marijuana cannabis loan
This industry is different, you know.

Many cannabis businesses are funded with debt. Sometimes, the debt is owed to one of the business’s owners, who pursued a debt structure for tax reasons. Other times, the debt is owed to a third party. That party could be a friend or family member, an investor keen on the industry, or even a professional hard money lender. Our marijuana business lawyers have papered a large number of loans in the industry, on behalf of both businesses and lenders. This blog post identifies some considerations for lenders making plays in the industry.

Do Your Diligence.

Before making a loan of any type to a cannabis business, do your diligence. Like so many things related to cannabis businesses, this exercise is different than with standard businesses. There are several reasons for this: 1) cannabis businesses often have short or non-existent operating histories; 2) by extension, cannabis businesses often have limited financial information at hand (tax returns, P&Ls, etc.); 3) the financial projections for cannabis businesses are more speculative than for other businesses, due to market dynamism; and 4) regarding operations, cannabis businesses may be “license pending” and thus offer little to vet.

Altogether, these factors make it supremely important to vet the actual owners of the business, as well as whatever you can get on the enterprise. This means having a look at personal financials and assets, credit reports, asking for personal references and calling around, etc. And when it comes to diligence on the business, make sure you do more than simply run a UCC search and review financials. Ask for company agreements. After all, a business may have an oppressive lease or licensing agreement which makes it less likely to succeed, or it may have similar documents with contingent or springing security interests that diminish your repayment prospects.

Prepare to Be Vetted.

The cannabis business will look into you, of course. But the real vetting is likely to happen by the licensing authority. In Washington, for example, the two groups that must report to the Liquor Control Board are “true parties of interest” and “financiers.” In California, it’s “owners and financial interest holders.” And in Oregon, it’s anyone with a “financial interest.” Each of these terms is defined in each state’s ever-evolving administrative rules, but it’s very likely that as a lender, you will need to be disclosed and vetted by the licensing authority. This may entail submission of information on your business, if you have one, and/or its owners and spouses. It also usually means fingerprints, background checks, and having your name on file as a part of the public record.

Demand Security.

Arms-length loans are almost never unsecured, so this one is a no-brainer, and if a marijuana business pushes back, it should be a dealbreaker. The best type of collateral is something tangible, like real property (land) that is unencumbered by senior interests, or where foreclosure by a senior noteholder would not wipe out all available equity. But there are other types of collateral, too, like personal property (including intellectual property); and there is always the option for a convertible note. Finally, lenders often get creative with deposit control agreements and other collection levers.

In the personal property category, the noteworthy asset when lending to plant-touching businesses is the cannabis itself. Most states have procedures for secured creditors to take control of a cannabis business under provisional licensing authority, for liquidation purposes. But, before you sign up for this, ask yourself: Could I really see myself chopping down cannabis plants one day? Or paying a receiver to do that? If not, and if the business has no other valuable assets, this loan may not be right for you.

Demand Personal Guarantees.

This ties into the diligence and security categories. A personal guaranty is just an extension on whatever security you can otherwise acquire as a part of the loan. Make sure these guarantees are uniformly integrated into the loan documents, and that each guaranty is more than a cursory sentence appended to a promissory note. The personal guaranty should cover various contingencies, e.g.: What happens if the guarantor dies? Are there any allowances for its termination, aside from repayment of the loan? Etc. Also, consider whether your borrower resides in a community property state like Washington or California, where the guaranty may not attach to marital property.

Do Market (and Legal!) Research.

Lenders to the cannabis industry are getting better rates than almost anyone else. They are taking on more risk, and feeding an insatiable capital market. We have seen loans with interest rates up to 50%(!) for relatively quick turns, but we have also seen loans that do not conform with licensing rules, or with state lending and usury laws. The exercise here is to ascertain market norms, look at your prospective borrower’s situation, and consider these factors in the greater context of lending statutes and marijuana licensing program rules. Finally, balance what you think you can get against the decreasing odds of collection that inevitably come with higher interest rates and compact repayment schedules.

Hacking back isn’t the answer, unfortunately.

As I have discussed for the last two weeks, cannabis businesses have become increasingly vulnerable to cyberattacks. It is natural for a company victimized by data breaches to want to retaliate by hacking back. However, under current U.S. law, which is codified under the Computer Fraud and Abuse Act (“CFAA”), it is strictly prohibited to intentionally access another’s computer without authorization.

Legislators have given some thought to this problem. Most recently, the re-introduction in October 2017 of the Active Cyber Defense Certainty (“ACDC”) Act, a bill sponsored by Congressman Tom Graves (R-Ga) and Congresswoman Krysten Sinema (D-Az), raised questions about the legality of counter attacking. Indeed, the ACDC Act proposes to amend the CFAA and enable victims of cyberattacks to adopt active defensive measures to identify the hackers, destroy information originally stolen from the victims’ networks, and attack the intruders’ servers to interrupt the ongoing attack. Although an eye-for-an-eye form of justice is appealing, unauthorized access to networks is not a good idea. Here is why.

First and foremost, the ACDC Act has not be enacted. This means that the CFAA remains the law of the land, and accessing others’ computer systems without their permission is a criminal offense. Every state law punishes hacking under the computer crime statutes. These crimes carry serious penalties ranging from a class B misdemeanor (punishable by up to six months in prison, a fine of up to $1,000, or both) to a class B felony (punishable by up to 20 years in prison, a fine of up to $15,000, or both).

Second, even if retaliation were legal, most companies would lack the expertise required to safely conduct an offensive cyber operation. It is incredibly difficult to identify individuals and entities behind cyberattacks. Most intruders cover their tracks very carefully by using encryption and by routing strikes through others’ computers. Given this, counter hacking would most certainly result in attacking computer systems and destroying data belonging to innocent third parties.

Then, there is the issue of whether victim companies have the technical proficiency required to effectively take counter measures against cyber intruders. Indeed, the internal tools needed to effectively hack back represent a major undertaking: a high level of expertise, constant vigilance, and huge financial resources. Moreover, it is highly unlikely that companies that could not prevent the intrusion of their networks would manage to take on their attackers on their own digital turf.

Lastly, retaliation by companies that fell victim of a data breach would most certainly impede law enforcement investigations and delete or temper with evidence that could be useful in a prosecution. Unlike law enforcement agencies, companies do not have the relevant technical expertise or diplomatic tools to pursue hackers. Most companies ignore how to preserve a chain of custody that would enable the introduction of untampered evidence at trial. In addition, counter hacking is an incredibly dangerous endeavor because it is very difficult, if not impossible, to see what a company would be up against. In retaliating, a company would run the risk of escalating the situation and of further injuring itself.

As I have discussed before (here and here), no one and no company is immune to cyberattacks. It is understandable that companies, including cannabis companies, are getting tired of being passive and of merely defending against these breaches. However, hacking back is not a feasible option given its illegality and the negative consequences it could have on the retaliating company. When faced with a data breach, don’t let your emotions dictate your actions; instead, stick with a comprehensive plan of action that will help you minimize your damages and let skilled, experienced law enforcement agents do the job of tracking and investigating your attackers.

cannabis marijuana term sheet

When I receive a summary of a cannabis business deal–the first emails, calls, LOIs, and term sheet in any form–with 90% accuracy I can say whether the transaction will be a difficult one or not. Note that “difficult” does not correlate with complex: Often the more complex deals, with multiple entities and asset transfers, end up being much easier, whereas a simple secured loan can be more difficult. And in the context of a transaction, “difficult” = “time consuming” = unnecessary expense. Everyone would like to avoid that.

The number one differentiating and determinative factor in assessing the difficulty of a marijuana business deal is the term sheet. If a deal is a building, think of the term sheet as both the architect’s blueprint and the physical foundation on which the deal is built. Deals that are smooth are built with a clear plan and on a solid base; these come in on time and under budget. Deals that are built based on a vague understanding of the final goal but with no firm, documented plan, will be typified by stops and starts, walls built, torn down and rebuilt, and a final product that stands but doesn’t resemble what either parties had in mind (“in mind” being a key phrase here, as often what was in the parties’ mind was never exchanged in an agreement). Oh, and the dreaded cost overruns.

Engage your attorney before you sign a term sheet. 

Having a final term sheet is necessary for a smooth transaction, but agreeing that a half-baked term sheet is “final” may prove worse than having no term sheet at all. Do not make the mistake of thinking you cannot engage your attorney until you have a term sheet signed: In fact, an hour with your attorney before you finalize the terms, could save you many hours down the line. Your experienced business attorney will know how the terms will fit in the documents, and in turn what terms you may not have addressed fully, or at all.

Do not have your attorney draft the transaction documents until after you sign a comprehensive and binding term sheet. 

Speed in transactions is defined by certainty. Term sheets that say “market standard” terms for X is likely a proxy for “we didn’t take the time to discuss X.” This can work if the parties have a common reference point or an external reference. For example, in the context of an equity financing, “standard NVCA language on Registration Rights” is OK. “Standard anti-dilution” is not OK: There are at least three flavors and they are wildly different, so the drafting attorney with that term sheet is guessing–or likely talking only to his side–on the issue. The stops, starts, and re-drafts is what eats up time.

Continuing with the building analogy: Every couple building their dream home wants the house built quickly and correctly, and on budget. But they had better get all the critical details decided and in the plans before the first brick is laid. In other words, if you don’t agree on the location and number of bathrooms, you wouldn’t tell a contractor to “start building now and we’ll decide on the bathrooms later.” The decisions won’t get easier if you put them off, and having a full plan in place from the beginning will make the process more enjoyable for all.

cannabis marijuana cyber attack security
Be prepared!

As I discussed last week, hacked devices, breached networks, and stolen proprietary information have become commonplace in the cannabis industry. Because cybercrime variants are continually emerging, no company can achieve totally assured cybersecurity. Consequently, we strongly encourage all our clients to adopt a cyber incident plan for responding to attacks before they occur. Developing a vetted, comprehensive plan of action is the best way to effectively respond to an attack and to reduce the amount of damage to your company.

This post highlights some of the best practices for preparing and responding to a cyberattack.

Before falling prey to a cyberattack, your company should:

  1. Identify Valuable Assets. Depending on your needs, it may be cost prohibitive to protect your entire business. Therefore, before creating a cyber incident plan, you should determine which data, assets, and device warrant the most protection.
  2. Develop a Plan of Action. Cyber incident plans will differ in size and structure, but at a minimum, your plan should:
    (i) Name those who have lead responsibility for different aspects of the response;
    (ii) determine ways to contact critical personnel at all times;
    (iii) identify how to preserve your most valuable assets, data, and device in a forensically sound manner; and
    (iv) develop notification plan for customers and data owners whose data would be compromised during an intrusion.
  3. Adopt Appropriate Technology and Services. Adopting off-site data back-up, intrusion detection capabilities, and data loss prevention technology will help you detect intrusions soon after they occur and help minimize the loss of valuable information.
  4. Implement Internal Preventative Policies. You must assist your employees with recognizing internal and external vulnerabilities to prevent security breaches but also to effectively react to attacks. Employee training should address issues such as safe password management, cryptographic communications, secure browsing practices and proper system configuration.

Following a breach, you will need to focus on mitigating damages and working with law enforcement. Specifically, you will need to:

  1. Assess the Nature and the Scope of the Incident. You will first need to determine whether your company is faced with a malicious act or a technical glitch.
  2. Capture the Extent of the Damage. If you detect a cyberattack, you should immediately make a forensic image—an image or exact, sector by sector, copy of a hard disk—of the affected computer(s), which will be used for later analysis and may possibly serve as evidence at trial.
  3. Implement Measures to Minimize Damage. To contain the attack and prevent it from spreading, you will need to stop ongoing traffic caused by the attacker. Some measures include rerouting network traffic and isolating all or parts of the compromised network.
    Regardless of the option you select, be sure to keep detailed records of all steps taken. This information may be relevant for recovering damages from responsible parties.
  4. Notify. The notification list includes:
    (i) Relevant Personnel: You should inform the relevant personnel (i.e., managers, IT department, security department, and legal department) of the attack and keep them informed of the preliminary analysis.
    (ii) Law enforcement: Generally, you will need to contact law enforcement authorities to assist with investigating the intrusion. Law enforcement can also help coordinate statements to the news media concerning the incident, ensuring that information harmful to the company’s interest won’t unnecessarily be disclosed.
    (iii) Customers: All 50 states have now enacted breach notification laws that require companies faced with a cyberattack to inform customers whose data was compromised by the intrusion. Accordingly, soon after the attack, you should prepare a statement that explains to the customers the scope of the breach of security and which remedial efforts were adopted.

Cyberattacks can raise unique legal questions. Therefore, you should consult with attorneys who are accustomed to addressing these types of issues to assist you with decisions, such as how to interact with government agents, the types of preventative technologies you can lawfully use, your obligations to report the loss of customer information, and your potential liability for taking specific remedial measures when faced with a cyberattack.

cannabis cybercrime
Protect your business and its data from theft.

To our surprise, many of our clients remain convinced that they are immune to cyberattacks. Yet, cannabis businesses house incredibly valuable information, making them exceedingly vulnerable to these attacks. This misplaced confidence has led numerous cannabis companies to operate without the necessary protective measures. Given the fact that more than 4,000 attacks occur daily, this post briefly discusses how cybercrime is affecting the cannabis industry and provides basic precautions companies should take to reduce the risk of falling prey to cyber hackers.

The most common type of cybercrime is known as ransomware. Ransomware is a form of malware that targets a business’s sensitive information for extortion purposes. This information may include customer lists, trade secrets, financial information and research and development information. Specifically, hackers block access to a database or system until the user agrees to pay a ransom. Not only does the temporary, and potentially permanent, loss of critical data disrupts a business’s regular operations, it also creates massive financial losses associated with restoring systems—assuming the business pays the ransom and that the hacker provides access back to the database—and severely damages the business’s reputation.

Bringing about awareness and training your team is a paramount preventative measure. Indeed, effective precautionary measures can significantly mitigate the risk of falling victim to a cyber infection. Here are a few simple precautions cannabis businesses should take:

  1. Educate Your Personnel: Attackers often enter a business by deceiving an internal user to disclose a password or click on a virus-laden email attachment. You should therefore remind your employees to never click or open unsolicited email attachments. In addition, you should emphasize the importance of not sharing personal passwords to be able to determine how your system was compromised in the event of an attack.
  2. Use Complex Passwords: You should use 12-character or longer passwords and change your passwords regularly.
  3. Enable Strong Spam Filters: Strong spam filters will prevent phishing emails, which purport to be from reputable companies to induce individuals to reveal personal information, from reaching the end users and will authenticate incoming emails.
  4. Set Anti-Virus and Anti-Malware Programs: Setting anti-virus and anti-malware programs will automatically and frequently scan your database and system to detect threats and filter files from reaching end users.
  5. Shred Physical Documents Containing Sensitive Information: Avoid old fashioned dumpster diving by shredding all sensitive information you may have printed or written down.

Although ransomware is the most commonly known and used technique, it is no longer the sole method of attack used against cannabis businesses. You may recall the precarious situation in which MJ Freeway, the giant cannabis compliance software system, found itself in 2016 and again in 2017. The company’s databases were hacked, preventing MJ Freeway from processing transactions and precluding over 1,000 dispensaries from tracking sales and inventories for weeks. These cyberattacks against MJ Freeway revealed a new kind of cybercrime where no extortion demands are made, but rather are used by competitors to destroy valuable data to gain a competitive advantage.

The MJ Freeway case highlights the concerning fact that cybercrime variants are continually emerging, making companies, including cannabis businesses, increasingly more vulnerable to these attacks. Accordingly, cannabis businesses must stop underestimating the value of their data and must protect it by putting in place a comprehensive data security system that will minimize their risk of attack and ensure the continuation of their financial success in this high-risk cyber environment.

Cannabis finance lawyers

Has Investing in Cannabis gone mainstream? In “As Marijuana Goes Mainstream, Investors Rush In,” The New York Times answered this question affirmatively, but that article focused primarily on publicly traded companies. What about industry-wide?

As our attorneys regularly put together investment rounds for cannabis companies we see these macro trends at the deal level. And in recent months we are increasingly seeing a wider variety in types of investors — often private investors more familiar with commercial real estate, tech investing, or other private company financing — crossing over into cannabis. These investors bring a wealth of knowledge on terms, structures, and business strategy. For many tech-focused startup companies providing services to the cannabis industry, the deals may look nearly identical to those in other industries; in fact, we’ve done equity financings where the documents are identical to a typical tech startup.

However, particularly for investors working with “direct operator” cannabis companies for the first time, there will be certain aspects of the cannabis industry that do not translate and other aspects that are shocking or incomprehensible to investors coming over from other industries. Now that cannabis has gone “mainstream,” investors may believe all the kinks have been worked out, but as those in the cannabis industry know, that’s not true. Not by a long shot.

  • Banking remains imperfect, and there still are gaps by geography or company size and type. Many cannabis companies still operate on an all-cash basis.
  • Company Execs (and others involved in “direct operators”) can still go to jail for this. That’s what federal illegality means. This comes as a shock to many.
  • Many investors and funds are still going to be unable to invest, depending on their source of funds. For example, state or public pension funds are a non-starter.
  • Many cannabis businesses are limited by state borders.
  • Regulators are still catching up at the state level and their timing may not meet with your spreadsheet projections.
  • Regulators at the local level are highly unpredictable. On cannabis financing, our corporate finance lawyers often must contend with municipalities that had permit processes up and running and then completely changed their minds.

The above contribute to the “green tax” in the cannabis industry — factors that complicate and add expense to doing business in the industry — and these often surprise investors coming from other industries. Investors that are open-minded and have a “growth mindset” can make the shift pretty quickly. But other investors may grow frustrated and impatient with having to face the hurdles faced by all cannabis companies. Companies are wise to evaluate potential investors and test their mettle, as the industry will soon enough.

Definitely say “NO” to unregistered broker dealers.

Startups in the cannabis space have few options when looking to raise funds– almost all banks, venture capital (VC) firms, and other institutional funds are off limits. Suitable private investors are few and far between. This situation is unfortunately leading to a proliferation of unscrupulous individuals that offer their “services” or “connections” to help companies meet investors and bring in dollars, for a fee. We’ve referenced on a few occasions (see here and here) that these investment “finders”, as well as any type of commission on dollars raised or other transaction-based fee, is 100% illegal (unless they hold a FINRA license to serve as a securities broker, and as I’m seeing, nearly all do not). Engaging an “unlicensed broker-dealer” can have serious consequences for the company. Even a dollar raised in this way puts all other company funds and assets at risk.

The frequency with which these issues are raised by clients and others makes me believe that 1) some companies are engaging unlicensed brokers without thinking to run this by their attorney, and 2) some of these unlicensed brokers are aware they are breaking securities laws, while others are simply ignorant and trying to capitalize on their “connections”, not knowing their business model is illegal.

So clearly this topic deserves its own post and its own bolded and underlined warning: Don’t sign any engagement with an advisor / consultant / snake oil salesperson that offers to raise funds for your company, in exchange for a fee. If anyone approaches you, run it by your business attorney right away, and keep them involved throughout the process.

The Law:

Section 3(a)(4)(A) of the Securities Exchange Act of 1934 generally defines a “broker” as “any person engaged in the business of effecting transactions in securities for the account of others.” Pursuant to that law the SEC has laid put extensive regulations and guidance to further define “broker activities” and prohibited fee structures.

Assuming the individual is not a registered broker-dealer (which you can confirm on the FINRA site here) then here’s what you certainly cannot do:

  • Engage an advisor, agent, or anyone describe their role or duties in terms that touch broker activities. At the most basic level, you should avoid any engagement that calls out “introducing” or “finding” or “bringing in” investors. If an engagement calls out “fundraising advice” or “investor relations” as a euphemism for broker activities, you’re walking a fine line. Best to reword your engagement and make no references to broker activities.
  • Tie any compensation to funds raised. This includes the obvious “transaction-based” fee of a percentage of funds raised, or fees scaled to milestones. This includes “fees” paid as equity grants. It also includes any fee contingent on a fundraising round – such as a retainer charged when funds arrive.

As a startup you often feel stretched thin, and in need of any help you can get. But in this case, this is not the help you want. Accepting any funds raised through an unregistered broker-dealer, or another performing broker activities for a fee, is worse than not having funds at all. The risk is then to the entire company, and in turn all the investors and employees current and future. Don’t do it!

cannabis capitalization license
Prepare to describe how the sausage was made.

Over the past few years, we have had many cannabis clients call us during the license application process and ask some version of the following: “The state is asking me to disclose the capitalization of the company. What should I write?” From a lawyer’s perspective, the answer to this question is usually something very simple, such as: “The capitalization of the company should be disclosed as the amount and type of capital you used to start the company.” Makes sense, right? But there is often more to this question than meets the eye.

In most cases, cannabis businesses are built differently than other businesses, as far as funding sources and mechanics. Therefore, we get the capitalization question from business neophytes, seasoned entrepreneurs, and everyone in between. When we dig a little deeper, there may be any of several reasons the question surfaces during the licensing process, some better than others. I’ll run through each of them below.

The owners had to start this business without access to financial services, and therefore do not have bank records of capitalization.

It’s true that most cannabis companies start off unbanked, whether the business starts “from scratch” or is transitioning out of medical or grey market operations. This creates a documentary hurdle in many cases: Unlike with a new generic venture, the cannabis business owners are unable to fund a bank account (creating a record of capitalization) and begin writing checks for business expenses. Therefore, most cannabis businesses have to be extra diligent in tracking business funding and expenses through internal recordkeeping. These records should be immediately producible in the event of a state inquiry, IRS audit, member dispute, potential investor inquiry, or for any number of reasons.

The owners were in a rush to apply for the license, and don’t really care about business formalities. 

If you want to make your lawyer nervous, tell her that you only need a company name because it’s a cannabis licensee requirement. If the lawyer is worth your time, the first thing she will tell you is that you should always run your marijuana company like a real business. That means writing things down and using appropriate forms to do so. Failure to follow basic business formalities can land owners in a world of hurt if anything goes sideways; and in such a case, a company shell will be no defense at all to personal liability.

The owners are nervous to disclose funding and funding sources on the public record.

This is a legitimate concern. Every state has public records laws, and depending on how those laws intersect with cannabis program rules (and administrative policies), public disclosure of funding and funding sources may be unavoidable in response to nosy, third-party requests. If someone makes a public records request related to a licensee file in Oregon, for example, records of funding sources and amounts will be made available (other sensitive information, like security plans, will be redacted). There may be no ideal workaround here, other than describing the source of funds in a general sense, and hoping that further information is not required.

The owners are not sure how much capital will be required to get through the license application process.

This is also a legitimate question. Regardless of business projections, the simplest course is usually to list all financing the business has received to date, and to update the licensing authority if and when new or existing parties with financial ties to the business provide or pledge funds.

The owners are not sure if a funding source or a promised source of funds constitutes capitalization under relevant administrative rules.

This is an area where it is critical to know the rules and how they are interpreted by the governing agency. The question of who and what constitutes a “financial interest” holder in a business is often unclear and varies from state to state. In Washington, for example, the two groups that must report to the Liquor Control Board are “true parties of interest” and “financiers.” In California, it’s “owners and financial interest holders.” And in Oregon, it’s anyone with a “financial interest.” Each of these terms is defined in each state’s ever-evolving administrative rules (for example, Oregon only recently required disclosure of lenders). It’s important to get guidance on these issues because the penalties for nondisclosure can be severe — often including denial or loss of licensure.

The owners are not sure whether a licensing authority prefers to see a certain kind of capitalization (e.g. cash, sweat equity, debt, convertible debt) or if some ratio of the foregoing may be ideal.

In our experience to date, licensing authorities in Oregon, Washington and California do not really care how you have funded your business, as long as the source of funds is legitimate. That said, state reporting should be consistent with company records and tax filings, because the IRS definitely cares how the sausage was made and how you report that information. For example, the IRS may consider a company that is capitalized predominantly with straight debt to be “thinly capitalized.” In determining this, the Service looks at other businesses in the same industry for their debt-to-equity ratios. An old rule of thumb is also that any company with a debt to equity ratio greater than 3:1, or 4:1, is too thinly capitalized. How this analysis might be applied to cannabis businesses is an open question.

When it comes to capitalizing a cannabis company, primary goals should be: 1) structuring and running a legitimate business, and 2) accurate state and income tax reporting. Unfortunately, the former is more challenging in marijuana than in other industries, and the latter takes some knowledge of administrative rules and policy. But it can be done with a little planning and study, and it can be done correctly. At the end of the day, the license will follow.

cannabis copyright marijuanaCopyright is an aspect of intellectual property (IP) law less frequently considered by cannabis businesses than trademark, trade secrets or even patents it seems. Yet, like these other forms of intellectual property, copyrights can afford their holders with market dominance and profitability when utilized correctly. Almost all marijuana businesses own numerous unregistered copyrights, whether or not they realize it.

This post briefly covers the concept of copyright and how it applies to the cannabis industry.

What does copyright protect?

Copyright is a form of IP law that protects creative expression of ideas. Specifically, copyright protects original works of authorship, including literary, dramatic, musical, and artistic works, such as poetry, novels, movies, songs, computer software, and architecture.

The cannabis industry protects copyrights in a variety of ways. For example, the writing and photographs on a cannabis business’s website are copyright protected. This might include descriptions of a particular product or just the layout of the website itself. Physical media like labels, product tags, packaging, logos, instructional materials, and product design can all be protected by cannabis industry copyrights. Books that discuss cannabis production methods, such as Ed Rosenthal’s “Marijuana Grower’s Handbook,” also have copyright protection.

Is registration necessary for copyright protection? 

No. A work of authorship is protected the moment it is created and “fixed in a tangible form.” A work is fixed in a tangible form if its expression is sufficiently permanent to allow it to be communicated for more than a transitory duration. Accordingly, registration is not necessary for copyright protection.

However, registration affords significant benefits, particularly in the context of copyright infringement. These benefits include:

  • The right to sue for infringement;
  • Automatic proof that the registrant is the rightful owner of the copyright, which shifts the burden of proof on the defendant to show that the registrant is not the rightful owner or that her work is not protected; and
  • Additional remedies, like statutory damages and attorney’s fees, if the registrant prevails on her infringement claim.

Given the fact that copyrights are inexpensive and quick to register online, we recommend registration in most cases.

Are cannabis copyrights registrable and enforceable?

The Copyright Act contains virtually no prohibitions on what types of work are eligible for copyright protection, including cannabis-related work. Instead, the Copyright Act simply contemplates the level of originality in a given item. And on that point, the Act provides a decidedly low bar to registration, requiring only “a minimal degree of creativity.” For cannabis brands, federal copyright protection is available to protect most business creations, as long as those creations are sufficiently original to be copyrightable.

Nevertheless, it is important to remember that under the Copyright Act federal courts have exclusive jurisdiction over infringement actions. Therefore, like in patent infringement lawsuits, there is a potential risk that the federal illegality of cannabis would be raised in various litigation aspects and would impeded the enforceability of a cannabis copyright. To this date, no cannabis copyright infringement claim has been raised, making it impossible to determine whether cannabis copyrights are in fact enforceable.

What rights does copyright afford?

Copyright affords the holder the exclusive right to control his work through reproduction, distribution, public display and performance.  Copyright also gives the holder the right to be compensated for the use of his work.

How long does copyright protection last?

Generally, works created by individuals are copyright protected for the life of the author, plus 70 years. Works created anonymously, pseudonymously, and for hire are protected for 95 years from the date of publication or for 120 years from the date of creation, whichever is shorter. Compared to the maximum shelf life of a patent, or terms of trademark registration, copyright protections last incredibly long.

How does copyright infringement occur?

Copyright infringement occurs when an individual uses another’s work without permission. Typically, permission is granted through a licensing agreement, which transfers some of the owner’s exclusive rights to another. In addition, the terms of the license agreement may limit the transfer of those rights to a specific period of time, to a physical location or to the means through which the rights may be exercised.

Note, however, that the legal doctrine of fair use, which promotes freedom of expression, permits certain unlicensed uses of copyrighted works, such as criticism, comment, news reporting, teaching and research.

As this post highlights, copyright affords valuable protection of certain intangible business assets. As such, every cannabis business should take the time to determine which of its assets are copyrightable and whether registration would give them a competitive edge. Given the ease of registration and the rights associated therewith, it’s a no-brainer.

Oregon safety marijauana
The OSHA model. And a good look for cannabis business.

So, what is Oregon OSHA (“OR OSHA”)?

OR OSHA is the Oregon Occupational Safety and Health Act. This law requires employers to “furnish employment and a place of employment which are safe and healthful for employees.” In other words, employers are required to maintain safe workplaces. This means that employers are required to identify potential workplace hazards, prevent such hazards, and provide safety measures to employees to protect their health and safety, in all situations where hazards are inherent in the job or otherwise unavoidable. Does this law apply to cannabis employers? You bet.

OR OSHA also identifies certain conditions as inherently hazardous or unsafe, and regulates the condition or practice by imposing employer requirements to mitigate the condition or practice (think fall protection when on a ladder). The kind of marijuana business you run will dictate what OR OSHA regulations are triggered.

For example: marijuana producers are subject to the OSHA agricultural rules. These rules require employers to protect employees from things such as machine hazards, mold, electrical hazards, and heat exposure, among other things agricultural employees are subject to.  Marijuana processors must comply with special requirements for employees handling extraction chemicals. Retail operators must ensure employees are safe from slips, trips, and falls. Etc.

In addition to protecting employees from hazards at work, OSHA imposes reporting requirements on employers. Employers must report to OR OSHA within eight hours epodes like the death of an employee or a catastrophe. A catastrophe is defined as two or more employees fatally injured or three or more employees admitted to a hospital or an equivalent medical facility. Employers must report to OR OSHA within 24 hour of any employee being hospitalized, losing an eye or an amputation, or avulsion that results in bone loss. In addition to these reporting requirements, employers with 10 or more employees must record their injuries and illnesses that are a result of the work environment on a form called the OSHA 300 Log. Employers must also summarize the 300 log on a form called an OSHA 300-A.

Somewhat similar to the Oregon Liquor Control Commission (“OLCC”) — which is the state agency that administers marijuana licenses — OR OSHA has the power to investigate employers to determine whether or not they are compliant with OSHA requirements. OR OSHA does not have to provide advance notice of inspections, and the agency may randomly show up at an employer’s place of business to conduct an inspection.

So where might the agency show up? OR OSHA prioritizes inspections at locations that are determined to be the most unsafe. An OR OSHA investigator will investigate the employer’s property to determine if there are any violations. If there are violations, the investigator can issue a citation based on the type of violation. As with OLCC citation powers, the type of penalty associated with the citation depends on how serious the violation is.

OR OSHA safety requirements are comprehensive. The agency encourages employer compliance and has a series of free tools available to employers to assist with that compliance. OR OSHA’s most significant tool is its consultation services. Free of charge, an OSHA consultant will inspect a work site and provide safety, health, and ergonomic hazard assessments, recommendations to control and eliminate hazards, a written program evaluation, industrial hygiene services, training on health and safety topics, and assistance with safety and health programs. In short, a consultant will come out and point out potential OSHA violations and provide a plan to help with compliance.

Pro tip: A consultant is a great and free way to assess your compliance with OSHA prior to an inspector coming to your place of business.

Like with most employer regulations, compliance in the first place is the best way to avoid a hefty civil penalty or litigation. However, citations happen even when the best intentions are in place. This post has only scratched the surface of OSHA requirements. If you have additional questions, give us a call.