How Private-Sector-Led Information Sharing Can Transform Cybersecurity in the Cannabis Industry.

By Andy Jabbour, Ben Taylor

The cannabis industry’s advancement towards legalization continues to dominate national headlines, from the stance of incoming Attorney General Merrick Garland to deprioritize enforcement of low-level cannabis crimes, Senate Majority Leader Chuck Schumer’s continued advocacy, to the recent passing of legislation in New York, New Mexico and Virginia (the first in the South) to authorize adult-use cannabis. While these updates are likely to intrigue customers and investors alike, they are also sure to draw the attention of cyber criminals who could look at the relative youth of the industry, as well as its rapid growth, as a prime target of opportunity for nefarious acts.

To understand risk mitigation best practices across a wide spectrum of private sector industries, this article will first describe the current security environment so that the threats are understood, then briefly highlight specific case studies and assess the risks, and finally identify actions that individual organizations, as well as the cannabis industry as a whole, can take to enhance security and preparedness and to develop resiliency against future attacks.

Understanding the Threats

For an industry that has operated in a largely cash-based system for much of its existence, the idea of security is not foreign. Typically, these concerns focused on physical security implementation. The topic has received plenty of coverage, including a recent article in this journal articulating Important Security Considerations When Designing Cannabis Facilities. While an audit of physical security measures is a valuable part of any all-hazards threat assessment, securing a growing online network – from email to online finances to connected devices within cannabis facilities – can pose less familiar challenges. When consulted for this article, Patten Wood, a former VP of marketing for a prominent west-coast cannabis retail brand, noted: “While the topic of cybersecurity is critically important to customers, businesses, and the industry at large, it isn’t top of mind for many of the cannabis companies that I’ve experienced.” Understanding what risks are present is the first step to mitigating them, so we must first discuss several common cyber threats for the cannabis industry.

  • Phishing: Phishing happens when cybercriminals impersonate a trusted individual or entity, typically through email. The goal in this instance is to get the target to share confidential information or download software that can allow unauthorized access into an organization’s network. Phishing is one of the most common types of cyberattacks as it is relatively easy to conduct and surprisingly effective.
  • Ransomware Attacks: Ransomware attacks are used to gain access to a computer network and then lock and encrypt either the entire system or certain sets of high-value files, which can compromise important business information and impact client and vendor privacy. A ransom is then demanded for restoring access, but paying the ransom comes with its own risk, as it doesn’t guarantee the files will be restored.
  • Cyber Extortion: Similar to ransomware attacks in their design, cyber extortion typically involves a threat to leak personal information and will generally demand payment in cryptocurrency so the criminals can maintain their anonymity.
  • Remote Access Threats: 2020 has forced organizations to rethink how they conduct business and shift to more remote operations than they had in the past, which can open up several new threats. According to a survey by IT social network SpiceWorks.com, six out of every ten organizations allow their employees to connect their company-issued devices to public Wi-Fi networks. Utilizing unsecured Wi-Fi networks opens the user up to man-in-the-middle attacks, allowing hackers to intercept company data. Unsecured Wi-Fi also brings the threat of malware distribution. An additional consideration with remote workers is the uptick in cyber attacks against remote access software, referred to as remote desktop protocol (RDP) attacks. According to Atlas VPN, RDP attacks skyrocketed 241% in 2020, and we’ve seen numerous RDP attacks against critical infrastructure throughout the pandemic and across all industries.

  • Internet of Things (IoT) Leaks: With IoT devices running everything from security systems to automated growing operations, the convenience has been a huge boost for the industry. Unfortunately, many IoT devices don’t have sophisticated built-in security. Another common problem is the tendency of users to keep default passwords upon installation, which can make devices easy for cyber criminals to access. Once they are inside the system, malware can easily be installed, and the actors can move laterally throughout the network.
  • Personal and Medical Record Security: Many cyberattacks expose some level of personal data, whether that be customer, employee or vendor information. An extra consideration for retail operations that either treat medical patients, or serve both medical and adult-use customers, is the additional information they must store about their clients. Medical facilities will maintain protected health information (PHI), which is much more valuable on the dark web than personally identifiable information (PII). But even adult-use facilities may keep government-issued ID or other additional information beyond that of a typical retailer, which makes the potential value of their information much more intriguing for a cybercriminal.

Assessing the Risks

Depending on where your organization lies in the seed-to-sale chain, you will have different levels of risk for various types of attacks. We briefly discussed ransomware attacks earlier. Ransoms can range widely depending on the size of the organization that is attacked, but the ransom alone isn’t the only risk consideration. Businesses must also factor in the cost of downtime (an average of 18 days in 2020) caused by the ransomware when evaluating the impact to business operations, as well as reputation. While small- to medium-sized businesses are absolutely at risk, especially given their relative lack of cybersecurity resources and sophistication, a recent trend involves “Big Game Hunting,” where cybercriminals are targeting larger organizations with the potential for bigger paydays. Criminals understand that big business can rarely afford major delays, and may be more able and willing to pay, and pay big, for a return to normal operations.

Below are several examples of attacks which have either directly impacted the cannabis industry, or have valuable lessons the industry can learn from.

GrowDiaries: In October 2020 researcher Bob Diachenko discovered that 3.4 million records including passwords, posts, emails and IP addresses were exposed after two instances of the open-source Kibana application were left exposed online. As a platform for cannabis growers around the world (who are not all growing legally), this type of exposure puts the community at great risk and can lower user confidence in the product, as well as putting users at personal risk of harm or legal ramifications. The applications being left open is a prime example of either a lack of good cybersecurity policies, or not following through on those policies.

Aurora Cannabis: On December 25th, 2020 Canadian company Aurora Cannabis suffered a data breach when SharePoint and OneDrive were illegally accessed. Included in the data that was compromised was credit card information, government identification, home addresses and banking details. The access point coming through Microsoft cloud software is a prime example of some of the challenges facing businesses who have an increasingly remote workforce yet still need that workforce to access critical (and usually highly sensitive) information.

THSuite: An unsecured database owned by seed-to-sale Point-Of-Sale (POS) software provider THSuite was discovered by researchers in December 2019. The database contained PHI/PII for 30,000 people, with over 85,000 files being exposed. The information that was left accessible included scanned government IDs, personal contact information and medical ID numbers. Clearly this gets into HIPAA territory, which can result in fines of up to $50,000 for every exposed record.

DoorDash: As cannabis delivery apps become more prevalent, it’s useful to reference how similar businesses in other industries have been targeted. In May of 2019 nearly 5 million user records were accessed by an unauthorized third party, exposing PII and partial payment card information.

Taking Action

On an organizational level, employee training, password hygiene and malware protection are some of the basic and most important steps that should be taken by all organizations. But if “knowledge is power,” the best defense for any organization against cyber threats is a well-informed organization, from leadership down to the front-line employees. Excellent tools to assist in this are Information Sharing & Analysis Centers/Organizations (ISACs/ISAOs). ISACs were established under a presidential directive in 1998 to enable critical infrastructure owners and operators to share cyber threat information and best practices. The National Council of ISACs currently has over 20 member ISACs including Real Estate, Water, Automotive and Energy. ISAOs were created by a 2015 executive order to encourage cyber threat information sharing within private industry sectors that fall outside of those listed as “critical infrastructure.” Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO), says information sharing enabled by the executive order is critical. “We need to accelerate private sector information sharing, and I believe that the ISAO is the vehicle.”

According to Michael Echols, CEO of the International Association of Certified ISAOs (IACI) at the Kennedy Space Center, security experts have long understood that threat information sharing can allow for better situational awareness and help organizations better identify common threats and ways to address them. “On the other side, hackers in a very documented way are already teaming up and sharing information on new approaches and opportunities to bring more value (to their efforts).” The ongoing crisis surrounding the Microsoft Exchange Server vulnerability demonstrates that different cybercriminal groups will work simultaneously to abuse system flaws. As of March 5th it was reported that at least 30,000 organizations in the U.S. – and hundreds of thousands worldwide – have backdoors installed, which makes them vulnerable to future attacks, including ransomware.

Below are several links to recent products that have been shared by various ISACs/ISAOs, which are provided as an example of the type of information that is commonly shared via these organizations.

If organizations are interested in learning more about enhancing their cybersecurity resiliency through private-sector-led information sharing, please reach out to the newly formed Cannabis ISAO at ben@cannabisisao.org

Vermont Senate Approves Cannabis Regulation Bill

By Cannabis Industry Journal Staff

On Tuesday, September 22, the Vermont Senate voted (23-6) to pass a bill that would legalize, tax and regulate adult use cannabis sales. The bill, S. 54, was approved by 92-56 in the Vermont House of Representatives last week. The bill has now made it to Governor Phil Scott’s desk, where although he has not said whether or not he’ll sign it, supporters think it is likely he will.

If the Governor signs this piece of legislation into law, it’ll make Vermont the 11th state to regulate and tax cannabis sales. The Marijuana Policy Project (MPP) has a helpful summary of the legislation you can find here.

Back in 2018, Vermont actually voted to legalize adult use possession and cultivation of cannabis, just not to tax and regulate it. Governor Scott signed that bill into law, which is why some supporters are hopeful he will sign S. 54 into law as well.

Currently, only Vermont and Washington D.C. have legislation that legalized cannabis, just not the sale of it. Technically speaking, it is still illegal to sell cannabis in D.C. or Vermont.

The Vermont Senate is also expected to pass a bill that would automatically expunge criminal records for past low-level cannabis possession charges. Check out the MPP summary for that bill here.

How Cannabis Businesses Can Prepare for Tax Season

By Melissa Diaz

A Little About 280E

The 280E statute bans businesses from deducting business expenses from gross income associated with the trafficking of Schedule I or II substances. While other businesses can deduct any number of expenses when filing their taxes — employee salaries, rent, equipment, electricity, etc. — 280E limits cannabis companies to deducting only expenses directly related to earning a profit, or the cost of goods sold (COGS).

For example, a dispensary whose square footage is split between 60% sales floor and 40% lobby may only deduct 60% of rent expenses, because that’s the portion dedicated to COGS. Transactions do not occur in the lobby, so that portion of the rent is not deductible.

So long as cannabis remains a Schedule I substance, companies that produce, sell and otherwise touch the plant in their operations must comply with 280E.

Tips for Tax Success

While taxes can be complex and stressful for cannabis businesses, it is possible to limit the headaches. With tax season right around the corner, here are a handful of tips to ensure a successful filing.

  • Close Out Your Books. Before tax preparation can even start, cannabis businesses want to make sure to close out their financials for the previous year. It may sound like a no-brainer, but with the extra scrutiny facing companies in the industry and the nuances of 280E, it’s extremely important to have fully reconciled and closed-out books to work from when preparing taxes. Incomplete books can cause delays and add unnecessary extra stressors to the process that could result in penalties or additional liabilities.
  • Consult a Cannabis Tax Professional. Once books are ready to go, it’s time to consult a tax professional who has experience in the cannabis industry. A cannabis-focused tax pro will be familiar with the intricacies of 280E and will be able to identify relevant business expenses to ensure compliance and limit liabilities. In addition to 280E issues, a competent accountant will also be able to highlight any other tax code changes that may impact a business. Every business is different — even in the cannabis industry — and since the tax code is large, complex and prone to new rules and interpretations, it’s important to have a strong accountant guiding the way.
  • Justify Your Numbers. After consulting with a tax professional and identifying relevant business expenses, it’s time to back up the numbers. This is where strong record-keeping comes into play. Ongoing regulatory hurdles limit cannabis firms’ ability to participate in the financial system where, generally, record creation is inherent with each transaction. But in a cash-heavy industry like cannabis, record creation and retention fall on the businesses themselves. This is because cash transactions don’t come with any built-in records. That inherent lack of documentation is yet another potential pitfall for cannabis businesses and taxes since large amounts of cash often raise eyebrows at the IRS. It is up to businesses to provide adequate proof of their tax numbers. Since the IRS will put zero effort into investigating the accuracy of your numbers, it will likely assume the worst when reviewing your filing.

Preparation is King

Taxes can be stressful. But they don’t have to be. Navigating tax season as a cannabis business is all about preparation. By putting in the work and partnering with an experienced tax professional, cannabis operators will be able to avoid penalties, limit their audit risk and stay on track with their business goals.

Documentation: Are You Prepared?

By Radojka Barycki

Documents play a key role in the world of regulations and global standards. Documents tell the story of program development, implementation and verification during an inspection or audit. Documents are used as evidence to determine conformance to the law or standard. However, do you know what kind of documents may be reviewed during a regulatory inspection or a food safety audit? Are you prepared to show that the implementation of regulatory requirements or a standard is done efficiently at your facility?

Inspectors and auditors will look for compliance either to regulations or to a standard criterion. Regulations and standards require that documentation is controlled, secured and stored in an area where it cannot deteriorate. Therefore, writing a Document Management Program (DMP) will help a business owner ensure consistency in meeting this and other requirements.

Radojka Barycki will host a plenary session titled “Cannabis: A Compliance Revolution” at the 2018 Food Safety Consortium.

A well-developed and implemented DMP provides control over documents by assigning a number sequence and revision status to each document. In addition, ownership for development, review and distribution of the documents is assigned to specific individuals within the company to ensure that there are no inconsistencies in the program. Documents must also carry the name of the company in addition to a space to write the date when the record is generated. It is recommended to include the address if there are multiple operational sites within the same company.

There are different types of documents that serve as support to the operations:

  1. Program: A written document indicating how a business will execute its activities. When it comes to the food industry, this is a written document that indicates how quality, food safety and business activities are controlled.
  2. Procedures: General actions conducted in a certain order. Standard Operational Procedures (SOPs) allow the employee to know what to do in general. For example, a truck receiving procedure only tells the employee what the expected conditions are when receiving a truck (cleanliness, temperature, etc.). However, it doesn’t tell the employee how to look for the expected conditions at the time of the truck arrival.
  3. Work Instructions: Detailed actions conducted in a certain order. For example, a truck inspection work instruction tells the employee what steps are to be followed to perform the inspection.
  4. Forms: Documents used to record activities being performed.
  5. Work Aids: Documents that provide additional information that is important to perform the job and can be used as a quick reference when performing the required activities within the job.

Inspectors and auditors base their role on the following saying: “Say what you do. Do what you say. Prove it!” The programs say what the company does. The procedures, work instructions and work aids provide information on implementation (do what you say), and the forms become records that are evidence (prove it) that the company is following its own written processes.

Regulatory requirements for cannabis vary from state to state. In general, an inspector may ask a cannabis business to provide the following documentation during an inspection:

  1. Business License(s)
  2. Product Traceability Programs and Documents
  3. Product Testing (Certificate of Analysis – COAs)
  4. Certification Documents (applicable mainly to cannabis testing labs)
  5. Proof of Destruction (if product needs to be destroyed due to non-compliance)
  6. Training Documents (competency evidence)
  7. Security Programs

As different states legalize cannabis, new regulatory requirements are being developed and modeled after the pharma, agriculture and food industries. In addition, standards will be put in place that will provide more consistency to industry practices at a global level. The pharma, agriculture and food industries base their operations and product safety on programs such as cGMPs, GAPs, HACCP-based Food Safety Management Systems and Quality Management Systems. Documents required during an inspection or audit are related to:

  1. Good Agricultural Practices (GAPs)
  2. Current Good Manufacturing Practices (cGMPs)
  3. Food Safety Plan Documents
  4. Ingredient and Processing Aids Receiving
  5. Ingredient and Processing Aids Storage
  6. Operational Programs (Product Processing)
  7. Final Product Storage
  8. Final Product Transportation
  9. Defense Program
  10. Traceability Program
  11. Training Program
  12. Document Management Program

In the always evolving cannabis industry, are you prepared to face document requirements now and in the future?

Hazard Analysis and Critical Control Points (HACCP) for the Cannabis Industry: Part 1

By Kathy Knutson, Ph.D.
Hazard Analysis and Critical Control Points (HACCP) Defined

Farm-to-fork is a concept to describe the control of food safety starting in the fields of a farm and ending with deliciousness in my mouth. The more that is optimized at every step, the more food safety and quality are realized. Farm-to-fork is not a concept reserved for foodies or “eat local” food campaigns and applies to all scales of food manufacture. HACCP is like putting the last piece of a huge puzzle in the middle and seeing the whole picture develop. HACCP is a program to control food safety at the step of food processing. In states where cannabis is legal, the state department of public health or state department of agriculture may require food manufacturers to have a HACCP plan. The HACCP plan is a written document identifying food safety hazards and how those hazards are controlled by the manufacturer. While there are many resources available for writing a HACCP plan, like solving that puzzle, it is a do-it-yourself project. You can’t use someone else’s “puzzle,” and you can’t put the box on a shelf and say you have a “puzzle.”

HACCP is pronounced “ha” as in “hat” plus “sip.”

(Say it aloud.)

3-2-1 We have liftoff.

The history of HACCP starts not with Adam eating in the garden of Eden but with the development of manned missions to the moon, the race to space in the 1950s. Sorry to be gross, but imagine an astronaut with vomiting and diarrhea as a result of foodborne illness. In the 1950s, the food industry relied on finished product testing to determine safety. Testing is destructive of product, and there is no amount of finished product testing that will determine food is safe enough for astronauts. Instead, the food industry built safety into the process. Temperature was monitored and recorded. Acidity, measured by pH, is an easy test. Rather than waiting to test the finished product in its sealed package, the food industry writes specifications for ingredients, ensures equipment is clean and sanitized, and monitors processing and packaging. HACCP was born first for astronauts and now for everyone.

HACCP is not the only food safety program.

If you are just learning about HACCP, it is a great place to start! There is a big world of food safety programs. HACCP is required by the United States Department of Agriculture for meat processors. The Food and Drug Administration (FDA) requires HACCP for seafood processing and 100% juice manufacture. For all foods beyond meat, seafood and juice, FDA has the Food Safety Modernization Act (FSMA) to enforce food safety. FSMA was signed in 2011 and became enforceable for companies with more than 500 employees in September of 2016; all food companies are under enforcement in September 2018. FSMA requires all food companies with an annual revenue greater than $1 million to follow a written food safety plan. Both FDA inspectors and industry professionals are working to meet the requirements of FSMA. There are also national and international guidelines for food safety with elements of HACCP which do not carry the letter of law.

The first step in HACCP is a hazard analysis.

Traditionally HACCP has focused on processing and packaging. Your organization may call that manufacturing or operations. In a large facility there is metering of ingredients by weight or volume, and mixing. A recipe or batch sheet is followed. Most, but not all, products have a kill step where high heat is applied through roasting, baking, frying or canning. The food is sealed in packaging, labeled, boxed and heads out for distribution. For your hazard analysis, you identify the potential hazards that could cause injury or illness if not controlled during processing. Think about all the potential hazards:

  • Biological: What pathogens are you killing in the kill step? What pathogens could get into the product before packaging is sealed?
  • Chemical: Pesticides, industrial chemicals, mycotoxins and allergens are concerns.
  • Physical: Evaluate the potential for choking hazards and glass, wood, hard plastic and metal.

The hazards analysis drives everything you do for food safety.

I cannot emphasize too much the importance of the hazard analysis. Every food safety decision is grounded in the hazard analysis. Procedures will be developed and capital will be purchased based on the hazard analysis and control of food safety in your product. There is no one form for the completion of a hazard analysis.

[Image: a risk severity matrix. Many HACCP training programs have these.]

So where do you start? Create a flow diagram naming all the steps in processing and packaging. If your flow diagram starts with Receiving of ingredients, then the next step is Storage of ingredients; include packaging with Receiving and Storage. From Storage, ingredients and packaging are gathered for a batch. Draw out the processing steps in order and through to Packaging. After Packaging, there is finished product Storage and Distribution. Remember HACCP focuses on the processing and packaging steps. It is not necessary to detail each step on the flow diagram, just name the step, e.g. Mixing, Filling, Baking, etc. Other supporting documents have the details of each step.

For every step on the flow diagram, identify hazards.

Transfer the name of the step to the hazard analysis form of your choice. Focus on one step at a time. Identify biological, chemical and physical hazards, if any, at that step. The next part is tricky. For each hazard identified, determine the probability of the hazard occurring and severity of illness or injury. Some hazards are easy like allergens. If you have an ingredient that contains an allergen, the probability is high. Because people can die from ingestion of allergens when allergic, the severity is high. Allergens are a hazard you must control. What about pesticides? What is the probability and severity? I can hear you say that you are going to control pesticides through your purchasing agreements. Great! Pesticides are still a hazard to identify in your hazard analysis. What you do about the hazard is up to you.