Tag Archives: security

Best Practices for Workforce Reduction

By Conor Dale
No Comments

Due to anticipated contractions in the industry and concerns over a potential nationwide recession, cannabis industry employers may be planning on implementing large scale reduction in force (RIF) layoffs or employee furloughs to reduce payroll. While RIFs can provide business-saving cost reductions, they can subject an employer to substantial potential legal liability, including but not limited to class action lawsuits and enforcement actions from state and federal agencies. Understanding and addressing potential legal pitfalls before implementing an RIF can help in materially limiting an employer’s potential legal exposure.

Employers should first consider potential cost saving alternatives to implementing mass employee layoffs. Such steps can include reducing the salaries and/or work hours for current employees, temporarily freezing company operations for limited periods, or placing non-critical positions in a limited paid leave of absence at reduced wages. While each of these steps bear their own risks, they may assist in avoiding mass employee layoffs.

Next, federal law and the laws of certain states require employers to provide written notice to employees and local governments at least 60 days before implementing mass layoffs. For example, under the federal Work Adjustment and Retraining Notification (WARN) Act, an employer must generally provide a written notice to employees regarding an impending reduction in force when it: (1) permanently or temporarily shuts down a worksite which results in an employment loss of 50 or more employees; (2) lays off between 50 to 499 workers at a single worksite when such layoffs constitute at least 33% of the employer’s workforce; (3) lays off at least 500 employees within a 30 day period; (4) implements a wide scale temporary layoff of more than 6 months; or (5) reduces the work hours of 50 or more employees by at least 50% during each month of any six month period. Please note that the WARN Act aggregates layoffs over 90 days; thus, an employer conducting a series of smaller layoffs may still need to provide employees with a WARN notice. An employer who fails to provide a required notice could owe each impacted employee up to 60 days’ back pay, which includes but is not limited to the cost of potential employment benefits.

An employer should also take steps to limit potential discrimination claims based on an RIF. It is illegal for an employer to select an employee for layoff because of their protected characteristics, including but not limited to race, religion, gender or age. The primary defense to such a discrimination lawsuit is to prove the legitimate, nondiscriminatory reason for the layoff decision. As a result, employers are strongly encouraged to create a formal RIF plan which documents the legitimate reasons for layoff decisions. The RIF plan should expressly articulate the cost-saving grounds for the RIF and the goals to be achieved by its implementation; these grounds and goals should be the sole reason for any subsequent layoff decision.

Employers are strongly encouraged to consult with legal counsel before implementing an RIFFor example, an employer should identify all necessary positions and employee skills needed for a company’s current and future business operations in order to identify non-essential positions that may be subject to position eliminations or layoffs. Similarly, employers should create standards to select employees for a RIF when multiple employees hold the same or similar jobs. These standards commonly include considering employees’ education, skills, unique knowledge, previous job performance and seniority. Most importantly, an employer should make actual layoff decisions that are consistent with its articulated RIF plans; under both state and federal law, a termination decision that is inconsistent with or contradictory to the articulated reasons for a layoff decision may provide an employee with considerable evidence that that his or her termination was at least partly motivated by their protected characteristics.

Even when making and implementing a reduction in force plan based solely on legitimate business reasons, employers must be aware of the adverse impact those decisions have on certain groups of employees. It is illegal for an employer to implement policies and practices that are facially neutral but have an unintentional discriminatory effect on protected groups of employees if those policies and practices are not job related or required by business necessity. Before implementing an RIF, employers are strongly encouraged to perform a statistical analysis of the protected characteristics of individuals selected for layoffs to determine whether they are being selected for layoffs at a significantly higher rate than other employees. If an employer does discover that certain groups are being selected for layoffs at a disproportionate rate, an employer should review its layoff decisions to confirm that these decisions are in fact required by business necessity.

Finally, employers will commonly provide severance packages to laid off employees to assist in their transition to other employment. A key factor in these packages is an employee providing an employer with a full release of potential legal claims in exchange for a severance payment. Employers are strongly encouraged to ensure that they obtain full and complete legal releases in any severance agreements they provide. For example, under California law, an employee can only provide a full and complete release of legal claims when a separation agreement specifically cites and waives a specific provision of California’s civil code. Additionally, an employer cannot obtain a legal release of federal age discrimination claims when it offers a separation package to multiple employees over 40 during an RIF program unless it provides specific information regarding the job positions and ages of employees who were and were not selected for layoffs.

While a reduction in force layoff program may help ensure a business’ survival, employers are strongly encouraged to consult with legal counsel before implementing an RIF to detect and avoid potential future legal claims.

Soapbox

Cannabis Growers and Distributors: Your Cyber Risk is Growing Like Weeds

By Emily Selck
No Comments

Cannabis growers and distributors are “green” when it comes to cyber security. Unaware of the real risks, cannabis businesses consistently fall short of instituting some of the most basic cybersecurity protections, leaving them increasingly vulnerable to a cyber-attack.

Cannabis businesses are especially attractive to hackers because of the vast amount of personally identifiable and protected health information they’re required to collect as well as the crop trade secrets they store. With businesses growing by leaps and bounds, and more and more Americans and Canadians purchasing cannabis, cybercriminals are likely to increase their attacks on the North American market in the coming year. Arm your cannabis business with the following best practices for growers and distributors.

Distributor Risk = A Customer’s PII

Cyber risk is the greatest for cannabis distributors, required to collect personal identifiable information (PII), including driver’s licenses, credit cards, medical history and insurance information from patients. State regulatory oversight further compounds the distributor’s risk of cyber-attack. If you’re a cannabis distributor, you’ll want to make sure to:

  • Know where you retain buyer information, and understand how it can potentially be breached. Are you scanning driver’s licenses into a database, or retaining paper files? Are you keeping them in a secure area off site, or on a protected network? Make sure a member of your management team is maintaining compliance with HIPAA and state statutes and requirements for cannabis distribution.
  • Institute strong employee oversight rules. Every employee does not have to have access to every sale, or your entire database of proprietary customer information. Delegate jobs behind the sales desk. Give each employee the access they need to do their job – and that’s it.
  • Distributors have to protect grower’s R&D information too. Most cannabis distributors have access to their grower’s proprietary R&D information so they can help customers understand which products are best for different medical symptoms/needs. Make sure your employees don’t reveal too much to put your suppliers in potential risk of cyberattack.

Grower Risk = Crop Trade Secrets

For cannabis growers, the risk is specific to crop trade secrets, research and development (R&D). If you’re a cannabis grower, you’ll want to:

  • Secure your R&D process. If you’ve created a cannabis formula that reduces anxiety or pain or boosts energy, these “recipes” are your competitive advantage – your intellectual property. Consider the way you store information behind the R&D of your cannabis crops. Do you store it on electronic file, or a computer desktop? What type of credentials do people need to access it? Other industries will use a third party cloud service to store their R&D information, but with cannabis businesses that’s typically not the case. Instead, many growers maintain their own servers because they feel this risk is so great, and because their business is growing so fast, there are not yet on the cloud.
  • Limit the number of people with access to your “secret sauce.” When workers are harvesting crop, or you’re renting land from farmers and planting on it, make sure to keep proprietary information in the hands of just the few who need it – and no one else. This is especially important when sharing details with third party vendors.

Cyber coverage is now ripe for picking

Although cannabis businesses are hard to insure – for just about every type of risk – cyber insurance options for cannabis companies have recently expanded, and come down in price. If you’ve looked for cyber coverage in the past and were previously unable to secure it, now is the time to revisit the market.

Know that cyber policy underwriters will do additional due diligence, going beyond the typical policy application, and ask about the types of proprietary information you collect from customers, as well as how you store and access it at a later date. Have this knowledge at your fingertips, and be ready to talk to underwriters about it when you’re bidding for a new policy – and at renewal time.

Fungal Monitoring: An Upstream Approach to Testing Requirements

By Bernie Lorenz, PhD
1 Comment

Mold is ubiquitous in nature and can be found everywhere.1 Cannabis growers know this all too well – the cannabis plant, by nature, is an extremely mold-susceptible crop, and growers battle it constantly.

Of course, managing mold doesn’t mean eradicating mold entirely – that’s impossible. Instead, cultivation professionals must work to minimize the amount of mold to the point where plants can thrive, and finished products are safe for consumption.

Let’s begin with that end in mind – a healthy plant, grown, cured and packaged for sale. In a growing number of states, there’s a hurdle to clear before the product can be sold to consumers – state-mandated testing.

So how do you ensure that the product clears the testing process within guidelines for mold? And what tools can be employed in biological warfare?

Mold: At Home in Cannabis Plants

It helps to first understand how the cannabis plant becomes an optimal environment.

The cannabis flower was designed to capture pollen floating in the air or brought by a pollinating insect.

Photo credit: Steep Hill- a petri dish of mold growth from tested cannabis

Once a mold spore has landed in a flower, the spore will begin to grow. The flower will continue to grow as well, and eventually, encapsulate the mold. Once the mold is growing in the middle of the flower, there is no way to get rid of it without damaging the flower.

A Name with Many Varieties

The types of spores found in or around a plant can make or break whether mold will end with bad product.

Aspergillus for example, is a mold that can produce mycotoxins, which are toxic to humans2. For this reason, California has mandatory testing3for certain aspergillus molds.

Another example, Basidiospores, are found outside, in the air. These are spores released from mushrooms and have no adverse effects on cannabis or a cannabis cultivation facility.

Fungi like powdery mildew and botrytis (PM and Bud Rot) typically release spores in the air before they are physically noticed on plants. Mold spores like these can survive from one harvest to the next – they can be suspended in the air for hours and be viable for years.

How Mold Travels

Different types of spores – the reproductive parts of mold – get released from different types of mold. Similar to plants and animals, mold reproduces when resources are deemed sufficient.

The opposite is also true that if the mold is under enough stress, such as a depleting nutrient source, it can be forced into reproduction to save itself.4

In the end, mold spores are released naturally into the air for many reasons, including physical manipulation of a plant, which, of course, is an unavoidable task in a cultivation facility.5

Trimming Areas: A Grow’s Highest Risk for Mold

Because of the almost-constant physical manipulation of plants that happen inside its walls, a grow’s trimming areas typically have the highest spore counts. Even the cleanest of plants will release spores during trimming.

Best practices include quality control protocols while trimming

These rooms also have the highest risk for cross contamination, since frequently, growers dry flower in the same room as they trim. Plus, because trimming can be labor intensive, with a large number of people entering and leaving the space regularly, spores are brought in and pushed out and into another space.

The Battle Against Mold

The prevalence and ubiquitous nature of mold in a cannabis facility means that the fight against it must be smart, and it must be thorough.

By incorporating an upstream approach to facility biosecurity, cultivators can protect themselves against testing failures and profit losses.

Biosecurity must be all encompassing, including everything from standard operating procedures and proper environmental controls, to fresh air exchange and surface sanitation/disinfection.

One of the most effective tactics in an upstream biosecurity effort is fungal monitoring.

Ways to Monitor Mold

Determining the load or amount of mold that is in a facility is and always will be common practice. This occurs in a few ways.

Post-harvest testing is in place to ensure the safety of consumers, but during the growing process, is typically done using “scouting reports.” A scouting report is a human report: when personnel physically inspect all or a portion of the crop. A human report, unfortunately, can lead to human error, and this often doesn’t give a robust view of the facility mold picture.

Another tool is agar plates. These petri dishes can be opened and set in areas suspected to have mold. Air moves past the plate and the mold spores that are viable land on the dishes. However, this process is time intensive, and still doesn’t give a complete picture.

Alternatively, growers can use spore traps to monitor for mold.

Spore traps draw a known volume of air through a cassette.The inside of the cassette is designed to force the air toward a sticky surface, which is capable of capturing spores and other materials. The cassette is sent to a laboratory for analysis, where they will physically count and identify what was captured using a microscope.

Spore trap results can show the entire picture of a facility’s mold concerns. This tool is also fast, able to be read on your own or sent to a third party for quick and unbiased review. The information yielded is a useful indicator for mold load and which types are prevalent in the facility.

Spore Trap Results: A Story Told

What’s going on inside of a facility has a direct correlation to what’s happening outside, since facility air comes infromthe outside. Thus, spore traps are most effective when you compare a trap inside with one set outside.

When comparing the two, you can see what the plants are doing, view propagating mold, and understand which of the spore types are only found inside.

Similar to its use in homes and businesses for human health purposes, monitoring can indicate the location of mold growth in a particular area within a facility.

These counts can be used to determine the efficacy of cleaning and disinfecting a space, or to find water leaks or areas that are consistently wet (mold will grow quickly and produce spores in these areas).

Using Spore Traps to See Seasonality Changes, Learn CCPs

Utilizing spore traps for regular, facility-wide mold monitoring is advantageous for many reasons.

One example: Traps can help determine critical control points (CCP) for mold.

What does this look like? If the spore count is two times higher than usual, mitigating action needs to take place. Integrated Pest Management (IPM) strategies like cleaning and disinfecting the space, or spraying a fungicide, are needed to bring the spore count down to its baseline.

For example, most facilities will see a spike in spore counts during the times of initial flower production/formation (weeks two to three of the flower cycle).

Seasonal trends can be determined, as well, since summer heat and rain will increase the mold load while winter cold may minimize it.

Using Fungal Monitoring in an IPM Strategy

Fungal monitoring – especially using a spore trap – is a critical upstream step in a successful IPM strategy. But it’s not the only step. In fact, there are five:

  • Identify/Monitor… Using a spore trap.
  • Evaluate…Spore trap results will indicate if an action is needed. Elevated spore counts will be the action threshold, but it can also depend on the type of spores found.
  • Prevention…Avoiding mold on plants using quality disinfection protocols as often as possible.
  • Action…What will be done to remedy the presence of mold? Examples include adding disinfection protocols, applying a fungicide, increasing air exchanges, and adding a HEPA filter.
  • Monitor…Constant monitoring is key. More eyes monitoring is better, and will help find Critical Control Points.

Each step must be followed to succeed in the battle against mold.

Of course, in the battle, there may be losses. If you experience a failed mandatory product testing result, use the data from the failure to fix your facility and improve for the future.

The data can be used to determine efficacy of standard operating procedures, action thresholds, and other appropriate actions. Plus, you can add a spore trap analysis for pre- and post- disinfection protocols, showing whether the space was really cleaned and disinfected after application. This will also tell you whether your products are working.

Leveraging all of the tools available will ensure a safe, clean cannabis product for consumers.

References

  1. ASTM D8219-2019: Standard Guide for Cleaning and Disinfection at a Cannabis Cultivation Center (B. Lorenz): http://www.astm.org/cgi-bin/resolver.cgi?D8219-19
  2. Mycotoxin, Aspergillus: https://www.who.int/news-room/fact-sheets/detail/mycotoxins
  3. State of California Cannabis Regulations: https://cannabis.ca.gov/cannabis-regulations/
  4. Asexual Sporulation in Aspergillus nidulans (Thomas H. Adams,* Jenny K. Wieser, and Jae-Hyuk Yu):  https://pdfs.semanticscholar.org/7eb1/05e73d77ef251f44a2ae91d0595e85c3445e.pdf?_ga=2.38699363.1960083875.1568395121-721294556.1562683339
  5. ASTM standard “Assessment of fungal growth in buildings” Miller, J. D., et al., “Air Sampling Results in Relation to Extent of Fungal Colonization of Building Materials in Some Water Damaged Buildings,” Indoor Air, Vol 10, 2000, pp. 146–151.
  6. Zefon Air O Cell Cassettes: https://www.zefon.com/iaq-sampling-cassettes

Top 5 Cybersecurity Threats To The Cannabis Industry

By Lalé Bonner
No Comments

Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.

Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data to darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data, could face stiff fines, in addition to losing the trust of their customers.

So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.

Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:

PhishingPhishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.

  • Tips: Do not download attachments from unknown senders!
  • Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.

Password ManagementPassword complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease those password-sniffers from obtaining your sensitive information.

  • Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
  • Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.

Public Wi-FiBeing able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.

  • Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
  • Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.

BYOD: Beware of Bad Apps: Using personal devices for work has become the norm. In fact, approximately 74 percent of businesses have bring-your-own-device (BYOD) policies or plans to adopt in the future.

With these platforms providing greater access to mobile apps, comes greater responsibility on the part of the end user.

  • Tips: Password protect devices that will be used for work (and, any device in general).
  • Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
  • Mobile device protection is recommended for any device being used on a business network.

Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.Avoid logging into a SaaS application on a public computer or public Wi-Fi network.

SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software As A Service) are cloud-based software solutions and chances are you are using one of these SaaS solutions for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:

  • Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
  • Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.

While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B- backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.

Soapbox

ERP’s Role in Ensuring Traceability & Compliance in the Cannabis Market

By Daniel Erickson
1 Comment

Recent trends in the cannabis space and media headlines reveal the challenges and complexities of the evolving cannabis industry with regard to traceability and compliance. Keeping abreast of the evolving state of legislative requirements is complex and requires effective procedures to ensure your business will flourish. At the forefront is the need to provide complete seed-to-sale traceability from the cannabis plant to the consumer, increasing the demand for effective tracking and reporting technologies to assure cultivators, manufacturers, processors and dispensaries are able to meet regulatory compliance requirements. An enterprise resource planning (ERP) solution offers a business management solution designed to integrate all aspects from the greenhouse and growing to inventory, recipe/formulation, production, quality and sales, providing complete traceability to meet compliance regulations.

The main force driving cannabusinesses’ adoption of strict traceability and secure systems to monitor the growth, production and distribution of cannabis is the Cole Memorandum of 2013 issued by former US Deputy Attorney General James Cole. The document was designed to prevent the distribution of cannabis to minors, as well as prevent marijuana revenue from being used for criminal enterprises. Due to the non-legal status of cannabis on the federal level, the memo provides guidance for states whose voters have passed legislation permitting recreational or medical cannabis use. If states institute procedures for transparent inventory control and tracking documentation, the memo indicates that the federal government will refrain from interference and/or prosecution. Despite the Trump administration rescinding the memo in early 2018, companies have largely continued to follow its guidelines in an attempt to avoid targeted enforcement of federal law. Local government reporting is a primary reason for strict inventory control, necessitating reliable traceability documentation of the chain-of-custody. 

Process metrics within an ERP solution are essential in providing the accountability necessary to meet required cannabis compliance initiatives. With a centralized, streamlined and secure system, each process becomes documented and repeatable – enabling best practices to provide an audit trail for accountability in all cannabis activities. Whether cultivating, extracting, manufacturing or dispensing cannabis, an ERP’s functionality assists with compliance demands to manage and support traceability and other state-level requirements.

An ERP solution solves the traceability and compliance issues faced by the industry by providing inventory control management and best practices that automates track and trace record keeping from seed to consumer. Growers are also implementing cultivation management solutions within their ERP and highly secure plant identification methods to mobilize greenhouse and inventory to support real-time tracking. Monitoring the loss of inventory due to damage, shrinkage, accidentally or purposeful destruction is efficiently documented to assure that inventory is accounted for. Similar to other process manufacturing industries, it is possible to produce tainted or unsafe products, therefore an ERP solution that supports product recall capabilities is fundamental. With a centralized framework for forward and backward lot, serial and plant ID tracking, the solution streamlines supply chain and inventory transactions to further ensure compliance-driven track and trace record keeping is met.

Local government reporting is a primary reason for strict inventory control, necessitating reliable traceability documentation of the chain-of-custody. Data regarding inventory audit and inspection details, complete with any discrepancies, must be reported to a states’ seed-to-sale tracking system to conform with legal requirements. An ERP utilizes cGMP best practices and reporting as safeguards to keep your company from violating compliance regulations. Failure to complete audits and meet reporting guidelines can be detrimental to your bottom line and lead to criminal penalties or a loss of license from a variety of entities including state regulators, auditors and law enforcement agencies. A comprehensive ERP solution integrates with the state-administered traceability systems more easily and reliably as compared to manual or stand-alone systems – saving time, money and detriment resulting from non-compliance.

Similar to other food and beverage manufacturers, the growing market for cannabis edibles can benefit from employing an ERP system to handle compliance with food safety initiatives – encompassing current and future requirements. Producers of cannabis-infused products for recreational and medicinal use are pursuing Global Food Safety Initiative (GFSI) certification, employing food safety professionals and implementing comprehensive food safety practices–taking advantage of ERP functionality and processes currently in place in similarly FDA regulated industries.

As legalization continues and reporting regulations standardize, dynamic cannabis ERP solutions for growers, processors and dispensaries will evolve to meet the demands and allow for operations to grow profitably.In addition to lot, serial and plant ID tracking, tracing a product back to the strain is equally important. An ERP can efficiently trace a cannabis strain from seedling through the final product, monitoring its genealogy, ongoing clone potency, CBD and THC content ratios and other attributes. The health, weight and required growing conditions of each individual plant or group of plants in the growing stages may be recorded throughout the plant’s lifecycle. In addition, unique plant identification regarding the performance of a particular strain or variety, how it was received by the market and other critical elements are tracked within ERP system. This tracking of particular strains assists with compliance-focused labeling and determining the specific market for selling and distribution of cannabis products.

Collecting, maintaining and accessing traceability and compliance data in a centralized ERP system is significant, but ensuring that information is safe from theft or corruption is imperative as well. An ERP solution with a secure platform that employs automated backups and redundancy plans is essential as it uses best practices to ensure proper procedures are followed within the company. User-based role permissions provide secure accessibility restricted to those with proper authorization. This level of security allows for monitoring and recording of processes and transactions throughout the growing stages, production and distribution; ensuring accountability and proper procedures are being followed. Investing in an ERP solution that implements this level of security aids companies in their data assurance measures and provides proper audit trails to meet regulations.

In this ever-changing industry, regulatory compliance is being met by cannabusinesses through the implementation of an ERP solution designed for the cannabis industry. Industry-specific ERP provides functionality to manage critical business metrics, inventory control, local and state reporting and record keeping, and data security ensuring complete seed-to-sale traceability while offering an integrated business management solution that supports growth and competitive advantage in the marketplace. As legalization continues and reporting regulations standardize, dynamic cannabis ERP solutions for growers, processors and dispensaries will evolve to meet the demands and allow for operations to grow profitably.

Why Does GDPR Matter for The Cannabis Industry?

By Marguerite Arnold
2 Comments

The global cannabis industry is hitting thorny regulatory challenges everywhere these days as the bar is raised for international commerce. First it was recognition that the entire production industry in Canada would basically have to retool to meet European (medical and food) standards. And that at least for now for the same reasons, American exports are basically a no go.

However, beyond this, the battle over financial reporting and other compliance of a fiscal kind has been a hot topic this year on European exchanges.

As of this summer, (and not unrelated to the other two seismic shifts) there is another giant in the room.

If you haven’t heard about it yet, welcome to the world of EU GDPR (European Union General Data Privacy Regulation).

The German version is actually Europe’s highest privacy standard, which means for the cannabis industry, this is the one that is required for operations here across the continent if you are in this business.

What is it, and what does it mean for the industry?

GDPR – The Elevator Pitch

Here is why you cannot ignore it. The regulation affects bankers as much as growers, distributors as much as producers and of course the entire ecosystem behind medical production and distribution across Europe and actually far beyond it. Starting of course, with patients but not limited to them. The law in essence, applies to “you” whoever you are in this space. That is why it becomes all that much more complicated in the current environment.

While this is complex and far reaching, however, there are a couple of ways to think about this regulation that can help you understand it and how to manage to it (if not innovate with it).

The first is, to American audiences at least, that GDPR is sort of like HIPAA, the federal American privacy civil rights statute that governs medical privacy law. Except, of course, this being Europe, it is far more robust and far reaching. It touches every aspect of electronic privacy including data storage, retention, processing and security that is applicable to modern life. And far, far, beyond just “patients.”

On the marketing side, GDPR is currently causing no end of headaches. Broadly, the legislation, which came into force this year, with real teeth (4% of global revenues if you get it wrong), applies to literally every aspect of the cannabis industry for two big reasons beyond that. Medical issues, which are the only game in town right now in Europe (and thus require all importers to also be in compliance) and financial regulatory requirements.

The requirements in Germany are more onerous than they are in the rest of Europe. Therefore, they also affect the cannabis industry in a big way, especially since there is at this point a great deal of European cultivation with the German (and now British) medical market in mind. Further Germany is becoming European HQ for quite a few of the Canadian LPs. That means German standards apply.

The UK, for those watching all Brexit events with interest, will also continue to be highly affected by this. Whether it stays in the EU or not, it must meet a certain “trusted nation” status to be able to transact with the continent in any kind of favoured nation status.

Bottom line? It is big and here and expensive if you screw it up. If considering doing any kind of business with European customers, start hitting the books now. Large mainstream media organizations in the United States and Canada right now are so afraid of the consequences of getting this wrong that they have blocked readership from Europe for the present. Large financial institutions also must not only be in compliance but compliance of companies also guides their investment mandates on the regulatory front.

For all of these reasons, the cannabis industry would do well to take note.

What Does This Mean for The Cannabis Industry?

The Canadian and rest of the global industry is still struggling with compliance and this will have some interesting repercussions going forward.patient data must be handled and stored differently

Immediately, this means that all websites that are targeted to German eyes (read Canadian LPs and international, even English-only press) should hire German side compliance experts for a quick GDPR audit. There are few European experts at this point, and even fewer foreign ones. It is worth a call around to find out who is doing this auf Deutschland and bite the bullet.

It also means that internally, patient data must be handled and stored differently. And furthermore, it is not just “patients” who have this right, but everyone who transacts with your electronic or other presence. That includes consumers, subscribers to email newsletters and other stakeholders in the industry.

As the cannabis industry also starts to embrace technology more fully, it will also have highly impactful influence on what actually passes for a compliant technology (particularly if it is customer facing) but not limited to the same.

On the marketing side, GDPR is currently causing no end of headaches. Starting with PR and customer outreach teams who are trying to figure out how much of their master mailing lists they can keep and which they cannot. On this front, Mail Chimp is undeniably the go-to right now and has also implanted easy to understand and use technology that is being adopted by European marketers and those targeting Europe.

Stay tuned for more coverage on GDPR as we cover how data protection and privacy regulations will impact cannabis businesses, their marketing and outreach, plus service design efforts (in particular to patients) and other areas of interest.

Image 2: Temperature display provides quick view of sensor data

10 Questions To Ask Before Installing a Remote Monitoring System

By Rob Fusco
No Comments
Image 2: Temperature display provides quick view of sensor data

No matter the size of your cannabis greenhouse operation, keeping your plants alive and healthy requires the best possible growing environment. This means greenhouse managers and personnel must frequently monitor the status of environmental conditions and equipment. The sooner someone discovers extreme temperature fluctuations, rising humidity or equipment failure, the more inventory you can save.

Image 1: Cloud-based remote monitoring system in protective enclosure
Cloud-based remote monitoring system in protective enclosure

That’s why integrating a remote monitoring system into your greenhouse operation can save you time, money and anxiety. Monitoring systems that use cloud-based technology let you see real-time status of all monitored conditions and receive alerts right on your mobile device.

Installing a monitoring system and sensors can be easier than you might think. Here are answers to ten questions to ask before installing a cloud-based monitoring system:

  1. What is required to use a remote monitoring system?

Most remote monitoring systems require an internet or WiFi connection and access to an electrical outlet. Programming is done through a website, so it’s easiest to use a computer for the initial setup. If you don’t have an internet connection at your location, you’ll want to choose a cellular system. Make sure that there’s sufficient signal strength at your site, and check the signal quality in the area before purchasing a cellular device.

2. How do we determine what kind of monitoring system and sensors we need?

A reputable manufacturer will have a well-trained support team that can assess your needs even without a site visit to determine which products are best for your application. If you feel you need them to check out your greenhouse operation,many companies can set up a video conference or FaceTime chat to substitute for being on site.

You will want to provide details about the scope and purpose of your cannabis growing operation. Important factors to discuss include:

  • Skeletal structure of the greenhouse (metal, plastic, wood, etc.) and the covering material (glass or plastic).
  • Floor space square footage and height of each of your greenhouses.
  • Number of greenhouse structures in your operation.
  • Outdoor climate to determine if you rely more on heating or air conditioning and the level of humidity control needed.
  • Space dedicated to phases of growth (cloning and propagation, vegetative, flowering) and the microclimates needed for each.
  • Types of lighting, ventilation and irrigation systems.
  • Level of technological automation versus manual operation in place.

The monitoring system representative will then determine the type of system that would best serve your operation, the number of base units you will need and the types of sensors required.

Image 2: Temperature display provides quick view of sensor data
Temperature display provides quick view of sensor data

The representative should also be able to provide tips on the placement of the sensors you’re purchasing. For example, to ensure thorough air temperature coverage, place sensors throughout the greenhouse, next to the thermostat controlling the room temperature and in the center of the greenhouse out of direct sunlight.

Note that there shouldn’t be a cost for a demo, consultation or assistance throughout the sales process. Be sure to ask if there are any fees or licenses to keep using the monitoring equipment after you purchase it.

3. Are sensors included with the monitoring system?

In most cases, sensors are sold separately. The sensors you select depend upon the conditions you want to monitor and how many you can connect to your base unit. Certainly, temperature is critical, but there are many other factors to deal with as well, such as humidity, CO2, soil moisture, water pH, power and equipment failure, ventilation and physical security.

For example, humidity has a direct impact on the photosynthesis and transpiration of plants. High humidity can also cause disease and promote the growth of harmful mold, algae and mildew. Sensors can detect changes in humidity levels.

Image 3: Water pH sensor
Water pH sensor

Like any other plant, cannabis needs COto thrive, so it’s a good idea to include a COsensor that will signal to the monitoring device when readings go out of the preset range. There are even sensors that you can place in the soil to measure moisture content to help prevent over- or underwatering, budget water usage costs, promote growth and increase crop yield and quality.

Of course, all the critical systems in your growing facility—from water pumps to irrigation lines to louvers—rely on electrical power. A power outage monitoring sensor detects power failure. It can also monitor equipment for conditions that predict if a problem is looming, such as power fluctuations that occur at specific times.

Ventilation systems not only help control temperature, they also provide fresh air that is critical to plant health. Automated systems include features like vented roofs, side vents and forced fans. Sensors placed on all these systems will send personnel an alert if they stop running or operate outside of preset parameters.

To monitor the physical security of your greenhouses, you can add sensors to entrance doors, windows, supply rooms and equipment sheds. During off hours, when no staff is on duty, you can remain vigilant and be alerted to any unauthorized entry into your facility.

4. Do monitoring systems only work with the manufacturer’s sensors?

Not necessarily. For example, certain monitoring units can connect with most 4-20mA sensors and transmitters regardless of the brand. When selecting sensors, you might have a choice between ones that are designed by the manufacturer to work specifically with the monitoring system or universal components made by a third party. If the components aren’t made by the system manufacturer, you’ll want to find out if they have been tested with the monitor you are choosing and if you need to work with another vendor to purchase the parts.

A humidity sensor mounted in a weatherproof enclosure
A humidity sensor mounted in a weatherproof enclosure

5. Is a monitoring system easy to set up, or do we need to hire an electrician?

Many monitoring systems are quick and easy to install, and users can often set them up without hiring an outside expert. Look for one that requires only a few simple physical installation steps. For example:

  1. Mount the device to the wall or somewhere secure;
  2. Plug it into an electrical outlet and an internet connection;
  3. Connect the sensors.

You connect the sensors to the base unit’s terminal strip using wire, which is included with many sensors. The range of many wired sensors can be extended up to 2,000 feet away from the base unit by adding wire that can be easily purchased at any home store. It’s a good idea to hire an electrician if you need to run wires through walls or ceilings.

Usually, once you plug in the device and connect the sensors, you then create an account on the manufacturer’s designated website and begin using your device. There should be no fee to create an account and use the site.

If the manufacturer doesn’t offer installation services, ask if they can recommend a local representative in your area who can set up your system. If not, make sure they provide free technical support via phone or email to walk you through the installation and answer any questions you might have about programming and daily usage.

6. Is there a monthly fee to access all the functionality of a monitoring device?

Many web- or cloud-based systems provide free functionality with some limitations. You might have to purchase a premium subscription to unlock features such as text messaging, phone call alerts and unlimited data logging access.

 7. Should we get a system that is wired or wireless? Will we need to have a phone line, cable, internet or something else?

Wireless can mean two different things as it relates to monitoring: how the system communicates its data to the outside world and how the sensors communicate with the system.

The most popular systems require an internet or WiFi connection, but if that’s not an option, cellular- and phone-based systems are available.

A hardwired monitoring system connects the sensors to the base device with wires. A wireless system uses built-in radio transmitters to communicate with the base unit. Some monitoring systems can accommodate a combination of hardwired and wireless sensors.

8. Can one system monitor several sensor inputs around the clock?

Once the monitoring system is installed and programmed, it will constantly read the information from the sensors 24/7. Cloud-based systems have data logging capabilities and store limitless amounts of information that you can view from any internet-connected device via a website or app.

If the system detects any sensor readings outside of the preset range, it will send an alarm to all designated personnel. The number of sensors a base unit can monitor varies. Make sure to evaluate your needs and to select one that can accommodate your present situation and future growth.

When a monitoring system identifies a change in status, it immediately sends alerts to people on your contact list. If you don’t want all your personnel to receive notifications at the same time, some devices can be programmed to send alerts in a tiered fashion or on a schedule. Multiple communications methods like phone, email and text provide extra assurance that you’ll get the alert. It’s a good idea to check the number of people the system can reach and if the system automatically cycles through the contact list until someone responds. Some systems allow for flexible scheduling, so that off-duty personnel don’t receive alerts.

9. Do monitoring systems have a back-up power system that will ensure the alarming function still works if the power goes out or if someone disconnects the power?

The safest choice is a cloud-based system that comes with a built-in battery backup that will last for hours in the event of a power failure. Cloud-based units constantly communicate a signal to the cloud to validate its online status. If the communication link is interrupted—for example by a power outage or an employee accidently switching off the unit—the system generates an alarm indicating that the internet connection is lost or that there is a cellular communications problem. Users are alerted about the disruption through phone, text or email. All data collected during this time will be stored in the device and will be uploaded to the cloud when the internet connection is restored.

If you opt for a cloud-based monitoring system, make sure the infrastructure used to create the cloud platform is monitored 24/7 by the manufacturer’s team. Ask if they have multiple backups across the country to ensure the system is never down.

10. What should we expect if we need technical support or repairs to the system?

Purchase your system from a reputable manufacturer that provides a warranty and offers full repair services in the event the product stops working as it should. Also, research to make sure their tech support team is knowledgeable and willing to walk you through any questions you have about your monitoring system. Often, support specialists can diagnose and correct unit setup and programming issues over the phone.

It helps to record your observations regarding the problem, so the tech team can look for trends and circumstances concerning the issue and better diagnose the problem. Ideally, the manufacturer can provide loaner units if your problem requires mailing the device to their facility for repair.

Documentation: Are You Prepared?

By Radojka Barycki
No Comments

Documents play a key role in the world of regulations and global standards. Documents tell a story on programs development, implementation and verification during an inspection or audit. Documents are used as evidence to determine conformance to the law or standard. However, do you know what kind of documents may be reviewed during a regulatory inspection or a food safety audit? Are you prepared to show that the implementation of regulatory requirements or a standard is done efficiently at your facility?

Inspectors and auditors will look for compliance either to regulations or to a standard criterion. Regulations and standards require that documentation is controlled, secured and stored in an area where they cannot deteriorate. Therefore, writing a Document Management Program (DMP) will help a business owner ensure consistency in meeting this and other requirements.Radojka Barycki will host a a plenary session titled, “Cannabis: A Compliance Revolution” at the 2018 Food Safety Consortium | Learn More

A well-developed and implemented DMP provides control over documents by providing a number sequence and revision status to the document. In addition, ownership for development, review and distribution of the documents are assigned to specific individuals within the company to ensure that there are no inconsistencies in the program. Documents must also have the name of the company in addition to a space to write the date when the record is generated. It is recommended to include the address if there are multiple operational sites within the same company.

There are different types of documents that serve as support to the operations:

  1. Program: A written document indicating how a business will execute its activities. When it comes to the food industry, this is a written document that indicates how quality, food safety and business activities are controlled.
  2. Procedures: General actions conducted in a certain order. Standard Operational Procedures (SOPs) allow the employee to know what to do in general. For example, a truck receiving procedure only tells the employee what the expected conditions are when receiving a truck (cleanliness, temperature, etc.) However, it doesn’t tell the employee how to look for the expected conditions at the time of the truck arrival.
  3. Work Instructions: Detailed actions conducted in a certain order. For example, truck inspection work instruction tells the employee what steps are to be followed to perform the inspection.
  4. Forms: Documents used to record activities being performed. 
  5. Work Aids: are documents that provide additional information that is important to perform the job and can be used as a quick reference when performing the required activities within the job. 
Are you prepared to face document requirements now and in the future?

The inspectors and auditors base their role on the following saying: “Say what you do. Do what you say. Prove it!” The programs say what the company do. The procedures, work instructions and work aids provide information on implementation (Do what you say) and the forms become records that are evidence (prove) that the company is following their own written processes.

Regulatory requirements for cannabis vary from state to state. In general, an inspector may ask a cannabis business to provide the following documentation during an inspection:

  1. Business License(s)
  2. Product Traceability Programs and Documents
  3. Product Testing (Certificate of Analysis – COAs)
  4. Certification Documents (applicable mainly to cannabis testing labs)
  5. Proof of Destruction (if product needs to be destroyed due to non-compliance)
  6. Training Documents (competency evidence)
  7. Security Programs

As different states legalize cannabis, new regulatory requirements are being developed and modeled after the pharma, agriculture and food industries. In addition, standards will be in place that will provide more consistency to industry practices at a global level. The pharma, agriculture and food industries base their operations and product safety in programs such as cGMPs, GAPs, HACCP-based Food Safety Management Systems and Quality Management Systems. Documents required during an inspection or audit are related to:

  1. Good Agricultural Practices (GAPs)
  2. Current Good Manufacturing Practices (cGMPs)
  3. Food Safety Plan Documents
  4. Ingredient and Processing Aids Receiving
  5. Ingredient and Processing Aids Storage
  6. Operational Programs (Product Processing)
  7. Final Product Storage
  8. Final Product Transportation
  9. Defense Program
  10. Traceability Program
  11. Training Program
  12. Document Management Program

In the always evolving cannabis industry, are you prepared to face document requirements now and in the future?

canna grow
Soapbox

CannaGrow Expo Heads to Palm Springs

By Aaron G. Biros
No Comments
canna grow

We’ve covered the CannaGrow Expo previously, but this time around we catch up with Joseph De Palma, founder of CannaGrow, to talk about the genesis of his conference and what makes the event so special. This year’s CannaGrow Expo heads to Palm Springs, California, a new location for the event, on May 19thand 20th.

We’ve watched De Palma’s conference grow over the years, moving around the country and becoming the tight-knit community we know it as today. The meat and potatoes of the show are definitely the educational sessions, panel discussions, roundtables and the expo hall. But covering it year after year we’ve noticed a real sense of community develop, one where genuine idea sharing, collaboration and inclusivity are preached. There are no dumb questions at the CannaGrow Expo.

Tom Lauerman speaks to a room full of attendees at CannaGrow San Diego

According to Joseph De Palma, CannaGrow started in 2014, when the original event was held in Denver. “From the beginning, we wanted to create an event specifically for growers, where the focus was always on education and ‘becoming a better grower’,” says De Palma. “We had experienced the existing events in the marketplace, and almost all fit into two categories at the time, festival, or generic tradeshow. Those were fine for their purpose, but they didn’t foster an environment of education, and that’s what we believed was most important to the emerging cannabis industry.” Back in 2014, their show only had 10 sessions and 30 exhibitors. “Passionate growers from around the country had 2 days of grow-focused sharing and learning, and you could see the energy and excitement,” De Palma says. “Discussions would dive deep, people made new friends, and it really elevated the conversation around cultivation.”

Attendees gather at a lighting exhibit at CannaGrow San Diego

Since the show’s debut, it’s grown substantially. The 7th CannaGrow Expo is fast approaching, and this upcoming conference has four separate tracks and roughly 100 exhibitors. But it still keeps its sense of community, one where you don’t feel crowded, where everyone has time to chat and network, without the overwhelming feeling that can come with larger trade shows. “That inclusivity and open dialog is built in,” says De Palma. “If you go to an event that’s tradeshow dominant, most people are there to walk, shop, and leave. At CannaGrow, growers and extractors come together with a plan for the weekend, remaining in a constant state of engagement with others at the show.”

This year’s show has some exciting additions to look out for. The agenda covers a wide range of topics, including everything from an introduction to growing with living soil to a discussion of cyber security. The Extraction Summit, new to this year’s event and held on Day 2, is their response to the massive rise in popularity and demand of extracts.

Eric Schlissel
Eric Schlissel, president and chief executive officer of GeekTek

Eric Schlissel, cybersecurity specialist, president and chief executive officer of GeekTek, is giving a talk focused on IT infrastructure. “My presentation will center around the actions cannabis businesses need to take right now to repel cybercrime and potential federal seizure,” says Schlissel. “As cannabis operators build their businesses and develop their security strategies, they often focus exclusively on the physical portion of their business – the merchandise and the cash in particular – and overlook the importance of designing and fortifying a secure IT infrastructure. I will discuss the importance of a holistic security strategy that embraces both and how you can both create one and prepare it for expansion into other states or even globally from the very start.” Schlissel’s discussion is one example of just how all-encompassing CannaGrow intends to be.

De Palma and his team leave few stones unturned as the show truly delivers vital information for cannabis cultivators in every area. Some things we are looking forward to? Seeing old friends and learning everything under the sun about cannabis science, growing and extraction. “People get to know each other, and with everyone sharing a core passion for cultivation and extraction, lifelong friendships are made,” says De Palma.

To check out the agenda, speakers and exhibitors, click here.

Iowa’s Medical CBD Program Gets Tracking System

By Aaron G. Biros
No Comments

BioMauris, LLC became the 5th company in the United States to win a state contract for a seed-to-sale platform today. BioMauris is a technology company that manages product tracking, fulfillment and distribution with a focus on the healthcare market. According to a press release, the company announced today that the state of Iowa selected BioMauris to manage their tracking system for the medical cannabidiol (CBD) program.

That program’s contract includes inventory tracking, medical cannabidiol sales and patient and caregiver registration. In 2014, Iowa’s Medical Cannabidiol Act was signed into law. Three years later, in May of 2017, Governor Terry Branstad expanded the state’s program, including manufacture and dispensing in the previous legislation. On December 1st, 2018, Iowa expects sales to begin and fully implement the program.

This is BioMauris’ first state contract in the cannabis industry. According to the press release, BioMauris bases their platform on Salesforce for point of sale, tracking, customer loyalty and distribution services in the healthcare sector. The company says they use Salesforce because it is extremely customizable and secure.

Erik Emerson
Erik Emerson, founder and president of Biomauris

According to Erik Emerson, founder and president of BioMauris, they’re poised to deliver on this front, given their experience in other industries. “Our team has extensive history in the pharmaceutical business, and therefore has a unique appreciation for data integrity and security,” says Emerson. “Additionally, we fundamentally believe the opportunity to track patient progress and associate the benefits received with the products used, is an incredible opportunity for the cannabis industry.” BioMauris has worked with clients on similar projects in the healthcare space for some time.

The company touts their platform as fully PCI-DSS and HIPAA compliant, allowing them to process payments and protect sensitive patient information. “Our patented technology, makes this not only possible, but simple for all users,” says Emerson. “We are excited to bring our product to the great state of Iowa and look forward to a long partnership with them. We believe strongly in what Iowa is attempting to do with their program and believe it is a perfect fit with our strategy for the cannabis industry.”