Photo of Nathalie Bougenies

Located in Harris Bricken's Portland office, Nathalie practices corporate law, intellectual property, real estate, and litigation, enabling her to assist companies with a wide range of legal and business challenges.

marijuana north dakota missouri utahLast week, we discussed New Jersey, Oklahoma, Michigan, and Virginia’s recent legislative and/or referendum developments in ending marijuana prohibition.

Today, we look at the three other states that will decide the fate of recreational and medical marijuana locally during the November election.

North Dakota

Last month, North Dakota’s recreational pot measure, Measure 3, was approved for bringing the matter to a public vote. Legalize ND, the committee that introduced this measure, managed to submit more than the 13,452 valid petition signatures which are required to get a measure on the November ballot.

Measure 3 aims to legalize marijuana use by people 21 and older and seeks to seal the records of anyone convicted of a marijuana-related crime.

In May, the North Dakota Sheriff’s and Deputies Association introduced a measure opposing Measure 3 as it believes legalizing recreational marijuana would create more problems for law enforcement, such as more impaired drivers and fatalities. Another anti-legalization organization, Smart Approaches, is also working to oppose the ballot measure.

In response, Legalize ND is planning to bring in members of Law Enforcement Against Prohibition, better known as LEAP, a pro-legalization organization composed of former and current police officers, federal agents, judges and prosecutors, that are critical of existing drug policies.

Utah

Although Utah is a rather conservative state, state voters are ready to decide the fate of medical marijuana ballot measures.

Proponents of Utah Proposition 2 collected about 200,000 signatures, which is roughly 80,000 more signatures than is required for ballot inclusion.

If the measure were approved, patients suffering from qualifying medical conditions with medical cards would be able to buy up to 2 ounces of unprocessed marijuana with no more than 10 grams of tetrahydrocannabinol (THC) or cannabidiol (CBD) every two weeks. The measure would continue to ban smoking marijuana, driving under the influence of marijuana, or using marijuana in public view except in a medical emergency.

Missouri

Missouri voters will get to choose from three medical marijuana measures in the November ballot. Two of the ballot measures are constitutional amendments; the third one is a statutory change. Although the details of the three measures vary, all would provide legal protection to patients and would regulate the production, processing and retail sales of cannabis.

New Approach Missouri championed one of the proposed constitutional amendments, which would allow doctors to recommend medical cannabis for any medical condition they see fit. Registered patients would be allowed to grow up six marijuana plants and purchase up to four ounces from dispensaries each month. A four percent tax would be imposed on the sales of medical cannabis.

The other proposed constitutional amendment, backed by Find the Cures, would let doctors recommend medical marijuana to patients who suffer from one or more of the listed qualifying conditions. The retail sales tax, which would be set at 15 percent, would be used to support research to develop cures and treatments for cancer and other diseases.

Lastly, the proposed statutory change, sponsored by Missourians for Patient Care, would also afford access to medical marijuana to qualifying patients who suffer from specific conditions. Under this measure, sales would be taxed at 2 percent.

Undoubtedly, it will to be a busy election season for the legal marijuana industry. We will keep you posted on any other legislative or referendum developments between now and the November 6 election.

marijuana cannabis state legal
Great progress so far in 2018.

The path to marijuana public reforms is inevitable. According to recent surveys, 64 percent of Americans favor the legalization of marijuana and roughly 90 percent support its legal use for medical purposes. This growing popularity of cannabis has been reflected in recent legislative and referendum actions across the country at the state level.

Earlier this year, shortly after Vermont legalized, we looked at four states–New Jersey, Oklahoma, Michigan, and Virginia–most likely to follow the footsteps of the existing 9 states that had already passed laws to regulate marijuana and the 28 with medical cannabis programs. Today, on the eve of the November 6 elections, we take another look at the legislative and/or referendum developments in these jurisdictions and see whether these four states have in fact come closer to ending marijuana prohibition.

New Jersey

New Jersey’s governor, Phil Murphy, has made legalizing, regulating, and taxing marijuana a goal of his administration. Unfortunately, Gov. Murphy has yet to convince lawmakers to pass a combined bill that aims to (1) expand medical marijuana and (2) fully legalize recreational marijuana for adults. Because New Jersey does not allow its citizens to bring direct initiatives, the fate of marijuana will have to be decided by legislators, a process that will most certainly take time. But the state seems close.

Oklahoma

On June 26th, Oklahoma voters approved State Question 788, an initiative that legalized the use of medical cannabis. Specifically, the initiative allowed for the use, cultivation, and distribution of medical cannabis to qualified patients. The Oklahoma Medical Marijuana Authority (“OMMA”), which oversees the program, has been accepting online applications since August 24th. As of early this week, OMMA had already issued more than 1,000 patient licenses and 100 business licenses.

Michigan

In April, the Michigan Board of Canvassers ruled (a 4-0 decision) that the Coalition to Regulate Marijuana Like Alcohol, the committee behind the initiative that would end marijuana prohibition in the state, had collected enough signatures to qualify for the November 6 ballot. According to a March survey conducted by the Michigan-based pollster EPIC-MRA, 61 percent of Michigan voters favor the legalization and regulation of marijuana. If this poll is accurate and if the initiative were to pass, it would:

  • Legalize the possession of up to 2.5 ounces of marijuana for personal use by individuals over the ages of 21;
  • Allow possession of up to 10 ounces of marijuana at home;
  • Impose testing and safe transportation guidelines within the state;
  • Impose a 10 percent excise tax on the sale of marijuana at the retail level and a 6 percent state tax;
  • The revenues generated from those taxes would be allocated as follows: 35 percent to K-12 education, 15 percent to roads, 15 percent to communities that allow marijuana businesses in their communities, and 15 percent to counties where marijuana businesses are located; and
  • Give communities the opportunity to decide whether to allow marijuana businesses in their towns.

Virginia

Like Gov. Murphy, Virginia Gov. Ralph Northam was unable to convince his colleagues to pass a bill decriminalizing marijuana before the end of his first legislative session. Although marijuana possession remains a criminal act in the state, Gov. Northam managed to enact on major piece of legislation this year by signing a bill that will allow doctors to recommend cannabidioil (CBD) or HC-A oil for any medical condition.

Next Up

Other states will decide the fate of recreational and medical marijuana during the November election. North Dakota voters will consider initiatives that would legalize and regulate marijuana for adults’ use, whereas voters in Utah and Missouri will decide the fate of medical marijuana ballot measures. I’ll cover those states in part two of this installment.

In addition, the legislature of the Commonwealth of the Northern Mariana Islands has recently approved a bill to legalize and regulate marijuana for adult and medical use. The bill is now sitting on Gov. Ralph Deleon Guerrero Torres’ desk. If enacted, the bill would make the Commonwealth of the Northern Mariana Islands the first U.S. territory to legalize and regulate marijuana for adult use.

cannabis cbd alcohol beerThis past year, the country has witnessed widespread interest in the use of cannabis in its nutraceutical (when added to food or drinks) form. Cannabidiol (“CBD”), the non-psychoactive chemical compound found in the cannabis plant, has gained great popularity among alcohol beverage companies. The growing popularity of CBD-infused products combined with their mainstream nature has given alcohol beverage companies the false impression that blending CBD into their products is an easy process. This post bursts the myth by highlighting the regulatory labyrinth into which alcohol beverage manufacturers must venture to enter this growing, popular market.

Alcoholic beverages are regulated by federal and state law. Consequently, beer, wine and spirits producers are generally accustomed to navigating rules, various forms of licensure, and modes of compliance related to their industry. Their familiarity with comprehensive regulations makes alcohol beverage companies well equipped to navigate the intersection between alcohol and cannabis, which is heavily regulated at the state level.

Unlike alcohol, though, many forms of cannabis are strictly federally prohibited. As such, “marijuana” and “tetrahydrocannabinols” (THC) are listed on Schedule I of the Controlled Substances Act (“CSA”). The CSA defines “marijuana” as:

“all parts of the Cannabis sativa L. plant whether growing or not; the seeds thereof; the resin extracted from any part of such plant; and every compound, manufacture, salt, derivative, mixture, or preparation of such plant, its seeds or resin.”

The CSA exempts certain parts of the cannabis plant from the definition of marijuana, including hemp-derived CBD products that are manufactured with hemp grown as part of a Farm Bill-authorized state pilot program. Accordingly, only CBD derived from industrial hemp (“Hemp” or “Hemp-CBD”) is allowed in the formulation of CBD-infused alcoholic beverages.

The U.S. Alcohol and Tobacco and Trade Bureau (“TTB”)’s 2000 Hemp Policy (the “Policy”) dictates how manufacturers may use Hemp-CBD in their alcohol products. The Policy sets forth the requirements for formulas and statements of process producers may use. Although the TTB permits the use of Hemp derivatives in alcohol products, the federal agency strictly prohibits producers from using “depictions, graphics, designs, devices, puffery, statements, slang, representations, etc. implying or referencing the presence of hemp, marijuana, and other controlled substance; or any psychoactive effects.” In other words, producers should refrain from using the term “CBD” in their formula or statement of process as the TTB seems to interpret the term as unlawful under federal law.

In addition to submitting the list of ingredients and the method of manufacture they intend to use, producers must provide the TTB with an analysis conducted by a U.S. lab of the hemp components that will be used in the product. A detailed description of the method employed by the U.S. lab must also be presented to the TTB.

The TTB will approve the formula or statement of process if the finished product does not contain a controlled substance. Once the hemp components have been tested for controlled substances, producers must ensure that detailed records are kept at the manufacturing premises for inspections, which we hear may occur as early as within the first month of production.

Once a producer receives TTB approval, which may take up to two years, the producer must then comply with state rules and regulations. In Oregon, for example, manufacturers must provide proof to the Oregon Liquor Control Commission (“OLCC”) that they have met the TTB formula requirement and meet the OLCC labeling requirements before they can manufacture and sell the infused beverage in the state. Oregon beverage producers who intend to sell their infused product outside of Oregon must also show the OLCC that they comply with the TTB labeling requirements.

As this post underlines, obtaining approval for the manufacture and sale of hemp-CBD infused alcoholic beverages is a complex process, due primarily to the uncertain nature of hemp-CBD laws. Therefore, it is crucial for any company intending to enter this market to consult with an experienced, well-versed law firm (like us!) prior to moving into this trending space.

oregon marijuana cannabis oversupply black market
We are not convinced by the HIDTA report.

Earlier this month, Billy J. Williams, U.S. Attorney for the District of Oregon, responded to a recent federal report on drug policy in Oregon by calling the state’s cannabis program “out of control.” The report in question was published by the Oregon-Idaho High Intensity Drug Trafficking Area (“HIDTA”), a federally-funded organization dedicated to combatting drug trafficking and to preventing the diversion of marijuana from states where it is legal to states where it is not, which examined Oregon’s cannabis production, distribution, and consumption since its legalization in 2014 (“HIDTA Report”).

By and large, the HIDTA Report reiterates the findings of last year’s controversial report published by the Oregon State Police Drug Enforcement Section (“2017 Report”)—which, interestingly, was drafted by the same author—and concludes that the Beaver State is the top source for black market pot in the country. Similarly to the 2017 Report, the HIDTA Report stresses the negative impact overproduction has had on fueling illegal trade from Oregon to other states where marijuana remains illegal.

The HIDTA Report associates overproduction with the unlimited number of cannabis licenses issued in Oregon. Yet, shrinking the pool of available licenses would not make the black market disappear. As we explained before, overproduction in the state is driven by substantial and relentless demand from other states, which have come to identify Oregon weed as a superior product. Therefore, even if the Oregon Legislature were to impose a cap on the number of licenses the OLCC is allowed to issue, black market activity would continue because the demand would not likely decrease.

In addition, the HIDTA Report highlights that Oregon produces more than 2 million pounds of marijuana each year, equating to more than 6 times Oregon’s annual consumption demands, which range from 186,100 to 372,600 pounds. This means that roughly 70 percent of the cannabis produced in Oregon is not state-approved and is instead exported to states where cannabis is currently illegal.

Unfortunately, like the 2017 Report, the findings in the HIDTA Report appear incomplete in that its author cannot point to a single source for direct, reliable information on total state production, which includes both legally and illegally grown marijuana. Although the issues of overproduction in Oregon and interstate leakage are very well present, it is important to stress that such surplus does not commonly emanate from the state-sanctioned cannabis production market (i.e., cannabis grown and produced by Oregon Liquor Control Commission (“OLCC”) licensees). Instead, overproduction tends to stem from illegal growth and from unsanctioned, poorly regulated, quasi-commercial systems like the Oregon Medical Marijuana Program.

Although we suspect that the findings of the 2017 Report and the HIDTA Report reflect the anti-legalization position of the federal government—if you recall, both reports were federally funded—the reports stress the need to tackle overproduction and interstate leakage in a responsive and comprehensive manner, a goal shared by prohibitionists and legalization proponents. For its part, the OLCC has taken recent steps to corral diversion, including its harvest notification rule alongside reduction in purchase limits for medical cardholders. The agency also seems to be taking a tougher stance on rules violations by licensees.

Regardless of OLCC actions, though, and whatever the Oregon legislature decides to do in early 2019, the state’s response must take into consideration the fact that federal illegality is encouraging unscrupulous and desperate cannabis businesses to cut their losses and sell their surplus in the black market. In addition, controlling supply by capping Oregon licenses as a fearful response to interstate leakage would in fact incentivize black markets, because a cap would increase the prices of cannabis. Illegal marijuana grows were prevalent in Oregon prior to 2015, after all.

The legal cannabis market is a nascent industry, making it difficult to determine how it will respond to outside forces. Consequently, we must accept that it will take time for the cannabis industry to adjust to these outside forces and find its equilibrium. This process promises to be rocky, and yes, possibly “out of control” to some.

For more on Oregon cannabis and the oversupply issue, please see the following:

marijuana cannabis Oregon packaging labeling
Don’t worry, your favorite symbol isn’t going anywhere.

Last year, the Oregon Legislature passed Senate Bill 1057, which transferred cannabis labeling authority from the Oregon Health Authority (“OHA”) to the Oregon Liquor Control Commission (“OLCC”). The new rules, which became operational on August 15, 2018, merged the OHA rules with those of the OLCC and further clarified the labeling and packaging regulations. Overall, this is a good thing.

Although the new regulations do not drastically differ from those under the old rules, OLCC licensees (i.e., recreational marijuana producers, processors, wholesalers, and retailers, including those processing and selling hemp products) and OHA registrants (i.e., medical marijuana growers, processors, and retailers) will need to familiarize themselves with these revisions and update their labels to be in compliance by April 1, 2019. At that point, all marijuana items transferred to dispensaries or retail shops will have to be packaged and labelled pursuant to the new rules.

To comply with these new standards, existing licensees will need to resubmit their label and package applications for pre-approval before the April 1, 2019 deadline. Also note that all new label and package applications submitted for pre-approval as of August 15th will be reviewed and evaluated by the OLCC under these rules. Typically, pre-approval takes 2 to 4 weeks but can occasionally last longer.

The most noticeable changes and clarifications to the labeling and packaging rules are as follows:

  • The word “consumer” now excludes “a patient or designated caregiver.”
  • The new rules explicitly provide that they apply to marijuana items and industrial hemp products sold to consumers, patients, or designated primary caregivers. Consequently, the new rules require a clear label of whether the product contains marijuana or hemp. If it contains both, then the label must identify the item as a marijuana item.
  • Marijuana items and industrial hemp products must be packaged in a container that is “resealable and continually child-resistant.”
  • If the product is an industrial hemp commodity or product processed by a licensee, the principal display must include the hemp symbol in place of the marijuana universal symbol.
  • The new rules define “added substances” to mean “any additional component or ingredient added to usable marijuana, cannabinoid concentrate or cannabinoid extract during or after processing that is present in the final product. This includes added flavors, terpenes, and any substances used to change viscosity or consistency of the cannabinoid product.”
  • The new rules no longer provide a distinction for “flag labels.” Instead, the new regulations refer to “small container labels and “tiny container labels,” which have their own requirements.
  • The new rules no longer require test batch numbers on labels.
  • The new rules replaced the font size and font type requirements (at least 8 point Times New Roman, Helvetica, or Arial font) with a provision that the labels display a “legible font that is easy to read and contrasts sufficient with the background and is at least 1/16th of an inch in height based on the uppercase ‘K’.”
  • The new rules rephrased some of the warning requirements to read as follows: “Do not drive a motor vehicle while under the influence of marijuana.” And, “Keep out of reach of children.” (You are no longer required to mention animals.)

Note that while labels must comply with the new rules by April 1, 2019, marijuana items on dispensary or retail shelves that meet old packaging and labeling rules under the OHA will be allowed for sale until December 31, 2019. However, as of January 1, 2020, all marijuana items will have to meet the OLCC packaging and labeling rules and all items with labels that meet the pre-August 15, 2018 rules will be removed from the market.

So, if you are licensed to produce, process or sell marijuana or industrial hemp products in Oregon be sure to review the new rules now to have ample time to update your labels by the April 1, 2019 deadline and avoid any civil penalty, which can go up to $500 per day—Ouch!

Hacking back isn’t the answer, unfortunately.

As I have discussed for the last two weeks, cannabis businesses have become increasingly vulnerable to cyberattacks. It is natural for a company victimized by data breaches to want to retaliate by hacking back. However, under current U.S. law, which is codified under the Computer Fraud and Abuse Act (“CFAA”), it is strictly prohibited to intentionally access another’s computer without authorization.

Legislators have given some thought to this problem. Most recently, the re-introduction in October 2017 of the Active Cyber Defense Certainty (“ACDC”) Act, a bill sponsored by Congressman Tom Graves (R-Ga) and Congresswoman Krysten Sinema (D-Az), raised questions about the legality of counter attacking. Indeed, the ACDC Act proposes to amend the CFAA and enable victims of cyberattacks to adopt active defensive measures to identify the hackers, destroy information originally stolen from the victims’ networks, and attack the intruders’ servers to interrupt the ongoing attack. Although an eye-for-an-eye form of justice is appealing, unauthorized access to networks is not a good idea. Here is why.

First and foremost, the ACDC Act has not be enacted. This means that the CFAA remains the law of the land, and accessing others’ computer systems without their permission is a criminal offense. Every state law punishes hacking under the computer crime statutes. These crimes carry serious penalties ranging from a class B misdemeanor (punishable by up to six months in prison, a fine of up to $1,000, or both) to a class B felony (punishable by up to 20 years in prison, a fine of up to $15,000, or both).

Second, even if retaliation were legal, most companies would lack the expertise required to safely conduct an offensive cyber operation. It is incredibly difficult to identify individuals and entities behind cyberattacks. Most intruders cover their tracks very carefully by using encryption and by routing strikes through others’ computers. Given this, counter hacking would most certainly result in attacking computer systems and destroying data belonging to innocent third parties.

Then, there is the issue of whether victim companies have the technical proficiency required to effectively take counter measures against cyber intruders. Indeed, the internal tools needed to effectively hack back represent a major undertaking: a high level of expertise, constant vigilance, and huge financial resources. Moreover, it is highly unlikely that companies that could not prevent the intrusion of their networks would manage to take on their attackers on their own digital turf.

Lastly, retaliation by companies that fell victim of a data breach would most certainly impede law enforcement investigations and delete or temper with evidence that could be useful in a prosecution. Unlike law enforcement agencies, companies do not have the relevant technical expertise or diplomatic tools to pursue hackers. Most companies ignore how to preserve a chain of custody that would enable the introduction of untampered evidence at trial. In addition, counter hacking is an incredibly dangerous endeavor because it is very difficult, if not impossible, to see what a company would be up against. In retaliating, a company would run the risk of escalating the situation and of further injuring itself.

As I have discussed before (here and here), no one and no company is immune to cyberattacks. It is understandable that companies, including cannabis companies, are getting tired of being passive and of merely defending against these breaches. However, hacking back is not a feasible option given its illegality and the negative consequences it could have on the retaliating company. When faced with a data breach, don’t let your emotions dictate your actions; instead, stick with a comprehensive plan of action that will help you minimize your damages and let skilled, experienced law enforcement agents do the job of tracking and investigating your attackers.

cannabis marijuana cyber attack security
Be prepared!

As I discussed last week, hacked devices, breached networks, and stolen proprietary information have become commonplace in the cannabis industry. Because cybercrime variants are continually emerging, no company can achieve totally assured cybersecurity. Consequently, we strongly encourage all our clients to adopt a cyber incident plan for responding to attacks before they occur. Developing a vetted, comprehensive plan of action is the best way to effectively respond to an attack and to reduce the amount of damage to your company.

This post highlights some of the best practices for preparing and responding to a cyberattack.

Before falling prey to a cyberattack, your company should:

  1. Identify Valuable Assets. Depending on your needs, it may be cost prohibitive to protect your entire business. Therefore, before creating a cyber incident plan, you should determine which data, assets, and device warrant the most protection.
  2. Develop a Plan of Action. Cyber incident plans will differ in size and structure, but at a minimum, your plan should:
    (i) Name those who have lead responsibility for different aspects of the response;
    (ii) determine ways to contact critical personnel at all times;
    (iii) identify how to preserve your most valuable assets, data, and device in a forensically sound manner; and
    (iv) develop notification plan for customers and data owners whose data would be compromised during an intrusion.
  3. Adopt Appropriate Technology and Services. Adopting off-site data back-up, intrusion detection capabilities, and data loss prevention technology will help you detect intrusions soon after they occur and help minimize the loss of valuable information.
  4. Implement Internal Preventative Policies. You must assist your employees with recognizing internal and external vulnerabilities to prevent security breaches but also to effectively react to attacks. Employee training should address issues such as safe password management, cryptographic communications, secure browsing practices and proper system configuration.

Following a breach, you will need to focus on mitigating damages and working with law enforcement. Specifically, you will need to:

  1. Assess the Nature and the Scope of the Incident. You will first need to determine whether your company is faced with a malicious act or a technical glitch.
  2. Capture the Extent of the Damage. If you detect a cyberattack, you should immediately make a forensic image—an image or exact, sector by sector, copy of a hard disk—of the affected computer(s), which will be used for later analysis and may possibly serve as evidence at trial.
  3. Implement Measures to Minimize Damage. To contain the attack and prevent it from spreading, you will need to stop ongoing traffic caused by the attacker. Some measures include rerouting network traffic and isolating all or parts of the compromised network.
    Regardless of the option you select, be sure to keep detailed records of all steps taken. This information may be relevant for recovering damages from responsible parties.
  4. Notify. The notification list includes:
    (i) Relevant Personnel: You should inform the relevant personnel (i.e., managers, IT department, security department, and legal department) of the attack and keep them informed of the preliminary analysis.
    (ii) Law enforcement: Generally, you will need to contact law enforcement authorities to assist with investigating the intrusion. Law enforcement can also help coordinate statements to the news media concerning the incident, ensuring that information harmful to the company’s interest won’t unnecessarily be disclosed.
    (iii) Customers: All 50 states have now enacted breach notification laws that require companies faced with a cyberattack to inform customers whose data was compromised by the intrusion. Accordingly, soon after the attack, you should prepare a statement that explains to the customers the scope of the breach of security and which remedial efforts were adopted.

Cyberattacks can raise unique legal questions. Therefore, you should consult with attorneys who are accustomed to addressing these types of issues to assist you with decisions, such as how to interact with government agents, the types of preventative technologies you can lawfully use, your obligations to report the loss of customer information, and your potential liability for taking specific remedial measures when faced with a cyberattack.

cannabis cybercrime
Protect your business and its data from theft.

To our surprise, many of our clients remain convinced that they are immune to cyberattacks. Yet, cannabis businesses house incredibly valuable information, making them exceedingly vulnerable to these attacks. This misplaced confidence has led numerous cannabis companies to operate without the necessary protective measures. Given the fact that more than 4,000 attacks occur daily, this post briefly discusses how cybercrime is affecting the cannabis industry and provides basic precautions companies should take to reduce the risk of falling prey to cyber hackers.

The most common type of cybercrime is known as ransomware. Ransomware is a form of malware that targets a business’s sensitive information for extortion purposes. This information may include customer lists, trade secrets, financial information and research and development information. Specifically, hackers block access to a database or system until the user agrees to pay a ransom. Not only does the temporary, and potentially permanent, loss of critical data disrupts a business’s regular operations, it also creates massive financial losses associated with restoring systems—assuming the business pays the ransom and that the hacker provides access back to the database—and severely damages the business’s reputation.

Bringing about awareness and training your team is a paramount preventative measure. Indeed, effective precautionary measures can significantly mitigate the risk of falling victim to a cyber infection. Here are a few simple precautions cannabis businesses should take:

  1. Educate Your Personnel: Attackers often enter a business by deceiving an internal user to disclose a password or click on a virus-laden email attachment. You should therefore remind your employees to never click or open unsolicited email attachments. In addition, you should emphasize the importance of not sharing personal passwords to be able to determine how your system was compromised in the event of an attack.
  2. Use Complex Passwords: You should use 12-character or longer passwords and change your passwords regularly.
  3. Enable Strong Spam Filters: Strong spam filters will prevent phishing emails, which purport to be from reputable companies to induce individuals to reveal personal information, from reaching the end users and will authenticate incoming emails.
  4. Set Anti-Virus and Anti-Malware Programs: Setting anti-virus and anti-malware programs will automatically and frequently scan your database and system to detect threats and filter files from reaching end users.
  5. Shred Physical Documents Containing Sensitive Information: Avoid old fashioned dumpster diving by shredding all sensitive information you may have printed or written down.

Although ransomware is the most commonly known and used technique, it is no longer the sole method of attack used against cannabis businesses. You may recall the precarious situation in which MJ Freeway, the giant cannabis compliance software system, found itself in 2016 and again in 2017. The company’s databases were hacked, preventing MJ Freeway from processing transactions and precluding over 1,000 dispensaries from tracking sales and inventories for weeks. These cyberattacks against MJ Freeway revealed a new kind of cybercrime where no extortion demands are made, but rather are used by competitors to destroy valuable data to gain a competitive advantage.

The MJ Freeway case highlights the concerning fact that cybercrime variants are continually emerging, making companies, including cannabis businesses, increasingly more vulnerable to these attacks. Accordingly, cannabis businesses must stop underestimating the value of their data and must protect it by putting in place a comprehensive data security system that will minimize their risk of attack and ensure the continuation of their financial success in this high-risk cyber environment.

cannabis copyrightI previously discussed how cannabis works of authorship, including the design of sufficiently original logos (only the graphic elements of the logo, not the words), are copyrightable. I also alluded to the possibility that such copyrights may be unenforceable due to the federal illegality of cannabis. Indeed, whether a cannabis copyright is enforceable remains speculative as none of the U.S. federal district courts (which hold exclusive jurisdiction over copyright infringement cases) have issued an order in a cannabis copyright lawsuit. Today, I revisit this issue by looking at whether federal district courts have enforced other copyrighted illegal works and how those legal decisions may help us determine the likelihood of courts enforcing cannabis copyrights.

Under current copyright law, illegal works are often treated similarly to other works. Illegal works are entitled to copyright protection and are eligible for registration so long as the works are:

  1. Original, meaning that the works are independently created by their authors and possess a “modicum of creativity;” and
  2. Fixed in a tangible medium of expression, which allows for their reproduction.

A certificate of registration from the U.S. Copyright Office is a prerequisite to initiate a lawsuit for copyright infringement—including lawsuits alleging infringement of illegal works. To establish copyright infringement, a plaintiff must prove two elements: First, ownership of a valid copyright, for which the certificate of registration will provide prima facie evidence; and second, that the defendant copied substantial elements of the copyrighted work.

Copyright law does not require the plaintiff demonstrate the legality of the work’s content. The currently prevailing view is that “even illegality is not a bar to copyrightability.”

Because illegal works are copyrightable, illegality is not generally a defense in an infringement suit. For example, the Ninth Circuit Court of Appeals has held that fraudulent content is not a defense to infringement. The Fifth Circuit Court of Appeals reached a similar decision when it dismissed the defense of obscenity to a claim of copyright infringement.

Favoring the enforcement of copyrighted illegal works is also consistent with their authors’ constitutional right to freedom of speech. If Congress were to impose copyright restrictions on illegal works, it would essentially censor these works, which would likely be deemed unconstitutional.

So, given the fact that the prevailing view under U.S. Copyright law is that illegality is not a bar to either copyrightability or enforceability, it is likely most U.S. federal district courts would enforce cannabis copyrights. Therefore, the strong likelihood of a court enforcing cannabis copyrights, combined with the ease and minimal cost of copyright registration, should incentivize you, cannabis businesses, to copyright your work.

cannabis marijuana copyright
Definitely worth a shot.

Every business thrives on brand differentiation. One of the most effective ways to promote public identification and recognition is to enhance and protect your brand. Your brand is of course your name but it is also your logo. Beyond that, really, it’s everything about you.

As far as “formal” branding elements, logos are right there at the top. Still, there is a fair bit of confusion among business owners and even lawyers about how logos are legally protected. Are they to be registered as trademarks? Copyrights? Are logos registrable as both?

Let’s look at trademark first. Trademarks are words, phrases, symbols or designs that identify the source of a product and help distinguish that product from that of competitors. The very best way to protect your brand name and logo is to register it as a trademark. However, as we have written about extensively on this blog, federal trademark protection is not typically available to cannabis businesses because the federal illegality of “marijuana” prevents owners from demonstrating lawful use of their marks in commerce, necessary under the Trademark Act.

Although trademark law is the preferred means to protect a logo, it is not the sole intellectual property tool a cannabis business can use. Copyright protection may be available as well. Unlike trademark law, copyright law does not prohibit registration of works that concern illegal subject matter. Accordingly, cannabis-related works, including logos, often may be copyrighted.

To benefit from copyright protection, a cannabis logo must:

  1. Be original to the author, which means the author must have created the work independently (i.e., the work must not be copied);
  2. Possess a “minimal degree of creativity;” and
  3. Be fixed in a tangible form that is sufficiently permanent to be reproduced.

Therefore, logos that are adequately original and ornate have a strong chance of being copyright protected, even without registration. But it is in the business’s best interest to register its logo with the U.S. Copyright Office. Registration affords significant benefits, because it gives the business the right to sue and to be awarded statutory damages and attorney’s fees should it prevail on an infringement claim. In addition, copyright registration is relatively straightforward and inexpensive.

There is one significant catch, however. Many logos consist of words combined with graphic images: For example, Starbucks Coffee’s logo in which the brand name encircles a mermaid design. Trademark law allows both the words and the images to be protected. But copyright law will generally apply only to the graphic elements of a logo. Short phrases, including brand names, tag lines, and titles, are not copyrightable. You can submit a copyright registration for your logo with words and graphics. It will not be rejected by the Copyright Office, because copyright registrations are not reviewed or examined. But your copyright will only cover the pictures in your logo, not the brand names or catch phrases.

There is some risk that the federal illegality of cannabis would arise in certain facets of litigation and hinder the enforceability of the copyright. (The same would be true in cannabis patent enforcement cases, as we discussed here.) However, there is no provision in copyright law prohibiting works that address illegal activity, as there is in trademark law. Such risk is speculative as no cannabis copyright infringement case (or patent infringement case) has been litigated.

Assuming the copyrighted logo of a cannabis business is enforceable, it affords the business the exclusive right over the graphic portion of the logo’s reproduction and public display. In addition, copyright protection gives the cannabis business the possibility of receiving compensation for the use of the logo by others in some circumstances. Keep in mind, however, that a copyright will not allow you to collect royalties every time someone mentions your product by name. Nor would you want to prevent anyone from mentioning your product!

Given the fact that cannabis businesses are presently barred from securing federal trademark registration for their logos, they should consider copyright registration for the graphci portion of logos. While not as valuable as trademark protection, the value proposition for copyrights is strong because registration is cheap and easy.