Tag Archives: authorization

Cannabis Registry Reality Check: Privacy Must be Paramount

By Shadrach White
No Comments

The task of preserving privacy for any records platform, especially a cannabis registry, cannot simply be relegated to ones and zeros lurking in some forgotten codebase. This past year taught us many lessons, especially related to the trauma unleashed by vulnerabilities in government domains. We learned time and again that a registrant’s privacy must be the first order of business for the architects of registries.

But the first order of business isn’t the last order of business. That intention and effort to secure privacy must then be communicated and reinforced through real-world reality checks.

Lapses in data security and rising distrust for government institutions block the efficacy of well-intentioned and vital registries. Those states launching new registries in 2021 are at a precarious crossroads as public trust erodes.

As I write this, we’ve just learned illicit operators hacked a third-party service provider for the Washington State Auditor’s office. The attack compromised the personal data of 1.4 million users seeking unemployment benefits. Security hacks are a cautionary tale, whose impact is felt too often.

But many in the government sector are staring at a once-in-a-generation challenge to launch new registries – those related to cannabis – with privacy top-of-mind from the initial Request For Bid.“The question isn’t when these privacy-first registries will be implemented, it’s a question of whether they’ll be implemented proactively ahead of hacks or after the damage is done.”

Here’s how:

Table Stakes for New Cannabis Registries

These suggestions are just the beginning, and I see them as the minimum buy-in to begin the architecture of a new cannabis registry. They include:

  • End-to-end data encryption while in transit and within the system while the data is at rest.
  • A solution that is a cloud-native web application which is managed as a service for maximum uptime and strong security posture.
  • Registries should also leverage algorithms and machine learning to ensure accurate data entry by analyzing incorrect or duplicate data before it is saved within the system.

Beyond HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) requires privacy and security measures to protect Personal Health Information (PHI). Debate exists on whether compliance is a requirement for all entities transacting in the medicinal cannabis space. While some state registries are exempt from HIPAA, others choose to provide HIPAA compliance not just for the optics, but the known benefit to users’ privacy and confidence. New cannabis registries should commit to HIPAA-compliance to set a trusted new privacy standard for medical patient credentials and legal authorization for the use of cannabis for medical purposes.

That’s just the start. Registries should also ensure SOC2 Type II certification, which safeguards security, site availability, confidentiality and privacy through independent third-party auditors.

Connect with Confidence

Registries function as a hub of information in an often-confusing cannabis space. The California Bureau of Cannabis Control displays more than 25 links wired into its top navigation bar alone. Each link sends the curious to new resources. Registries must establish themselves as credible resources, especially when directing users to third-party sites.

One example is for cannabis registries to provide secure access to healthcare professionals who are verified by the Drug Enforcement Agency (DEA). These healthcare professionals are licensed to distribute controlled substances including cannabis. Each third-party link should offer the same high-level of scrutiny to enshrine confidence and credibility in the registry.

Next-Generation ID Cards

A cannabis registry card should not just be a document, but a toolset that attests to the identity and the authority of the carrier represented. An illicit counterfeiting market seeks to exploit registry card vulnerabilities. Next generation ID cards present the best defense against counterfeiting and illegal use with robust security measures. That starts with assuring that any credential is mobile ID compatible with iOS Wallet and GooglePay for mobile identification.

ID cards should also include:

The automated modification of the document bearer’s photograph to ICAO (International Civil Aviation Organization) standards. This critical modification makes the photograph easier to use for ID verification; it also facilitates the detection of photograph substitution.

A two-dimensional barcode compiles information contained in a one-dimensional barcode. It also delivers confirmation of other data shown on the card or in the system such as license authorization and limitations. Adding additional material to the physical document such as holograms, UV image, micro-printing or laser perforations offers another level of protection against illicit use or counterfeiting.

While cannabis registries are the beginning, they’re not the end. Driving efficacy for government registries needed for COVID19 track-and-tracing, cannabis plant track-and-tracing and vaccine distribution require the same attention to privacy, security and ultimate useability. A sea change is required – not just for the sake of those who use the registries but also for those who must implement, deploy and maintain those registries. The question isn’t when these privacy-first registries will be implemented, it’s a question of whether they’ll be implemented proactively ahead of hacks or after the damage is done. I believe the government sector leaders exploring new cannabis registries offer the wisdom and foresight to choose the proactive approach.

California Rolls Out Licensing For Cannabis Businesses

By Aaron G. Biros
No Comments

Last week, the Bureau of Cannabis Control issued the first licenses for California’s new market. The first license went to Moxie, a cannabis distribution company out of Lynwood.

The search feature for the list of licenses issued so far

As of the publication of this article, the Bureau, the state authority tasked with leading the regulation of the industry, has issued 43 temporary licenses. So far, four laboratories have received licenses, along with a number of retailers, distributors, microbusinesses in both medical and adult-use markets.

The labs to receive their temporary licenses so far are pH Solutions, Steep Hill Labs, Pure Analytics and ORCA Cannalytics. Judging by the number of temporary medical and adult-use licenses awarded so far, it appears the Bureau is trying to issue a similar amount for each sector, distributing the number of licenses between the two equitably.

You can find the list of licensees here, and search between the dates of 12/15/17 to 1/2/18 to get the most up-to-date list of licenses awarded. “Last week, we officially launched our online licensing system, and today we’re pleased to issue the first group of temporary licenses to cannabis businesses that fall under the Bureau’s jurisdiction,” says Lori Ajax, Bureau of Cannabis Control Chief. “We plan to issue many more before January 1.”

According to the press release, temporary licenses are only issued to applicants with prior local authorization in the form of a license or permit from the jurisdiction where the business is. Those licenses will become effective on January 1, 2018. The temporary licenses will work for 120 days, or May 1, 2018, after which businesses will need to have a permanent license to continue operating.

More than 1,900 users have registered with the Bureau’s online system, and more than 200 applications have been submitted, according to the press release.

The various regulatory bodies in California have worked diligently for months now to roll out proposed emergency regulations, setting strict requirements for manufacturers, growers, retailers and testing labs. Manufacturing regulations, including specific labeling, packaging and processing requirements, give a good snapshot of how regulators plan to move forward. Testing requirements could also be significantly firmer, with rules for documentation, sample sizes, sampling procedures, storage and transportation.

Yet when the adult-use sales become fully legal on January 1, 2018, those regulations will not be fully implemented.

Donald Land, a UC Davis chemistry professor and chief scientific consultant at Steep Hill Labs Inc., told The Associated Press, “Buyer beware.” There will be a six-month range where existing inventory will be allowed on the shelves, products that might not meet the standards of the new rules. So dispensaries will get half a year of sales before all products have to meet the new, stricter testing requirements.