Washington Archives - Green Market Report

William Sumner, December 12, 2018

Earlier this week, the cannabis technology platform LeafLink released its 2018 Wholesale Cannabis Pricing Guide and the company learned that Alaska and Maryland are the two most expensive states to buy legal cannabis, followed by Nevada and California.

Examining the wholesale landscape of some of the most mature cannabis markets in the United States, the guide looks at the average wholesale price of cannabis in eight states: Alaska, Arizona, California, Colorado, Maryland, Nevada, Oregon, and Washington. The product types covered by the report include concentrates, cartridges, edibles, flower, and pre-rolls.

Although the report does not dive into the specifics of why one state is more expensive than another, the authors speculate that Alaska and Maryland’s high prices are due to the states having a low number of cannabis cultivators. In the two states where cannabis is cheapest, Washington and Oregon, there is currently a glut of cannabis cultivators, leading to low prices and oversupply.

“As the standard wholesale marketplace for the industry’s leading brands, we are able to provide crucial market information to cannabis retailers and brands, which will help inform their plans for 2019,” said LeafLink Co-Founder and CEO Ryan G. Smith in a statement. “As more states like Massachusetts, Connecticut, Pennsylvania, and Michigan continue to establish wholesale operations, we will be able to provide a larger scope of market activity to further empower the LeafLink community, as well as the industry at large.”

Nationwide, the average price of cannabis flower is $2,124 per pound, while pre-rolls cost around $5.66 per gram. Cannabis concentrates average approximately $26.07 per gram, and cartridges are priced at around $39.55 per gram. Edible cannabis products, on average, cost around $0.20 per milligram.

When taken on a state-by-state level, cannabis prices start to vary. With regard to consumer preferences, the report found that consumers prefer products in the lowest 25% price range. The exception to this was pre-rolls. On average, consumers preferred pre-roll products in the 25%-49.99% price range.

The report also examined the relationship between pricing and discounted sales. On average, approximately 16% of the products sold through LeafLink’s platform have a discounted price. Across all eight states examined, discounted products generated 3% more sales than regularly priced products.

The discount effect is magnified when combined with larger sales campaigns. During the last year, LeafLink ran two sales promotions, one in the month leading up to 4/20 (dubbed 3/20) and one in July called 7/10, which is considered an industry-wide “holiday” for concentrates.

When combined with those larger sales campaigns, discounted products generated 37% more sales on 3/20 and 38% more sales on 7/10. This seems to suggest that cannabis retailers stand to significantly boost their sales numbers by combining sales promotions with discounted cannabis products.


Debra Borchardt, February 9, 2018

Congress shut down the government for a moment, but then our representatives in D.C. agreed on a 2-year framework for a budget and the government was back in business. Wrapped into this budget agreement was a vote to renew the Rohrabacher-Blumenauer amendment. This legislation protects states with legal medical marijuana from prosecution by the Department of Justice (DOJ) by barring the department from spending money on enforcement.

The two years isn’t a done deal, because for the next six weeks details in the budget will be hammered out, with March 23 as another date to look towards for voting on the budget. Yet the amendment keeps getting included, and each time that happens it becomes more and more secure.

The federal budget decides how much money each department gets to spend and the Department of Justice gets lumped in with all the other departments. This particular amendment prevents the DOJ from spending any of the money it gets towards enforcing federal marijuana laws against businesses and individuals in states that have legalized medical marijuana.

Each time the budget has been up for a vote, the cannabis industry would begin biting its nails. Would they include it again? Would this be the year they kick it to the curb and open the money train back up to Attorney General Jeff Sessions? There was even a fear that if the government shut down and the amendment was technically no longer in effect, the DOJ could quickly begin raiding companies in Colorado, Washington, Oregon and more.

Multiple pieces of legislation have been written to address issues with the cannabis industry, from outright legalization to more cherry-picked items like banking or veterans’ access to medical marijuana. Yet before a piece of legislation can be passed, it must be voted on, and in order for it to be voted on, the Rules Committee must allow the bill to go to the floor for a vote. The makeup of the committee is skewed towards the majority party – in this case, the Republicans.

The Republicans consistently vote along party lines and refuse to allow any of the legislation to get to the floor for a vote. So, the only recourse the legislators have is this amendment.


William Sumner, February 9, 2018

The cannabis industry in Washington is in a crisis this week as technical issues concerning that state’s new seed-to-sale tracking system continue to cost business owners thousands of dollars in lost sales and diminishing inventories.

Dubbed Leaf Data Systems, the new software was developed by Denver-based MJ Freeway, which provides business management solutions and consulting services for the cannabis industry. Launched on the first of February, the system has been plagued by a slew of bugs from the very start.

According to the Seattle Times, some growers have complained that the system scrambled their shipping orders while some dispensary managers have been unable to receive order shipping manifests. In addition to slowing down or altogether halting daily business operations, some users haven’t even been able to log into the system at all.

Initially, the state was supposed to switch over to a new seed-to-sale tracking system in November 2017 but the technology company chosen as the vendor, Franwell, abruptly backed out of the contract. MJ Freeway was subsequently chosen to pick up the contract but was only given several months to put together a system.

In a letter to licensees, Washington Liquor and Cannabis Board deputy director Peter Antolin said that the source of the transfer/manifest issues was related to an unauthorized access of the traceability system.

The system intruder reportedly downloaded a copy of the traceability database and took undisclosed actions which caused the technical issue with inventory transfers. Although no personally identifying information was stolen, the WSLCB says that some information was accessed.

The intruder gained access to route information of manifests filed between Feb. 1 and Feb. 4 as well as transport information, such as the vehicle type, VIN and license plate number. Driver information was not accessed.

The WSLCB claims that the issue has been resolved and that it and MJ Freeway are working towards fixing the other technical glitches within the system, noting that there are several workarounds for the errors while the system is being fixed.

Despite the board’s reassurances, some cannabis business owners, like Cannasol Farms CEO Jeremy Moberg, are more than skeptical.

“I don’t believe it’s fixed,” Moberg told MJ Biz Daily. “Not until I hear of retailers bringing in product.”

Moberg went on to say that he has approximately $18,000 in inventory sitting in a van because he cannot integrate his company with the Leaf Data Systems and that this week he’s had to lay off all but a handful of employees who are remaining to help him figure out the system.

“If you think about five days in this industry, it’s millions of dollars worth of transactions that are not happening,” Moberg added.

Some business owners have suggested that the state cancel its contract with MJ Freeway and go back to the contingency system left by the state’s previous vendor BioTrackTHC. But as the state continues to fix the technical glitches, cannabis businesses will continue to lose thousands of dollars; and while Washington’s cannabis industry will at some point return to normal, for many businesses, the damage has already been done.

The Back Story

 

 BioTrackTHC was contracted in 2013 to monitor the program with its seed-to-sale tracking, and by all accounts, it seemed to be working just fine. Then the state decided to open the program up to a public bid to see if there might be a better vendor for a better price.

In June the state selected Franwell’s METRC system to replace BioTrackTHC. However, when Franwell came to the table to begin the negotiations of planning the program takeover, talks quickly broke down. On June 9, Franwell walked away from the contract and never spoke publicly about it. One inside source said that basically, the state wanted more than what they were willing to pay for from Franwell. 

The state then chose MJ Freeway, which had its own share of troubles last year. The company has suffered hack attacks, alleged security breaches (which the company denies) and systems failures. By winning the contract, it was also put in the position of trying to take over a multi-million dollar system with over 1,700 participants in a matter of months. No easy task for any software company. MJ Freeway issued a video response regarding the situation in an attempt to address market concerns.

BioTrackTHC was set to terminate its contract on October 31, but in early October the state began talking to BioTrackTHC to extend the contract. “Events occurred that brought up a potential security concern,” said Jeff Gonring, Director of Market and Communications for BioTrack. He was referring to security over data issues surrounding MJ Freeway. Regardless, BioTrack designed a workaround for the state to use as it makes its transition. This band-aid approach has helped the customers and reduced BioTrack’s exposure to the security problems that seem to plague MJ Freeway.


Cynthia Salarizadeh, October 26, 2017

Dear Washington Cannabis Industry,

I write to you today with the sincere hope that I can cut through much of the noise and rumor of the last few days with some transparency so you can make informed decisions as business owners and so we can come together for the forward progress of the industry.

Before I write anything else, I want to emphasize the fact that Washington’s cannabis industry is incredibly important to BioTrack.  It was our first government contract.  TJ Ferraro – BioTrack’s founder – and I lived in Washington for the three months it took to customize and implement the original traceability system.  More licensees use our business platform in Washington than in any other state.  We have an office in Olympia, and nine BioTrack employees call Washington home.  Many of you are our friends.  If you take away nothing else from this letter, please know that you are important to us and we remain committed to doing everything in our power to make you successful.

Rather than ask you to blindly believe my narrative over someone else’s, the actual emails sent from me to the WSLCB are attached to the end of this letter so you can verify the facts and judge for yourself.  These emails are available via public records request so I am not sharing anything that wouldn’t already be available for public inspection.

What Is Going On?

BioTrackTHC’s traceability system contract with the WSLCB expires on October 31st, 2017 unless it is extended.  A more detailed chain of events is provided later, but the short story is that the WSLCB initially chose to not extend our contract beyond October 31, 2017, and MJ Freeway was selected to provide a replacement system that was to take over by the time our system is to be decommissioned, at midnight on October 31st.  It was recently announced by the WSLCB that the replacement system will not be operational in time, and licensees will have to report their seed-to-sale traceability data via manual spreadsheets for two months until the replacement system’s updated go-live date of January 2, 2018 assuming everything moving forward remains on schedule.  These manual spreadsheets are to be used for tracking all plant, harvest, inventory, conversion, sample, laboratory testing, transportation/chain-of-custody, and sales data for as long as the WSLCB’s contingency plan is in place.  

Is There Currently A Contract Extension On The Table Between The WSLCB And BioTrackTHC?

The WSLCB sent to BioTrack terms for an extension last Tuesday, October 17th.  This was the first offer for an extension that the WSLCB has offered BioTrack since MJ Freeway was awarded their contract in July, and remains as the current offer on the table.

The WSLCB offered BioTrack a four month extension for $125,000, or $31,250 per month.  

To put this offer in context, over the four-year life of the contract, BioTrack did not earn maintenance and support fees for the first two years and earned $180,000 per year ($15,000 per month) for the past two years.  The WSLCB’s extension offer is a $16,000 per month premium over the standard rate.

The WSLCB’s contract with the new vendor is $600,000 per year, or $50,000 per month.

Per my email to the WSLCB on Thursday, October 19th (see “Exhibit 2”), BioTrack did NOT decline the WSLCB’s offer for extension.  However, BioTrack requires resolution on security concerns that were previously brought to the WSLCB’s attention before the other components of any offer, such as financial and timing components, can even be considered.  BioTrack is still actively seeking to resolve these security concerns prior to the expiration of the contract.

The final paragraph in my last email to the WSLCB on this matter, dated October 19th, reads as follows:

When we first spoke last Monday about the possibility of extension, you assured me multiple times that the current project is running on schedule and that the extension was being offered to us for the benefit of the third-party software providers, and for that we are grateful for the WSLCB’s consideration.  I want to be clear that we are not saying “no” to the extension.  We just cannot consider any other factors until we can resolve these concerns and they have not yet been resolved.  However, we don’t want our security concerns to cause a burden on the WSLCB if everything is indeed running on time.  We have done our best to be partners with the WSLCB since the beginning so we hope that we can resolve our concerns before next week’s transition.

What Is The Security Concern That Needs To Be Resolved Before BioTrack Can Feel Comfortable In Accepting The Extension?

On Monday October 9th, the WSLCB and I connected for the first time in nearly six months to discuss a possible extension.  I was informed that the WSLCB remained confident that the new system was on time, but that an extension would allow the business seed-to-sale software providers more time to integrate with the new government system.  I then informed the WSLCB that BioTrack has serious concerns related to security.  

After MJ Freeway was awarded the contract, beginning the week of August 21, 2017, BioTrack began providing a “data dump” of the entire traceability system database to the WSLCB on a weekly basis so that the entire dataset could be mapped and migrated to the replacement system. However, many Washington licensees received an email in mid-September alleging to sell databases described as “WA DATABASE,” “NV PROD DATABASE,” and “PA PROD DATABASE,” among others (see “Exhibit 6”).  These presumably are to mean the Washington database, the Nevada database, and the Pennsylvania database.  The emails also provided unencrypted sample data files as a kind of “proof of life.”  Some business seed-to-sale software providers took it upon themselves to investigate the sample data and it was reported that the sample data not only appeared legitimate, but that it included sensitive data that is not publicly available: data that is contained within the full un-redacted traceability dataset.  I am sure that many of my peers contributed to the industry’s investigation, but I specifically want to recognize David Busby, CEO of WeedTraQR, for his tireless efforts in this regard.

To BioTrack, other third-party software providers, and many Washington licensees, this is a serious concern.  BioTrack currently operates six state-level government cannabis traceability systems and has managed Washington’s traceability system for four years without any security breaches.  We then find ourselves in a situation where both our reputation and our security are co-mingled with another company’s; and then a few months later, credible reports surface that Washington-specific data not otherwise available to the public is found outside of the chain of custody.  

I conveyed to the WSLCB our concern that this situation where we “share space” with their new vendor puts us in jeopardy.  I memorialized those concerns in writing within my follow-up email dated October 16th (see “Exhibit 1”).

“The current status quo has already harmed both our reputation and our peace of mind with respect to security risk.  Please understand that we have continued to provide our traceability technology, support, and weekly data dumps of the entirety of the database because we remain contractually obligated to do so, not because the new status quo is in any way comfortable for us.  Every passing day in which we find our reputation and security co-mingled with another vendor without any assurances that our technology—and therefore our livelihoods—are safe within this new co-mingled environment compounds our anxiety and intensifies our desire to exit the unsafe situation.”

Our technology is how we make our living.  If the security of our technology becomes compromised, at least sixty people lose their jobs and all of our customers who depend on us also become compromised.  It would be irresponsible of us to ignore credible threats to technology security.

Now I am not saying that we know for certain that the WSLCB’s or MJ Freeway’s security was breached.  Maybe there was no security breach of any kind.  Maybe there was a security breach and it has since been remedied.  Maybe there was a security breach and it’s still there.  What we do know is that there is enough smoke that we are not comfortable moving forward without a reasonable level of assurance that the fire has been addressed.

The WSLCB’s position at the time was that the email was a “spoof” and that it was “fake news”, and BioTrack respects their prerogative to believe that no security issues exist.  However, we respectfully disagreed with that position and said we needed some type of meaningful assurances that the alleged breach either did not happen or did happen and has since been remedied, since without that we have no solid footing in understanding our current risk exposure.

What Has BioTrack Obtained So Far To Address The Security Concerns?

To emphasize BioTrack’s sincere interest in a possible extension and to ensure that BioTrack’s concern regarding the possible security issue was not misunderstood, I had a member of BioTrack’s board of directors join me on a call with the WSLCB on Friday, October 13th.  I also had the CEO of one of our competitors join the call to show what he had uncovered from the “spoof” email that licensees had received.  At one point, we suggested that a third-party security audit providing a “clean bill of health” may go a long way in allaying our concerns.  The WSLCB reassured us that a security audit had been performed by the Washington State Office of the Chief Information Officer (OCIO), but that none of the contents of the audit report could be provided to us.  The WSLCB offered to obtain a statement from the OCIO that could address our concerns.  We agreed to incorporate it into our overall evaluation, but could not promise that it would allay our concerns since we had not yet seen it.

To expedite the process in good faith, immediately after that call concluded, BioTrack submitted a records request to the OCIO for any security audit documentation that is available to the public.  As of the writing of this letter we have received one response from the OCIO’s office dated October 19th stating that they estimate, “it will require no more than thirty days to provide you a response,” (see “Exhibit 3”).

On October 17th, I received an email from the WSLCB stating that BioTrack’s “concerns were addressed already.”  Up to that point, we had received only verbal assertions and nothing in writing.  One part of my October 19th email (see “Exhibit 2”) contained the following response:

We appreciate the fact that the WSLCB is leaning on a review performed by the OCIO that found no adverse security concerns, but we have not seen any documentation with our own eyes or even a document stating that we are prohibited from seeing such documentation.  No offense, but we cannot just take your verbal word on something that could have far reaching consequences for our livelihoods and our customers. 

I am an accountant by training.  If someone withdraws $1,000 from the company bank account, that person would have to show me a receipt proving where it went.  A response of, “I have the receipt, but I cannot produce it for you,” is not one that anyone could reasonably accept.

I’m not trying to make light of the situation, but please appreciate the position we’re in in that nothing that we can rely on has been provided to us.

Later that day, the WSLCB sent to me a letter from the State of Washington Office of Cyber Security (see “Exhibit 4”).  The letter states, “We have completed our security design review on the new cannabis traceability system provided by Leaf Data Systems vendor MJ Freeway… the project, as proposed, uses appropriate security controls and methods to meet OCIO IT security standards at the time of review.”  Though we greatly appreciate the efforts of the WSLCB staff to obtain this letter, it does not provide much information or the peace of mind that we are seeking.  

  1. The letter does not provide a date for when the review was performed.  No review can provide any assurances about current system security if it was performed before the “spoof” email was sent to licensees.  
  2. The letter states that it was the security design that was reviewed; the system itself did not undergo generally accepted security audit testing.  That is like the difference between, “Patrick, we reviewed the airplane design you drew on paper and the design should fly,” versus, “Patrick we tested the actual plane you built and it successfully flew.”
  3. Finally, the OCIO’s online project dashboard’s OCIO Assessment reads, “user authentication requirements and Security Design Review increase risk due to imminent project implementation deadline” (emphasis mine) for 07/13/2017, 07/27/2017, 08/22/2017, and 09/15/2017.  Now, I don’t know what this means, and to be fair I only just found this today and have not given the WSLCB an opportunity to help me understand what this comment means, but my current interpretation is that on each of those dates, the Security Design Review continued to increase the risk that the project would not be completed on time because the review remained ongoing as the system was being developed (see “Exhibit 5”).

(https://http://waocio.force.com/ProjectDetail?id=a060P00000ezEk1QAE)

The WSLCB has been quoted recently in the media saying, “We’ve given them everything that we have and every assurance.”  Now I understand that this is likely true; that the WSLCB has given to us what they are allowed to give us.  However, everything they have given us thus far has been verbal and one brief letter on which we cannot place a great deal of reliance.  Again, we have a responsibility to our other government clients, to the licensees who depend on our business software, and our staff to take every reasonable precaution to protect our technology from security risks.  Accepting any extension of the current situation without reasonable assurances, regardless of the amount of money offered, would be irresponsible.

Again, we did not decline the WSLCB’s extension request.  We just cannot move forward until these concerns are dealt with.  We are still actively searching for alternative means to help us determine how sensitive non-public data came to be found within the “spoof” email sent to the industry and welcome any assistance from any other party, WSLCB or otherwise.

Can BioTrack Accept The Extension After October 31st If The Security Issue Is Addressed Shortly After?

I am not sure as I am not an attorney that specializes in Washington’s government contract law.  However, I do not believe either the WSLCB or BioTrack can “extend” a contract that is no longer in effect.  There may be a way to justify a sole-source procurement where the WSLCB can offer a new contract should the current contract expire, but we would have to consult an attorney.

What Is BioTrack’s Plan If The Contract Expires on October 31st?

We learned about the WSLCB’s “contingency plan” from the same announcement that many others in the industry received on Thursday, October 19th, and we learned on Tuesday October 24th, with everyone else that the manual spreadsheet era is expected to last at least through January 1st… so many of our plans are rapidly evolving and still solidifying.  That being said, here is our game plan for now.

First, BioTrack is committed to its direct commercial customers: those who rely on BioTrack’s business system for inventory management and point-of-sale.  It is our intent that in every way possible, your BioTrack business system will automatically generate the spreadsheets necessary for submission to the WSLCB so that there is a reduced impact to your business.  Please have patience with us as we are working with a moving target.

Secondly, the success of Washington’s industry as a whole – and therefore the success of every licensee in Washington whether you use our business platform or not — is important to us.  We have no intention of giving the federal government any reason to give this industry a hard time.  BioTrack understands that even with manual spreadsheets, there needs to be some method of communication and data exchange between licensees regardless of which third-party commercial system you use.  One common denominator for every third-party commercial software system in Washington is that it successfully integrates with our API.  Because BioTrack owns its traceability technology and licenses it to state governments for use, we can create a private-sector version of our traceability system that would mirror the current traceability system.  It would even include a web-interface for the licensees who have relied on the freely-provided MJ Traceability website, and it would have the current version of the Washington API so every current business seed-to-sale provider will already be integrated with it.  Though we are still working on the specific mechanics, all it would take is for everyone to point their systems to the new URL (website); all functions and all data that is currently coordinated and exchanged between licensees would be nearly identical, if not perfectly identical, to the way things presently work.  This private-sector “clone” of BioTrack’s traceability system could continue to operate for as long as we need it to, even if a worst-case scenario were to happen and the WSLCB’s system is unable to go-live by January 1, 2018 as planned.  We have yet to figure out the economics, but our goal is to just get the job done first and worry about the rest later.

Please remember that we are attempting to surf a wave in the wild here, so I can guarantee you that there will be turbulence as we go; however, my team and I believe that this is our best option to avoid industry Armageddon and we will all band together to navigate these unpredictable waters as best we can.  We have already received an outpouring of support from the other third-party software systems and in spite of the fact that we’re competitors and have our differences, I know that we can continue to use this challenge as an opportunity to bring the industry together for everyone’s success.

 

Highest Regards,

Patrick Vo

President and CEO

BioTrackTHC

 

Exhibit 1

Email — October 16, 2017

No changes have been made to this email reproduction other than the removal of recipients who were cc’d.

—    —

From: Patrick Vo <patrick.vo@biotrackthc.com>
Date: Mon, Oct 16, 2017 at 12:28 PM
Subject: BioTrack – Follow-up On Friday’s Call
To: “Antolin, Peter P (LCB)” <peter.antolin@lcb.wa.gov>

Peter,

First of all, because the question came up on Friday’s call, I want to reiterate that we are indeed interested in the possibility of an extension.  Neither I, nor Director Molloy would have invested our time for the call were that not the case.  However, though it is the LCB’s prerogative to believe that there are no security issues related to the LCB or any of the LCB’s other vendors, we’ve heard otherwise from other third-party vendors within the state who have uncovered concerning evidence to the contrary.

It was also asked of us why security is an issue when all the LCB is asking for is an extension of the status quo.  To reiterate and clarify what Mr. Molloy stated on the call, that question assumes that we are okay with the status quo.  However, the status quo changed when another company was chosen to essentially be a co-vendor with the LCB and BioTrack, followed by reports surfacing that Washington-specific data not otherwise available to the public began being distributed.   

The current status quo has already harmed both our reputation and our peace of mind with respect to security risk.  Please understand that we have continued to provide our traceability technology, support, and weekly data dumps of the entirety of the database because we remain contractually obligated to do so, not because the new status quo is in any way comfortable for us.  Every passing day in which we find our reputation and security co-mingled with another vendor without any assurances that our technology—and therefore our livelihoods—are safe within this new co-mingled environment compounds our anxiety and intensifies our desire to exit the unsafe situation. 

With respect to reputational harm, at least two state agencies have reached out to one of our other government clients with concerns that they heard that the “Washington Traceability System” was allegedly compromised.  At this point, BioTrack has become synonymous with Washington’s Traceability System and so we had to assertively defend ourselves; and these are just the two inquiries that we know about.  This cannot continue.

With respect to security risk, because LCB owns the data captured by the traceability system (including password hashes included within the database), we currently have no viable method available to us of ensuring perfect security of our systems within the current co-mingled situation.  Even if every single password was changed tomorrow, this would only provide temporary relief until the next weekly file.

Thankfully, the third-party vendors who have been independently investigating this matter have yet to uncover evidence that passwords themselves have been compromised.  Nevertheless, their findings thus far suggest that there is indeed a breach somewhere. 

On the call, we asked for assurances that the alleged breach either did not happen or has since been remedied if it did happen.  Please remember that we at BioTrack do not know what the LCB knows, and so we have no solid footing when it comes to understanding our risk exposure to being co-vendors with the LCB’s other system provider.  We are not asking for anything inappropriate.  We expect the LCB to protect their own proprietary information, and that of any other vendor, just as we would expect the LCB to protect our own proprietary information.  However, we don’t know what to ask for because we don’t know what we don’t know. 

The consensus from the majority of our board of directors is that, though the LCB’s request for an extension remains on the table, the current situation represents an imminent and unknown risk.  We have a responsibility to our customers, employees, and shareholders to not endanger our own security. 

You mentioned on the call that the vendor whom the reported evidence appears to implicate has already completed a security audit or something similar by the OCIO.  In order to keep the momentum of our conversation moving as quickly as possible, and to avoid putting the agency in an awkward position, we submitted a public records request on Friday for a (presumably redacted) copy of the completed information technology security audit for that vendor.  We know that it may take a few days to receive whatever redacted information will be made available for public inspection, but whatever is contained therein might go a long way towards allaying our concerns.

Finally, you requested a dollar figure from us earlier in the week, and once again Friday.  We have made good faith attempts at determining a price, but without knowing the risk factor we cannot put a price on the unknown potential exposure component.  The value of the contract to BioTrack is its revenue less its costs; and the probability of costs related to potential events such as a security breach, our source code made public, reputation loss, commercial client loss, other government client loss, litigation, etc… are undefinably higher now than they were prior to the other vendor’s co-existence with BioTrack and the LCB.  Better understanding those risks is a prerequisite to determining the likely costs and therefore the contract extension as a whole.

I know that this is not the answer you were hoping for; but it is the most responsible answer I can give you given the circumstances and the concerns of our directors.  We will wait for the public records from OCIO and will continue to work with other third-party vendors to independently investigate the reported matters in order to reach a conclusion with respect to our risk exposure moving forward and that risk exposure’s appropriate price. 

We understand that the LCB is pressed for time and may need to withdraw its request for an extension if you are not able to wait for us to receive and inspect the requested public documents from OCIO.  Any further assistance the LCB can provide in allaying our concerns and the concerns of other third-party vendors would be greatly appreciated.  We hope to come to a resolution in the best interest of all parties that does not sacrifice security, and I trust that you would expect nothing less.

Sincerely,

Exhibit 2

Email — October 19, 2017

No changes have been made to this email reproduction other than the removal of recipients who were cc’d.

—    —

From: Patrick Vo <patrick.vo@biotrackthc.com>
Date: Thu, Oct 19, 2017 at 12:21 PM
Subject: Re: BioTrack – Follow-up On Friday’s Call
To: “Antolin, Peter P (LCB)” <peter.antolin@lcb.wa.gov>

Peter,

I know I sound like a broken record, but I registered our concerns again because we do not feel that those concerns have been sufficiently addressed.  I am not sure what you meant by “the most we could offer was the information that we provided last week,” as we were not provided anything of substance.  We appreciate the fact that the LCB is leaning on a review performed by the OCIO that found no adverse security concerns, but we have not seen any documentation with our own eyes or even a document stating that we are prohibited from seeing such documentation.  No offense, but we cannot just take your verbal word on something that could have far reaching consequences for our livelihoods and our customers. 

I am an accountant by training.  If someone withdraws $1,000 from the company bank account, that person would have to show me a receipt proving where it went.  A response of, “I have the receipt, but I cannot produce it for you,” is not one that anyone could reasonably accept.

Here is how a hypothetical conversation with my board of directors or one of our customers may go with what we have been provided thus far:

      Patrick:    “The LCB tells me that everything is fine and that we should not be concerned.”

      Board:     “How do you know?”

      Patrick:    “Because they told me so.”

      Board:     “Have you reviewed the evidence that supports this conclusion?”

      Patrick:    “No.  The LCB tells me that I am prohibited from reviewing the evidence.”

      Board:     “How do you know you cannot review the evidence?”

      Patrick:    “Because they told me so.”

 

I’m not trying to make light of the situation, but please appreciate the position we’re in in that nothing that we can rely on has been provided to us.

Thank you for taking a second look at the spoof email.  Other third-party software providers have analyzed the sample database provided from that spoof email and have reported that it contained the following information that is not available in the FOIA data that the LCB releases:

  • User email addresses of vendor staff and LCB staff,
  • Licensee employees, drivers, and vehicles (tag and VIN).

Obviously, there’s not much you can do regarding the Nevada data and the Pennsylvania data, but any insight you could provide on how this information left LCB custody would be helpful.

I understand that all Washington agencies are held to the same public disclosure standards, whether LCB, OCIO, or otherwise.  However, as stated earlier, even a reply from OCIO stating that the document exists but cannot be made available for public inspection is still more than what I have at the moment.  We are doing everything we can to quickly get comfort over the discomforting red flags and are leaving no stone unturned. 

The potential security risks are a major concern, but I would be remiss to not also reiterate the reputational damage as a concern.  Whether or not the LCB believes that the alleged security breaches are real, state agencies from across the country have heard about and expressed concern regarding them.  We remain at the forefront of having to defend both our credibility and the LCB’s credibility to current and prospective government clients without any assurance that we will not have to continue to do so should we agree an extension.

When we first spoke last Monday about the possibility of extension, you assured me multiple times that the current project is running on schedule and that the extension was being offered to us for the benefit of the third-party software providers, and for that we are grateful for the LCB’s consideration.  I want to be clear that we are not saying “no” to the extension.  We just cannot consider any other factors until we can resolve these concerns and they have not yet been resolved.  However, we don’t want our security concerns to cause a burden on the LCB if everything is indeed running on time.  We have done our best to be partners with the LCB since the beginning so we hope that we can resolve our concerns before next week’s transition. 

__________

For copies of the emails:

https://goo.gl/4rhvZa

 

 


