A shutdown of the state’s pot tracking software next week is already causing confusion and headaches for the more than 1,500 legal weed businesses in the state. While legal weed retail sales are unlikely to be affected, some pot shops are already stocking up on hundreds of thousands of dollars of extra pot products just in case.
The state had planned to switch to a new software vendor for managing the state’s seed-to-sale database on Nov. 1, but that vendor failed to set up the new database in time and the old vendor is refusing to extend their contract. Washington’s Liquor and Cannabis Board (LCB) released a contingency plan on Monday outlining how the state was going to track cannabis after it loses its database the 1st.
The massive seed-to-sale database is used to track every single pot plant and product in the state as it moves from a pot seed to a retail product. After the switch, it appears that at least some businesses will be left tracking pot plants and products by hand, a particularly arduous task this time of year, when tens of thousands of pounds of legal pot are being harvested by outdoor growers.
For the last four years, the LCB has contracted with BioTrack THC, a Florida-based company, to build and manage the database. In June of this year the Denver-based MJ Freeway won the new contract. Brian Smith, spokesman for the LCB, said the state wanted BioTrackTHC to extend their contract and continue operating the database, but the company declined.
“We very diligently sought an extension of three to four months. And they responded back with questions rather than promised proposals,” Smith said.
Patrick Vo, CEO of BioTrackTHC, said his company has been subject to possible security breaches after the new vendor, MJ Freeway, gained access to the system. Vo said the LCB has been unwilling to provide evidence that MJ Freeway’s cybersecurity system is adequate.
“We don’t know what our vulnerability is for the moment but we have not been given any substantive assurances with respect to whether or not a security issue happened and what’s been done to remedy that,” Vo said.
Smith disagreed with Vo’s characterization, saying the state had provided ample proof that MJ Freeway was a secure system. “We’ve given them everything that we have and every assurance,” Smith said.
A representative for MJ Freeway declined to answer questions about the alleged security breach.
Up until Monday, the LCB indicated that the switch between the two vendors would require only a two-day blackout starting Oct. 29, with MJ Freeway’s new database coming online on Nov. 1. That plan faltered last week after reports that the new MJ Freeway database was not yet operational. On Friday, LCB Spokesman Brian Smith confirmed to The Stranger that MJ Freeway’s database was not operational, and then Monday afternoon, the LCB posted a bulletin to their website saying that the new system as not ready and the state would instead implement a “contingency plan.”
This means, for the first time since legal weed went on sale in Washington, the state will operate a recreational market without a functional tracking database. The state will instead rely on private software companies to store the majority of the tracking data, which will then be uploaded to the new MJ Freeway database when it is operational. The majority of cannabis businesses in the state were already using these software companies to interact with BioTrackTHC’s database, and Smith said all of these existing software companies will remain operational after Nov. 1.
Smith also said about 25 percent of legal pot businesses in the state do not pay for these third-party software systems, instead using a free product BioTrackTHC has been required to supply. That product will go away Nov. 1, leaving a quarter of the state’s licensees with no way to report tracking data. For these businesses, reporting will have to be done manually by filling out spreadsheets and uploading them to the LCB’s website.
Some pot business owners are worried about liability. If these private companies have an operational failure, the state would still hold the pot businesses responsible for tracking all of their products. Failure to follow traceability laws frequently results in fines and sometimes suspensions or cancellation of licenses. The state has made it clear that traceability rules will still be enforced even if the state lacks a working traceability database.
Ryan Kunkel, an owner of the Have A Heart chain of retail stores, said representatives from the state have told licensees to maintain their own backup databases even if they are using third-party software. To build that separate inventory, Have A Heart has over 20 employees working every night to create an additional back up of the inventory, according to purchasing manager Brad Miller.
“In the past two weeks, all of our total stores collectively have done over 45,000 transactions and we’ve sold just under 100,000 units. That will now have to go onto paper backup,” Miller said.
Smith said he was not aware of any LCB employee recommending licensees keep a separate traceability record. “People are responsible for keeping track of their records but if they go with a commercial, third-party provider, we want them to be in communication with their provider,” Smith said. “If their third-party provider gives them every assurance that they’re going to be OK, they ought to feel like they can go with their provider.”
Kunkel said his company is ordering about $100,000 in extra pot products for each store in the event that transfers between producers and retailers are shut down.
“The reason we are stocking up is if we can’t buy product and the system isn’t ready, what happens if we can’t buy product for a day a month, a week? That’s the big fear. Business must go on,” Kunkel said.
Ian Eisenberg, the owner of the Uncle Ike’s, said his three locations were not backing up their inventory.
“A lot of the vendors are sending us emails and calling us and telling us it’s going to be down for weeks or months and we better stock up but I think it’s just a sales tactic,” Eisenberg said. “We have more than a couple of days supply anyway. If we are down for two weeks we’ll have issues. Down for two days, there’s no issue.”
Smith could not provide a timeline for when the new MJ Freeway database would become functional.
David Busby, CEO of the third-party software company Weed TraQR, said he had been working with MJ Freeway’s new database and saw serious flaws.
“The product that we have right now is still buggy. When MJ Freeways has meetings with third-party integrators they still make mention of the fact that they are doing some updates to the core functionality of the system. That’s not what you want to hear with ten days to go,” Busby said. “You want to hear we are just tweaking some rule sets, or something like that where they are talking about sanding down rough edges, not still framing up the barn.”
Tracking on the producer side of the market is likely to be an even bigger problem, as many growers are in the middle of harvesting the last of this year’s outdoor crop. These large outdoor harvests are often seen as a risky time for the legal crop diverting into the black market. The state of Oregon announced an increase police presence last month during this harvest season to make sure all outdoor pot was effectively tracked.
Vo said that two months ago, an e-mail was sent to multiple licensees offering to sell the raw data behind Washington, Pennsylvania, and Nevada’s recreational and legal weed markets. According to Vo, proprietary data was shared in this e-mail that made it appear to show that Washington’s data had been hacked.
“There’s a lot of sensitive data points that are protected. One of our concerns right now is the fact that the data dump that is provided to the LCB also includes the sensitive scramble passwords contained within the database,” Vo said. “The status quo changed when another party was introduced to this program and then subsequent to that, the Washington specific data that is not otherwise available to the public began being distributed.”
Smith said the e-mails were not an actual breach of the system. “There was some stuff circulating around… where they were acting as though there was another breach of MJ Freeway. That was a spoof e-mail that we certainly got a lot of questions about,” Smith said.
Vo said if the state was able to provide a security audit or some other piece of evidence corroborating MJ Freeway’s security, they would be willing to extend their contract. “We can’t discuss any other factors about the extension… until we can get some solid footing regarding our security risk exposure. I can’t put price tag or a dollar amount on the security of our product,” Vo said.
Jeannette Ward, a vice president at MJ Freeway, declined to answer a list of specific questions about the company’s security, instead providing a statement that appeared to be copied from the LCB’s Monday web update.
This is not the first time the security of MJFreeway’s systems have been questioned. In January, MJ Freeway’s system was hacked and sales at 1,000 cannabis dispensaries in 23 states across the country were subsequently suspended, according to Marijuana Business Daily. Five months later, the company’s source code was stolen and posted on Reddit, and in September the state of Nevada canceled its contract with MJ Freeway, according to Forbes.
The Nevada Department of Taxation, which was responsible for the contract, did not give a public reason for the cancellation and did not return calls from The Stranger for comment. Nevada replaced MJ Freeway with a company called Franwell, which, ironically, was the company the LCB had originally selected to replace BioTrackTHC. Franwell backed out of the Washington contract in June and the LCB picked MJ Freeway, the second place in the state’s bidding contest.
Update: The LCB met with a group of industry stakeholders today and announced that MJ Freeway's new system will not be operational until Jan. 1, 2018, according to Smith.