Tag Archives: tracking

Audit Finds Oregon Lacking Regulatory Oversight and Proper Security

By Aaron G. Biros

Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of the Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis from being sold on the black market.

The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.

Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of user account management.

Oregon Secretary of State Dennis Richardson

This audit’s publication is very timely, most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to The Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the north, Washington, experienced a security breach in its own tracking system.

The problems with the Oregon tracking system’s security features are numerous, the audit says. Auditors found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations are not using supported operating systems, and antivirus solutions are not appropriately managed. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.

The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.

Washington Security Breach Delays Traceability System Rollout

By Aaron G. Biros

On February 8th, Peter Antolin, the deputy director for the Washington State Liquor and Cannabis Board (WSLCB), sent an email to licensees explaining why the transition to their new traceability system was disrupted. Last Saturday, someone gained access to the sensitive information in Leaf Data Systems, the state’s traceability software that is powered by MJ Freeway.

“A computer vulnerability was exploited on Saturday, allowing unauthorized access to the traceability system,” Antolin told licensees in the email. “There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users. We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”

The email goes on to say that no personally identifiable information was available to the ‘intruder,’ but some sensitive information was clearly accessed. That data includes route information of manifests filed between February 1st and 4th as well as transporter vehicle information including VIN, license plate number and vehicle type, according to the email.

That email leaves much to be desired. For one, they do not exactly have a solution, instead trying to alleviate licensees’ worries with a hollow inanity full of meaningless jargon: “The WSLCB and MJ Freeway continue to implement several strategies to prevent future vulnerabilities to future intrusions,” reads the email. “This includes full logging and monitoring and working with third-party entities. Since this remains an active investigation, details on security are not publicly available.” However, today the WSLCB is hosting a webinar where Peter Antolin, their IT division, the MJ Examiners unit and enforcement will be available to answer questions, according to the email.

This is by no means the first security breach that Washington and MJ Freeway have suffered. In May of 2017, Washington originally selected Franwell’s METRC as the contract partner for their traceability software system. Less than a month later in June of 2017, after a mistake in the selection process, Washington selected MJ Freeway instead of Franwell for the traceability contract. Three days later, MJ Freeway’s source code was stolen and published online. Then in September, Nevada cancelled their contract with MJ Freeway after a security breach, their services crashed in Pennsylvania and Spain, and in October it became clear that the company could not meet the October 31 deadline for their new Washington contract.

In November of 2017, BioTrackTHC, the company that held the previous contract for Washington’s traceability software, helped the state through the transition period with a temporary Band-Aid solution to hold the state over until January of 2018. A month after they expected to implement the new MJ Freeway system, the latest security breach occurred this week, disrupting the rollout yet again.

At the end of the email Antolin sent to licensees yesterday, he says there will continue to be attempts to breach the system’s security. “The bottom line is that this incident is unfortunate,” says Antolin. “There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system.” This begs a few questions: why aren’t we hearing about this kind of security breach in other states’ traceability systems? What are other companies doing that prevents this from happening? Why does this keep happening to MJ Freeway?

Open For Business: California Market Launches

By Aaron G. Biros

California’s full legal cannabis market officially opened its doors for business on January 1st, 2018. After a relatively short time frame, with the first awarded licenses announced less than a month ago, retail stores were open for business in counties throughout California. Customers came out in full force on opening day, with long lines, some hundreds deep, stretching around blocks.

Given the quick turnaround time between implementing regulations and awarding temporary licenses, the grand opening of the cannabis market in the nation’s most populous state proceeded smoothly. Only a handful of minor hiccups associated with the launch were reported throughout the state. In the grand scheme of things, that’s a pretty good job for a new regulatory agency (The Bureau) tasked with regulating such a massive fledgling market.

One major and definitely foreseeable hiccup in the launch of California’s new medical and adult use markets was the failure to implement tracking software. According to Michael Blood with The Associated Press, licensed businesses are being asked by the California Department of Food and Agriculture to manually document sales and transfers of cannabis with paper invoices.

Los Angeles
Image: Kevin Stanchfield, Flickr

While the Department said the traceability system was implemented Tuesday, Blood says, cannabis businesses are not required to use it and will be trained on how to operate it before it becomes required to use later in 2018.

Local control regulations in California mean that businesses must first seek approval from local authorities before attaining a temporary license from the state to operate. That, coupled with the rolling process of awarding licenses, meant that only some cannabis businesses could officially open their doors. Municipalities throughout California handle regulating cannabis differently.

The handful of adult use dispensaries with temporary licenses in the Los Angeles area received a massive influx of customers on opening day. Residents of LA came in droves to the four West Hollywood dispensaries open for adult use business.

Integrating Your LIMS System With State Tracking Systems

By Cannabis Industry Journal Staff

Cannabis Labs Virtual Conference: Part 3

Integrating Your LIMS System With State Tracking Systems
By Hannah O’Brien, Operations Manager, Confident Cannabis

Running a lab is hard. Running a cannabis lab is harder. Watch this webinar hosted by Confident Cannabis, the most popular and only free cannabis LIMS in the country, to learn how cannabis compliance and regulatory burdens impact analytical testing laboratories in any state, and how important purpose-built software solutions are to make their business run smoothly.

BioTrackTHC To The Rescue: Contingency Plan for Washington

By Aaron G. Biros

According to a press release published this morning, BioTrackTHC successfully implemented their Universal Cannabis System (UCS) in Washington State, a temporary solution for the state’s seed-to-sale cannabis tracking system, while the new system is yet to be deployed.

BioTrackTHC had a contract with Washington State for four years, which expired just weeks ago at the beginning of November. Back in June, after a few minor hiccups, the state announced that MJ Freeway would be the successor software platform used for the state’s seed-to-sale traceability system.

The deadline for the new software to be ready for deployment was set for November 1st, when the BioTrackTHC contract would expire and the MJ Freeway contract would begin. Between when the contract was awarded and the deadline for implementation, MJ Freeway made headlines for a series of security hacks and systems failures. Subsequently, MJ Freeway said they could not deliver the software platform until January of 2018, leaving a two-month gap where businesses have no state-mandated software to use for the tracking system.

The contingency plan that the state laid out consisted of business owners manually inputting data in Excel spreadsheets. When first pressed for a Band-Aid solution, representatives of BioTrackTHC cited security concerns related to MJ Freeway’s hacks as reason for being hesitant to extend their contract through the interim period.

In an open letter to the Washington cannabis industry back in October before the end of their contract, Patrick Vo, president and chief executive officer of BioTrackTHC, laid out an explanation for what went wrong and provided an alternative solution, essentially a private sector version of their government-mandated traceability software system.

The open letter to the Washington cannabis industry, written by Patrick Vo

Announced this morning, the new system, UCS, is being used by over 1,600 of the 1,700 cannabis licensees in Washington. The UCS has so far submitted 39,000 individual Excel spreadsheets to the Washington State Liquor and Cannabis Board (WSLCB). “After the WSLCB announced that their replacement system would not be ready in time and that the only other option was for all 1,700 licensees to submit their seed-to-sale data via manual spreadsheets, BioTrackTHC created the UCS—a privatized clone of the government system—within a few days and deployed it minutes after the termination of the old system to minimize the impact on all licensees,” reads the press release.

The UCS allows business owners to streamline data recording, instead of manually entering information into spreadsheets. It is also integrating with third-party software competitors such as WeedTraQR, GrowFlow, Mr. Kraken, TraceWeed, GreenBits, S2Solutions and DopePlow. “After the WSLCB’s announcement, we knew that we had only a few days to provide a universal system to which the whole industry could submit compliance data and enable communication across the supply chain between licensees and their seed-to-sale system,” says Vo. “Our priority was to ensure that licensees could continue to operate in the absence of a government seed-to-sale system. Not having that system in place could have left Washington licensees vulnerable to noncompliance in a variety of ways, not to mention the potentially crippling volume of extra work needed to manually track a business’ entire inventory.”

Washington State’s new traceability software system by MJ Freeway is expected to deploy in January of 2018.

MJ Freeway Hardships Linger

By Aaron G. Biros

MJ Freeway, a seed-to-sale traceability software company with a number of government contracts, has been making headlines this year for all the wrong reasons. A series of security breaches, website crashes and implementation delays have beleaguered the software company throughout 2017.

Just this morning, the Philadelphia Inquirer reported the company’s services crashed Saturday night and Monday afternoon. That article also mentions an anonymous hacker tried to sell sensitive information from the Washington and Nevada hacks in September. Back in April, when Pennsylvania awarded the state’s contract to MJ Freeway for its tracking system, Amy Poinsett, co-founder and chief executive officer of MJ Freeway told reporters “I think I can confidently say we are the most secure cannabis company in this particular industry.” It is safe to say this is now being called into question.

Earlier this week, New Cannabis Ventures’ Alan Brochstein reported that MJ Freeway is unable to meet Washington’s October 31st deadline to integrate their software with the state, forcing customers to manually report data.

Roughly a month ago, Nevada suddenly cancelled their contract with MJ Freeway, just two years into their five-year deal. Back in June, the company’s source code was stolen and published online. And back in January of this year, the company’s sales and inventory system was the target of a cyber attack.

According to an email we obtained, all of MJ Freeway’s clients in Spain experienced an online outage, but services were restored within 24 hours. In an email sent to clients in Spain, the company told customers that the problems were the result of a system failure. “Our initial analysis indicates that this was a system failure and unfortunately none of the data was able to be successfully retrieved from the backup archive due to an error but we can assure you that none of your data was extracted or viewed at any moment,” reads the email. “We are extremely distressed regarding the event that occurred with the system and the service interruption that occurred yesterday. We recognize that this is a situation that is very serious and negatively impacts your club.” The email says that MJ Freeway is addressing those problems in a few ways, one of which is ongoing audits of their data backups. “The event has led us to reconstruct our “hosting environment” in Europe to use the latest technology from Amazon Web Services with the best redundancy, flexibility and security, using the highest stability measures in the AWS environment,” reads the email. While the site will be restored fully, according to the email, historical data is lost. The company is working with their clients to help them get data back into the system.

Biros' Blog

Washington Changes Course, Selects MJ Freeway as New ASV

By Aaron G. Biros

Two weeks ago, we reported on the State of Washington choosing Franwell as their apparent successful vendor (ASV) for their seed-to-sale traceability system contract. Late last week, the Washington State Liquor and Cannabis Board (WSLCB) sent out an email explaining that they are no longer going with Franwell and the new ASV is MJ Freeway.

The email consisted of a letter sent by Peter Antolin, Deputy Director of the WSLCB, to licensees “who had written to the Board and staff regarding the marijuana traceability Apparent Successful Vendor and RFID tags.” Apparently, the reason behind switching the ASV to MJ Freeway is that Franwell’s system requires only one method for tagging plants: RFID tags. According to the letter, Deputy Director Antolin says the initial request for proposal (RFP) stated that the traceability system needs to support a variety of tagging methods, including bar codes and RFID. “The RFP requirements did not allow a vendor to make any assumptions regarding use of a single tagging methodology or allow vendors to include any such costs affecting the state or our licensees in their proposal,” says Antolin. As they made clear in the previous press release, the ASV is not the official contract winner until they complete negotiations and sign the contract.

On June 7th, Franwell withdrew their proposal for the state’s traceability system, thus Washington went with the second highest scoring vendor, MJ Freeway. Deputy Director Antolin says they submitted a strong bid, but there are still many questions left unanswered. How could such a glaring mistake be overlooked when the state named Franwell the highest scoring bidder? Is MJ Freeway’s system robust enough and capable of handling the state’s cannabis licensees’ traceability requirements even though they were not the highest scoring bidder? The deadline for the new system to be in place is October 31, 2017, which is quickly approaching for such a massive systems overhaul.

The WSLCB’s oversight highlights a few inadequacies with the state’s regulatory agency, particularly their indecision and lack of foresight. So much of the concept behind seed-to-sale traceability rests on Cole Memo compliance. A big reason why some states seek to implement a robust tracking system is to remain compliant with the Cole Memo; preventing diversion to crime organizations with regulatory oversight is a key tool that states use to tell the federal government they are complying with their directive and intend to protect their state’s legal cannabis operations from federal prosecution. Without a proper system in place, the state runs the risk of exposing their entire cannabis market to threats of federal enforcement, a scenario that seems unlikely but could be disastrous to cannabis businesses and the local economy.

The WSLCB needs to get their act together fast.

BioTrackTHC Awarded Delaware’s Tracking Software Contract

By Aaron G. Biros

According to a press release, the State of Delaware has chosen BioTrackTHC as their partner in seed-to-sale tracking software. Delaware’s Department of Health and Social Services (DHSS) signed a contract with BioTrackTHC for the tracking and patient registry software.

In 2016, Delaware issued a request for proposals for “the Delaware Enterprise Consolidated Cannabis Control System,” which encompasses the statewide patient registry and seed-to-sale traceability systems. “Our sincerest thanks to DHSS for choosing Team BioTrack,” says Patrick Vo, CEO of BioTrackTHC. “DHSS has been wonderful to work with throughout the contracting process, and we look forward to partnering with them to provide the tools and data they need to continue overseeing the industry and protecting their patients.” BioTrack’s software was selected as the winner of a number of government contracts in other states previously for the same role.

Their software is currently used in government traceability systems in Washington, New Mexico, Illinois, Hawaii, New York and the city of Arcata, California. The press release states regulators will have the ability to view the retail data “including plant counts and usable inventory, lab results, transportation, and point-of-sale data—to perform periodic audits and ensure compliance.” The patient registry will also provide better patient accessibility through the new software with a faster turnaround time and automated application processing.

BioTrackTHC provides technology solutions for businesses and governments to track products throughout the supply chain to the point of sale. The software systems help businesses remain compliant with regulations and monitor data for things like inventory management.

OLCC Issues First Recreational Cannabis Recall for Oregon

By Aaron G. Biros

On March 18th, the Oregon Liquor Control Commission (OLCC) issued its first recall for recreational cannabis products. The recall, according to the press release, occurred because an unnamed wholesaler sent cannabis products to a retailer before the pesticide test results were entered into the OLCC Cannabis Tracking System (CTS).


Photo: Michelle Tribe, Flickr

The cannabis grown at Emerald Wave Estate, LLC is said to have failed a test for pyrethrins, exceeding the Oregon Health Authority (OHA) action level (the action level for pyrethrins is 1 ppm). Pyrethrins are a class of insecticides derived from the chrysanthemum flower. Their toxicity varies a lot depending on exactly what organic compound was used, but they have an acute toxicity level that is cause for concern. When exposed to high levels of pyrethrins, people have reported symptoms similar to asthma. Generally, pyrethrins have a low chronic toxicity for humans.

The retailer, Buds 4 U LLC, located in Mapleton, OR, issued a voluntary recall for 82.5 grams of the strain Blue Magoo sold between March 8th and 10th. After finding the failed test results in the CTS, the retailer immediately contacted the OLCC. According to The Portland Tribune, OLCC spokesman Mark Pettinger says the retailer was very cooperative in immediately notifying the OLCC. “The retailer was great,” says Pettinger. “They get the gold star.” The Portland Tribune also says the wholesaler who shipped the cannabis prior to test results being entered is Cascade Cannabis Distributing of Eugene. That mistake could be a violation of Oregon’s regulations, leading to a 10-day closure and up to a $1,650 fine.

According to the press release, the rest of the nine pounds in the batch is on hold “pending the outcome of an additional pesticide retest.” The OLCC encourages consumers to check if their products have the license and product numbers detailed in the press release. They advise consumers who did purchase the affected cannabis to dispose of the product or return it to the retailer. The press release also mentions that they have not received any reports of illness related to the tainted cannabis.

Microsoft Enters Cannabis Compliance Software Market; Industry Outlooks

By Aaron G. Biros

In a New York Times article published yesterday, news broke of Microsoft’s entry into the cannabis marketplace, teaming up with KIND Financial to launch its Microsoft Health and Human Services Pod for Managed Service Providers, which is essentially a seed-to-sale tracking technology. Their goal is to provide local and state governments with software solutions for traceability in the burgeoning cannabis industry.

In a press release yesterday, Kimberly Nelson, executive director of state and local government solutions from Microsoft said, “KIND’s strategic industry positioning, experienced team and top-notch-technology running in the Microsoft Azure Government cloud, made for an easy decision to align efforts.” According to KIND Financial founder and chief executive officer, David Dinenberg, the cannabis marketplace will continue to have strict oversight and government regulations. “I am delighted that Microsoft supports KIND’s mission to build the backbone for cannabis compliance,” says Dinenberg.

This move could represent an opening of the floodgates for corporate interest in the space. According to Matt Karnes, founder of GreenWave Advisors, a cannabis financial data analysis firm, this could potentially result in an increase in capital flow into the cannabis industry. “This signals a wider acceptance of cannabis and perhaps that changes to national policies are more likely now that we see a large corporation stepping in,” says Karnes. “This could certainly mean an inflow of capital from larger, mainstream enterprises that were previously unwilling to take the risk.” Microsoft also made news recently for the acquisition of LinkedIn for $26.2 billion. The move to get into the cannabis space could represent a diminishing stigma associated with the market and a wider mainstream acceptance in business.

According to Nic Easley, chief executive officer at Comprehensive Cannabis Consulting (3C), this is another legitimizing factor for the cannabis industry. “It shows that cannabis is here to stay, and the fact that Microsoft is now spending resources on software, further validates that,” says Easley. “Many of the first mover seed-to-sale companies, entered the industry too early, had problems with their technology and lacked quality customer service, which created opportunities for new companies to emerge to dominate and capitalize upon the first ‘Netscapes’ of the cannabis industry’s failures.” Additionally, this could rationalize the market for other quality software companies such as Compliant Cannabis, according to Easley.

While Microsoft publicly announced their entrance into the cannabis marketplace, one can speculate that other large companies are planning their entrance as well. “We are fielding inquiries from Fortune 500 companies, Wall Street investors and even major foreign investors on a weekly basis,” says Easley. “In the past week alone, we received calls from three different Fortune 500 companies asking us how they can get into the industry.” Because Microsoft is in the cloud business and is offering this as an ancillary service, it appears that the move not only further legitimizes the industry but could also be quelling the dated stigma associated with cannabis.