Saturday, September 29, 2018

Cannabis Cybersecurity: Information Security Standards in Oregon

Last week we discussed the data breach notification laws with which cannabis companies doing business in Oregon must comply following a cyber intrusion. Today, we discuss the safeguards these companies must adopt to protect the security, confidentiality and integrity of the personal information of customers and employees (collectively, “Consumers”) who reside in Oregon.

Pursuant to Oregon Revised Statutes (“ORS”) § 646A.622 any business that “owns, maintains or otherwise possesses, and has control over or access to,” written and electronic data that includes personal information used for business purposes, must develop, implement, and maintain reasonable safeguards to protect the personal information.

Generally, “personal information” means a Consumer’s first name or first initial and last name in combination with, for example, a Consumer’s social security number, driver license number or financial account information, if (1) encryption, redaction or other methods have not rendered the data element or combination of data elements unusable; and (2) the data element or combination of data elements would enable a person to commit identity theft against a consumer.

The company must act in accordance with this law by:

(1) Complying with:

  • State or federal laws with greater protections for personal information than ORS § 646A.622;
  • Gramm-Leach-Bliley Act as of January 1, 2016 as of June 2018, if the company is subject to this act; or
  • Requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) as of June 2018, if HIPAA applies to the company;

and

(2) Implementing a security program that includes:

Administrative Safeguards, such as:

  • Frequently identifying reasonably foreseeable internal and external risks;
  • Frequently training and managing employees in security program practices and procedures; and
  • Selecting service providers that are capable of maintaining appropriate safeguards and adhering to procedures and protocols to which you and the service provider agree, but also requiring the service providers by contract to maintain the safeguards, procedures and protocols.

Technical Safeguards, like:

  • Assessing risks and vulnerabilities in network and software design;
  • Taking reasonably timely action to address the risks and vulnerabilities; and
  • Applying security updates and a reasonable security patch management program to software that might reasonably be at risk of or vulnerable to a breach of security;

and

Physical Safeguards, including but not limited to:

  • Monitoring, detecting, preventing, isolating and responding to intrusions timely and frequently; and
  • Disposing of personal information after you no longer use it for business purposes, pursuant to local, state and federal law.

So what does all of this mean? Simply put, business owners with 100 or fewer employees (which includes almost all Oregon cannabis businesses) will comply with these statutory requirements if their information security and disposal program contains administrative, technical and physical safeguards and disposal measures that are appropriate to: (1) the size and complexity of their business; (2) the nature and scope of their activities; and (3) the sensitivity of the personal information collected from or about a Consumer.

Cannabis businesses should take these safeguard standards seriously. Each violation is subject to a penalty of up to $1,000. Note that each day of a continuing violation is a separate violation, but the maximum penalty for any occurrence is $500,000. Civil penalties under ORS § 183.745 may also apply.

Complying with ORS § 646A.622 is not only required by law, it is also a very good idea for all cannabis businesses. Indeed, developing a vetted, comprehensive plan of action is the best way to effectively respond to an attack and to reduce the amount of damage to your company. Be safe out there!



source https://www.cannalawblog.com/cannabis-cybersecurity-information-security-standards-in-oregon/

Monday, September 24, 2018

International Cannabis: Selling Worldwide

Our firm’s main practice areas include cannabis, China, trade and immigration. As such, it may not surprise you to learn that we get a lot of questions about the developing international cannabis trade. This is in large part due to the fact that Canada is on the verge of legalizing marijuana nationwide.

Importing or exporting cannabis in the United States at this point is extremely limited. Marijuana is listed as a Schedule I substance in the Controlled Substances Act (CSA) and it is illegal under federal law to possess or sell marijuana. The Controlled Substances Import and Export Act incorporates the schedules of the CSA. That means that the U.S. Customs and Border Protection is likely to seize any shipments of marijuana, even if shipments are going to or coming from a nation that has legalized marijuana in some form. There has even been some noise about barring travel by foreign marijuana company investors themselves as of late.

All of that said, not all parts of the cannabis plant are considered marijuana. The CSA defines “marihuana” as “all parts of the plant Cannabis sativa L., whether growing or not; the seeds thereof; the resin extracted from any part of such plant; and every compound, manufacture, salt, derivative, mixture, or preparation of such plant, its seeds or resin.” The second classification under the CSA is “Exempt Cannabis Plant Material” which includes the following four categories:

  1. Mature stalks
  2. Fiber produced from mature stalks
  3. Oil or cake made from seeds
  4. Seeds incapable of germination

Exempt Cannabis Plant Material also includes “any other compound, manufacture, salt, derivative, mixture, or preparation” of the items listed above. The term does not include resin derived from mature stalks as that is considered marijuana, not Exempt Plant Material.

Back in May 2018, the Drug Enforcement Administration (DEA) issued an internal directive acknowledging that Exempt Plant Material is not “marijuana.” The directive touched on how the distinction impacted internationally traded cannabis:

“[A]ny product that the U.S. Customs and Border Protection determines to be made from the cannabis plant but which falls outside the CSA definition of marijuana may be imported into the United States without restriction under the Controlled Substances Import and Export Act. The same considerations apply to exports of such products from the United States, provided further that it is lawful to import such products under the laws of the country of destination.”

There you have it straight from the horse’s mouth: Importing or exporting Exempt Cannabis Plant Material is lawful under the Controlled Substances Import and Export Act. What is not clearly indicated is whether or not the DEA considers exporting industrial hemp, grown pursuant to the 2014 Farm Bill, as outside of the scope of the CSA.

By nature of the 2014 Farm Bill, industrial hemp cannot be imported. This is because the cultivation of industrial hemp is only permitted if grown pursuant to a state’s agricultural pilot program under the guidance of a state department of agriculture.

But before you go and order a metric ton of mature cannabis stalks, keep in mind that any shipment of any cannabis-related good can come with additional scrutiny. Even if a product is solely derived from Exempt Cannabis Plant Material, that doesn’t mean that Customs will thoroughly investigate its shipment. Importers and exporters should be prepared to prove that the product was solely derived from Exempt Cannabis Plant Material and not marijuana. This can be difficult to do as there is no way to truly test from what portion of the plant a product was derived. You may be thinking, “well can’t a lab confirm that a product contains no THC?” The answer, of course, is “yes”, but even though verifying THC content is important (THC is listed separately from marijuana as a controlled substance in the CSA) it is not dispositive in determining whether a product is derived from Exempt Cannabis Plant Material.

Intrepid importers and exporters should prepare to detail the chain of title for Exempt Cannabis Plant Material. This can include an affidavit from the original supplier of the plant that only Exempt Cannabis Plant Material was used, lab certifications, purchase orders, shipping documentation, and any other documentary evidence showing the source of the plant material. There is no single item guaranteed to satisfy the authorities, so it’s best to prepare multiple documents in case they are needed.



source https://www.cannalawblog.com/international-cannabis-selling-worldwide/

Saturday, September 22, 2018

Oregon Cannabis: Data Breach Notification Laws 101

A few weeks ago, we mentioned that cannabis companies that fall victim to a data breach are required, under state law, to inform employees and customers whose data was compromised by the intrusion. However, not every stolen piece of information demands notification. This post further dives into these laws—all 50 states have now enacted breach notification laws—by addressing the notification requirements imposed by the State of Oregon.

Oregon Revised Statutes (“ORS”) 646A.602 defines “breach of security” as “an unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information that a person maintains.” “Personal information” means an Oregon resident’s:

  • Social security number;
  • Driver license number or state identification card number;
  • Passport number or other identification number;
  • Financial account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to a consumer’s financial account;
  • Physical characteristics, such as an image of a fingerprint, retina or iris, that are used to authenticate the consumer’s identity in the course of a financial transaction or other transaction;
  • Health insurance policy number or health insurance subscriber identification number in combination with any other unique identifier that a health insurer uses to identify the resident; or
  • Any information about their medical history or mental or physical condition or about a health care professional’s medical diagnosis or treatment information.

Personal information also includes any of the data elements listed above, without the resident’s name, if the data elements, alone or in combination with others, would enable a person to commit identity theft against the resident.

However, the breach of a resident’s personal information does not, in and of itself, prompt the notification requirement. In Oregon, notification is not mandated if, after an appropriate investigation or consultation with law enforcement agencies, the company reasonably determines that the resident has not and is not likely to be harmed from the breach. Such determination must be documented in writing and maintained by the company for a minimum of 5 years.

If the company determines that the stolen data will harm or is likely to harm the resident, then the company must notify the resident “in the most expeditious manner possible, without unreasonable delay,” but no later than 45 days after discovering or receiving notification of the breach. Notification may only be delayed if the notice would impede a criminal investigation.

The notification, which must be made in writing, by phone or electronically, must include, at a minimum:

  • A description of the breach in general terms;
  • The approximate date of the breach;
  • The type of personal information that was subject to the breach;
  • The company’s contact information;
  • The contact information for national consumer reporting agencies; and
  • Advice to the consumer to report suspected identity theft to law enforcement, including the state Attorney General and the Federal Trade Commission.

Moreover, if more than 250 residents are notified, the company will be required to submit, in writing or electronically, a copy of the notification to the Attorney General. If more than 1,000 residents are notified, then the company will also have to notify all nationwide Consumer Reporting Agencies.

Data breach notification laws are demanding on hacked companies, but they are not the only laws with which these business entities must comply following a cyber attack. State and federal laws, including employment, medical, and financial laws, usually apply. In addition, states like Oregon impose pre-data breach measures, also known as information security standards—we will further cover this issue in our next post—on any company doing business in the state to protect the security, confidentiality and integrity of personal information before a breach. (California just passed one such law, specifically targeted at marijuana businesses.)

Cannabis companies affected by a data breach should always consult with experienced cyber security attorneys to avoid any civil penalty, but also to retain public confidence and maintain their competitive edge in this high-risk cyber environment.



source https://www.cannalawblog.com/oregon-cannabis-data-breach-notification-laws-101/

Friday, September 14, 2018

FREE Portland Event: Employment Law for Oregon Cannabis Businesses

What’s in YOUR employee handbook?

Even if your company is fully compliant with all OLCC-mandated marijuana laws and regulations, you can still expose yourself to legal pitfalls if you aren’t just as strict keeping up with state and federal employment laws. While the rapid evolution of corporate cannabis is evident in the news alone, you may not realize that state employment laws are just as volatile — and there are a lot of them.

As a business owner, you should know how to navigate this multitude of regulations. We saw one company face the consequences of violating Oregon’s sick leave law earlier this year. OSHA could be just as serious if they find marijuana producers are not adhering to state agricultural safety standards. What can you expect with an employment audit? How does Oregon and Portland’s “ban-the-box” ordinance affect who and how you hire?

Harris Bricken employment lawyer Megan Vaniman will be leading a free presentation on employment law for cannabis businesses on October 11, 2018 from 4 to 5 PM PST, followed by a reception. OSHA and BOLI are the tip of the iceberg; Megan will dive deep into state and federal legislation that can prevent your business from succeeding if you don’t proceed with caution.

Both the event and reception will take place at Harris Bricken’s Portland office. Can’t be there in person? The content in this presentation will be recorded and distributed as a webinar at a later date. Further questions about the event can be sent to firm@harrisbricken.com.

RSVP for this event at our EventBrite today!

Want to study up before the event? In addition to the articles linked above, check out these past articles by Megan:



source https://www.cannalawblog.com/free-portland-event-employment-law-for-oregon-cannabis-businesses/

Wednesday, September 12, 2018

State Legal Cannabis in 2018: Status Report (Part II)

Last week, we discussed New Jersey, Oklahoma, Michigan, and Virginia’s recent legislative and/or referendum developments in ending marijuana prohibition.

Today, we look at the three other states that will decide the fate of recreational and medical marijuana locally during the November election.

North Dakota

Last month, North Dakota’s recreational pot measure, Measure 3, was approved for bringing the matter to a public vote. Legalize ND, the committee that introduced this measure, managed to submit more than the 13,452 valid petition signatures which are required to get a measure on the November ballot.

Measure 3 aims to legalize marijuana use by people 21 and older and seeks to seal the records of anyone convicted of a marijuana-related crime.

In May, the North Dakota Sheriff’s and Deputies Association introduced a measure opposing Measure 3 as it believes legalizing recreational marijuana would create more problems for law enforcement, such as more impaired drivers and fatalities. Another anti-legalization organization, Smart Approaches, is also working to oppose the ballot measure.

In response, Legalize ND is planning to bring in members of Law Enforcement Against Prohibition, better known as LEAP, a pro-legalization organization composed of former and current police officers, federal agents, judges and prosecutors, that are critical of existing drug policies.

Utah

Although Utah is a rather conservative state, state voters are ready to decide the fate of medical marijuana ballot measures.

Proponents of Utah Proposition 2 collected about 200,000 signatures, which is roughly 80,000 more signatures than is required for ballot inclusion.

If the measure were approved, patients suffering from qualifying medical conditions with medical cards would be able to buy up to 2 ounces of unprocessed marijuana with no more than 10 grams of tetrahydrocannabinol (THC) or cannabidiol (CBD) every two weeks. The measure would continue to ban smoking marijuana, driving under the influence of marijuana, or using marijuana in public view except in a medical emergency.

Missouri

Missouri voters will get to choose from three medical marijuana measures in the November ballot. Two of the ballot measures are constitutional amendments; the third one is a statutory change. Although the details of the three measures vary, all would provide legal protection to patients and would regulate the production, processing and retail sales of cannabis.

New Approach Missouri championed one of the proposed constitutional amendments, which would allow doctors to recommend medical cannabis for any medical condition they see fit. Registered patients would be allowed to grow up to six marijuana plants and purchase up to four ounces from dispensaries each month. A four percent tax would be imposed on the sales of medical cannabis.

The other proposed constitutional amendment, backed by Find the Cures, would let doctors recommend medical marijuana to patients who suffer from one or more of the listed qualifying conditions. The retail sales tax, which would be set at 15 percent, would be used to support research to develop cures and treatments for cancer and other diseases.

Lastly, the proposed statutory change, sponsored by Missourians for Patient Care, would also afford access to medical marijuana to qualifying patients who suffer from specific conditions. Under this measure, sales would be taxed at 2 percent.

Undoubtedly, it will be a busy election season for the legal marijuana industry. We will keep you posted on any other legislative or referendum developments between now and the November 6 election.



source https://www.cannalawblog.com/state-legal-cannabis-in-2018-status-report-part-ii/