Business
Ontario Cannabis Store data breach raises credibility, security concerns
The credibility of the government-run Ontario Cannabis Store is at stake after sensitive industry data was misappropriated and leaked, according to experts.
The Ontario Provincial Police (OPP) confirmed it opened an investigation earlier this month into what the OCS alleges is the theft of the business data.
The data includes individual cannabis retailers’ sales, their inventory levels and other sensitive information such as store license number and the amount of kilograms and packaged units sold for at least the months of December 2021 and January 2022.
As the only legal wholesaler of cannabis in Ontario – Canada’s biggest legal cannabis market by sales – industry sources said it’s imperative the government-run body be seen as credible in the eyes of its clients, the more than 1,500 cannabis stores that can buy their products only from the OCS.
David Hyde, CEO of security consultancy Hyde Advisory & Investments in Toronto, said the wholesaler needs to address the issue head-on and identify what led to the breach.
“To maintain their reputation and credibility, I’d think the OCS wants to identify and address any root cause issues of this firstly and then send out other communications to appropriate parties, stores included, to reassure them that those have been addressed,” Hyde told MJBizDaily.
Other business sources expressed concern the data could be used to exploit vulnerable store owners whose businesses aren’t performing well – for example, they could be vulnerable to predatory takeover bids.
They also wonder if the OCS could benefit from a permanent CEO after years of filling the position on an interim basis.
Responding to queries from MJBizDaily, OCS Senior Director of Communications Daffyd Roderick said immediate steps were taken to address the situation once the organization became aware of the data breach.
“We restricted access to our internal data reports, commenced a comprehensive investigation to identify the source of this problem and notified the Ontario Provincial Police,” he said.
“The OPP is conducting its own review and investigation into the misuse of this data within the cannabis industry.”
Who has the data?
The Canadian Federation of Independent Business (CFIB) is among those concerned the stolen data could be used for exploitative business practices.
“With all the stories about the (cannabis retail) market probably going to consolidate, there’s a bit of oversaturation, you’ve got to wonder exactly who has the information,” said Ryan Mallough, the CFIB’s senior director of provincial affairs for Ontario.
“Are there bully offers out there? If you’ve got that (leaked data) and you’re looking to consolidate stores in an area, you know who to pick on, who to flex and go at.”
Mallough also expressed concern over other possible fallout.
“I heard from one business owner who was now wondering if they’re doing really well, will someone use that data and open a store across the street?” he said.
“Another asked, ‘Does my competitor two blocks away have that information, and how are they using it? Maybe not against me but still to their advantage?’”
Mallough said the general feeling among store owners he spoke with was “shock, frustration, a little bit of exasperation, like a ‘What did you expect from the OCS kind of thing.’ Yet another frustration point.”
Leadership issues?
Shane Morris, founder of Ottawa-based Morris and Associates Consulting, said the OCS plays a pivotal role as the Ontario cannabis retail industry’s only wholesaler.
“It’s the only cannabis bridge in the industry (in terms of wholesale in Ontario), and if that bridge goes down, then it damages the value chain very quickly and very substantially.”
“I think it’s a function of a young organization, they’re handling billions of dollars, (and) it clearly has leadership issues. They’re on their sixth CEO – they have a lot of learning to do,” he said.
Last March, David Lobo became the OCS’ sixth president in three years – but only on an interim basis.
Lobo, who hasn’t done any media interviews, was the organization’s third straight temporary chief executive since September 2019.
The OCS said it initiated a search for a new CEO “in early 2022.”
“Once the successful candidate is selected, OCS will issue an official announcement,” the OCS’ Roderick said.
“There is definitely a credibility issue, because you’ve got a lot of people’s livelihoods in the value chain that rely on this organization (Ontario Cannabis Store), whether it’s licensed producers or retailers,” Morris said.
“Fundamentally, I think the OCS has a problem with handling confidential business information.”
The leak of information raises concerns about the OCS’ data governance model, said Ann Cavoukian, Ontario’s former privacy commissioner and the current executive director of the Global Privacy and Security by Design Centre, which advises businesses on privacy protections.
Cavoukian said the government-run corporation “reneged in terms of their requirements to protect the data – the data need to be strongly secured, and that’s their obligation.”
“I would urge them to add security and get security into the design of their operations, so that the data can be secured and protected.”
A late 2021 report from the Office of the Auditor General of Ontario found that the OCS lacked “a data-governance component, including identification of what data the enterprise has, where that data resides, how that data is used and what compliance obligations apply.”
In response, the OCS said it was working on a data strategy that would “include appropriate safeguarding and retention standards for third-party data.”
‘Needs to be reassurance’
One independent Ontario cannabis retailer told MJBizDaily the data breach represented “an egregious breach of trust” between the wholesaler and the retailers that depend on it.
To regain that trust, experts in business security suggest the OCS needs to get to the bottom of what actually happened and come clean with the hundreds of stores that rely on its services.
“At the end of the day, this is something that needs to be answered to,” said Hyde, the security consultant.
“There needs to be reassurance that whatever it was that led to this has been addressed and identified. Right now, we know what it’s not – an IT security breach.”
The OCS has said the data was stolen and not the result of a hack.
Hyde said the security industry leans on a standard called “the principle of least privilege.”
It means only those who absolutely must have access credentials to certain security or data should be allowed to have them, and the credentials need to be very tightly monitored.
“That’s to make sure that if you have the keys to the crown jewels, so to speak, those passwords are changed every couple of months, there’s oversight,” Hyde said.
“The likelihood is that this is more of a procedural failure, or an access-privilege type of issue that befell the OCS, rather than it being a weak security system that was overtaken by hackers.”
Matt Lamers can be reached at matt.lamers@mjbizdaily.com.
Solomon Israel can be reached at solomon.israel@mjbizdaily.com.
Source: https://mjbizdaily.com/ontario-cannabis-store-data-breach-raises-security-credibility-concerns/
Business
New Mexico cannabis operator fined, loses license for alleged BioTrack fraud
New Mexico regulators fined a cannabis operator nearly $300,000 and revoked its license after the company allegedly created fake reports in the state’s traceability software.
The New Mexico Cannabis Control Division (CCD) accused marijuana manufacturer and retailer Golden Roots of 11 violations, according to Albuquerque Business First.
Golden Roots operates the The Cannabis Revolution Dispensary.
The majority of the violations are related to the Albuquerque company’s improper use of BioTrack, which has been New Mexico’s track-and-trace vendor since 2015.
The CCD alleges Golden Roots reported marijuana production only two months after it had received its vertically integrated license, according to Albuquerque Business First.
Because cannabis takes longer than two months to be cultivated, the CCD was suspicious of the report.
After inspecting the company’s premises, the CCD alleged Golden Roots reported cultivation, transportation and sales in BioTrack but wasn’t able to provide officers who inspected the site evidence that the operator was cultivating cannabis.
In April, the CCD revoked Golden Roots’ license and issued a $10,000 fine, according to the news outlet.
The company requested a hearing, which the regulator scheduled for Sept. 1.
At the hearing, the CCD testified that the company’s dried-cannabis weights in BioTrack were suspicious because they didn’t seem to accurately reflect how much weight marijuana loses as it dries.
Company employees also poorly accounted for why they were making adjustments in the system of up to 24 pounds of cannabis, making comments such as “bad” or “mistake” in the software, Albuquerque Business First reported.
Golden Roots was fined $298,972.05 – the amount regulators allege the company made selling products that weren’t properly accounted for in BioTrack.
The CCD has been cracking down on cannabis operators accused of selling products procured from out-of-state or not grown legally:
- Regulators alleged in August that Albuquerque dispensary Sawmill Sweet Leaf sold out-of-state products and didn’t have a license for extraction.
- Paradise Exotics Distro lost its license in July after regulators alleged the company sold products made in California.
Golden Roots was the first alleged rulebreaker in New Mexico to be asked to pay a large fine.
Source: https://mjbizdaily.com/new-mexico-cannabis-operator-fined-loses-license-for-alleged-biotrack-fraud/
Business
Marijuana companies suing US attorney general in federal prohibition challenge
Four marijuana companies, including a multistate operator, have filed a lawsuit against U.S. Attorney General Merrick Garland in which they allege the federal MJ prohibition under the Controlled Substances Act is no longer constitutional.
According to the complaint, filed Thursday in U.S. District Court in Massachusetts, retailer Canna Provisions, Treevit delivery service CEO Gyasi Sellers, cultivator Wiseacre Farm and MSO Verano Holdings Corp. are all harmed by “the federal government’s unconstitutional ban on cultivating, manufacturing, distributing, or possessing intrastate marijuana.”
Verano is headquartered in Chicago but has operations in Massachusetts; the other three operators are based in Massachusetts.
The lawsuit seeks a ruling that the “Controlled Substances Act is unconstitutional as applied to the intrastate cultivation, manufacture, possession, and distribution of marijuana pursuant to state law.”
The companies want the case to go before the U.S. Supreme Court.
They hired prominent law firm Boies Schiller Flexner to represent them.
The New York-based firm’s principal is David Boies, whose former clients include Microsoft, former presidential candidate Al Gore and Elizabeth Holmes’ disgraced startup Theranos.
Similar challenges to the federal Controlled Substances Act (CSA) have failed.
One such challenge led to a landmark Supreme Court decision in 2005.
In Gonzalez vs. Raich, the highest court in the United States ruled in a 6-3 decision that the commerce clause of the U.S. Constitution gave Congress the power to outlaw marijuana federally, even though state laws allow the cultivation and sale of cannabis.
In the 18 years since that ruling, 23 states and the District of Columbia have legalized adult-use marijuana and the federal government has allowed a multibillion-dollar cannabis industry to thrive.
Since both Congress and the U.S. Department of Justice, currently headed by Garland, have declined to intervene in state-licensed marijuana markets, the key facts that led to the Supreme Court’s 2005 ruling “no longer apply,” Boies said in a statement Thursday.
“The Supreme Court has since made clear that the federal government lacks the authority to regulate purely intrastate commerce,” Boies said.
“Moreover, the facts on which those precedents are based are no longer true.”
Verano President Darren Weiss said in a statement the company is “prepared to bring this case all the way to the Supreme Court in order to align federal law with how Congress has acted for years.”
While the Biden administration’s push to reschedule marijuana would help solve marijuana operators’ federal tax woes, neither rescheduling nor modest Congressional reforms such as the SAFER Banking Act “solve the fundamental issue,” Weiss added.
“The application of the CSA to lawful state-run cannabis business is an unconstitutional overreach on state sovereignty that has led to decades of harm, failed businesses, lost jobs, and unsafe working conditions.”
Business
Alabama to make another attempt Dec. 1 to award medical cannabis licenses
Alabama regulators are targeting Dec. 1 to award the first batch of medical cannabis business licenses after the agency’s first two attempts were scrapped because of scoring errors and litigation.
The first licenses will be awarded to individual cultivators, delivery providers, processors, dispensaries and state testing labs, according to the Alabama Medical Cannabis Commission (AMCC).
Then, on Dec. 12, the AMCC will award licenses for vertically integrated operations, a designation set primarily for multistate operators.
Licenses are expected to be handed out 28 days after they have been awarded, so MMJ production could begin in early January, according to the Alabama Daily News.
That means MMJ products could be available for patients around early March, an AMCC spokesperson told the media outlet.
Regulators initially awarded 21 business licenses in June, only to void them after applicants alleged inconsistencies with how the applications were scored.
Then, in August, the state awarded 24 different licenses – 19 went to June recipients – only to reverse themselves again and scratch those licenses after spurned applicants filed lawsuits.
A state judge dismissed a lawsuit filed by Chicago-based MSO Verano Holdings Corp., but another lawsuit is pending.
Source: https://mjbizdaily.com/alabama-plans-to-award-medical-cannabis-licenses-dec-1/
-
Business1 year ago
Pot Odor Does Not Justify Probable Cause for Vehicle Searches, Minnesota Court Affirms
-
Business1 year ago
New Mexico cannabis operator fined, loses license for alleged BioTrack fraud
-
Business1 year ago
Alabama to make another attempt Dec. 1 to award medical cannabis licenses
-
Business1 year ago
Washington State Pays Out $9.4 Million in Refunds Relating to Drug Convictions
-
Business1 year ago
Marijuana companies suing US attorney general in federal prohibition challenge
-
Business1 year ago
Legal Marijuana Handed A Nothing Burger From NY State
-
Business1 year ago
Can Cannabis Help Seasonal Depression
-
Blogs1 year ago
Cannabis Art Is Flourishing On Etsy