “know-how” from leaking into the hands of competitors. IP protection in the cannabis space presents unique challenges due to conflicting state and federal law, but for the most part is available to cannabis companies like any other company.
Federal trademark protection is currently one of the biggest challenges facing cannabis companies in the United States. A trademark or service mark is a word, phrase, symbol or design that distinguishes the source of goods or services of one company from another company. Registering a mark with the U.S. Patent and Trademark Office (USPTO) provides companies with nationwide protection against another company operating in the same space from also using the mark.
As many in the industry have come to discover, the USPTO currently will not grant a trademark or service mark on cannabis goods or services. According to the USPTO, since cannabis is illegal federally, marks on cannabis goods and services cannot satisfy the lawful use in commerce requirement of the Lanham Act, the statute governing federal trademark rights. Extraction companies that only manufacture cannabis-specific equipment or use cannabis-exclusive processes will likely be unable to obtain a federal trademark registration and will need to rely on state trademark registration, which provides protection only at the state-level. However, extractors may be able to obtain a federal trademark on their extraction machines and processes that can legitimately be applied to non-cannabis plants. Likewise, companies that sell cannabis-infused edibles may be able to obtain a federal trademark on a mark for non-cannabis containing edibles if that company has such a product line.
Some extraction companies may benefit from keeping their innovations a trade secretSince the USPTO will not grant marks on cannabis goods and services, a common misconception in the industry is that the USPTO will also not grant patents on cannabis inventions. But, in fact, the USPTO will grant patents on a seemingly endless range of new and nonobvious cannabis inventions, including the plant itself. (For more information on how breeders can patent their strains, see Alison J. Baldwin et al., Protecting Cannabis – Are Plant Patents Cool Now? Snippets, Vol. 15, Issue 4, Fall 2017, at 6). Unlike the Lanham Act, the patent statute does not prohibit illegal activity and states at 35 U.S.C. § 101 that a patent may be obtained for “any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof.”
For inventions related to extraction equipment, extraction processes, infused products and even methods of treatment with concentrated formulations, utility patents are available to companies. Utility patents offer broad protection because all aspects related to cannabis extraction could potentially be described and claimed in the same patent. Indeed, there are already a number of granted patents and published patent applications related to cannabis extraction. Recently, U.S. Patent No. 9,730,911 (the ‘911 patent), entitled “Cannabis extracts and methods of preparing and using same” that granted to United Cannabis Corp. covers various liquid cannabinoid formulations containing very high concentrations of tetrahydrocannabinolic acid (THCa), tetrahydrocannabinol (THC), cannabidiol (CBD), THCa and cannabidiolic acid, THC and CBD, and CBD, cannabinol (CBN), and THC. For example, claim 1 of the ‘911 patent recites:
A liquid cannabinoid formulation, wherein at least 95% of the total cannabinoids is tetrahydrocannabinolic acid (THCa).Properly crafted non-disclosure agreements can help further ensure that trade secrets remain a secret indefinitely.
Although the ‘911 patent only covers the formulations, United Cannabis Corp. has filed a continuation application that published as US2017/0360745 on methods for relieving symptoms associated with a variety of illnesses by administering one or more of the cannabinoid formulations claimed in the ‘911 patent. This continuation application contains the exact same information as the ‘911 patent and is an example of how the same information can be used to seek complete protection of an invention via multiple patents.
An example of a patent application directed to solvent-based extraction methods and equipment is found in US20130079531, entitled “Process for the Rapid Extraction of Active Ingredients from Herbal Materials.” Claim 1 of the originally filed application recites:
A method for the extraction of active ingredients from herbal material comprising: (i) introducing the herbal material to a non-polar or mildly polar solvent at or below a temperature of 10 degrees centigrade and (ii) rapidly separating the herbal material from the solvent after a latency period not to exceed 15 minutes.
Claim 12, covered any equipment designed to utilize the process defined in claim 1.
Although now abandoned, the claims of this application were not necessarily limited to cannabis, as the claims were directed to extracting active ingredients from “herbal materials.”
Other patents involve non-toxic extraction methods utilizing CO2, such as Bionorica Ethics GMBH’s U.S. Patent No. 8,895,078, entitled “Method for producing an extract from cannabis plant matter, containing a tetrahydrocannabinol and a cannabidiol and cannabis extracts.” This patent covers processes for producing cannabidiol from a primary extract from industrial hemp plant material.
There have also been patents granted to cannabis-infused products, such as U.S. Patent No. 9,888,703, entitled “Method for making coffee products containing cannabis ingredients.” Claim 1 of this patent recites:
A coffee pod consisting essentially of carbon dioxide extracted THC oil from cannabis, coffee beans and maltodextrin.
Despite the USPTO’s willingness to grant cannabis patents, there is an open question currently regarding whether they can be enforced in a federal court (the only courts that have jurisdiction to hear patent cases). However, since utility patents have a 20-year term, extractors are still wise to seek patent protection of the innovations now.
Another consideration in seeking patent protection for novel extraction methods and formulations is that the information becomes public knowledge once the patent application publishes. As this space becomes increasingly crowded, the ability to obtain broader patents will decline. Therefore, some extraction companies may benefit from keeping their innovations a trade secret, which means that the secret is not known to the public, properly maintained and creates economic value by way of being a secret. Properly crafted non-disclosure agreements can help further ensure that trade secrets remain a secret indefinitely.
Regardless of the IP strategy extractors choose, IP protection should be a primary consideration for companies in the cannabis industry to ensure the strongest protection possible both now and in the future.
A number of cannabis businesses have pursued federal intellectual property protection for their cannabis-related innovations, such as U.S. patents that protect novel cannabis plant varieties, growing methods, extraction methods, etc. Enforcement of such federal IP rights requires that the IP owner file suit in federal court asserting those rights against another cannabis company. However, given that cannabis is still illegal under federal law, the industry is uncertain about whether a federal court will actually enforce cannabis-related IP rights. This question might be answered soon.
The potential impact of this case goes way beyond the two parties involvedOrochem Technologies, Inc. filed a lawsuit in federal court in the Northern District of Illinois on September 27, 2017, seeking to assert and enforce trade secret rights against Whole Hemp Company, LLC. According to the complaint, Orochem is a biotechnology company that uses proprietary separation methods to extract and purify cannabidiol (CBD) from industrial hemp in a way that produces a solvent-free and THC-free CBD product in commercially viable quantities.
The complaint goes on to say that Whole Hemp Company, which does business as Folium Biosciences, is a producer of CBD from industrial hemp and that Folium engaged Orochem to produce a THC-free CBD product for it. According to the allegations in the complaint, Folium used that engagement to gain access to and discover the details of Orochem’s trade secret method of extracting CBD so that it could take the process and use it at their facility.
The complaint provides a detailed story of the events that allegedly transpired, which eventually led to an Orochem employee with knowledge of the Orochem process leaving and secretly starting to work for Folium, where he allegedly helped Folium establish a CBD production line that uses Orochem’s trade secret process. When Orochem learned of these alleged transgressions, it filed the lawsuit, claiming that Folium (and the specific employee) had misappropriated its trade secret processes for extracting and purifying CBD.
While the particular facts of this case are both interesting and instructive for companies operating in the cannabis industry, the potential impact of this case goes way beyond the two parties involved.
If it moves forward, this case will likely provide a first glimpse into the willingness of federal courts to enforce IP rights that relate to cannabis. Orochem is asserting a violation of federal IP rights established under the federal Defend Trade Secrets Act (DTSA) and is asserting those rights in federal district court. As a result, the federal district court judge will first need to decide whether a federal court can enforce federal IP rights when the underlying intellectual property relates to cannabis.
If the court ultimately enforces these federal trade secret rights, it could be a strong indication that other federal IP rights, such as patent rights, would also be enforceable in federal court. Since the outcome of this case will likely have a far reaching and long lasting impact on how the cannabis industry approaches and deals with intellectual property, it’s a case worth watching.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.