Navigating The Legal Landscape Of Cannabis

A patchwork of laws and the unique nature of the cannabis business require creativity, agility, and cyber-awareness by counsel.

There’s no doubt that the cannabis industry is maturing as a sector.  Currently, there are 10 states plus D.C. which are fully legal, meaning licensed operators can sell medical or recreational marijuana.  A majority of states — 33 — are legal for medical marijuana.  Canada went fully legal in 2018, becoming the first 1st world country to do so. And the passage of the Farm Bill in December 2018 made hemp legal in the U.S.  In Colorado, one of the first states to go fully legal, cannabis is now a $6 billion industry.

Yet there are several major barriers to progress which make representing cannabis clients challenging.  Regulation is perhaps the most prominent.  In the U.S., marijuana is an FDA Schedule I drug and without national legalization, a host of problems occur when trying cases. Outside of regulation, mature business practices are not yet widely adopted in the industry.  Another looming area for cannabis lawyers is data privacy and security: the industry collects a significant amount of PII, much like healthcare, but without any laws (like HIPPA) protecting consumers.  Let’s break it down here.

  1. The tension between state and federal regulations complicates legal decisions and IP protection.

The question of crossing state laws with cannabis that is legal in one state and outlawed in another is a tricky one.  For example, in early January, drivers transporting hemp from a supplier in Kentucky to a Colorado company were pulled over for a traffic violation in Oklahoma.  The drivers were arrested and jailed for over a month for marijuana trafficking, as only medical marijuana is legal in Oklahoma and testing of a portion of the hemp samples read as marijuana, due to the levels of THC.  The Colorado company hasn’t yet recovered the inventory and the drivers still face charges.  This is a telling example of how things can get tricky, real fast.

Clients may assume that because marijuana is illegal at the national level, their case is doomed, even if the state they operate in has legalized medical and recreational sales. They might wonder if the state judicial system has enough expertise in the sector to handle a case effectively, or if they can find a qualified local attorney.  These are all valid points, yet the view is not so grim.

State cases have been heard at the U.S. District Court level, and with so far positive results for cannabis companies. “Federal courts continue to find ways around invalidating contracts simply because they happen to involve cannabis,” writes Daniel Dersham in Canna Law Blog. Dersham cited several cases in 2018, including Tarr v. USF Reddaway, Inc. and Bart Street III, Inc. v. ACC Enterprises, LLC, et al. 

Intellectual property rights around cannabis is another open question.  IP attorneys have been grappling with whether state trademark registration gives enough protection for their client’s brands.   Currently, federal trademark filings face continuous disapproval from the U.S. Patent and Trademark Office if the underlying products include anything prohibited by the federal Food, Drug, and Cosmetic Act.  This used to include all forms of marijuana products including hemp-derived CBD.  However, the Agriculture Improvement Act of 2018, known as the 2018 Farm Bill, was signed into law in late 2018 making significant changes to federal regulation of the industrial hemp industry giving IP attorneys some leeway when filing applications where the underlying products include CBD.  At this point, the U.S. Patent & Trademark Office hasn’t drawn a firm line in the sand as to how cannabis IP should be protected and practitioners are filing for trademark protection for clients in states where marijuana has been legalized as a strategy for at least securing state-level protection over cannabis trademarks.

Sponsored

  1. Immature business practices abound and need maturation.

In 2014, when the first states legalized recreational marijuana, participants in this new “green” economy came from all sorts of backgrounds and careers.  Not all of these upstarts were sound business professionals.  Some were backyard growers or had been laid off and were desperate to start anew.  Talented managers and scientists from aligned industries such as biotech and consumer products had a wait-and-see attitude in the industry’s early days.  Whether intentional or not, the lack of business operations acumen in this first group of startups has led to some shady dealings and poor decision-making.  Case in point: The founders of MedMen, a publicly traded company, found themselves on the wrong end of a lawsuit alleging that they withheld shares from shareholders and pocketed money intended for investment. Before taking on new clients, take a full inventory of the company’s leaders, finances, manufacturing processes, and business practices to make sure that you’re not walking into a landmine.

  1. Cybersecurity is a growing threat for data-rich sellers.

Cannabis companies are just as vulnerable to cyberattacks as other sectors, and the amount of data they are required to collect on buyers makes the industry a particularly enticing target for hackers. Recreational buyers must show a driver’s license or other government-issued ID to make a purchase, just as if they were buying alcohol.  In many cases that ID is scanned and stored in a database — a nice prize for hackers unless stringent security protections are in place.

Medical marijuana products, which can be more potent, require a medical marijuana card and applying for one requires that the consumer submit personal health data such as medical records and insurance information.  That data, too, is collected and stored online.  For now, consumers can’t buy any product containing THC unless they use cash. When banking laws change so that customers can use electronic payment methods, cyber risk will increase dramatically.  In the meantime, point of sale systems and SaaS platforms where client data is maintained remain vulnerable.

Sponsored

Cannabis companies, like other young companies, aren’t focused on cybersecurity.  Topics like manufacturing, distribution, testing, sales, and marketing take precedence.  Yet the risks of a breach are enormous, especially for most cannabis companies which are small, underfunded, and extremely vulnerable to lawsuits and negative public perception.  Some states, California and Oregon, notably, have even implemented cybersecurity regulations aimed at the cannabis industry.

Cannabis companies can head off these risks through implementing a thorough cybersecurity program, which should at a minimum consist of the following:

  • A business-aligned risk management strategy, updated at least quarterly;
  • Robust privacy and security policies governing employee access to and sharing of PII;
  • Modern security technologies including firewalls, antivirus software, data and file encryption, threat detection and monitoring, incident response, event management and predictive analytics; and
  • Breach response procedures.

Issues of cybersecurity within the cannabis industry are correctable through creating a “culture of security,” which should be a standard consideration in any business operation. Practical measures like keeping employees from connecting company devices to public WiFi, enforcing strong password control, and phishing awareness training are a few simple ways that companies in the space can significantly enhance their security.

Working with cannabis clients may seem risky at present day, but it’s also an exciting opportunity to become an expert in a new and dynamic sector.  By fully vetting the risks up front and staying abreast of frequent changes in local, state, and federal laws governing the sector, practitioners can gain a competitive edge and provide critical advice to a burgeoning industry that shows no sign of slowing down.


Jennifer DeTrani is General Counsel and EVP of Nisos Inc., a technology-enabled cybersecurity firm. She co-founded a secure messaging platform, Wickr Inc. where she served as General Counsel for five years.