Cannabis Traceability Trouble | I502 Seed to Sale Tracking

February 22, 2018
cannabis traceability | eliminate weed stigma

In Washington’s legal cannabis system, every plant must be tracked from seed to sale. With thousands of businesses involved in the cannabis industry in Washington, cannabis traceability becomes a monumental systemic task.

For the first 3 years of legalization in Washington, the services were provided by BioTrackTHC. There were considerable logistics issues in creating the world’s first seed-to-sale cannabis traceability system. After creating Washington’s program, they added contracts for seed-to-sale logistics in multiple US states and territories: Delaware, New Mexico, Illinois, New York, Hawaii, and Puerto Rico.

In 2017, the Washington State Liquor and Cannabis Board (WSLCB) chose not to continue utilizing BioTrackTHC services. The agency named Franwell, supply chain solutions providers with a product called Metrc, as the Apparent Vendor Successor (AVS). They also held contracts in Alaska, Oregon, Maryland, and Michigan They primarily focus on RFID integration in supply chain systems.

Days after the potential contract award was announced, Franwell sent emails to all cannabis producer/processor stakeholders indicating they would require RFID as the sole supported traceability mechanism, which tags cost approximately 50 cents and are required on all plants at all stages. Immediately following this, the WSLCB released an announcement that any vendor would be obligated to utilize all legal methods of cannabis traceability – including pen and paper records. Nearly immediately, Franwell withdrew their bid from the running.  

The remaining vendor was MJ Freeway, with their Leaf system. This vendor had a history of cybersecurity challenges, with documented cyberattacks on their networks in November, 2016, and again in January, 2017.

Those considerable challenges notwithstanding, they became the the AVS in June, 2017, with a timetable of October 31, 2017.  It was obviously clear to professionals who voiced concern in a number of industry publications and social media pundits throughout Washington, many of whom with tech backgrounds. There was simply no way this task would be completed in the time aloted.

In August, 2017, BioTrackTHC began providing massive data dumps to the WSLCB for integration and mapping. Within weeks, cannabis business stakeholders werereceiving emails offering full data on Washington, Nevada, and Pennsylvania, all states in which MJ Freeway provides cannabis traceability services.  These emails offered sample unencrypted data to demonstrate the contents, which appeared to be legitimate and accurate information.  This strongly indicated a data security breach. Nevada discontinued using MJ Freeway’s Leaf in November, 2017, in favor of Franwell’s Metrc.

Throughout October, 2017, BioTrack began communicating with the WSLCB about their concerns working with a provider that has demonstrated their data vulnerability.  The WSLCB insisted the email did not have legitimate data to offer, saying it was a “spoof”, and not an indicator of a legitimate data security breach.

BioTrackTHC was offered an extension, purportedly to help provide support to third-party providers, although it seemed likely the company would be providing all traceability services.  Even though the WSLCB offered double the monthly rate they received as maintenance on the original contract, about $31,000 monthly, BioTrack chose not to accept the extension, citing security risks which could jeopardize the security of other government contracts.

On October 24, 2017, the WSLCB announced their Contingency Plan pending implementation, as Leaf would not be integrated by the October 31 deadline.  The Contingency Plan consisted of spreadsheets, manually documented, and submitted manually.

With this Contingency Plan, primary stakeholders in I502 businesses were required to submit their Traceability data by midnight on Sundays. For retailers, this often obligated closing earlier to provide time to gather the information required and submit it in a timely manner. Otherwise, business as normal.  

The Contingency Plan remained in place until February 1, 2018. On that date, Leaf went live, although just barely.

The vast majority of users could not engage their accounts for several days. After that, secondary account integration became an issue. Several producer-processors discovered that Leaf was creating 16-character alphanumeric tracking sequences. However, Washington law requires 16-digit numerical tracking numbers. It was nearly a week after this was discovered that the WSLCB released a newsletter statement via email and on their website that these 16-character alphanumerics would be acceptable.

On the same date, February 9, 2018, the WSLCB deputy director Peter Antolin announced that a “computer vulnerability” took place in MJ Freeway’s Leaf Data tracking system. The cyberattack resulted in a full copy of the cannabis traceability database — including several days worth of delivery schedules, with vehicle license plates and other critical driver information.

Further, the intruder “took action that caused issues with inventory transfers for some users,” according to a letter written by Mr. Antolin, addressed to licensed business owners.

Adding to the early issues, a large number of producer/processors did not appear in Leaf systems for several days, stifling their ability to transfer goods, execute sales, and generate revenue. To resolve this, the WSLCB announced on February 10, 2018, that the Contingency Reporting period (essentially, pen and paper tracking) would continue for a further 2 weeks to allow full transition for all licensees.

Overall, tracking the vast volume of cannabis grown and sold in Washington is an immense, complex task. It’s also required to maintain the spirit of the Cole Memo, which has been rescinded but the primary goal of which was to minimize diversion to states without legal cannabis markets. While the Cole Memo is no longer in effect, the cannabis industry is working to maintain standards set when it was. The general spirit is a hope to demonstrate the industry’s capability of operating within tight constraints that fit the spirit of those rules, thereby promoting a change in rules.

Sources:

https://lcb.wa.gov/mjtrace/mj-traceability-faq

https://www.newcannabisventures.com/biotrack-thc-shares-plan-to-minimize-disruption-to-washington-cannabis-industry-caused-by-mj-freeway-delay/

http://fortune.com/2017/01/15/marijuana-sales-system-hack/

https://mjbizdaily.com/mj-freeway-releases-notice-regarding-2016-cyberattack/

https://mjbizdaily.com/washington-state-marijuana-traceability-glitches-stem-mj-freeway-hack/

https://www.thestranger.com/slog/2017/10/24/25490384/states-pot-tracking-software-causes-headaches-for-the-legal-weed-industry

http://www.spokesman.com/stories/2017/nov/03/delayed-software-launch-forcing-marijuana-business/

 

Learn More About Industry Happenings

  1. Why Experiential Marketing Matters for Your Dispensary Design
  2. TOP COMPLIANCE TIPS FOR CANNABIS BUSINESSES
  3. Your Cannabis Business Strategies for Success
  4. Women in Weed: Breaking the Grass Ceiling or Business as Usual?
  5. The CCC Has Launched an Online Marijuana Catalog
Posted in News