Tag Archives: oversight

Soapbox

Cannabis Growers and Distributors: Your Cyber Risk is Growing Like Weeds

By Emily Selck
No Comments

Cannabis growers and distributors are “green” when it comes to cyber security. Unaware of the real risks, cannabis businesses consistently fall short of instituting some of the most basic cybersecurity protections, leaving them increasingly vulnerable to a cyber-attack.

Cannabis businesses are especially attractive to hackers because of the vast amount of personally identifiable and protected health information they’re required to collect as well as the crop trade secrets they store. With businesses growing by leaps and bounds, and more and more Americans and Canadians purchasing cannabis, cybercriminals are likely to increase their attacks on the North American market in the coming year. Arm your cannabis business with the following best practices for growers and distributors.

Distributor Risk = A Customer’s PII

Cyber risk is the greatest for cannabis distributors, required to collect personal identifiable information (PII), including driver’s licenses, credit cards, medical history and insurance information from patients. State regulatory oversight further compounds the distributor’s risk of cyber-attack. If you’re a cannabis distributor, you’ll want to make sure to:

  • Know where you retain buyer information, and understand how it can potentially be breached. Are you scanning driver’s licenses into a database, or retaining paper files? Are you keeping them in a secure area off site, or on a protected network? Make sure a member of your management team is maintaining compliance with HIPAA and state statutes and requirements for cannabis distribution.
  • Institute strong employee oversight rules. Every employee does not have to have access to every sale, or your entire database of proprietary customer information. Delegate jobs behind the sales desk. Give each employee the access they need to do their job – and that’s it.
  • Distributors have to protect grower’s R&D information too. Most cannabis distributors have access to their grower’s proprietary R&D information so they can help customers understand which products are best for different medical symptoms/needs. Make sure your employees don’t reveal too much to put your suppliers in potential risk of cyberattack.

Grower Risk = Crop Trade Secrets

For cannabis growers, the risk is specific to crop trade secrets, research and development (R&D). If you’re a cannabis grower, you’ll want to:

  • Secure your R&D process. If you’ve created a cannabis formula that reduces anxiety or pain or boosts energy, these “recipes” are your competitive advantage – your intellectual property. Consider the way you store information behind the R&D of your cannabis crops. Do you store it on electronic file, or a computer desktop? What type of credentials do people need to access it? Other industries will use a third party cloud service to store their R&D information, but with cannabis businesses that’s typically not the case. Instead, many growers maintain their own servers because they feel this risk is so great, and because their business is growing so fast, there are not yet on the cloud.
  • Limit the number of people with access to your “secret sauce.” When workers are harvesting crop, or you’re renting land from farmers and planting on it, make sure to keep proprietary information in the hands of just the few who need it – and no one else. This is especially important when sharing details with third party vendors.

Cyber coverage is now ripe for picking

Although cannabis businesses are hard to insure – for just about every type of risk – cyber insurance options for cannabis companies have recently expanded, and come down in price. If you’ve looked for cyber coverage in the past and were previously unable to secure it, now is the time to revisit the market.

Know that cyber policy underwriters will do additional due diligence, going beyond the typical policy application, and ask about the types of proprietary information you collect from customers, as well as how you store and access it at a later date. Have this knowledge at your fingertips, and be ready to talk to underwriters about it when you’re bidding for a new policy – and at renewal time.

Farm Bill Analysis: Is Hemp Legal Now?

By Aaron G. Biros
No Comments

On December 20, President Trump signed the Agriculture Improvement Act of 2018 (the Farm Bill) into law, which included an important change to the way federal agencies regulate hemp farming and production. The Farm Bill essentially removes hemp-derived cannabidiol (CBD) from the Controlled Substances Act in states that choose to regulate it. It strips the Drug Enforcement Agency’s (DEA’s) authority from outlawing hemp and gives states the ability to regulate hemp markets on their own, with approval from the United States Department of Agriculture (USDA).

This gives the USDA the authority to regulate hemp farming, providing for things like access to banks, insurance, grants, certifications and gets rid of the need for a pilot program, which was previously the case under the 2014 Farm Bill. It also defines hemp a little better, to include cannabinoids, derivatives and extracts.

According to Aaron Smith, executive director of the National Cannabis Industry Association (NCIA), the signing of the Farm Bill is a crucial step towards full legalization. “The lifting of the federal ban on non-psychoactive hemp is a concrete sign that the ‘reefer madness’ which first led to its criminalization is finally coming to an end,” says Smith. “This Farm Bill is a step in the right direction for comprehensive cannabis policy reform and will help fuel discussions in Congress about the best ways to end federal prohibition and create a regulated national cannabis market.”

FDAlogoHowever, one particularly important caveat needs to be mentioned: The Food and Drug Administration (FDA) still retains regulatory authority over CBD products. In a statement released the same day that the Farm Bill was signed, the FDA addressed their oversight capabilities. “We’ll take enforcement action needed to protect public health against companies illegally selling cannabis and cannabis-derived products that can put consumers at risk and are being marketed in violation of the FDA’s authorities,” reads the FDA statement. “The FDA has sent warning letters in the past to companies illegally selling CBD products that claimed to prevent, diagnose, treat, or cure serious diseases, such as cancer. Some of these products were in further violation of the FD&C Act [Federal Food, Drug and Cosmetics Act] because they were marketed as dietary supplements or because they involved the addition of CBD to food.”

The Farm Bill signing opened the doors for hemp cultivation and production in the United States.What the FDA said in their statement is crucial information for those developing hemp-derived products. They recommend that companies use traditional pathways to get approval from the FDA to market their products, providing the Epidiolex example where the drug manufacturer used clinical studies to prove the drug’s efficacy.

The FDA also notes that there are circumstances “in which certain cannabis-derived compounds might be permitted in a food or dietary supplement.” That means they are exploring opportunities for companies to develop, manufacture and market legal CBD products without going through the extensive drug approval process.States need to establish programs approved by the USDA and companies need to cooperate with the FDA, taking the necessary steps to get their products and marketing approved.

In the food ingredients realm, they have already taken steps to approve hulled hemp seeds, hemp seed protein and hemp seed oil as generally recognized as safe (GRAS). “Therefore, these products can be legally marketed in human foods for these uses without food additive approval, provided they comply with all other requirements and do not make disease treatment claims,” reads the FDA statement.

The Farm Bill signing opened the doors for hemp cultivation and production in the United States. It allows farmers to access the same goods and services extended to other commodities farming, it makes conducting business easier across state lines, it will pave the way for more research into hemp as an effective medicine and helps to end the debate over hemp’s legality. But this doesn’t mean any business can just start producing and selling CBD products. States need to establish programs approved by the USDA and companies need to cooperate with the FDA, taking the necessary steps to get their products and marketing approved.

In the coming months and years, we will see which states decide to develop hemp cultivation programs and how the proliferation of hemp-derived products will evolve under FDA regulatory oversight.

OLCC-Logo

Audit Finds Oregon Lacking Regulatory Oversight and Proper Security

By Aaron G. Biros
No Comments
OLCC-Logo

Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of The Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis form being sold on the black market.

The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.

Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of managing user accounts.

Oregon Secretary of State Dennis Richardson
Oregon Secretary of State Dennis Richardson

This audit’s publication is very timely. Most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to the Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the North, Washington, experienced a security breach in its own tracking system.

The problems with the Oregon tracking system’s security features are numerous, the audit says. They found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations not using supported operating systems and a lack of appropriately managing antivirus solutions. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.

The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.

National Association of Cannabis Businesses Announces Launch

By Aaron G. Biros
No Comments

According to a press release, the National Association of Cannabis Businesses (NACB) launches today, becoming the first self-regulatory organization (SRO) for the cannabis industry. With their mission to help compliance, transparency and growth of cannabis companies, they will lead member businesses in establishing voluntary national standards, addressing issues like advertising and financial integrity.

A team of experienced legal regulatory professionals will lead member businesses through a process of developing those standards. Andrew Kline, president of the NACB, was a senior advisor to Vice President and then-Senator Joseph Biden, served as an Assistant United States Attorney in the District of Columbia and in the Enforcement Bureau of the FCC. Their chief executive officer, Joshua Laterman, began working on NACB three years ago, but before that he had two decades of experience as general counsel at global financial and investment institutions. Doug Fischer, their chief legal officer and director of standards, spent the past nine years in cannabis law and financial regulation and enforcement at the law firm Cadwalader Wickersham and Taft.

Andrew Kline, president of NACB

According to the press release, SROs have proven to be effective in other industries at limiting government interference and overregulation, while preserving public safety. FINRA (Financial Industry Regulatory Authority) is an example of an SRO that serves the financial industry. It is a non-governmental organization that helps regulate member brokerage firms and exchange markets, working to help their members stay compliant with regulations set by the Securities and Exchange Commission. Much like the rapid growth of the financial markets over the past 30 years, the cannabis industry is experiencing exponential growth while regulators try to keep up.

“The cannabis industry is on a historical growth trajectory that is expected to continue for years to come, but even the most established, well-run businesses recognize that the future favors the prepared,” says Josh Laterman, CEO of NACB. “As other industries have experienced with their SROs, establishing and committing to voluntary national standards will enable cannabis business owners to demonstrate impeccable business and compliance practices to consumers, regulators, banks and investors.”

According to Doug Fischer, chief legal officer and director of standards, they will focus on a variety of topics that align with the federal enforcement priorities. So these standards might not cover some of the product safety and quality aspects that ASTM International and FOCUS touch on, rather addressing issues like advertising, financial integrity, preventing diversion across state lines, prevention of youth use and corporate responsibility. Another important distinction to make is that an organization like ASTM International sets standards, but the NACB as an SRO is tasked with enforcing them as well.

Doug Fischer, director of standards and chief legal counsel

“From our perspective, businesses have been having a hard time navigating the complex state regulations, particularly those operating in multiple states,” says Fischer. “That is further complicated by the current administration not solidifying their stance on recreational cannabis.” The Cole Memo put out under the Obama Administration set clear federal enforcement priorities, allowing cannabis businesses and states to identify ways to avoid federal government interference or prosecution.

The current administration has done nothing but fuel regulatory uncertainty. This is particularly important given this week’s news regarding the leaders at the Justice Department making inflammatory and threatening statements regarding legal medical cannabis. “It causes these businesses, who should be focused on their own day-to-day operations, instead focusing on complying with what they think the federal government wants and regulatory compliance with state regulations,” says Fischer. “We can help solve that problem by making it easier for companies to become compliant, not only with state regulations but federal guidance as well. This has been proven by other SROs, that if we set our own standards and abide by them, federal regulators might be guided by the industry’s self-policing in determining how to regulate the cannabis industry.” According to Andrew Kline, it could also provide a window of opportunity for better banking access.

The founder and CEO, Joshua Laterman, used to work in the banking industry and recognized the need for a cannabis industry SRO. “He saw an incredible opportunity in a projected $50 billion market by 2026, and as a former banker he saw the opportunity for banks to do business in the industry, but they don’t know who to trust,” says Kline. “Starting a self regulatory organization can help fill that void, allowing companies to identify and put a stamp of approval on a segment of the population that is uber-compliant, therefore giving banks a view into who they should and shouldn’t do business with.” While it won’t immediately resolve the many issues associated with cannabis businesses’ accounting, the NACB could be a major help to smaller businesses looking to prove their worth. “The important point here is that based on the experience of our team, we know what is important to the federal government, and we understand that members will be shaping standards with us, so we will also guide them to federal priorities,” says Kline.

Fischer says a self-regulatory organization is always driven by the industry and needs of the members, but they have the added unique challenge of working in a web of competing governmental interests. “Self-regulatory organizations can shape the future of regulation; we don’t know if or when federal prohibition will end, but if it does, the government is going to look at a variety of areas for regulations,” says Fischer. “We might be able to help shed light on our self-regulating nature and if we can demonstrate the best practices for specific areas, states and even the federal government could look to that, giving our members an advantage.” According to their press release, licensed cannabis growers, dispensaries or any other ancillary business may apply to become members. Some of the founding members include Buds & Roses, Etain, Green Dot Labs, Local Product of Colorado, Matrix NV, Mesa Organics, among others.

Biros' Blog

Washington Changes Course, Selects MJ Freeway as New ASV

By Aaron G. Biros
3 Comments

Two weeks ago, we reported on the State of Washington choosing Franwell as their apparent successful vendor (ASV) for their seed-to-sale traceability system contract. Late last week, the Washington State Liquor and Cannabis Board (WSLCB) sent out an email explaining that they are no longer going with Franwell and the new ASV is MJ Freeway.

The email (left) consisted of a letter sent by Peter Antolin, Deputy Director of the WSLCB, to licensees “who had written to the Board and staff regarding the marijuana traceability Apparent Successful Vendor and RFID tags.” Apparently, the reason behind switching the ASV to MJ Freeway is because Franwell’s system requires only one method for tagging plants- RFID tags. According to the letter, Deputy Director Antolin says the initial request for proposal (RFP) stated that the traceability system needs to support a variety of tagging methods, including bar codes and RFID. “The RFP requirements did not allow a vendor to make any assumptions regarding use of a single tagging methodology or allow vendors to include any such costs affecting the state or our licensees in their proposal,” says Antolin. As they made clear in the previous press release, the ASV is not the official contract winner until they complete negotiations and sign the contract.

On June 7th, Franwell withdrew their proposal for the state’s traceability system, thus Washington went with the second highest scoring vendor, MJ Freeway. Deputy Director Antolin says they submitted a strong bid, but there are still many questions left unanswered. How could such a glaring mistake be overlooked when the state named Franwell the highest scoring bidder? Is MJ Freeway’s system robust enough and capable of handling the state’s cannabis licensees’ traceability requirements even though they were not the highest scoring bidder? The deadline for the new system to be in place is October 31, 2017, which is quickly approaching for such a massive systems overhaul.

The WSLCB’s oversight highlights a few inadequacies with the state’s regulatory agency, particularly their indecision and lack of foresight. So much of the concept behind seed-to-sale traceability rests on Cole Memo compliance. A big reason why some states seek to implement a robust tracking system is to remain compliant with the Cole Memo; preventing diversion to crime organizations with regulatory oversight is a key tool that states use to tell the federal government they are complying with their directive and intend to protect their state’s legal cannabis operations from federal prosecution. Without a proper system in place, the state runs the risk of exposing their entire cannabis market to threats of federal enforcement, a scenario that seems unlikely but could be disastrous to cannabis businesses and the local economy.

The WSLCB needs to get their act together fast.

Pennsylvania to Legalize Medical Cannabis

By Aaron G. Biros
No Comments

HARRISBURG, PAOn Wednesday, the Pennsylvania Legislature approved a bill to legalize medical cannabis. Pennsylvania will be the 24th state to legalize cannabis in the United States. The House voted 149-46, passing bill SB3 and sending it to Governor Tom Wolf, who signed the bill into law on Sunday.

The bill, with a list of seventeen qualifying conditions, will allow for certifying physicians by the Pennsylvania Department of Health and licensing growers and dispensaries. The bill also requires standards for traceability in regulatory oversight, establishing criminal penalties for diversion or falsification of identification cards issued to caregivers and patients.

davereed
House Majority Leader Rep. Dave Reed

House Majority Leader, Rep. Dave Reed (R-Indiana), believes the bill allows for robust regulatory oversight. “[…] I am confident Senate Bill 3 provides all the necessary protections to prevent the abuse of medical cannabis, including its unavailability in leaf form,” says Reed. “This new health care program will be closely monitored and if there are found to be weaknesses in the law down the road, we can certainly make any necessary revisions.”

The measure’s prohibiting the distribution of cannabis in dry flower form follows New York’s policy of only allowing patients to use it in forms other than smoking, such as vaporizing or consuming orally in capsules.

PAMCS

Tom Santanna, director of government relations at the Pennsylvania Medical Cannabis Society, is confident the PA Department of Health is the right organization to regulate medical cannabis. “An important part of the regulatory process includes providing for the safety of cannabis via laboratory testing, and it is our feeling that the PA Department of Health is the correct agency for that task,” says Santanna. “The legislation gives the Department of Health the authority to create standards for safety and it is our goal as an organization to work with them to make sure the proper safeguards are in place.”

State Senator Daylin Leach introduced the bill
State Senator Daylin Leach introduced the bill.

The passing of this legislation will undoubtedly encourage more doctors to consider recommending cannabis as a treatment option in Pennsylvania. Dr. David Casarett, professor of medicine at the Perelman School of Medicine, University of Pennsylvania, believes this could help a number of his patients. “When it becomes legal in Pennsylvania, I will certainly discuss it as an option for some of my patients,” says Casarett. “If it is legal, then at least I will know my patients are getting it from a safe and reliable source, without supporting the illegal drug trade and organized crime.”

State Senator Daylin Leach (D- Montgomery/Delaware) introduced the bill and has introduced medical cannabis legislation in every session since 2009. Steve Hoenstine, spokesperson for State Senator Leach, believes the measure will have the most intensive protections for safety in the country. “Our goal was to create a system that helps as many patients as possible, as soon as possible and as safely as possible,” says Hoenstine. “The seed-to-sale tracking system and the bill’s other protections do just that.” State Senator Leach will deliver the keynote speech at the Innovation in the Cannabis Industry; Technology, Medical & Investment Conference in Philadelphia on April 30.

It is expected to take up to two years to begin the implementation of regulations and allow retailers to open their doors to patients.