Washington’s recreational cannabis industry is about to hit a huge speed bump. The Washington Liquor and Control Board (WLCB) requires that a mandatory seed-to-sale tracking system be used for all cannabis products. Since the fall of 2013, the WLCB has used BioTrack THC as its seed-to-sale software provider, but as of November 1st their contract with the WLCB is up, and plans to replace BioTrack’s services have not gone according to plan.
Back in April, it was announced that the WLCB wouldn’t renew BioTrack’s contract and would instead shop out the contract. However, BioTrack opted out of the newest bid because BioTrack’s CEO Patrick Vo was “uncomfortable” with the bidding terms, The Cannabist reports. Vo isn’t certain the bidding contract laid out by the WLCB meets the Cole Memo’s standard. The Cole Memo is a document drafted by former U.S. Attorney General James Cole. It allows the recreational sale of cannabis under strict guidelines that must be adhered to without question, such as not selling to minors or criminal organizations, per Leafly.
The contract was awarded to MJ Freeway’s Leaf Data Systems, a Denver-based software provider. Originally the WLCB predicted a two-day limbo when BioTrack’s replacement was implemented. It’s now being reported by the WLCB that MJ Freeway’s system will not be operational until January 2018.
This blackout period could cause real damage to the cannabis industry. If it occurs, businesses will contract third-party data tracking outfits like Green Bits or WeedTraQR. Businesses that can’t afford third-party tracking services will be forced to manually input sales and inventory data on paper spreadsheets, The Stranger reports. This significantly increases the chance of making mistakes when tracking product. The WLCB can fine, suspend or revoke licenses for traceability mistakes.
There’s been dispute over why the WLCB didn’t renegotiate with BioTrack to avoid this entire situation. WLCB representative Brian Smith told The Stranger their aggressive attempts at renegotiating with BioTrack were met with questions rather than “proposed solutions.” There is some truth to Smith’s statement, but there’s more to the story.
Vo wrote an open letter to the cannabis industry explaining BioTrack’s position in regard to renegotiations with the WLCB. Vo attached personal emails between him and WLCB members and other documents dealing with the situation.
During the week of August 21, 2017, after MJ Freeway was awarded the new contract, BioTrack began dumping data to be swapped onto the MJ Freeway system. During this process, an email was sent from MJ Freeway’s Leaf Data Systems to several Washington cannabis licensees; it contained sensitive data not publicly available. Vo confirmed this with the CEO of WeedTraQR, David Busby.
Busby and several other cannabis business owners conducted a private investigation of the email and concluded the data was hacked from state databases, Vo writes. If MJ Freeway’s system is compromised, BioTrack can be compromised as well by sharing a digital space with them. This is extra dangerous for software companies whose entire business model depends on tight cyber security.
The WLCB scoffed at these claims, calling the email a “spoof” and “fake news,” Vo writes. BioTrack requested a third-party security check be performed on MJ Freeway’s system. The WLCB told Vo the Washington State Office of the Chief Information Officer (OCIO) conducted a security scan, but declined to give BioTrack physical documentation of the security check’s results.
On October 17, the WLCB offered BioTrack a four-month extension while MJ Freeway gets it together. Vo won’t work with the WLCB until his security concerns are resolved. In order for BioTrack to move forward with a contract extension, the WLCB and OCIO would have to address the following three points.
1. “The letter does not provide a date for when the review was performed. No review can provide any assurances about current system security if it was performed before the “spoof” email was sent to licensees.”
2. “The letter states that it was the security design that was reviewed; the system itself did not undergo generally accepted security audit testing. That is like the difference between, “Patrick, we reviewed the airplane design you drew on paper and the design should fly,” versus, “Patrick we tested the actual plane you built and it successfully flew.””
3. “Finally, the OCIO’s online project dashboard’s OCIO Assessment reads, “user authentication requirements and Security Design Review increase risk due to imminent project implementation deadline” (emphasis mine) for 07/13/2017, 07/27/2017, 08/22/017, and 09/15/2017. Now, I don’t know what this means, and to be fair I only just found this today and have not given the WSLCB an opportunity to help me understand what this comment means, but my current interpretation is that on each of those dates, the Security Design Review continued to increase the risk that the project would not be completed on time because the review remained ongoing as the system was being developed.”
Vo’s suspicions of MJ Freeway’s cyber security are justified. Their systems were breached in January, which led 1000 stores across 23 states to suspend sales temporarily and resulted in part of their source code being posted on a Reddit forum, The Stranger reports.
Vo hopes that differences can be resolved by the deadline, but will not risk his company’s integrity and his employees’ future to squeeze the WLCB out of a hole they stuck themselves in.