As we continue to geek out on cannatech, let’s explore compliance and security matters.
Compliance
What is compliance?
“Business owners think (and wish) that compliance requirements don’t affect them,” says compliance expert Mike Semel of Semel Systems. “My definition of compliance is ‘anything someone else makes you do,’ including federal and state laws, industry regulations, contracts and cyber liability insurance policies.
“They all can affect businesses in the cannabis industry — even federal laws, in spite of the fact that cannabis isn’t legal at the federal level. The Federal Trade Commission (FTC) protects consumers, as do the 50 state attorneys general. State data-breach laws protect Social Security numbers and driver’s license numbers. Even if the company doesn’t collect that info from customers, they have it for their workforce members. Cyber insurance carries its own requirements and exclusions,” he says.
Semel says every business in all 50 states must comply with at least one data protection regulation, so they should build in cybersecurity and compliance as foundational strategies, not “bolt-on tactics that leave them at risk.”
From a technology perspective, compliance has three primary characteristics.
– Traceability: Using Washington state as an example, here is what traceability means from “seed to sale” in the cannatech supply chain: Marijuana seedlings, clones, plants, lots of useable marijuana or trim, leaves and other plant matter, batches of extracts, marijuana-infused products, samples and marijuana waste must be traceable from production through processing and finally into the retail environment, including being able to identify which lot was used as base material to create each batch of extracts or infused products.
All marijuana, useable marijuana, marijuana-infused products, marijuana concentrates, seeds, plant tissue, clone lots and marijuana waste must be physically tagged with the unique identifier generated by the traceability system and tracked.
The two technology elements used to automate traceability are bar codes and radio-frequency identification (RFID) tags, which are scanned and tracked through software from Metrc and MJ Freeway. Of course, there are tales from the trenches of folks using Excel spreadsheets to facilitate traceability, but that is not recommended for productivity and accuracy reasons (though some of the commercial traceability systems on the market have been known to have their own problems with accuracy and reliability).
– Point of sale: In the January 2021 issue of Marijuana Venture, I published the CannaTech Ecosystem Stack (which can be viewed here: https://bit.ly/cannatechecosystem). There were 11 point-of-sale solutions featured and all connect to traceability software.
– Video: In the context of compliance, here are several examples of video surveillance and retention requirements:
In Washington, licensed premises must, at minimum, have a complete video surveillance system with camera resolution of 640-by-470 pixels or pixel equivalent for analog. The surveillance system storage device and/or the cameras must be internet protocol (IP) compatible. All cameras must be fixed, and placement must allow for the clear and certain identification of any person and activities in controlled areas of the licensed premises. All entrances and exits to an indoor facility must be recorded from both indoor and outdoor, or ingress and egress, vantage points. On-site retention of the video must be maintained for a minimum of 45 days (no cloud storage allowed).
California businesses are required to have 24-hour continuous video (motion detection is not allowed). The video must be a minimum of 15 frames per second and 720p resolution, and footage must be retained on-site for a minimum of 90 days (no cloud storage allowed). Any four-hour downtime must be reported to state regulators.
In Colorado, 40 days of retained footage is required (the same as Alaska). Camera coverage must enable recording of the customers’ and employees’ facial features with sufficient clarity to determine identity. All camera views of all limited access areas must be continuously recorded 24 hours a day. The use of motion detection is authorized when a licensee can demonstrate that monitored activities are adequately recorded.
Canada takes video retention to another level, with licensees being required to maintain at least one year of footage.
Two video vendors committed to the cannabis segment on the CannaTech Ecosystem Stack are Deep Sentinel and Hikvision.
Security
The cannabis segment is somewhat unique in that security is both physical security and cybersecurity. I spoke with Tony Bradley, cybersecurity professional and author and editor-in-chief of TechSpective, about security in the cannabis sector.
“While cannabis may be an emerging market, and many of the businesses may be small business startups, the reality is that every business must address the risk of cyber-attacks,” Bradley says. “The vast majority of attacks are not targeted. In other words, the attackers do not know or care what industry you are in or how large the business is. Phishing, ransomware and other common attacks are automated and simply look for any vulnerable system to exploit. That said, the cannabis industry is young and booming, which makes it an ideal target as well. Attackers know that many cannabis businesses are not focused on cybersecurity and do not have the expertise or tools necessary to defend themselves. At the same time, privacy is crucial for many cannabis customers, and a successful attack can quickly devastate a cannabis business.”
A cannabis business is — first and foremost — a business. Operators should follow the same basic cybersecurity protocols and established best practices as any other company with things like antimalware, firewalls and intrusion detection.
“Three things I would recommend as you move beyond the table stakes to implement better security are deception and extended detection and response (XDR),” Bradley says. “Deception technology sets up lures and decoys to attract attackers and quickly alert you that suspicious activity is occurring. XDR takes the concept of endpoint detection and response and extends it to the broader network — providing visibility and effective response across your entire network, including the cloud.”
Bottom Line
Consider engaging a technology professional service provider to help you navigate the technology side of compliance and security in your cannabis business.
Harry Brelsford is the founder of 420MSP, a community of managed services providers (MSP) and IT service providers that target the cannabis industry. Brelsford is a long-time Seattle-based technology entrepreneur. He can be reached at harrybrelsford@gmail.com or 206-201-2943. Visit www.420msp.com.