California law requires licensed cannabis businesses to use a “track-and-trace” system that, as its name suggests, tracks the movement of cannabis from seed through final sale.
Cannabis licensees are obligated to meticulously register nearly every data point for cannabis biomass and products (such as harvest date, sale, processing activities, and so on) into the track-and-trace database, or they can face penalties.
In turn, the database is accessible by state regulators, who can use information in the database to determine whether licensees violated rules or whether cannabis was sold into the illicit market.
While many licensees view the track-and-trace system as regulatory overreach and a headache to use, the State of California views it as a necessary tool to combat the illicit market and to ensure that cannabis is properly tracked, sold, and taxed.
In fact, California’s regulators believe that the track-and-trace system is so critical that they require cannabis businesses that lose connectivity to the system to stop conducting certain critical commercial cannabis activities until they get back online, without exception.
Notably, cannabis businesses that are the victims of data breaches that result in loss of access to the track-and-trace system face unique risks—even though in many, if not most data breaches, the cannabis business would be a victim of cyber criminals that itself did nothing wrong.
In addition to the ordinary high costs of responding to a data breach and potentially providing notice to affected consumers, cannabis businesses may be required to cease major parts of their operations—and possibly for a significant amount of time—until the breach is resolved and connectivity is restored.
This article examines some of the risks that California cannabis businesses face with respect to track-and-trace and data breaches, and provides a clear proposal for ending the potentially devastating outcomes forced onto the industry by these rules.
California’s Track-and-Trace System
California’s track-and-trace system, like similar systems in many other U.S. states, is administered by METRC.
All licensed cannabis businesses in California are required to assign track-and-trace managers who oversee compliance with the licensed entity’s track-and-trace reporting and who train and manage lower-level employees with respect to use of the track-and-trace system.
Virtually every milestone in the life of cannabis plants, from seed through sale, must be reported in the track-and-trace system.
This includes events such as the harvest of plants, processing of plant material, packaging, sale, transportation, receipt of cannabis goods, laboratory testing, destruction of cannabis goods, and so on.
At each track-and-trace reporting event, numerous data sets must be input into the system, including the name and type of cannabis goods, unique identifier, date and time of the transaction, and so on.
The track-and-trace rules for each of California’s three agencies vary, as the agencies each regulate different kinds of commercial cannabis activities (cultivators have to track different events than retailers do, for example).
Most, if not all, California cannabis businesses use various third-party software programs to facilitate access to and to interact seamlessly with the METRC system.
These third-party software programs can enable various functionality features that may integrate directly into various kinds of technology to make compliance somewhat easier for licensees.
For example, if integrated into a point-of-sale system, software can populate data from each sale into the track-and-trace system so that the licensee does not have to manually do it.
If, for any reason, licensees lose connectivity to the track-and-trace system, they must effectively cease conducting many significant commercial cannabis activities.
For example, Bureau of Cannabis Control (“BCC”) rule 5050(b) requires licensees that lose connectivity to the track-and-trace system to “notify the Bureau immediately for any loss of connectivity, and shall not transport, receive, or deliver any cannabis goods until such time as connectivity is restored.”
Rules for the other agencies also prohibit licensees from transferring products until access is restored.
To be fair, these rules do not completely prevent cannabis businesses from operating—indeed, rule 5050(a) notes that if a business loses connectivity, it must “prepare and maintain comprehensive records detailing all commercial cannabis activities that were conducted during the loss of connectivity.”
So there may be some aspects of commercial cannabis activity that businesses can carry out during loss of access.
However, the prohibition on receiving, transporting, or delivering cannabis means that for many license types, the bulk of meaningful commercial cannabis activities may not be permitted.
Data Breaches and Loss of Connectivity
The State of California defines data breaches as the “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” Cal. Civil Code § 1798.82(g).
This definition is incredibly broad and can cover virtually any kind of event from hacking to phishing.
One particularly nefarious type of data breach is known as a ransomware attack.
According to the Federal Bureau of Investigations:
Ransomware is a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.
Ransomware attacks can cause costly disruptions to operations and the loss of critical information and data.
You can unknowingly download ransomware onto a computer by opening an email attachment, clicking an ad, following a link, or even visiting a website that’s embedded with malware.
Once the code is loaded on a computer, it will lock access to the computer itself or data and files stored there.
More menacing versions can encrypt files and folders on local drives, attached drives, and even networked computers.
Most of the time, you don’t know your computer has been infected.
You usually discover it when you can no longer access your data or you see computer messages letting you know about the attack and demanding ransom payments.
In other words, hackers in ransomware attacks encrypt files or data on a computer or device, or the actual computer or device itself, and the user will not be able to regain access to the files, data, or device until the user does something (usually paying money or cryptocurrency to the hacker).
Often, victims of ransomware attacks work with law enforcement and/or forensic teams to restore access and determine the scope of the breach.
Restoration of access can take significant time and in some cases may never happen—especially if the victim does not want to pay the ransom.
Some victims may opt to simply pay the ransom, but the decryption process can also take a significant time depending on the amount of data or number of devices that were encrypted.
For cannabis businesses, data breaches can limit or cut off access to the track-and-trace system in many ways.
Ransomware attacks can directly cut off access to the track-and-trace system.
If a licensee has no backup way to access the track-and-trace system, they will be cutoff from access and have to comply with the BCC (or other applicable agency) rules for loss of access.
Data breaches of third-party software systems could also have significant indirect effects on licensees.
If a software system that enables connectivity is breached and consequentially cannot be accessed by licensees, that breach could significantly affect access to the track-and-trace system.
And of course, if the METRC system itself is the victim of a breach, there could be far-reaching and devastating effects throughout the industry.
The possibility for disruptions and the requirement to use third-party tools and software that itself can be susceptible to breaches creates many obvious problems for cannabis licensees.
Even short losses of access can be problematic.
Businesses that are obligated to transfer or receive cannabis from third-party licensees, for example, may be required to cease performance under contracts which could lead to a host of third-party liability.
Licensees who do not have room to store cannabis may but cannot transfer it may face more liabilities.
The list of potential problems is virtually endless.
A Clear and Simple Solution
California can easily fix this potential problem by allowing licensees to continue conducting commercial cannabis activities during losses of connectivity to the track-and-trace system.
The BCC already has a rule requiring licensees to keep track of permitted commercial cannabis activities that may be undertaken during track-and-trace outages and to report those records to the BCC immediately upon restoration of access.
The rule should be expanded to cover any type of commercial activity.
If the State of California wants to ensure that it has a healthy cannabis industry that is not susceptible to business interruptions for causes truly of its control, the state should make this simple, common-sense change to its rules.
After all, there is no sensible rationale for prohibiting licensees from doing business based on the criminal activity of hackers.
