Tag Archives: privacy

Keep ‘em Safe: Cash, Records, Products, People – Technology Helps Cannabis Businesses Succeed

By Dede Perkins

It wasn't that long ago that cannabis was underground, sometimes literally, and operators protected what was theirs any way they knew how. Before legalization, cannabis operators needed to secure their plants, cash, supplies and equipment not just from people who wanted to steal them, but also from law enforcement. The legacy cannabis market is now transitioning into a legal one, and licensed operators are joining the industry at an incredible rate, but security is still part of the success equation. Like before, operators need to protect plants, products, equipment and cash, but they now also need to protect records, privacy and data, and do so in a manner that complies with state regulations.

Cannabis regulatory authorities set security guidelines that cannabis business owners must follow in order to obtain and renew operational licenses. For instance, there are state-specific security regulations regarding video surveillance, camera placement, safes, ID verification, and more. While security measures help protect the business, they also protect the public. It's a win-win for everyone involved. Here are five best practices and techniques to protect cash, records, products and people.

Hybrid cloud storage

State regulations call for reliable video surveillance footage that is accessible, in most cases, 24/7 and upon demand by cannabis regulatory authorities and local law enforcement acting within the limits of their jurisdiction. SecurityInfoWatch.com reports that video data is the industry's next big investment, meaning there will be an increased demand and need to store video surveillance footage. Most states require video surveillance footage to be retained for a specific amount of time, often 45-90 days or longer if there is an ongoing investigation or case that requires the footage. While some businesses only retain video data for the state-required length of time, others choose to keep it longer.

Storing data on-site can become expensive and precarious. Best practices call for a hybrid cloud storage model, which provides on-site storage along with both public and private cloud storage. This model provides users with the ability to choose which files are stored on-site and which files live in the cloud. Doing so improves file accessibility without impacting or compromising on-premises storage. In addition, it's helpful to have two methods of digitizing data, for safety's sake. In the event an on-site storage method crashes—though hopefully this won't ever happen—there's a version available off-site via the cloud. That said, with cloud-based storage solutions come cybersecurity threats that must be managed.

Cybersecurity

Due to the ongoing COVID-19 pandemic, more businesses are online than ever before. Unsurprisingly, cyberthreats are on an upward trend, including in the cannabis industry. Earlier this year, MJBizDaily reported that a data breach exposed personal information of current and former employees of Aurora Cannabis. The incident involved “unauthorized parties [accessing] data in (Microsoft cloud software) SharePoint and OneDrive.” Although this breach involved only employees, confidential customer information is also at risk of being compromised during a data breach.

On a separate occasion, an unsecured Amazon S3 data storage bucket caused a large-scale database breach that impacted almost 30,000 people across the industry, according to the National Cannabis Industry Association. The breach included scanned versions of government-issued ID cards, purchase dates, customer history and purchase quantities. Unlike the Aurora Cannabis breach, this one included customer data. 

Just like other more established industries, the cannabis industry needs to protect and secure confidential data. If you don't have a cybersecurity expert on your team, consider hiring a consultant to evaluate your risk or partnering with a credible cybersecurity technology company to implement proactive solutions. Before signing a contract, do your due diligence. Does the consultant and/or technology company understand the compliance regulations specific to the cannabis industry? Do their solutions meet the regulations in the state(s) where your facility operates? Taking the time to protect your company's data before a breach occurs is proactive, smart business.

Smart Safes 

Smart safes help secure cash handling, which, given the difficult banking environment for cannabis companies, means they're on the list of best practice security technology products. What is a smart safe? A smart safe is a device that securely accepts, validates, records and stores cash and connects to other cash management technology solutions such as point of sale systems. They connect to the internet and provide off-site stakeholders visibility into a facility's cash position.

A high-speed smart safe counts cash faster than a human can by hand and is an overall more secure way to deliver cash bank deposits. At the end of the night, making a deposit at a physical bank location can be dangerous, exposing your cash and the individuals responsible for making the deposit to unsecured threats. Using a smart safe reduces that threat and also helps cannabis operators comply with financial recordkeeping and documentation requirements. Due to federal cannabis prohibition, many cannabis businesses lack enough insurance to fully cover their exposure to cash theft, which has led to a trending industry-wide investment in smart safes.

Advanced access control

Best practice access control means more than a ring of keys hanging off the facility manager's belt. Advanced access control gives cannabis business owners and managers the ability to manage employee access remotely via the cloud. This feature can limit access areas within a facility, enabling an individual to revoke access instantly from a remote location, making it a useful tool in the event of a facility lockdown or emergency. A mobile app and/or website can be used to lock or unlock secure doors, monitor access in real time and export access logs.

Advanced access control devices aren't a standard in the industry yet. Although many state regulators don't require cannabis businesses to utilize advanced electronic access control, using this technology is a best practice and may be required in the future.

Compliance software 

Understanding the ramifications and keeping up with state-mandated compliance is challenging. While state regulations can be found online, they're often in pieces, leaving operators unsure about whether or not they have them all. Once an operator is confident that they have the most current version of all the laws, rules, and regulations that apply to their cannabis business, making their way through the dense legal jargon can be exhausting. Even after multiple readings, it can be unclear how to apply these guidelines to the operator's cannabis business, which is one reason cannabis businesses work with a trusted legal counsel to meet compliance requirements. For trusted advisors and cannabis business licensees and operators alike, cannabis compliance software solutions are designed to not just check boxes for a cannabis business, but to help everyone involved understand how the regulations apply to the operation. These solutions improve accessibility so that employees at all organizational levels understand the rules and requirements of their position and the products they work with.

In addition, compliance software can help licensees and operators establish and implement best practice SOPs to meet regulatory requirements. Because the cannabis industry is young and many operators are moving fast, many cannabis businesses are vulnerable to security breaches and threats. Prioritizing security and compliance can help cannabis leaders protect against potential threats. Investing in the latest and most innovative security technology solutions—beyond what is required by state regulations—can help operators outsmart those who seek to steal from them and position their companies as industry leaders that prioritize safety and compliance, protecting not just cash and products, but the people who work in their facilities and the customers who purchase their products.

Cannabis Registry Reality Check: Privacy Must be Paramount

By Shadrach White

The task of preserving privacy for any records platform, especially a cannabis registry, cannot simply be relegated to ones and zeros lurking in some forgotten codebase. This past year taught us many lessons, especially related to the trauma unleashed by vulnerabilities in government domains. We learned time and again that a registrant’s privacy must be the first order of business for the architects of registries.

But the first order of business isn’t the last order of business. That intention and effort to secure privacy must then be communicated and reinforced through real-world reality checks.

Lapses in data security and rising distrust for government institutions block the efficacy of well-intentioned and vital registries. Those states launching new registries in 2021 are at a precarious crossroads as public trust erodes.

As I write this, we’ve just learned illicit operators hacked a third-party service provider for the Washington State Auditor’s office. The attack compromised the personal data of 1.4 million users seeking unemployment benefits. Security hacks are a cautionary tale, whose impact is felt too often.

But many in the government sector are staring at a once-in-a-generation challenge to launch new registries – those related to cannabis – with privacy top-of-mind from the initial Request For Bid.

Here’s how:

Table Stakes for New Cannabis Registries

These suggestions are just the beginning, and I see them as the minimum buy-in to begin the architecture of a new cannabis registry. They include:

  • End-to-end data encryption while in transit and within the system while the data is at rest.
  • A solution that is a cloud-native web application which is managed as a service for maximum uptime and strong security posture.
  • Registries should also leverage algorithms and machine learning to ensure accurate data entry by analyzing incorrect or duplicate data before it is saved within the system.

Beyond HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires privacy and security measures to protect Personal Health Information (PHI). Debate exists on whether compliance is a requirement for all entities transacting in the medicinal cannabis space. While some state registries are exempt from HIPAA, others choose to provide HIPAA compliance not just for the optics, but the known benefit to users’ privacy and confidence. New cannabis registries should commit to HIPAA-compliance to set a trusted new privacy standard for medical patient credentials and legal authorization for the use of cannabis for medical purposes.

That’s just the start. Registries should also ensure SOC2 Type II certification, which safeguards security, site availability, confidentiality and privacy through independent third-party auditors.

Connect with Confidence

Registries function as a hub of information in an often-confusing cannabis space. The California Bureau of Cannabis Control displays more than 25 links wired into its top navigation bar alone. Each link sends the curious to new resources. Registries must establish themselves as credible resources, especially when directing users to third-party sites.

One example is for cannabis registries to provide secure access to healthcare professionals who are verified by the Drug Enforcement Agency (DEA). These healthcare professionals are licensed to distribute controlled substances including cannabis. Each third-party link should offer the same high-level of scrutiny to enshrine confidence and credibility in the registry.

Next-Generation ID Cards

A cannabis registry card should not just be a document, but a toolset that attests to the identity and the authority of the carrier represented. An illicit counterfeiting market seeks to exploit registry card vulnerabilities. Next generation ID cards present the best defense against counterfeiting and illegal use with robust security measures. That starts with assuring that any credential is mobile ID compatible with iOS Wallet and GooglePay for mobile identification.

ID cards should also include:

  • The automated modification of the document bearer’s photograph to ICAO (International Civil Aviation Organization) standards. This critical modification makes the photograph easier to use for ID verification; it also facilitates the detection of photograph substitution.
  • A two-dimensional barcode that compiles information contained in a one-dimensional barcode. It also delivers confirmation of other data shown on the card or in the system such as license authorization and limitations.
  • Additional material added to the physical document, such as holograms, UV image, micro-printing or laser perforations, which offers another level of protection against illicit use or counterfeiting.

While cannabis registries are the beginning, they’re not the end. Driving efficacy for government registries needed for COVID-19 track-and-tracing, cannabis plant track-and-tracing and vaccine distribution requires the same attention to privacy, security and ultimate usability. A sea change is required – not just for the sake of those who use the registries but also for those who must implement, deploy and maintain those registries. The question isn’t when these privacy-first registries will be implemented, it’s a question of whether they’ll be implemented proactively ahead of hacks or after the damage is done. I believe the government sector leaders exploring new cannabis registries offer the wisdom and foresight to choose the proactive approach.

Why Does GDPR Matter for The Cannabis Industry?

By Marguerite Arnold

The global cannabis industry is hitting thorny regulatory challenges everywhere these days as the bar is raised for international commerce. First it was recognition that the entire production industry in Canada would basically have to retool to meet European (medical and food) standards. And that at least for now for the same reasons, American exports are basically a no go.

However, beyond this, the battle over financial reporting and other compliance of a fiscal kind has been a hot topic this year on European exchanges.

As of this summer, (and not unrelated to the other two seismic shifts) there is another giant in the room.

If you haven’t heard about it yet, welcome to the world of EU GDPR (European Union General Data Privacy Regulation).

The German version is actually Europe’s highest privacy standard, which means for the cannabis industry, this is the one that is required for operations here across the continent if you are in this business.

What is it, and what does it mean for the industry?

GDPR – The Elevator Pitch

Here is why you cannot ignore it. The regulation affects bankers as much as growers, distributors as much as producers and of course the entire ecosystem behind medical production and distribution across Europe and actually far beyond it. Starting of course, with patients but not limited to them. The law in essence, applies to “you” whoever you are in this space. That is why it becomes all that much more complicated in the current environment.

While this is complex and far reaching, however, there are a couple of ways to think about this regulation that can help you understand it and how to manage to it (if not innovate with it).

The first is, to American audiences at least, that GDPR is sort of like HIPAA, the federal American privacy civil rights statute that governs medical privacy law. Except, of course, this being Europe, it is far more robust and far reaching. It touches every aspect of electronic privacy including data storage, retention, processing and security that is applicable to modern life. And far, far, beyond just “patients.”

Broadly, the legislation, which came into force this year, with real teeth (4% of global revenues if you get it wrong), applies to literally every aspect of the cannabis industry for two big reasons beyond that. Medical issues, which are the only game in town right now in Europe (and thus require all importers to also be in compliance) and financial regulatory requirements.

The requirements in Germany are more onerous than they are in the rest of Europe. Therefore, they also affect the cannabis industry in a big way, especially since there is at this point a great deal of European cultivation with the German (and now British) medical market in mind. Further Germany is becoming European HQ for quite a few of the Canadian LPs. That means German standards apply.

The UK, for those watching all Brexit events with interest, will also continue to be highly affected by this. Whether it stays in the EU or not, it must meet a certain “trusted nation” status to be able to transact with the continent in any kind of favoured nation status.

Bottom line? It is big and here and expensive if you screw it up. If considering doing any kind of business with European customers, start hitting the books now. Large mainstream media organizations in the United States and Canada right now are so afraid of the consequences of getting this wrong that they have blocked readership from Europe for the present. Large financial institutions also must not only be in compliance but compliance of companies also guides their investment mandates on the regulatory front.

For all of these reasons, the cannabis industry would do well to take note.

What Does This Mean for The Cannabis Industry?

The Canadian and rest of the global industry is still struggling with compliance and this will have some interesting repercussions going forward.

Immediately, this means that all websites that are targeted to German eyes (read Canadian LPs and international, even English-only press) should hire German side compliance experts for a quick GDPR audit. There are few European experts at this point, and even fewer foreign ones. It is worth a call around to find out who is doing this auf Deutschland and bite the bullet.

It also means that internally, patient data must be handled and stored differently. And furthermore, it is not just “patients” who have this right, but everyone who transacts with your electronic or other presence. That includes consumers, subscribers to email newsletters and other stakeholders in the industry.

As the cannabis industry also starts to embrace technology more fully, it will also have highly impactful influence on what actually passes for a compliant technology (particularly if it is customer facing) but not limited to the same.

On the marketing side, GDPR is currently causing no end of headaches. Starting with PR and customer outreach teams who are trying to figure out how much of their master mailing lists they can keep and which they cannot. On this front, Mail Chimp is undeniably the go-to right now and has also implemented easy-to-understand and easy-to-use technology that is being adopted by European marketers and those targeting Europe.

Stay tuned for more coverage on GDPR as we cover how data protection and privacy regulations will impact cannabis businesses, their marketing and outreach, plus service design efforts (in particular to patients) and other areas of interest.