Author writes by way of introduction……The aspect of track-and-trace with the biggest potential for disaster isn’t the fact that it’s so complex, but rather the fact that loss of access to the system could be devastating for licensees. Each of the three California cannabis agencies’ track-and-trace rules prohibit licensees from transferring cannabis to other licensees in the event of loss of access to the track-and-trace system. This effectively means that businesses have to stop doing business until access is restored—no matter what—and every day waiting could cost thousands of dollars in lost revenues. It doesn’t matter if the loss of access was caused by a licensee, a third party, or even issues with METRC or a third-party application integrated with METRC.
This leads me to a post I wrote several months ago on how data breaches are likely to ravage the cannabis industry. One of the things I talked about is the potential for “ransomware” or similar attacks—situations where hackers encrypt files or even in some cases lock users out of systems and demand money (the ransom) in exchange for giving access back to the user.
If a ransomware or similar attack causes loss of access to a licensee’s track-and-trace software, the licensee will be at the mercy of hackers and won’t be able to conduct business until they either pay the ransom (which may pose legal problems in and of itself, see here) or figure out how to gain back access themselves (which may be impossible). If there’s an attack to or even simply unintended downtime in the METRC system or integrated applications, that could cause chaos for operators across the state.