By Griffen Thorne, Attorney at Harris Bricken
Most states’ regulated cannabis regimes require licensed cannabis companies to use seed-to-sale track-and-trace software. In California, the state has contracted the entire track-and-trace program to the METRC program. The METRC program isn’t yet fully implemented because many operators don’t yet have annual licenses. Our California cannabis attorneys frequently assist clients with track-and-trace compliance and preparation. We know that most California cannabis licensees are just trying to get a handle on how they will use METRC and what that will require from an operational standpoint. What nobody seems to be focusing on is the fact that some apparent oversights in California’s regulations could lead to widespread chaos for operators across the state.
The aspect of track-and-trace with the biggest potential for disaster isn’t the fact that it’s so complex, but rather the fact that loss of access to the system could be devastating for licensees. Each of the three California cannabis agencies’ track-and-trace rules prohibit licensees from transferring cannabis to other licensees in the event of loss of access to the track-and-trace system. This effectively means that businesses have to stop doing business until access is restored—no matter what—and every day waiting could cost thousands of dollars in lost revenues. It doesn’t matter if the loss of access was caused by a licensee, a third party, or even issues with METRC or a third-party application integrated with METRC.
This leads me to a post I wrote several months ago on how data breaches are likely to ravage the cannabis industry. One of the things I talked about is the potential for “ransomware” or similar attacks—situations where hackers encrypt files or even in some cases lock users out of systems and demand money (the ransom) in exchange for giving access back to the user.
If a ransomware or similar attack causes loss of access to a licensee’s track-and-trace software, the licensee will be at the mercy of hackers and won’t be able to conduct business until they either pay the ransom (which may pose legal problems in and of itself, see here) or figure out how to gain back access themselves (which may be impossible). If there’s an attack to or even simply unintended downtime in the METRC system or integrated applications, that could cause chaos for operators across the state.
In our experience, these are issues that the average cannabis company just isn’t even considering. Because of the expense and difficulty of complying with cannabis laws, data make cannabis companies take a very hard look at how they operate.
Cannabis companies have a lot more to lose than regular companies given the federal status of cannabis (would cannabis companies want to report data breaches to the FBI?) and the fact that data breaches can already be tremendously expensive for companies that don’t have to spend tens (or hundreds) of thousands of dollars on permits and deal with Internal Revenue Code section 280E. Cannabis companies should consult with their counsel to figure out solid ways to protect themselves in the event of loss of access to the track-and-trace system or from other data security problems.