Tag Archives: type

Cannabis Registry Reality Check: Privacy Must be Paramount

By Shadrach White
No Comments

The task of preserving privacy for any records platform, especially a cannabis registry, cannot simply be relegated to ones and zeros lurking in some forgotten codebase. This past year taught us many lessons, especially related to the trauma unleashed by vulnerabilities in government domains. We learned time and again that a registrant’s privacy must be the first order of business for the architects of registries.

But the first order of business isn’t the last order of business. That intention and effort to secure privacy must then be communicated and reinforced through real-world reality checks.

Lapses in data security and rising distrust for government institutions block the efficacy of well-intentioned and vital registries. Those states launching new registries in 2021 are at a precarious crossroads as public trust erodes.

As I write this, we’ve just learned illicit operators hacked a third-party service provider for the Washington State Auditor’s office. The attack compromised the personal data of 1.4 million users seeking unemployment benefits. Security hacks are a cautionary tale, whose impact is felt too often.

But many in the government sector are staring at a once-in-a-generation challenge to launch new registries – those related to cannabis – with privacy top-of-mind from the initial Request For Bid.“The question isn’t when these privacy-first registries will be implemented, it’s a question of whether they’ll be implemented proactively ahead of hacks or after the damage is done.”

Here’s how:

Table Stakes for New Cannabis Registries

These suggestions are just the beginning, and I see them as the minimum buy-in to begin the architecture of a new cannabis registry. They include:

  • End-to-end data encryption while in transit and within the system while the data is at rest.
  • A solution that is a cloud-native web application which is managed as a service for maximum uptime and strong security posture.
  • Registries should also leverage algorithms and machine learning to ensure accurate data entry by analyzing incorrect or duplicate data before it is saved within the system.

Beyond HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires privacy and security measures to protect Personal Health Information (PHI). Debate exists on whether compliance is a requirement for all entities transacting in the medicinal cannabis space. While some state registries are exempt from HIPAA, others choose to provide HIPAA compliance not just for the optics, but the known benefit to users’ privacy and confidence. New cannabis registries should commit to HIPAA-compliance to set a trusted new privacy standard for medical patient credentials and legal authorization for the use of cannabis for medical purposes.

That’s just the start. Registries should also ensure SOC2 Type II certification, which safeguards security, site availability, confidentiality and privacy through independent third-party auditors.

Connect with Confidence

Registries function as a hub of information in an often-confusing cannabis space. The California Bureau of Cannabis Control displays more than 25 links wired into its top navigation bar alone. Each link sends the curious to new resources. Registries must establish themselves as credible resources, especially when directing users to third-party sites.

One example is for cannabis registries to provide secure access to healthcare professionals who are verified by the Drug Enforcement Agency (DEA). These healthcare professionals are licensed to distribute controlled substances including cannabis. Each third-party link should offer the same high-level of scrutiny to enshrine confidence and credibility in the registry.

Next-Generation ID Cards

A cannabis registry card should not just be a document, but a toolset that attests to the identity and the authority of the carrier represented. An illicit counterfeiting market seeks to exploit registry card vulnerabilities. Next generation ID cards present the best defense against counterfeiting and illegal use with robust security measures. That starts with assuring that any credential is mobile ID compatible with iOS Wallet and GooglePay for mobile identification.

ID cards should also include:

The automated modification of the document bearer’s photograph to ICAO (International Civil Aviation Organization) standards. This critical modification makes the photograph easier to use for ID verification; it also facilitates the detection of photograph substitution.

A two-dimensional barcode compiles information contained in a one-dimensional barcode. It also delivers confirmation of other data shown on the card or in the system such as license authorization and limitations. Adding additional material to the physical document such as holograms, UV image, micro-printing or laser perforations offers another level of protection against illicit use or counterfeiting.

While cannabis registries are the beginning, they’re not the end. Driving efficacy for government registries needed for COVID19 track-and-tracing, cannabis plant track-and-tracing and vaccine distribution require the same attention to privacy, security and ultimate useability. A sea change is required – not just for the sake of those who use the registries but also for those who must implement, deploy and maintain those registries. The question isn’t when these privacy-first registries will be implemented, it’s a question of whether they’ll be implemented proactively ahead of hacks or after the damage is done. I believe the government sector leaders exploring new cannabis registries offer the wisdom and foresight to choose the proactive approach.

Learning from The First Wave Part 3: Seven Basic Questions About Local Cannabis Ordinances & Real Estate

By Todd Feldman
No Comments

Part One of this series took a look at how the regulated cannabis market can only be understood in relation to the previous medical market as well as the ongoing “traditional” market. Part Two of the series describes how regulation defines vertical integration in California cannabis.

If you are considering getting involved in California cannabis, imagine the following sentence in ten-foot-tall letters made out of recently ignited $20 bills:

Before you put any money down on property, carefully examine the local cannabis ordinance and tax rates. 

This article is written in the form of advice to a newbie cannabis entrepreneur in California, but it will discuss issues that are also of significance to investors, as well as (to various degrees) cannabis entrepreneurs in other states.

Here are seven basic questions that you need to ask about local regulations (in order, except for Number 7).

1. What’s Your Jurisdiction?

If you’re in city limits, it’s the city. If you’re outside city limits, it’s the county.

2. Does the Jurisdiction Allow Cannabis Activities?

If the answer is yes, go to the next question. If the answer is no, pick another jurisdiction.

3. Where Does the Jurisdiction Allow Cannabis Activities?

A zoning ordinance will limit where you can set up shop. The limitation will probably vary by license type.

4. How Does the Local Ordinance Affect Facility Costs?

The short answer is: in many ways. Your local ordinance is a Pandora’s box of legal requirements, especially facility-related requirements.1 Read your local cannabis ordinance very carefully.

Generally speaking, the cannabis ordinance will set out two types of requirements – those that are specific to cannabis and those that apply generally to any business.

Looks great but . . . where are the sprinklers? Does it need a seismic upgrade? How about floor drains?
Photo by Wilhelm Gunkel on Unsplash

Cannabis-specific requirements:

  • Typically incorporate state cannabis laws by reference.
  • Have significant overlaps with state cannabis laws. For example, the state requires commercial-grade locks and security cameras everywhere cannabis may be found on a given premises. Local ordinances generally include similar requirements – keep in mind that you will need to comply with a combined standard that satisfies both state and local requirements.2
  • Vary greatly according to type of activity. For example, manufacturers will need to comply with Health & Safety Code requirements that can have a major impact on construction costs.
  • Vary greatly by jurisdiction when it comes to equity programs.

General requirements:

  • Include by reference building and fire codes, which can require very expensive improvements. Note that this means your facility will be inspected by the building department and the fire department.
  • Can include anything from Americans with Disabilities Act (ADA) requirements to city-specific requirements, such as Design Guidelines.
  • Will be zealously enforced because you’re a cannabis business.

5. What is the Enforcement Policy?

It may be that your local jurisdiction will give you temporary local authorization after meeting some, but not all, of the requirements. For example, you may be able to begin operations once you’ve provided your city or county with your cannabis permit application, a zoning clearance and a business permit. In this jurisdiction, you would be able to bring your building up to code sometime after you begin operations.

On the other hand, your local jurisdiction may require you to meet every requirement – from cannabis-specific security requirements to general building code and ADA requirements – before you can begin operations. Depending on the type of cannabis business (and facility condition), this might be inconsequential. Or it might mean that you will have to pay more than a year’s worth of rent (or mortgage) before you can start making money.

6. Can You Choose a Facility That Saves You Time and Money?

Of course, you won’t have to spend much time or money bringing your facility up to code if it’s already up to code. How likely it is that you will find such a facility varies wildly according to the type of cannabis activity in question. In general:

  • Service-side activities (delivery retail, storefront retail, distribution) are in many respects similar to their non-cannabis counterparts. From a facilities standpoint, the major differences come from security requirements. So, it may be possible to save time and money by choosing a facility that is already up to code for a similar use.
  • Manufacturing activities are trickier, since you will need food-grade facilities and equipment. You may be able to save money by setting up shop in a commercial kitchen.
  • Extraction with volatile solvents is a special (and particularly expensive) case, since it is inherently dangerous and requires special facilities.
  • Outdoor cultivation may be relatively unproblematic if it has an appropriate water source.
  • Indoor cultivation is expensive because of climate-control and lighting requirements. Buildings potentially suitable for large-scale indoor grows frequently come with significant problems. Former warehouses will typically require major power upgrades, while former factories may have inconvenient architecture and/or hidden toxic waste. In all cases, internal reconstruction is likely to be necessary, and will trigger all sorts of building and fire code requirements.

7. What Are the Local Cannabis Taxes?

Cannabis tax rates may be determinative. For example, Oakland imposes a 6.5% gross receipts tax on manufacturers that have gross receipts of less than $5M, and 9.5% on manufacturers that have gross receipts over $5M. In comparison, Santa Rosa only imposes a 1% gross receipts tax on manufacturers.

Local cannabis ordinances and taxes can make or break your business, so you need to understand them before you commit to a location. The seven basic questions listed above are designed to get you started.

This article is the opinion of the author and is not intended to be legal or other advice.

References

  1. For example, see Part II of the City of Oakland’s Administrative Regulations and Performance Standards, and The City of Los Angeles’s Rules and Regulations for Cannabis Procedures No. 3 (A)(14).
  2. For example, compare 16 CCR § 5044 (“Video Surveillance System”) with The City of Los Angeles’s Rules and Regulations for Cannabis Procedures No. 10 (A)(7).

Due Diligence for Suppliers & Cannabis Supply Chain Partners

By Mark Slaugh
1 Comment

Between the patchwork quilt of rules and regulations that is the modern cannabis industry, products pass through many hands before being sold to a customer. From sourcing, cultivating, manufacturing, distributing and vending, the relationships between a licensee and their vendors/partners up and down the supply chain is complex and touches many stakeholders along the way.

While the focus on quality packaging, dope labeling, delicious ingredients and consistently potent cannabis is a priority for most companies, what often isn’t thought about is the liability in bringing these components together in terms of compliance.

Compliance responsibility falls on licensees as a direct term and condition of licensure within their state. To operate, licensees must maintain and be able to demonstrate compliance with a plethora of rules and regulations. Compliance is the name of the game in cannabis.

While most operators understand this, what most do not think about is how the compliance or noncompliance of their vendors affects their own liability.

Sharing Noncompliance & Liability

Supply chain partners are automatically segregated by whether or not they are plant touching licensees or not.

Licensees are the only entities in the supply chain that can be fined, administratively held, suspended, revoked or even arrested due to noncompliance. This fundamental nature means that supply chain partners are automatically segregated by whether or not they are plant touching licensees or not.

In the case of mutual licensees such as a manufacturer and dispensary, the liability for compliance falls on both entities. A single manufacturer that makes an error on labeling language or a cultivator using the incorrect containers both pass on their liability to any downstream partners.

iComply has seen regulators quarantine hundreds of products among multiple dispensaries who never checked the compliance of the supplying manufacturer. Surprisingly, most dispensaries don’t think of the liability passed to them amid hundreds of SKUs and multiple manufacturers and cultivators. Confounding the issue further is that everyone in the industry can interpret the same rules in completely different ways.

Assuming your supply chain partners are 100% compliant is a dangerous pitfall.

By not checking noncompliance from supply chain partners, operators accumulate evidence dating back years. Like METRC being off, these issues tend to snowball until they seem overwhelmingly difficult to handle. And it doesn’t just stop at labeling issues. Noncompliance can fall on all supply chain partners and be left in the hands of a licensee in a variety of ways.

Business partners like security contractors can often run afoul of regulations and put their licensed partners at risk.

Even worse, are supply chain partners who don’t have a motive to be compliant as they do not own licenses and often have a poor understanding of cannabis compliance. A packaging provider, marketing company, CBD provider, security company, vending machine providers, waste disposal companies and other commonplace suppliers and partners can often run afoul of regulations and put their licensed partners at risk.

Since regulators can only enforce the licensed entity, many states have made it clear that licensees are ultimately and fully responsible for any actions of noncompliance taken by third parties contracted by the company – regardless if they touch cannabis or not.

Areas of Common Noncompliance in Cannabis

Like a game of “Hot Potato” (worth millions of dollars), we’ve seen common noncompliance liability get passed down the supply chain in the following areas of cannabis operations:

  • Product liability
  • Packaging and labeling
  • Test result manipulation
  • Expired licenses
  • Input or ingredient defects
  • Inventory tracking errors
  • Recordkeeping and manifest errors

Some of these areas of noncompliance rely with non-licensed supply chain partners such as packaging, ingredients or third party printed labels. Often, these folks simply don’t know what they don’t know and make mistakes – not knowing the thousands of dollars they could be costing their licensed partner down the line.

Other areas in which compliance should be expected from licensed partners lies in product liability, test result issues, inventory tracking, manifests and recordkeeping. No one usually wants to be out of compliance and usually these issues arise from licensed partners who are simply confused, mistaken or ignorant to the requirements of ongoing and changing rules.

It’s hard to keep all of one’s suppliers and supply chain partners on the same page over the long run and amid a multitude of changing rules. But what you resist, persists…

Managing Compliance in the Cannabis Supply Chain

Nothing worth it is ever easy; but it is possible to identify common areas of noncompliance in one’s cannabis operation and supply chain partners and to do something about.

To identify problem areas, iComply recommends conducting regular auditing at a macro level; but to also dive deeper into micro level audits of all of one’s books and records (covering vendor files) and packaging and labeling for at least 12 months.

You don’t know what you don’t know, so one must begin by investigating and understanding where liabilities are occurring between themselves and their supply chain partners. Once valid feedback and noncompliance is discovered, it can be remediated.

Like triage, you have to stop the bleeding before you can prevent further injury.

Consistency in quality standards requires meticulous SOPs

It is always more expensive and time consuming to continue reacting to noncompliance and trying to fix issues after the fact. This is how snowball effects happen until the problems seem so overwhelming, operators tend to simply ignore the liability. While it is human nature, it is also extremely dangerous and detrimental when multimillion dollar licenses are on the line.

An ounce of prevention is worth a pound of cure –Benjamin Franklin

By implementing proactive compliance measures, cannabis businesses can avoid costly noncompliance consequences and position themselves as proactive checkpoints of supply chain compliance. We recommend integrating the following procedures, documents, training and tools into one’s operational compliance infrastructure:

  • New vendor checklist
  • Packaging and labeling checklists by product type
  • Virtual review of labels/non-cannabis packaging
  • Calendar expiration dates for licenses and products
  • Compliance auditing of key vendors and strong contracts regarding liability
  • Input product checklists and tracking as per GMP compliance

This snapshot is just the tip of the iceberg when it comes to the depths of liability a cannabis business is exposed to by its supply chain partners. To truly manage compliance, one must be aware of shared risk and implement proactive measures to prevent suppliers and supply chain partners from inadvertently affecting the operational compliance of your cannabis business.

Selecting Supply Chain Partners

There are plenty of fish in the sea and plenty of suppliers vying to do business with you. iComply has seen the good, the bad and the ugly. We’ve been on the front lines of developing markets like California where we warned our clients to steer clear of companies like Kushy Punch long before they finally lost their license for noncompliance.

control the room environment
Preventing contamination can save a business from extremely costly recalls.

We advise our clients on the importance of being selective and conducting due diligence in vetting supply chain partners and vendors. Most fundamentally, how aligned are the values of potential partners? Are they in the business for the same reasons you are? What brought them to the cannabis space? How do they value relationships and what do they know about compliance?

Too often when focused on price or speed, people miss the more important fundamentals of relationships. We serve as vetters for our clients whether they are shopping for a POS provider, a bank or a waste disposal company. Beyond the cultural alignment, the more objective questions begin to take shape in vetting a potential partner. This can differentiate between license holding and non-holding supply chain partners.

For plant-touching licensed partners, we recommend answering the following before entering into business partnerships that affect your supply chain:

  • Copies of licenses, contracts, and a catalogue of products
  • For products being selected, prior to ordering a sample, obtain a copy of the label by email first. Or an EMPTY sample of product packaging and labeling to vet against a packaging and labeling checklist.
  • Search news articles on the company and ask if they have had compliance issues before. Obtain documentation if there have been compliance issues previously.
  • Ask how they manage their compliance and prevent noncompliance down their supply chain. Do they train their staff? Do they conduct regular audits internally? How often do they update SOPs and reconcile inventory?

For non-plant touching partners, we recommend answering the following:

  • Obtain any certifications for quality assurance or in credentials for services.
  • Ask for references from other customers who have cannabis licenses.
  • Discover how familiar they are with the cannabis industry AND the rules and regulations in your market.
  • Ensure they have an understanding of how they impact your compliance. Discover how they plan on preventing areas of concern together.
  • Make sure they know you are ultimately responsible for noncompliance and understand what they are willing to do to protect you.

Ensuring accountability across the supply chain means selectively choosing partners who share the same values of integrity and professionalism. On more complicated deals, such as licensing IP or your brand to operators in new states or markets, we recommend that you mandate a compliance program that offers third-party validation to ensure the internal integrity of your partners. Too often, brand risk isn’t considered in the fast-paced expansion of the industry and operators must not only be vetted, but held accountable, when representing one’s brand and products.

For all intents and purposes, the wild web of the supply chain in cannabis is the industry. We are a collective of collaborators who all serve the goal of delivering high quality and safe products to cannabis consumers globally. For those committed to minimizing their risk to protect their profits, cannabis compliance is the key to success.

Ensuring accountability across the supply chain means selectively choosing partners who share the same values of integrity and professionalism. In doing so, the industry elevates its legitimacy and more effectively expands in a sustainable manner that protects all stakeholders involved.

Noncompliance affects licensees the most and they must be the most vigilant, but it takes a village to raise an industry. Compliance affects most everyone in the supply chain and the loss of any operator hurts the entire industry.