Earlier this month, the Oregon Secretary of State’s office released a formal audit report (“Report”) of the Oregon Liquor Control Commission’s (OLCC) information technology systems as they relate to Oregon’s recreational cannabis regulatory enforcement. The Report, titled “Oregon Liquor Control Commission: Cannabis Information Systems Properly Functioning but Monitoring and Security Enhancements are Needed”, focused on two separate but related issues: 1) the OLCC’s Marijuana Licensing System (MLS) and Cannabis Tracking System (CTS), and 2) general IT security concerns and disaster recovery procedures. The Report and the OLCC’s formal written response (“Response”) paint a picture of an underfunded agency doing its best to establish appropriate procedures and processes in the face of a unique emerging marketplace, unexpected demand for licenses, strict statutory deadlines, and an ever-changing regulatory framework. It is also apparent that the Secretary of State and the OLCC worked well together during the audit process, as each party compliments the other on transparency, professionalism, and common courtesy.
The audit was initiated to determine whether:
- the OLCC has sufficient technical controls in place to ensure that the MLS and CTS are supporting effective regulation of the recreational cannabis industry; and
- the OLCC has implemented sufficient security procedures to protect against known technical and physical threats.
Today we will focus only on issues raised relating to the MLS and CTS.
Marijuana Licensing System (MLS) and Cannabis Tracking System (CTS)
The Report and the Response provide an interesting look at how these two independent but related systems came to exist. When Oregon passed Measure 91 and then HB 3400 (2015), the OLCC was charged with creating and enforcing a regulatory framework for an entirely new industry with tight deadlines and insufficient resources. The OLCC reasonably decided that the only practical solution was to hire third-party contractors to provide Software as a Service (SaaS) solutions. The OLCC hired the company that created Colorado’s seed-to-sale tracking system to customize Colorado’s system to serve Oregon’s needs, resulting in the CTS, an online portal that allows OLCC licensees to input data about harvests, sales, etc. The OLCC hired a separate company to create its license application and renewal software, the MLS.
After hiring these vendors, the OLCC was forced to repeatedly overhaul these systems in response to extensive legislative rewrites to the recreational program in 2015, 2016, and 2017. In recognition of these difficulties, the OLCC requested funding for a full-time Chief Information Officer in the 2017 legislative session, but was denied. The Report and the Response both highlight the importance of filling this position, and the OLCC will be asking for additional funding from the legislature again this session.
In a nutshell, the CTS is Oregon’s licensee portal where licensees are required to self-report information about inventory, transfers and sales. The MLS is the OLCC’s online system for tracking license applications and licensee status.
We identified several weaknesses associated with OLCC’s new IT systems used for marijuana licensing and tracking. They include data integrity and maturity issues, and insufficient processes for managing marijuana computer programs and vendors. Until these issues are resolved, the agency may not be able to detect noncompliance or illegal activity occurring in the recreational marijuana program. – The Report
The Report identifies five general weaknesses in the CTS and related enforcement:
- the CTS relies on self-reported data that is inherently susceptible to inaccuracies;
- the CTS allows users to enter measurements in either metric or imperial, resulting in additional errors;
- existing licensees are potentially abusing a policy that allows new licensees to introduce cannabis into the recreational regime from any source;
- inadequate data quality hampers the OLCC’s ability to monitor the Oregon market as a whole;
- the OLCC lacks sufficient trained staff for regular on-site inspections.
Even with the additional staff, OLCC may not be able to ensure an appropriate amount of scrutiny for marijuana businesses. Both Alaska and Nevada have approximately one inspector for every 18 recreational marijuana licenses. Currently, Oregon only has one inspector position for every 83 recreational marijuana licenses. – The Report
The Report also notes that the OLCC doesn’t take sufficient steps to monitor its third-party SaaS providers, has inadvertently stored test data in the active MLS database, and has insufficient controls over user accounts. Finally, the Report notes that the MLS and CTS are not set up to automatically update each other. For example, a licensee with revoked status in MLS could still have active status in CTS.
In its Response, the OLCC generally agrees with all of the Report’s findings and states that, subject to obtaining additional funding from the legislature, it will work diligently to implement the Report’s recommendations. The OLCC refers to the MLS and CTS as “state-of-the-art imperfection” and notes that while issues exist, the CTS system has already identified thousands of discrepancies that have led to investigative and enforcement actions, and that even bad data is meaningful.
Citizens and policy makers need to know that as important as the issues identified in this audit are, the OLCC is not dependent on the CTS system alone to identify licensees that are attempting to use the state system as a cover for diversion. The CTS system is one fundamental tool for successful enforcement and compliance . . . the audit recommendations focus on improving the overall effectiveness of the system which the audit acknowledges is properly functioning. – The Response
The takeaway here is that the CTS system is not broken. It is currently helping to limit diversion and promote public safety, but like any system, it can and should be improved. On the whole, the public and licensees should expect that the OLCC will be implementing regular, random on-site inspections to support the CTS, and refining the CTS system to eliminate opportunities for confusion or deliberate deception. Hopefully the legislature will recognize the importance of a robust and technically effective OLCC to the industry as a whole, and will provide the OLCC with sufficient funding to retrofit its systems and hire a Chief Information Officer.