BiotrackTHC Archives - Green Market Report


Seattle, WA, June 19, 2018 /AxisWire/ MainStem, Inc., a leading cannabis e-commerce technology company, has launched an integrated marketplace with BioTrackTHC, a seed-to-sale software in the legal cannabis industry. BioTrackTHC has rolled out the integration to customers in Colorado, Washington, California, Puerto Rico, and Montana, with additional states to be rolled out systematically over the next several weeks. Customers can now enjoy the benefit of purchasing all their packaging, retail accessories, lighting, grow supplies and traceability equipment within their BioTrackTHC user interface at competitive pricing.

“When our team created the MainStem Affiliate Program, we understood the influence it could have within our industry, and we’re ecstatic to see our community recognizing how easy it is to use,” said Garrett Hampton, CTO of MainStem, Inc.  “MainStem is known for our strength in product offerings and efficiencies, and this partnership provides BioTrackTHC’s user base with strong support from our business and our approach to open and connected partners throughout the industry. I look forward to extending integrations with all software applications and partners looking to streamline the overall process of supply chain management.”

Alen Nguyen, CEO of MainStem, Inc., commented: “We realized the opportunity presented by the fragmentation of the ancillary supply market in the cannabis industry. MainStem is revolutionizing the way traditional supply chain management is happening in the industry.”

“Imagine you’re dealing with thousands of plants/products being moved around in your seed-to-sale software and you realize you need more nutrients or packaging.  You’d have to leave what you’re working on to order more supplies, or make yourself a note to do it later,” said Dr. Moe Afaneh, COO of BioTrackTHC. “Without any incurred costs or change in monthly billing, we’re providing a way for customers to order those supplies without breaking from what they’re currently working on.  Businesses already invest so much time and money into seed-to-sale and compliance, so this adds a more efficient process to yet another facet of their business and does so in a way that also offsets the cost of your seed-to-sale software by leveraging partnerships.”

About MainStem, Inc.

MainStem, a technology-based ancillary product distribution company in the regulated cannabis industry, is the leading comprehensive marketplace in the industry, with over 10,000 products for cannabis businesses to choose from. The company integrates its marketplace into significant industry software providers to maximize its customer reach and simplify the procurement process for industry businesses. To learn more, please visit https://www.gomainstem.com/

Linden Mundekis,

MainStem, Inc.

206-492-7173

media@gomainstem.com

 


Debra Borchardt, October 31, 2017

Washington State’s marijuana program is a hot mess and the state only has itself to blame. The state monitors its legalized marijuana program by tracking the marijuana from seed to sale. Every single plant is tagged from its point of conception to its final use and sale through a sophisticated software program. The program is used by every license holder and covers thousands of transactions daily.

One of the reasons for such an onerous tracking system is that marijuana is still federally illegal. States have been allowed to operate marijuana programs that have been legalized at a state level so long as they abide by guidelines listed in a document from the Department of Justice called the Cole Memorandum. The goal of the memo was to make sure legal marijuana did not make its way into the black market or in the hands of children.

The state is changing vendors, and the transition has gone very badly, forcing businesses to manually keep track of the marijuana plants until the new vendor can take over. The problem is that anti-marijuana forces could point to this debacle as vindication that legalized marijuana is a bad idea because it can’t be properly monitored.

BioTrackTHC was contracted in 2013 to monitor the program with its seed-to-sale tracking, and by all accounts, it seemed to be working just fine. Then the state decided to open the program up to a public bid to see if there might be a better vendor for a better price. This isn’t such a bad idea because states should always try to see if they can save their taxpayers money and always seek to improve programs. However, the execution went horribly wrong.

In June the state selected Franwell’s METRC system to replace BioTrackTHC. However, when Franwell came to the table to begin negotiations on planning the program takeover, talks quickly broke down. On June 9, Franwell walked away from the contract and never spoke publicly about it. One inside source said that, basically, the state wanted more from Franwell than it was willing to pay for. Then the state tried to throw Franwell and the cannabis businesses under the bus by saying that Franwell wanted to charge too much money for RFID tags that the businesses didn’t want, thereby deflecting attention away from its poorly managed transition.

Another theory, from the blog PA Marijuana Medical Watch, suggested that the state made demands on Franwell that weren’t in the original Request For Proposal (RFP), causing them to walk away. This blogger believes the state decided to pick MJ Freeway’s Leaf Data Systems, a seed-to-sale software company, because it is getting advice from the advocacy groups National Cannabis Industry Association and Marijuana Policy Project, both investors in MJ Freeway.

Whatever the reason, Franwell walked away from a lucrative contract with the state of Washington in nine days. The state then chose MJ Freeway, which has had its own share of troubles this past year. The company has suffered hack attacks, alleged security breaches (which the company denies) and systems failures. It desperately needed a win this year. However, by winning the contract, it was also put in the position of trying to take over a multi-million dollar system with over 1,700 participants in a matter of months. No easy task for any software company. MJ Freeway issued a video response regarding the situation, trying to address market concerns.

MJ Freeway insisted that its software problems were resolved in a matter of hours and that customers were back online quickly. They also point out in the video that the task they are taking on is very complicated and takes more time than what the state had allotted.

“It’s a huge program with thousands of transactions every day and hundreds of businesses involved,” said Jeff Gonring, Director of Market and Communications for BioTrack. “This is not a simple transfer of data.”

MJ Freeway was set to take over from BioTrackTHC on October 31 but now isn’t expected to take over until January 2018. The state’s Liquor and Cannabis Board has come up with a contingency plan for November 1. Its message to the businesses: “You must keep a record of all required activity associated with your business. If you have a third-party, commercial software provider consider contacting them to review your coverage. Some software systems may capture traceability transactions for later reporting which may minimize your manual reporting requirements.” In other words, sharpen those pencils for your spreadsheets. Not only do these businesses have onerous rules and regulations they have to abide by, they now have to manually track this information and then two months later transfer it to a new program.

“The whole situation is still pretty dynamic between the Washington State Liquor and Cannabis Board, many of the traceability platforms active in the state and other marijuana licensees; new information seems to be coming through on an almost hourly basis,” said Mindon Win, Special Operations Coordinator at BotanicaSeattle. “The marijuana industry here in Washington is banding together to come up with solutions that keep us in compliance and able to continue doing business.”

So, what about BioTrackTHC in all of this mess? The company was set to terminate its contract on October 31, but in early October the state began talking to BioTrackTHC to extend the contract. “Events occurred that brought up a potential security concern,” said Jeff Gonring, Director of Market and Communications for BioTrack. “We need resolution on that security concern before entering into an extension.” Gonring is referring to an email that was sent to Washington licensees last month from someone claiming to have sensitive data that seems to be proven as accurate.

“We are concerned about the breach. We are currently in a co-mingled state and we need assurances from the LCB that it has been remedied. We can’t expose our system to that,” said Gonring. “There is enough smoke to give us concern there is fire.” BioTrackTHC is so concerned the company issued a public letter to the Washington State LCB. At this stage, BioTrackTHC hasn’t officially agreed to the extension, nor has it declined.

The security breach that Gonring believes happened is outlined in the public letter. He noted that BioTrack began a data dump in August to MJ Freeway in order to assist in the transfer of vendors. Then in September, the licensees received emails saying that a hacker had gotten sensitive data from the Washington dispensaries and wanted to sell it. The data seemed to be real and the emails weren’t seen as an idle threat. BioTrack seems to suggest that the timing is not a coincidence.

In the meantime, the state has sent out spreadsheets to business owners.  The opportunity for human error is enormous. There are almost 20,000 pounds of marijuana that are produced each month in the state that must be tracked and traced. There were 3.8 million pounds of extracts produced in August in the state that must be accounted for and the state logged $1.3 million in sales for the fiscal year 2017.

The business owners seem to be the one group left out of this equation. They are at the mercy of the state and its mismanagement of the tracking system. “I don’t want to speak for everyone but we hope people recognize that marijuana businesses are invested in compliance with the state and it’s in everyone’s best interest to demonstrate our ability to run a regulated and monitored cannabis market under these circumstances,” said Win. 

It gives anti-marijuana forces fuel for their fire to claim that legalized marijuana can’t be properly monitored. They will argue that over the next two months, marijuana can end up on the black market because it can’t be properly tracked and traced. They could be right.

Washington State’s debacle could hurt the legalization efforts if this proves to be true, especially ahead of the holiday season, which is when sales rise. The entire situation could have been avoided either by remaining with a program that worked without any hiccups or at least by giving a vendor enough time to properly prepare for a transfer of services. In the end, the problem must be owned by the state for creating this self-inflicted wound.


Cynthia Salarizadeh, October 26, 2017

Dear Washington Cannabis Industry,

I write to you today with the sincere hope that I can cut through much of the noise and rumor of the last few days with some transparency so you can make informed decisions as business owners and so we can come together for the forward progress of the industry.

Before I write anything else, I want to emphasize the fact that Washington’s cannabis industry is incredibly important to BioTrack.  It was our first government contract.  TJ Ferraro – BioTrack’s founder – and I lived in Washington for the three months it took to customize and implement the original traceability system.  More licensees use our business platform in Washington than in any other state.  We have an office in Olympia, and nine BioTrack employees call Washington home.  Many of you are our friends.  If you take away nothing else from this letter, please know that you are important to us and we remain committed to doing everything in our power to make you successful.

Rather than ask you to blindly believe my narrative over someone else’s, the actual emails sent from me to the WSLCB are attached to the end of this letter so you can verify the facts and judge for yourself.  These emails are available via public records request so I am not sharing anything that wouldn’t already be available for public inspection.

What Is Going On?

BioTrackTHC’s traceability system contract with the WSLCB expires on October 31st, 2017 unless it is extended.  A more detailed chain of events is provided later, but the short story is that the WSLCB initially chose to not extend our contract beyond October 31, 2017, and MJ Freeway was selected to provide a replacement system that was to take over by the time our system is to be decommissioned, at midnight on October 31st.  It was recently announced by the WSLCB that the replacement system will not be operational in time, and licensees will have to report their seed-to-sale traceability data via manual spreadsheets for two months until the replacement system’s updated go-live date of January 2, 2018 assuming everything moving forward remains on schedule.  These manual spreadsheets are to be used for tracking all plant, harvest, inventory, conversion, sample, laboratory testing, transportation/chain-of-custody, and sales data for as long as the WSLCB’s contingency plan is in place.  

Is There Currently A Contract Extension On The Table Between The WSLCB And BioTrackTHC?

The WSLCB sent to BioTrack terms for an extension last Tuesday, October 17th.  This was the first offer for an extension that the WSLCB has offered BioTrack since MJ Freeway was awarded their contract in July, and remains as the current offer on the table.

The WSLCB offered BioTrack a four month extension for $125,000, or $31,250 per month.  

To put this offer in context, over the four-year life of the contract, BioTrack did not earn maintenance and support fees for the first two years and earned $180,000 per year ($15,000 per month) for the past two years.  The WSLCB’s extension offer is a $16,000 per month premium over the standard rate.

The WSLCB’s contract with the new vendor is $600,000 per year, or $50,000 per month.

Per my email to the WSLCB on Thursday, October 19th (see “Exhibit 2”), BioTrack did NOT decline the WSLCB’s offer for extension.  However, BioTrack requires resolution on security concerns that were previously brought to the WSLCB’s attention before the other components of any offer, such as financial and timing components, can even be considered.  BioTrack is still actively seeking to resolve these security concerns prior to the expiration of the contract.

The final paragraph in my last email to the WSLCB on this matter, dated October 19th, reads as follows:

When we first spoke last Monday about the possibility of extension, you assured me multiple times that the current project is running on schedule and that the extension was being offered to us for the benefit of the third-party software providers, and for that we are grateful for the WSLCB’s consideration.  I want to be clear that we are not saying “no” to the extension.  We just cannot consider any other factors until we can resolve these concerns and they have not yet been resolved.  However, we don’t want our security concerns to cause a burden on the WSLCB if everything is indeed running on time.  We have done our best to be partners with the WSLCB since the beginning so we hope that we can resolve our concerns before next week’s transition.

What Is The Security Concern That Needs To Be Resolved Before BioTrack Can Feel Comfortable In Accepting The Extension?

On Monday October 9th, the WSLCB and I connected for the first time in nearly six months to discuss a possible extension.  I was informed that the WSLCB remained confident that the new system was on time, but that an extension would allow the business seed-to-sale software providers more time to integrate with the new government system.  I then informed the WSLCB that BioTrack has serious concerns related to security.  

After MJ Freeway was awarded the contract, beginning the week of August 21, 2017, BioTrack began providing a “data dump” of the entire traceability system database to the WSLCB on a weekly basis so that the entire dataset could be mapped and migrated to the replacement system. However, many Washington licensees received an email in mid-September alleging to sell databases described as “WA DATABASE,” “NV PROD DATABASE,” and “PA PROD DATABASE,” among others (see “Exhibit 6”).  These presumably are to mean the Washington database, the Nevada database, and the Pennsylvania database.  The emails also provided unencrypted sample data files as a kind of “proof of life.”  Some business seed-to-sale software providers took it upon themselves to investigate the sample data and it was reported that the sample data not only appeared legitimate, but that it included sensitive data that is not publicly available: data that is contained within the full un-redacted traceability dataset.  I am sure that many of my peers contributed to the industry’s investigation, but I specifically want to recognize David Busby, CEO of WeedTraQR, for his tireless efforts in this regard.

To BioTrack, other third-party software providers, and many Washington licensees, this is a serious concern.  BioTrack currently operates six state-level government cannabis traceability systems and has managed Washington’s traceability system for four years without any security breaches.  We then find ourselves in a situation where both our reputation and our security are co-mingled with another company’s; and then a few months later, credible reports surface that Washington-specific data not otherwise available to the public is found outside of the chain of custody.  

I conveyed to the WSLCB our concern that this situation where we “share space” with their new vendor puts us in jeopardy.  I memorialized those concerns in writing within my follow-up email dated October 16th (see “Exhibit 1”).

“The current status quo has already harmed both our reputation and our peace of mind with respect to security risk.  Please understand that we have continued to provide our traceability technology, support, and weekly data dumps of the entirety of the database because we remain contractually obligated to do so, not because the new status quo is in any way comfortable for us.  Every passing day in which we find our reputation and security co-mingled with another vendor without any assurances that our technology—and therefore our livelihoods—are safe within this new co-mingled environment compounds our anxiety and intensifies our desire to exit the unsafe situation.”

Our technology is how we make our living.  If the security of our technology becomes compromised, at least sixty people lose their jobs and all of our customers who depend on us also become compromised.  It would be irresponsible of us to ignore credible threats to technology security.

Now I am not saying that we know for certain that the WSLCB’s or MJ Freeway’s security was breached.  Maybe there was no security breach of any kind.  Maybe there was a security breach and it has since been remedied.  Maybe there was a security breach and it’s still there.  What we do know is that there is enough smoke that we are not comfortable moving forward without a reasonable level of assurance that the fire has been addressed.

The WSLCB’s position at the time was that the email was a “spoof” and that it was “fake news”, and BioTrack respects their prerogative to believe that no security issues exist.  However, we respectfully disagreed with that position and said we needed some type of meaningful assurances that the alleged breach either did not happen or did happen and has since been remedied, since without that we have no solid footing in understanding our current risk exposure.

What Has BioTrack Obtained So Far To Address The Security Concerns?

To emphasize BioTrack’s sincere interest in a possible extension and to ensure that BioTrack’s concern regarding the possible security issue was not misunderstood, I had a member of BioTrack’s board of directors join me on a call with the WSLCB on Friday, October 13th.  I also had the CEO of one of our competitors join the call to show what he had uncovered from the “spoof” email that licensees had received.  At one point, we suggested that a third-party security audit providing a “clean bill of health” may go a long way in allaying our concerns.  The WSLCB reassured us that a security audit had been performed by the Washington State Office of the Chief Information Officer (OCIO), but that none of the contents of the audit report could be provided to us.  The WSLCB offered to obtain a statement from the OCIO that could address our concerns.  We agreed to incorporate it into our overall evaluation, but could not promise that it would allay our concerns since we had not yet seen it.

To expedite the process in good faith, immediately after that call concluded, BioTrack submitted a records request to the OCIO for any security audit documentation that is available to the public.  As of the writing of this letter we have received one response from the OCIO’s office dated October 19th stating that they estimate, “it will require no more than thirty days to provide you a response,” (see “Exhibit 3”).

On October 17th, I received an email from the WSLCB stating that BioTrack’s “concerns were addressed already.”  Up to that point, we had received only verbal assertions and nothing in writing.  One part of my October 19th email (see “Exhibit 2”) contained the following response:

We appreciate the fact that the WSLCB is leaning on a review performed by the OCIO that found no adverse security concerns, but we have not seen any documentation with our own eyes or even a document stating that we are prohibited from seeing such documentation.  No offense, but we cannot just take your verbal word on something that could have far reaching consequences for our livelihoods and our customers. 

I am an accountant by training.  If someone withdraws $1,000 from the company bank account, that person would have to show me a receipt proving where it went.  A response of, “I have the receipt, but I cannot produce it for you,” is not one that anyone could reasonably accept.

I’m not trying to make light of the situation, but please appreciate the position we’re in in that nothing that we can rely on has been provided to us.

Later that day, the WSLCB sent to me a letter from the State of Washington Office of Cyber Security (see “Exhibit 4”).  The letter states, “We have completed our security design review on the new cannabis traceability system provided by Leaf Data Systems vendor MJ Freeway… the project, as proposed, uses appropriate security controls and methods to meet OCIO IT security standards at the time of review.”  Though we greatly appreciate the efforts of the WSLCB staff to obtain this letter, it does not provide much information or the peace of mind that we are seeking.  

  1. The letter does not provide a date for when the review was performed.  No review can provide any assurances about current system security if it was performed before the “spoof” email was sent to licensees.  
  2. The letter states that it was the security design that was reviewed; the system itself did not undergo generally accepted security audit testing.  That is like the difference between, “Patrick, we reviewed the airplane design you drew on paper and the design should fly,” versus, “Patrick we tested the actual plane you built and it successfully flew.”
  3. Finally, the OCIO’s online project dashboard’s OCIO Assessment reads, “user authentication requirements and Security Design Review increase risk due to imminent project implementation deadline” (emphasis mine) for 07/13/2017, 07/27/2017, 08/22/2017, and 09/15/2017.  Now, I don’t know what this means, and to be fair I only just found this today and have not given the WSLCB an opportunity to help me understand what this comment means, but my current interpretation is that on each of those dates, the Security Design Review continued to increase the risk that the project would not be completed on time because the review remained ongoing as the system was being developed (see “Exhibit 5”).

(http://waocio.force.com/ProjectDetail?id=a060P00000ezEk1QAE)

The WSLCB has been quoted recently in the media saying, “We’ve given them everything that we have and every assurance.”  Now I understand that this is likely true; that the WSLCB has given to us what they are allowed to give us.  However, everything they have given us thus far has been verbal and one brief letter on which we cannot place a great deal of reliance.  Again, we have a responsibility to our other government clients, to the licensees who depend on our business software, and our staff to take every reasonable precaution to protect our technology from security risks.  Accepting any extension of the current situation without reasonable assurances, regardless of the amount of money offered, would be irresponsible.

Again, we did not decline the WSLCB’s extension request.  We just cannot move forward until these concerns are dealt with.  We are still actively searching for alternative means to help us determine how sensitive non-public data came to be found within the “spoof” email sent to the industry and welcome any assistance from any other party, WSLCB or otherwise.

Can BioTrack Accept The Extension After October 31st If The Security Issue Is Addressed Shortly After?

I am not sure as I am not an attorney that specializes in Washington’s government contract law.  However, I do not believe either the WSLCB or BioTrack can “extend” a contract that is no longer in effect.  There may be a way to justify a sole-source procurement where the WSLCB can offer a new contract should the current contract expire, but we would have to consult an attorney.

What Is BioTrack’s Plan If The Contract Expires on October 31st?

We learned about the WSLCB’s “contingency plan” from the same announcement that many others in the industry received on Thursday, October 19th, and we learned on Tuesday October 24th, with everyone else that the manual spreadsheet era is expected to last at least through January 1st… so many of our plans are rapidly evolving and still solidifying.  That being said, here is our game plan for now.

First, BioTrack is committed to its direct commercial customers: those who rely on BioTrack’s business system for inventory management and point-of-sale.  It is our intent that in every way possible, your BioTrack business system will automatically generate the spreadsheets necessary for submission to the WSLCB so that there is a reduced impact to your business.  Please have patience with us as we are working with a moving target.

Secondly, the success of Washington’s industry as a whole – and therefore the success of every licensee in Washington whether you use our business platform or not — is important to us.  We have no intention of giving the federal government any reason to give this industry a hard time.  BioTrack understands that even with manual spreadsheets, there needs to be some method of communication and data exchange between licensees regardless of which third-party commercial system you use.  One common denominator for every third-party commercial software system in Washington is that it successfully integrates with our API.  Because BioTrack owns its traceability technology and licenses it to state governments for use, we can create a private-sector version of our traceability system that would mirror the current traceability system.  It would even include a web-interface for the licensees who have relied on the freely-provided MJ Traceability website, and it would have the current version of the Washington API so every current business seed-to-sale provider will already be integrated with it.  Though we are still working on the specific mechanics, all it would take is for everyone to point their systems to the new URL (website); all functions and all data that is currently coordinated and exchanged between licensees would be nearly identical, if not perfectly identical, to the way things presently work.  This private-sector “clone” of BioTrack’s traceability system could continue to operate for as long as we need it to, even if a worst-case scenario were to happen and the WSLCB’s system is unable to go-live by January 1, 2018 as planned.  We have yet to figure out the economics, but our goal is to just get the job done first and worry about the rest later.

Please remember that we are attempting to surf a wave in the wild here, so I can guarantee you that there will be turbulence as we go; however, my team and I believe that this is our best option to avoid industry Armageddon and we will all band together to navigate these unpredictable waters as best we can.  We have already received an outpouring of support from the other third-party software systems and in spite of the fact that we’re competitors and have our differences, I know that we can continue to use this challenge as an opportunity to bring the industry together for everyone’s success.

 

Highest Regards,

Patrick Vo

President and CEO

BioTrackTHC

 

Exhibit 1

Email — October 16, 2017

No changes have been made to this email reproduction other than the removal of recipients who were cc’d.

—    —

From: Patrick Vo <patrick.vo@biotrackthc.com>
Date: Mon, Oct 16, 2017 at 12:28 PM
Subject: BioTrack – Follow-up On Friday’s Call
To: “Antolin, Peter P (LCB)” <peter.antolin@lcb.wa.gov>

Peter,

First of all, because the question came up on Friday’s call, I want to reiterate that we are indeed interested in the possibility of an extension.  Neither I, nor Director Molloy would have invested our time for the call were that not the case.  However, though it is the LCB’s prerogative to believe that there are no security issues related to the LCB or any of the LCB’s other vendors, we’ve heard otherwise from other third-party vendors within the state who have uncovered concerning evidence to the contrary.

It was also asked of us why security is an issue when all the LCB is asking for is an extension of the status quo.  To reiterate and clarify what Mr. Molloy stated on the call, that question assumes that we are okay with the status quo.  However, the status quo changed when another company was chosen to essentially be a co-vendor with the LCB and BioTrack, followed by reports surfacing that Washington-specific data not otherwise available to the public began being distributed.   

The current status quo has already harmed both our reputation and our peace of mind with respect to security risk.  Please understand that we have continued to provide our traceability technology, support, and weekly data dumps of the entirety of the database because we remain contractually obligated to do so, not because the new status quo is in any way comfortable for us.  Every passing day in which we find our reputation and security co-mingled with another vendor without any assurances that our technology—and therefore our livelihoods—are safe within this new co-mingled environment compounds our anxiety and intensifies our desire to exit the unsafe situation. 

With respect to reputational harm, at least two state agencies have reached out to one of our other government clients with concerns that they heard that the “Washington Traceability System” was allegedly compromised.  At this point, BioTrack has become synonymous with Washington’s Traceability System and so we had to assertively defend ourselves; and these are just the two inquiries that we know about.  This cannot continue.

With respect to security risk, because LCB owns the data captured by the traceablity system (including password hashes included within the database), we currently have no viable method available to us of ensuring perfect security of our systems within the current co-mingled situation.  Even if every single password was changed tomorrow, this would only provide temporary relief until the next weekly file. 

Thankfully, the third-party vendors who have been independently investigating this matter have yet to uncover evidence that passwords themselves have been compromised.  Nevertheless, their findings thus far suggest that there is indeed a breach somewhere. 

On the call, we asked for assurances that the alleged breach either did not happen or has since been remedied if it did happen.  Please remember that we at BioTrack do not know what the LCB knows, and so we have no solid footing when it comes to understanding our risk exposure to being co-vendors with the LCB’s other system provider.  We are not asking for anything inappropriate.  We expect the LCB to protect their own proprietary information, and that of any other vendor, just as we would expect the LCB to protect our own proprietary information.  However, we don’t know what to ask for because we don’t know what we don’t know. 

The consensus from the majority of our board of directors is that, though the LCB’s request for an extension remains on the table, the current situation represents an imminent and unknown risk.  We have a responsibility to our customers, employees, and shareholders to not endanger our own security. 

You mentioned on the call that the vendor whom the reported evidence appears to implicate has already completed a security audit or something similar by the OCIO.  In order to keep the momentum of our conversation moving as quickly as possible, and to avoid putting the agency in an awkward position, we submitted a public records request on Friday for a (presumably redacted) copy of the completed information technology security audit for that vendor.  We know that it may take a few days to receive whatever redacted information will be made available for public inspection, but whatever is contained therein might go a long way towards allaying our concerns. 

Finally, you requested a dollar figure from us earlier in the week, and once again Friday.  We have made good faith attempts at determining a price, but without knowing the risk factor we cannot put a price on the unknown potential exposure component.  The value of the contract to BioTrack is its revenue less its costs; and the probability of costs related to potential events such as a security breach, our source code made public, reputation loss, commercial client loss, other government client loss, litigation, etc… are undefinably higher now than they were prior to the other vendor’s co-existence with BioTrack and the LCB.  Better understanding those risks is a prerequisite to determining the likely costs and therefore the contract extension as a whole.   

I know that this is not the answer you were hoping for; but it is the most responsible answer I can give you given the circumstances and the concerns of our directors.  We will wait for the public records from OCIO and will continue to work with other third-party vendors to independently investigate the reported matters in order to reach a conclusion with respect to our risk exposure moving forward and that risk exposure’s appropriate price. 

We understand that the LCB is pressed for time and may need to withdraw its request for an extension if you are not able to wait for us to receive and inspect the requested public documents from OCIO.  Any further assistance the LCB can provide in allaying our concerns and the concerns of other third-party vendors would be greatly appreciated.  We hope to come to a resolution in the best interest of all parties that does not sacrifice security, and I trust that you would expect nothing less.

Sincerely,

Exhibit 2

Email — October 19, 2017

No changes have been made to this email reproduction other than the removal of recipients who were cc’d.

—    —

From: Patrick Vo <patrick.vo@biotrackthc.com>
Date: Thu, Oct 19, 2017 at 12:21 PM
Subject: Re: BioTrack – Follow-up On Friday’s Call
To: “Antolin, Peter P (LCB)” <peter.antolin@lcb.wa.gov>

Peter,

I know I sound like a broken record, but I registered our concerns again because we do not feel that those concerns have been sufficiently addressed.  I am not sure what you meant by “the most we could offer was the information that we provided last week,” as we were not provided anything of substance.  We appreciate the fact that the LCB is leaning on a review performed by the OCIO that found no adverse security concerns, but we have not seen any documentation with our own eyes or even a document stating that we are prohibited from seeing such documentation.  No offense, but we cannot just take your verbal word on something that could have far reaching consequences for our livelihoods and our customers. 

I am an accountant by training.  If someone withdraws $1,000 from the company bank account, that person would have to show me a receipt proving where it went.  A response of, “I have the receipt, but I cannot produce it for you,” is not one that anyone could reasonably accept. 

Here is how a hypothetical conversation with my board of directors or one of our customers may go with what we have been provided thus far:

      Patrick:    “The LCB tells me that everything is fine and that we should not be concerned.”

      Board:     “How do you know?”

      Patrick:    “Because they told me so.”

      Board:     “Have you reviewed the evidence that supports this conclusion?”

      Patrick:    “No.  The LCB tells me that I am prohibited from reviewing the evidence.”

      Board:     “How do you know you cannot review the evidence?”

      Patrick:    “Because they told me so.”

 

I’m not trying to make light of the situation, but please appreciate the position we’re in in that nothing that we can rely on has been provided to us.

Thank you for taking a second look at the spoof email.  Other third-party software providers have analyzed the sample database provided from that spoof email and have reported that it contained the following information that is not available in the FOIA data that the LCB releases:

  • User email addresses of vendor staff and LCB staff,
  • Licensee employees, drivers, and vehicles (tag and VIN).

Obviously, there’s not much you can do regarding the Nevada data and the Pennsylvania data, but any insight you could provide on how this information left LCB custody would be helpful.

I understand that all Washington agencies are held to the same public disclosure standards, whether LCB, OCIO, or otherwise.  However, as stated earlier, even a reply from OCIO stating that the document exists but cannot be made available for public inspection is still more than what I have at the moment.  We are doing everything we can to quickly get comfort over the discomforting red flags and are leaving no stone unturned. 

The potential security risks are a major concern, but I would be remiss to not also reiterate the reputational damage as a concern.  Whether or not the LCB believes that the alleged security breaches are real, state agencies from across the country have heard about and expressed concern regarding them.  We remain at the forefront of having to defend both our credibility and the LCB’s credibility to current and prospective government clients without any assurance that we will not have to continue to do so should we agree to an extension.

When we first spoke last Monday about the possibility of extension, you assured me multiple times that the current project is running on schedule and that the extension was being offered to us for the benefit of the third-party software providers, and for that we are grateful for the LCB’s consideration.  I want to be clear that we are not saying “no” to the extension.  We just cannot consider any other factors until we can resolve these concerns and they have not yet been resolved.  However, we don’t want our security concerns to cause a burden on the LCB if everything is indeed running on time.  We have done our best to be partners with the LCB since the beginning so we hope that we can resolve our concerns before next week’s transition. 

__________

For copies of the emails:

https://goo.gl/4rhvZa

 

 

