Harris Bricken Article Highlights The Issues With METRC Track & Trace In CA – Beware The Data Breach

Author  Griffen Thorne  writes by way of introduction……The aspect of track-and-trace with the biggest potential for disaster isn’t the fact that it’s so complex, but rather the fact that loss of access to the system could be devastating for licensees. Each of the three California cannabis agencies’ track-and-trace rules prohibit licensees from transferring cannabis to other licensees in the event of loss of access to the track-and-trace system. This effectively means that businesses have to stop doing business until access is restored—no matter what—and every day waiting could cost thousands of dollars in lost revenues. It doesn’t matter if the loss of access was caused by a licensee, a third party, or even issues with METRC or a third-party application integrated with METRC.

This leads me to a post I wrote several months ago on how data breaches are likely to ravage the cannabis industry. One of the things I talked about is the potential for “ransomware” or similar attacks—situations where hackers encrypt files or even in some cases lock users out of systems and demand money (the ransom) in exchange for giving access back to the user.

If a ransomware or similar attack causes loss of access to a licensee’s track-and-trace software, the licensee will be at the mercy of hackers and won’t be able to conduct business until they either pay the ransom (which may pose legal problems in and of itself, see here) or figure out how to gain back access themselves (which may be impossible). If there’s an attack to or even simply unintended downtime in the METRC system or integrated applications, that could cause chaos for operators across the state.

While loss of access to the entire METRC system could happen, it’s probably not very likely. What is virtually guaranteed to occur is individualized loss of access to the track-and-trace system following routine computer incidents or malicious hacking. There’s not much that the industry can do if METRC is breached and there’s widespread loss of access. But there is a lot that companies can do to protect themselves from individualized breaches or at least minimize the damage caused by breaches—from cyber insurance to breach planning to privacy policy compliance.

Read the full article at https://www.cannalawblog.com/cannabis-track-and-trace-is-a-disaster-waiting-to-happen-and-not-for-the-reasons-you-might-think/