By Griffen Thorne, Attorney at Harris Bricken
Most states’ regulated cannabis regimes require licensed cannabis companies to use seed-to-sale track-and-trace software. In California, the state has contracted the entire track-and-trace program to the METRC program. The METRC program isn’t yet fully implemented because many operators don’t yet have annual licenses. Our California cannabis attorneys frequently assist clients with track-and-trace compliance and preparation. We know that most California cannabis licensees are just trying to get a handle on how they will use METRC and what that will require from an operational standpoint. What nobody seems to be focusing on is the fact that some apparent oversights in California’s regulations could lead to widespread chaos for operators across the state.
The aspect of track-and-trace with the biggest potential for disaster isn’t the fact that it’s so complex, but rather the fact that loss of access to the system could be devastating for licensees. Each of the three California cannabis agencies’ track-and-trace rules prohibit licensees from transferring cannabis to other licensees in the event of loss of access to the track-and-trace system. This effectively means that businesses have to stop doing business until access is restored—no matter what—and every day waiting could cost thousands of dollars in lost revenues. It doesn’t matter if the loss of access was caused by a licensee, a third party, or even issues with METRC or a third-party application integrated with METRC.
This leads me to a post I wrote several months ago on how data breaches are likely to ravage the cannabis industry. One of the things I talked about is the potential for “ransomware” or similar attacks—situations where hackers encrypt files or even in some cases lock users out of systems and demand money (the ransom) in exchange for giving access back to the user.
If a ransomware or similar attack causes loss of access to a licensee’s track-and-trace software, the licensee will be at the mercy of hackers and won’t be able to conduct business until they either pay the ransom (which may pose legal problems in and of itself, see here) or figure out how to gain back access themselves (which may be impossible). If there’s an attack to or even simply unintended downtime in the METRC system or integrated applications, that could cause chaos for operators across the state.
In our experience, these are issues that the average cannabis company just isn’t even considering. Because of the expense and difficulty of complying with cannabis laws, data make cannabis companies take a very hard look at how they operate.
Cannabis companies have a lot more to lose than regular companies given the federal status of cannabis (would cannabis companies want to report data breaches to the FBI?) and the fact that data breaches can already be tremendously expensive for companies that don’t have to spend tens (or hundreds) of thousands of dollars on permits and deal with Internal Revenue Code section 280E. Cannabis companies should consult with their counsel to figure out solid ways to protect themselves in the event of loss of access to the track-and-trace system or from other data security problems.
Re-published with the permission of Harris Bricken and The Canna Law Blog
Your email address will not be published. Required fields are marked *
Save my name, email, and website in this browser for the next time I comment.
Notify me of follow-up comments by email.
Notify me of new posts by email.
Competing agendas have stifled the effectiveness of the burgeoning industry on Capitol Hill. Marijuana advocates are stuck in the weeds. Cannabis policy has never had a rosier outlook on Capitol Hill: Democrats control both Congress and the White House, seven new states just legalized recreational marijuana, and the cannabis industry has gained powerful new allies…
Delaware lawmakers who support legalizing recreational marijuana are taking a run at it for the sixth straight year, and the lead sponsor says he’s “feeling optimistic.” First introduced in 2017, a bill to legalize weed fell four votes short of passage in the Delaware House of Representatives in 2018 but since then has not reached…
While marijuana became legal for adults to purchase in Montana on New Year’s Day, a key federal agency has confirmed a fact underreported in coverage of the state’s new marijuana program: It remains illegal under federal law for individuals to simultaneously possess marijuana or marijuana products and firearms, and penalties for violating that law are…
Row by row, Oklahoma Bureau of Narcotics and Dangerous Drugs agents and Garvin County deputies cut down 2,500 marijuana plants and loaded them in a dump truck for destruction during an April 2021 raid near Pauls Valley. The grow operation had a Oklahoma Medical Marijuana Authority license, but had not obtained an additional permit from…