Startup cannabis manufacturers find themselves navigating a sea of compliance that seems to change and evolve as often as waves crash.
Manufacturers often need to abide by food safety regulations, state and city licensing rules, and a ream of QC tests. It's a lot to keep on top of for an entrepreneur, especially if they're coming in from another industry.
Kim Stuck of Hood River, Oregon-based Allay Consulting has worked in cannabis compliance since 2014, when she joined Denver Environmental Health as a public health investigator specializing in marijuana.
"There's a lot of regulations based around security as in physical security -- door locks and video surveillance and that kind of thing -- but there aren't a whole lot of Internet security or cybersecurity regulations at all," says Stuck. "Most people don't even think about it, because it isn't written into any regulation."
That means IT security often ends up falling by the wayside. "In the cannabis industry, they have so many other things compliance-wise to focus on. A lot of times, they forget about it," says Stuck. "Most people don't have an IT director in the cannabis industry."
Stuck typically refers clients to outside IT consultants when such needs become apparent, because data security is not just a nice-to-have, it's a need-to-have. Hacks can be devastating, whether the cause is ransomware or a disgruntled employee (or ex-employee). "We've seen that happen in other industries," she says. "The word needs to get out."
Colton Griffin, CEO of Flourish Software in Atlanta, says data security is one of those things that is largely invisible to most users. "If you're doing it right, it's probably not going to be noticed, which is a good thing," says Griffin.
But if you're doing it wrong, it makes the news -- like MJ Freeway's multiple hacks in 2017. "It was pretty widely reported and pretty significant," says Griffin.
For cannabis manufacturers, the worst-case scenario likely involves leakage of trade secrets, standard operating procedures, and inventory levels as well as financials, HR records, and pricing data.
"From a manufacturing perspective, [a hack of] the methods and ingredients used would probably be the worst-case scenario," says Griffin. "It's all sensitive but it's definitely not mandated to be protected in the way consumer data is. That being said, it's still proprietary and could negatively impact business if it's exposed."
Griffin says it's critical to have a detailed plan in place in the event of a breach, whether it's a malicious attack or "accidental leakage" of data. "You need a strategy that's comprehensive and takes care of both," he notes.
Another bullet point: Know your systems, adds Griffin. That means mapping and documenting "what you have, where it lives, and how it's transmitted." If sensitive customer data is involved, "You also need to have a policy on how to sunset that data."
It also involves documenting who has access to which systems and making sure that is part of the onboarding and offboarding processes. "You want to provide the least level of access required for employees to get into these systems," he says. "Don't add everybody to the system as an admin."
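As an added illustration (not code from the article, from Flourish Software, or from Griffin), the "know your systems" and least-privilege advice above can be turned into a routine access review. The script below runs over a constructed access register (system names, users and dates are invented) and flags access that outlived an employee's departure and systems with more admins than policy allows.

```python
from datetime import date

# Constructed inventory of systems: what each holds, where it lives,
# and how it is reached (the three questions Griffin says to document).
SYSTEMS = {
    "erp":       {"data": "inventory, pricing, SOPs",  "location": "vendor SaaS", "transport": "HTTPS"},
    "hr":        {"data": "HR records",                "location": "vendor SaaS", "transport": "HTTPS"},
    "fileshare": {"data": "formulations, financials",  "location": "on-prem NAS", "transport": "SMB"},
}

# Constructed entitlements: who can reach which system, at what level,
# and the date the person left (None while still employed).
ACCESS = [
    {"user": "alice", "system": "erp",       "role": "admin", "left": None},
    {"user": "bob",   "system": "erp",       "role": "admin", "left": None},
    {"user": "carol", "system": "fileshare", "role": "admin", "left": None},
    {"user": "dave",  "system": "hr",        "role": "user",  "left": date(2023, 11, 30)},
    {"user": "erin",  "system": "fileshare", "role": "user",  "left": None},
]


def review_access(access, systems, today, max_admins=1):
    """Return review findings as strings, in a stable order.

    UNKNOWN_SYSTEM: an entitlement refers to a system missing from the inventory.
    STALE_ACCESS:   the person left before `today` but the entitlement still exists
                    (offboarding did not revoke it).
    EXCESS_ADMINS:  more active admins than `max_admins` (everyone-is-admin smell).
    """
    findings = []
    for entry in access:
        if entry["system"] not in systems:
            findings.append(f"UNKNOWN_SYSTEM {entry['user']} -> {entry['system']}")
        if entry["left"] is not None and entry["left"] < today:
            findings.append(
                f"STALE_ACCESS {entry['user']} -> {entry['system']} (left {entry['left']})"
            )
    for name in systems:
        admins = sorted(
            e["user"] for e in access
            if e["system"] == name and e["role"] == "admin" and e["left"] is None
        )
        if len(admins) > max_admins:
            findings.append(f"EXCESS_ADMINS {name}: {', '.join(admins)}")
    return findings


if __name__ == "__main__":
    for line in review_access(ACCESS, SYSTEMS, date(2024, 1, 15)):
        print(line)
```

Running the review on a schedule (for example, at every offboarding and monthly) keeps the documented inventory and the actual entitlements from drifting apart.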
No matter how many employees are on staff, companies should appoint a point person for data security within the organization and bring on outside help to advise on and implement new systems and practices. "If you're relying on third-party SaaS companies, it's really about asking the questions, and generally you want to do that early -- before adopting them," says Griffin. "What are the controls and policies internally for them? Are they compliant with ISO requirements or HIPAA or various data? There's an alphabet soup of data security and privacy frameworks out there."
He adds, "Most enterprise clients that we work with, they would be expecting that. Most earlier-stage companies do not know to ask the questions."
Eric Peterson is editor of CompanyWeek and its monthly Cannabis Manufacturing Report. Reach him at firstname.lastname@example.org.