Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of The Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis form being sold on the black market.
The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.
Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of managing user accounts.
This audit’s publication is very timely. Most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to the Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the North, Washington, experienced a security breach in its own tracking system.
The problems with the Oregon tracking system’s security features are numerous, the audit says. They found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations not using supported operating systems and a lack of appropriately managing antivirus solutions. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.
The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.
On February 8th, Peter Antolin, the deputy director for the Washington State Liquor and Cannabis Board (WSLCB), sent an email to licensees explaining why the transition to their new traceability system was disrupted. Last Saturday, someone gained access to the sensitive information in Leaf Data Systems, the state’s traceability software that is powered by MJ Freeway.
“A computer vulnerability was exploited on Saturday, allowing unauthorized access to the traceability system,” Antolin told licensees in the email. “There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users. We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”
The email goes on to say that no personally identifiable information was available to the ‘intruder,’ but some sensitive information was clearly accessed. That data includes route information of manifests filed between February 1st and 4th as well as transporter vehicle information including VIN, license plate number and vehicle type, according to the email.
That email leaves much to be desired. For one, they do not exactly have a solution, instead trying to alleviate licensees’ worries with a hollow inanity full of meaningless jargon: “The WSLCB and MJ Freeway continue to implement several strategies to prevent future vulnerabilities to future intrusions,” reads the email. “This includes full logging and monitoring and working with third-party entities. Since this remains an active investigation, details on security are not publicly available.” However, today the WSLCB is hosting a webinar where Peter Antolin, their IT division, the MJ Examiners unit and enforcement will be available to answer questions, according to the email.
This is by no means the first security breach that Washington and MJ Freeway have suffered. In May of 2017, Washington originally selected Franwell’s METRC as the contract partner for their traceability software system. Less than a month later in June of 2017, after a mistake in the selection process, Washington selected MJ Freeway instead of Franwell for the traceability contract. Three days later, MJ Freeway’s source code was stolen and published online. Then in September, Nevada cancelled their contract with MJ Freeway after a security breach, their services crashed in Pennsylvania and Spain, and in October it became clear that the company could not meet the October 31 deadline for their new Washington contract.
In November of 2017, BioTrackTHC, the company that held the previous contract for Washington’s traceability software, helped the state through the transition period with a temporary Band-Aid solution to hold the state over until January of 2018. A month after they expected to implement the new MJ Freeway system, the latest security breach occurred this week and disrupting the rollout yet again.
At the end of the email Antolin sent to licensees yesterday, he says there will continue to be attempts to breach the system’s security. “The bottom line is that this incident is unfortunate,” says Antolin. “There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system.” This begs a few questions: why aren’t we hearing about this kind of security breach in other states’ traceability systems? What are other companies doing that prevents this from happening? Why does this keep happening to MJ Freeway?
Today, Tikun Olam announced their expansion into the Washington, D.C. market. Partnering with the cultivator, Alternative Solutions, they will license them to grow, manufacture and distribute Tikun-branded products.
Tikun Olam is an international cannabis company with roots in Israel, where they are working in clinical trials to produce strains targeting a handful of medical conditions. The company has made serious investments in the United States market previously, with operations in Delaware, Washington and Nevada, and has plans to enter the Rhode Island, Maryland, Massachusetts and Illinois markets in 2018.
The five-year licensing deal signed with Alternative Solutions is the latest development in their expansion plans in North America. They also have similar partnerships developing around the world, including in Canada, Australia, United Kingdom and South Africa.
Tikun plans on having their full line of products ready for distribution with Alternative Solutions in the Washington, D.C. market some time in 2018. “Alternative Solutions is thrilled to be Tikun Olam’s exclusive partner in DC,” says Matt Lawson-Baker, chief operating officer of Alternative Solutions. “We look forward to making Tikun’s products available at all DC dispensaries, giving access to these clinically proven strains to the more than 5,600 registered MMJ patients in Washington DC.”
Bernard Sucher, chief executive officer of Tikun Olam, says he is excited to get working with Alternative Solutions. “Its cultivation and manufacturing operations will make it possible for Tikun to serve every single patient in a single jurisdiction–a first for us and something we hope to accomplish within every U.S. state. “
According to a press release published this morning, BioTrackTHC successfully implemented their Universal Cannabis System (UCS) in Washington State, a temporary solution for the state’s seed-to-sale cannabis tracking system, while the new system is yet to be deployed.
BioTrackTHC had a contract with Washington State for four years, which expired just weeks ago at the beginning of November. Back in June, after a few minor hiccups, the state announced that MJ Freeway would be the successive software platform used for the state’s seed-to-sale traceability system.
The deadline for the new software to be ready for deployment was set for November 1st, when the BioTrackTHC contract would expire and the MJ Freeway contract would begin. Between when the contract was awarded and the deadline for implementation, MJ Freeway made headlines for a series of security hacks and systems failures. Subsequently, MJ Freeway said they could not deliver the software platform until January of 2018, leaving a two-month gap where businesses have no state-mandated software to use for the tracking system.
The contingency plan that the state laid out consisted of business owners manually inputting data in excel spreadsheets. When first pressed for a Band-Aid solution, representatives of BioTrackTHC cited security concerns related to MJ Freeway’s hacks as reason for being hesitant to extend their contract through the interim period.
In an open letter to the Washington cannabis industry back in October before the end of their contract, Patrick Vo, president and chief executive officer of BioTrackTHC, laid out an explanation for what went wrong and provided an alternative solution, essentially a private sector version of their government-mandated traceability software system.
Announced this morning, the new system, UCS, is being used by over 1,600 of the 1,700 cannabis licensees in Washington. The UCS has so far submitted 39,000 individual excel spreadsheets to the Washington State Liquor and Cannabis Board (WSLCB). “After the WSLCB announced that their replacement system would not be ready in time and that the only other option was for all 1,700 licensees to submit their seed-to-sale data via manual spreadsheets, BioTrackTHC created the UCS—a privatized clone of the government system—within a few days and deployed it minutes after the termination of the old system to minimize the impact on all licensees,” reads the press release.
The UCS allows business owners to streamline data recording, instead of manually entering information into spreadsheets. It is also integrating with 3rd party software competitors such as WeedTraQR, GrowFlow, Mr. Kraken, TraceWeed, GreenBits, S2Solutions and DopePlow. “After the WSLCB’s announcement, we knew that we had only a few days to provide a universal system to which the whole industry could submit compliance data and enable communication across the supply chain between licensees and their seed-to-sale system,” says Vo. “Our priority was to ensure that licensees could continue to operate in the absence of a government seed-to-sale system. Not having that system in place could have left Washington licensees vulnerable to noncompliance in a variety of ways, not to mention the potentially crippling volume of extra work needed to manually track a business’ entire inventory.”
Washington State’s new traceability software system by MJ Freeway is expected to deploy in January of 2018.
Emerald Scientific recently announced their proficiency-testing program, The Emerald Test, has been approved by Colorado as a third party provider for proficiency testing in licensed cannabis laboratories. The Emerald Test, held twice annually, is an inter-laboratory comparison and proficiency test (ILC-PT), allowing data to be collected pertaining to the performance of laboratories on a national scale. Proficiency testing is designed to measure how accurately laboratories perform and is a critical tool for quality assurance.
Colorado requires labs to participate in a proficiency-testing program in order to be certified to conduct required testing on cannabis and cannabis products for safety and quality. According to the press release, Colorado’s Marijuana Enforcement Division, under the Department of Revenue, conducted an evaluation process to determine which applicants could meet the performance standards for regulatory compliance concerning proficiency testing. The contract was awarded to Emerald Scientific following this evaluation process.
According to Ken Groggel, director of the Proficiency Testing Program at Emerald Scientific, a number of states have recognized the need for independent proficiency testing as a required piece of regulatory compliance. “The Emerald Test Inter-Laboratory Comparison/PT is state approved in Washington & Colorado for cannabis testing laboratory licensure,” says Groggel. “States with cannabis or hemp production, as well as labs in other countries are now actively participating in the Emerald Test as a tool for quality improvement, efficiency upgrades and product safety.” He says the Colorado Marijuana Enforcement Division has contracted with Emerald Scientific to provide third party PT programs for microbial contaminants, residual solvents and pesticides.
Beginning in 2014, The Emerald Test has been offered twice a year and, in 2017, over 50 labs participated from 14 states and 2 countries. “Laboratories that have enrolled more than once have seen significant improvement in their results, an indicator of improved performance for industry customers,” says Groggel.
Proficiency testing is important for ensuring quality, safety and product content accuracy. “This should be the priority whether you are a grower, manufacturer, testing laboratory, regulatory entity, medical patient or adult use consumer,” says Groggel. It also helps labs meet regulatory requirements and achieve ISO 17025 accreditation. “Independent proficiency testing helps determine if the lab is able to deliver the services marketed to its customers,” says Groggel. “Regulatory agencies can use this information when licensing, monitoring & enforcing good science for public safety.”
As new states legalize cannabis and develop consumer protection regulations, proficiency testing programs can help labs demonstrate their commitment to responsible and accurate testing. “When PT results show the cannabis testing lab is capable it is up to the government to ensure accountability for performance on behalf of all its citizens,” says Groggel. Labs can enroll starting on September 25th in the Fall 2017 Emerald Test ILC/PT.
Portions of MJ Freeway’s source code were reportedly stolen and posted in Reddit threads as well as on Gitlab.com, a source code hosting website. On June 15th, the account “MJFreeway Open Source” was made on Gitlab.com, and portions of the source code were posted, but have since been taken down. Source code is essentially a list of commands of a program, the basis for making improvements and modifications to a software system. Source code can sometimes contain sensitive information. To be clear, MJ Freeway does not use an open source model; their source code is the basis of their traceability software. Open source is a tool that fosters public collaboration on software development, helping identify weaknesses or areas for improvement.
When asked to comment on the matter, MJ Freeway issued the following statement:
“Last week we discovered that someone had obtained an outdated portion of MJ Freeway’s source code. This incident has absolutely no impact on our systems or MJ Freeway services, and client and patient data is not at risk. While this theft poses no risk to our clients, patients, or business operations, we take any incident involving unauthorized access very seriously and have reported it to the Colorado Bureau of Investigation.
Unfortunately, it has come to our attention that our competitors are spreading inaccurate information about the incident, including baseless claims about SSL info and the potential for client data being compromised – neither of which is true. We encourage our customers to contact us directly with any questions they may have.
We follow or exceed all relevant industry security standards and are confident that we have the most robust security measures in our industry. None of our peers come close. However, we live in a world of determined cyber-criminals and we operate in a competitive environment. Success and size makes a company a bigger target for malicious actors, as other large companies also know. We will continue to investigate and take follow-up action as we learn more about this incident.”
On Sunday, June 18th, a user by the name of ‘techdudes420’ posted in the subreddit, r/weedbiz, a thread titled “MJFreeway goes open source.” The link for that post was the Gitlab.com page where MJ Freeway’s source code was published briefly. The same user then published a second reddit post the following day with the same link to the stolen code, but this time in the r/COents, a subreddit for the Colorado cannabis community. MJ Freeway is based in Denver. That post claimed the user found the stolen source code with a quick search and that the user was banned because of that. The moderator of the thread chimed in, saying they banned the user for posting the stolen code. “We received a takedown request from the software owner stating the code had been stolen and released without permission,” says the moderator. “After investigating the matter I reached the same conclusion and removed the thread.” The moderator then updated the comment shortly after: “Edit: As for OP [original poster] ‘finding’ the code, if that were true I don’t know why he or she would have created a new Reddit account just to post the link.”
In addition to their own cybersecurity analysis, a spokeswoman for MJ Freeway says they will be performing a third party audit and analysis this week as well. When that information becomes available, we will update this article.
Update: Multiple sources have reported that portions of MJ Freeway’s source code are still available online on torrent sites like PirateBay.
Two weeks ago, we reported on the State of Washington choosing Franwell as their apparent successful vendor (ASV) for their seed-to-sale traceability system contract. Late last week, the Washington State Liquor and Cannabis Board (WSLCB) sent out an email explaining that they are no longer going with Franwell and the new ASV is MJ Freeway.
The email (left) consisted of a letter sent by Peter Antolin, Deputy Director of the WSLCB, to licensees “who had written to the Board and staff regarding the marijuana traceability Apparent Successful Vendor and RFID tags.” Apparently, the reason behind switching the ASV to MJ Freeway is because Franwell’s system requires only one method for tagging plants- RFID tags. According to the letter, Deputy Director Antolin says the initial request for proposal (RFP) stated that the traceability system needs to support a variety of tagging methods, including bar codes and RFID. “The RFP requirements did not allow a vendor to make any assumptions regarding use of a single tagging methodology or allow vendors to include any such costs affecting the state or our licensees in their proposal,” says Antolin. As they made clear in the previous press release, the ASV is not the official contract winner until they complete negotiations and sign the contract.
On June 7th, Franwell withdrew their proposal for the state’s traceability system, thus Washington went with the second highest scoring vendor, MJ Freeway. Deputy Director Antolin says they submitted a strong bid, but there are still many questions left unanswered. How could such a glaring mistake be overlooked when the state named Franwell the highest scoring bidder? Is MJ Freeway’s system robust enough and capable of handling the state’s cannabis licensees’ traceability requirements even though they were not the highest scoring bidder? The deadline for the new system to be in place is October 31, 2017, which is quickly approaching for such a massive systems overhaul.
The WSLCB’s oversight highlights a few inadequacies with the state’s regulatory agency, particularly their indecision and lack of foresight. So much of the concept behind seed-to-sale traceability rests on Cole Memo compliance. A big reason why some states seek to implement a robust tracking system is to remain compliant with the Cole Memo; preventing diversion to crime organizations with regulatory oversight is a key tool that states use to tell the federal government they are complying with their directive and intend to protect their state’s legal cannabis operations from federal prosecution. Without a proper system in place, the state runs the risk of exposing their entire cannabis market to threats of federal enforcement, a scenario that seems unlikely but could be disastrous to cannabis businesses and the local economy.
The Washington State Liquor and Cannabis Board (WSLCB) announced today they plan to choose Franwell as their technology partner for the state’s cannabis seed-to-sale traceability system. While the release states they have not yet officially awarded them the contract, it says Franwell is the apparent successful vendor (ASV) to replace their current system. “An ASV is the procurement term used for the highest scoring, responsive vendor,” says the press release.
Rick Garza, director of the WSLCB, says they plan on making a number of changes that they couldn’t under their current contract. “Over the last four years we have learned a lot about this industry, including aspects to the industry that were unknown when the current traceability system was implemented,” says Garza. “We need a system that will grow and flex with Washington’s maturing marijuana system.”
Seven companies submitted bids for the new contract and the agency narrowed that down to three finalists, each of which gave presentations and demonstrations on their software products to WSLCB staff last week. They also worked with folks in the cannabis industry, selected by trade organizations, that provided input on the requests for proposal. Those industry stakeholders that participated with input will get a demonstration of the new software system in early June.
They plan on transitioning to the new system no later than October 31, 2017. Franwell’s METRC product is currently used in Colorado, Oregon and Alaska.
Tikun Olam is a Jewish concept that addresses social policy, promoting acts of kindness to better society. In Hebrew, it literally means, “repair of the world.” The company by the same name, Tikun Olam Ltd, and now in the United States as T.O. Global LLC, was the first medical cannabis provider in Israel back in 2007. Working with patients, doctors and nurses in clinical trials, they developed 16 strains over the last decade that target alleviating symptoms of specific ailments.
In November 2016, they launched their United States brand, Tikun, in the Delaware medical cannabis program with their partner, First State Compassion Center, a vertically integrated business of cultivation, extraction and retail in Wilmington. After the success of their pilot program, Tikun announced their expansion into the Nevada market with their licensed partner, CW Nevada LLC. Tikun is leveraging its experience with clinical trials and medical research to launch a line of cannabis products focused on health and wellness in the United States. According to Stephan Gardner, chief marketing officer at Tikun Olam, they have the largest collection of medical cannabis data in the world. “Tikun Olam started out as a non-profit, working to bring medication to patients in Israel,” says Gardner. “Opening nursing clinics gave us a tremendous amount of knowledge and data to work on the efficacy of strains developed specifically for targeting symptoms associated with certain conditions.” For example, their strain, Avidekel, was developed years ago as the first high-CBD strain ever created.
In a single-strain extraction, Avidekel has been used to successfully mitigate the symptoms associated with neurological conditions, like epilepsy in children, and they have the data to demonstrate that efficacy. “The American market needs some sort of guidance on how these cannabinoid and terpene profiles in certain strains can truly assist patients,” says Gardner. “We have been tracking and monitoring our patients with clinical and observational data in one, six month and annual follow ups, which are data we can use to guide the needs in the US.”
Their expansion strategy focuses heavily on the health benefits of their strains, not necessarily targeting the recreational market. “As a wellness brand in Nevada, we are positioned to work first and foremost in the medical market,” says Gardner. “Our wellness brand can cater to people looking for homeopathic remedies for things like inflammation issues, sleep disorders or pain relief for example,” says Gardner. “You will not see us going out there catering to the truly recreational market; the benefits of what our strains can do is marketed from a wellness perspective.” A cannabis product with high-THC percentages is not unique, says Gardner, but their approach using the entourage effect and proven delivery mechanisms is. “While higher THC might appeal to the rec market, that is not exactly how we will promote and position ourselves,” says Gardner. “We want to be a dominant force in the wellness market.”
That effort requires working within the US regulatory framework, which can be quite complicated compared to their experience in Israel. “We have to understand the Israeli market and American market are completely different due to the regulatory regimes each country has in place,” says Gardner. “We understand the efficacy of these products and want to educate customers on how they might benefit. We don’t want to make claims looking to cure anything, but we found in our data that a lot of symptoms in different ailments, like cancer, PTSD, Crohn’s disease, colitis and IBS, can be alleviated by strains we developed.” In addition to the medical research, they are bringing their intellectual property, cultivation methodologies, evidence-based scientific collaboration and best practices to their partners in the US.
So for Tikun’s expansion in the US, they want to get a medical dialogue going. “We will launch a fully accredited AMA [American Medical Association] program, educating medical practitioners, giving the doctors the understanding of the capabilities of cannabis and what our strains can do,” says Gardner. “We will also share our observational data with doctors so they can work to better guide their patients.” Right now, they are working on the education platform in their pilot program in Delaware. “We plan on using that as a platform to expand into other markets like Nevada,” says Gardner. “And we will be launching the Tikun brand in the Washington market this summer.” Based on the high demand they saw in the Delaware market, Gardner says they plan to launch six unique strains in the American market, with delivery mechanisms like vape products, tinctures, lozenges and topicals in addition to dried flower.
While Tikun expands throughout the United States, their sights are set on global expansion, living up to the true meaning of the concept Tikun Olam. They entered a strategic partnership with a licensed producer based in Toronto, bringing their strains, including Avidekel, to the Canadian market. The company they are partnering with, MedReleaf, recently filed for an initial public offering (IPO) on the Toronto stock exchange. Tikun Olam is actively seeking to expand in other parts of the world as well.
According to National Cannabis Industry Association (NCIA) executive director Aaron Smith, seven measures were introduced today at the Capitol, covering a variety of issues that, if signed into law, would ease many of the legal implications on the federal level affecting cannabis businesses in legal states currently.
In a very important development, Rep. Carlos Curbelo (R-FL), a member of the House Ways and Means Committee, joined Rep. Earl Blumenauer as a lead sponsor of the 280E tax reform bill. According to an NCIA press release, that bill is The Small Business Tax Equity Act of 2017 and was introduced in the Senate by Sen. Ron Wyden (D-OR), Sen. Rand Paul (R-KY) and Sen. Michael Bennet (D-CO).
That bill gives cannabis businesses in legal states the opportunity to take business deductions like any other legal business. Right now cannabis businesses cannot deduct any expenses related to sales, given its Schedule I status. “Cannabis businesses aren’t asking for tax breaks or special treatment,” says Smith. “They are just asking to be taxed like any other legitimate business.”
Rep. Jared Polis (D-CO) introduced the Regulate Marijuana Like Alcohol Act in the House, which would put cannabis in the section of code that regulates intoxicating liquors, essentially giving the ATF oversight authority. “The flurry of bills on the Hill today are a reflection of the growing support for cannabis policy reform nationally,” says Smith. “State-legal cannabis businesses have added tens of thousands of jobs, supplanted criminal markets, and generated tens of millions in new tax revenue. States are clearly realizing the benefits of regulating marijuana and we are glad to see a growing number of federal policy makers are taking notice.”
Sen. Wyden and Rep. Blumenauer introduced The Responsibly Addressing the Marijuana Policy Gap (RAMP) Act, which addresses banking and tax fairness for businesses, civil forfeiture, and drug testing for federal employees. Both Blumenauer and Wyden represent Oregonians, who could benefit tremendously if it becomes legislation. Rep. Blumenauer also introduced The Marijuana Tax Revenue Act, which would put a federal excise tax of initially 10% on cannabis sales, then rising to 25% after five years, according to the NCIA press release.