The Threats & Research Opportunities of the Cannabis Industry - Tracy Z. Maleeff

BSides Philly · 2025 · 47:47 · 56 views · Published 2026-02
About this talk
Tracy Z. Maleeff examines cybersecurity and physical security threats facing the legal cannabis industry, including documented breaches, malicious actors, and TTPs. The talk surveys industry-specific risks—from social engineering and disinformation to IoT compromise in grow facilities—and introduces open-source intelligence research methods to help identify vulnerabilities and defenses across legislative, business, and operational domains.
Original YouTube description
The legal cannabis industry has grown exponentially in the past few years, particularly in North America. Like any business, they are not immune to cybersecurity and physical security threats. This session will provide an overview of the threats and challenges faced by this industry, identifying known malicious actors and Tactics, Techniques, and Procedures (TTPs). In addition to providing attendees with a breakdown of threats, time will be spent outlining opportunities for Open-Source Intelligence (OSINT) research for this unique business which can help to identify potential challenges and possible solutions for defense. Applicable areas to be covered include legislation, politics, patents/trademarks, legal, cultural, and business. Presented by an Information Security professional with years of research experience, including as a law firm librarian, who also has a medical marijuana license from the Commonwealth of Pennsylvania.
Transcript [en]

But yeah, I've had some people, you know, clasp their pearls when it's like, "Oh, you're talking about cannabis." Uh, it's another industry like everything else. So, this is really just what this talk is about. So, let's get started. Um, you know, my words, my thoughts, my opinions, my hopes, my dreams. Uh, anything that I express herein does not represent my employer nor any groups uh with whom I'm affiliated. So, thank you again. If you have any if you are not happy with something that I have said, please buy me a drink and talk to me about it later and don't take it out on any groups I'm involved with. Thank you. Okay. So, what this talk is not, it is

not proselytizing. I've had people concerned that this was a talk about why you should use cannabis. I don't care whether or not you use it. I'm talking about the financials and the security of it. So, this is not a proselytizing talk. Uh, it's also not comprehensive. Tried my best, but I only have so much time to present. So, uh, it is as comprehensive as I was able to to get. And then, no FUD. I'm not going to be scaring anybody or anything. So, what is this talk then? It's only about legal cannabis. And it is factual. You know, uh, in case you don't know, I'm a former librarian, so, uh, facts and citations matter to me.

So, I do, you know, I did put a lot of care into that. uh and basically I just want to kind of show you some best practices of doing research uh on this topic. Okay. So I have taken all of the links and citations and everything and put it on a blog post on my blog. So um if you want to just chill and listen to me, you can just take a picture and go to my blog post later and get all the links. I mean you're welcome to take pictures during but wanted to try and save you guys some time. Um, if you don't like QR codes, I also put the link there. Um, I

will have this slide again at the end of my talk. Uh, but just to let you know, you can just relax. I'm gonna have all the giving this to you. >> Thank you. Okay. Um, uh, what was I saying? Um, >> all the links. >> Thank you. Yes, thank you. The blog post has all the links and you can just relax and listen to me. Okay. So, what's in store for today? First, I'm going to give you some background information about the cannabis uh about cannabis and about the cannabis industry. And then we're going to uh go right into what the current status is, what things look like now. Then I'm going to give you the industry

risk profile, and then we'll go over some research best practices. That sound cool? Everybody good? All right, let's party. You may ask yourself, who wants to finish it? How did we get here? How did we get to this part this point where I'm even doing a talk on this this subject? So, what I'm going to give you is a micro dose of the history of cannabis in the USA. Uh, hemp madness 1600s. Hemp cultivation was popular and it was actually encouraged by the governing powers at the time. So, it was it was a crop. It was very useful, valuable, uh was grown a lot. Uh fun fact, uh hemp was allowed to be exchanged as legal tender in

Pennsylvania, Virginia, and Maryland. Now, hear me out. SANS is in Virginia. Let's see how many bales of hemp we can get to, you know, to get a cert, you know, to pay for one. Okay. So, so yeah. So, everything was footloose and fancy free. Hemp was was everywhere. Um thing things were great. Oh, fear-mongering. So, what happened then? So, the Mexican Revolution of 1910, I'm sure you did not think this was where this talk was going, uh, but it is crucial to this topic. The Mexican Revolution in 1910 saw an influx of immigrants from Mexico into the US. Unfortunately, subsequently, fear and prejudice about the Spanish-speaking newcomers, that's a quote from the article, uh, became associated

with marijuana. uh on go. So, so this was a a a really um dangerous time where and it's kind of reflecting current times where uh these Mexican immigrants who were just fleeing a a bloody revolution. Yes, they brought marijuana with them and uh because people were scared of these of the Mexicans and and fear and hate uh they decided to make marijuana, you know, the the scapegoat of everything. That was the cause of all the problems. That's why the Mexicans are, you know, are they were are claiming that they uh were committing violent crime because of marijuana. Um, another quick fun fact, if you look in some legal documents, marijuana is spelled M A R I H U A N A, not the J.

Um, and it still shows up in legal documents today because that's how they thought it was spelled and some of the legal documents just never changed it. All right. So, 1931, so you know, from 1910, ongoing anti-immigration fear-mongering coupled with questionable research linking marijuana to violent crime led to 29 states outlawing marijuana by 1931. So, I picked a random year here, 1956, to give you an example of of what it was what cannabis was like at in the 50s, you know, when there was a lot the you know, a lot of the um uh you know, the the communist witch hunts and things like that. Uh so despite more medical research done on marijuana and the

benefits for medicinal capacity um a first offense marijuana possession in 1956 was a minimum sentence of 2 to 10 years with a fine in today's dollars that would be almost $250,000. That's crazy, right? So let's move up to the 70s. uh the controlled substances act brought all the substances together in the US uh which were in some manner regulated under existing federal law and they were put into five schedules uh and I'll get to that uh in a second. Um another another fact uh Nixon had the opportunity to make marijuana legal in the 70s but he declined uh to do that. So, this is kind of how we're then stuck with uh this the schedules.

And then on our lastly on our timeline, let's legalize it. California legalized medical marijuana in 1996. They were really trailblazers. Uh 2012, Washington state and Colorado legalized recreational usage. So, let's talk about this. What do I mean by schedule one? So the reason so marijuana is listed as a schedule schedule one drug and there are some examples here of other drugs that are in schedule one and one of these things is not like the other is what I maintain. Um so the key components is that there's there's no ex current accepted medical use and a high potential for abuse. That's how these drugs were scheduled as schedule one. Uh what is currently maybe going to happen

is uh the executive branch has said that they will change it to schedule three which doesn't make it legal, it just makes it less difficult to to obtain and it will also open up banking opportunities. Again, I'll get to that later. So, uh so this is what the schedule one is is what I'm talking about in case you've ever heard that and didn't know what what that meant. So here we go. You are here. So this is billion with a B. The cannabis industry is a massive money maker. Uh that is one of the reasons why it is also good to hack or or for the criminal standpoint um is to hack it or you know to to try to to steal because

there's just money. They're making money hand over fist and yeah, it's just going to expect it to to go up and and more. And this is also other products too, not just straight cannabis, the related products. Who knew cannabis was a job builder? That's a quite a quite a lot of jobs. I was surprised to see that. But it's also, you know, it's a money maker. It's a a job builder. and taxes. You know, the motivation for, you know, making this more accessible is for people to pay taxes on it. And you can see from this this excerpt here, you know, it's surpassing alcohol sales. So, yeah, if states want to get some money, this is one way that they could they

could do that. So, let's take a look. Again, we're in the present. This looks pretty cut and dry. Apologies for anyone with color blindness. The lightest of the grays is the uh orange and that means that they have recreational and medical. Uh the darker gray is just medical and the actual gray is that they have no programs. And you're like looking at this and going, "This seems pretty cut and dry, right? This looks pretty easy." Well, that's the simple version. It gets a little bit more complicated. So you'll see on the last one you'll see where North Carolina said that they didn't have any programs and then there it colored in. So at least decriminalized

it but they haven't done anything else with it. Um Texas for example says CBD only. Um but there's you know there's an asterisk to that. It's they have to go through a lot of hoops. It's not that you can just go go through that. So a lot of the states have very different rules. Even um jurisdictions within the states can have some different rules. Um all the green states here you see where it's fully legalized. A lot of them can have uh plants at home. They can grow their own marijuana. But it'll be different from state to state. Washington state you can have I think it's six plants whereas uh another state like Maine it might be one. So this is

really confusing right? This is everything's. So, imagine if you're running, you know, a a multi-state cannabis company or you're an MSSP with all these cannabis industry clients. There's different laws and things for every different jurisdiction. It's and it's crazy. It's all over the place. So, um it it's kind of like herding cats uh at this point. So, hopefully if it if it's made schedule three uh and everything can become cohesive. And honestly, it reminds me of APTs. Aren't those naming things all over the place? You know, one company calls calls it this, one company calls it that. I kind of had a little bit of PTSD looking at this map going, "This is this is the APT

model. This is what they do to us." So, let's go local here. So, what do we have locally? So, here in Pennsylvania, there is um medical u medicinal and I I have a medical marijuana license through my doctor. Um I have no with an asterisk for recreational. Um apparently it is being uh debated in the Pennsylvania Senate. Um what I read was is that uh the Republican party uh voted against the most recent plans, but not because they objected to cannabis. they just objected to it being sold through the state stores. So, they want to revamp the um the the pres the process the selling process of it, which kind of makes sense. I mean, the state stores

make sense, but they're also kind of a mess, too. If you ever try to order anything through the through the state store. So, um so stay tuned. That might be changing in 2026. Um Delaware. Do we have any Delaware people here? Um woo. So, you're recreational. You can you can do medical and recreational. And then Jersey, we got any Jersey folk here? Oh, hey Jersey. Okay. Uh so yes, you were also medical and recreational. So the reciprocity like the word means means that um so because it says no, it means that somebody from a state that has medical, say like uh where's our medical? say like North Dakota, um they wouldn't be able to come to Pennsylvania

and buy medical weed. Uh but Pennsylvanians can go to Washington DC and get cannabis legally there with our medical card because there is a reciprocity in Washington DC. So um that's something to be mindful of if you're traveling. Uh also remember now you do you, but technically crossing state lines with this product is illegal. Again, you do you. Your mileage may vary. I'm not going to I'm not judging. Uh but I do feel compelled to let you know that uh it was very clear in this article I was reading that it is very illegal. Uh even in between Delaware and New Jersey, they even gave the example of the Delaware Memorial Bridge. Even though Delaware

and New Jersey are connected with the Delaware Memorial Bridge and they're both yes to medical and recreational, you cannot take cannabis between those two states. So, I don't know. Maybe check the the river underneath the bridge. There might be a lot of like cannabis disposed or something. I don't know. I'm just kidding. All right. So, let's look at the industry risk profile. So, why is the cannabis industry a prime target? I've kind of touched on some of that. First, you know, it's fragmented, inconsistent. The laws are different everywhere. And then sometimes you get into, you know, local rules that supersede things. It's it's really confusing and I'm glad I'm not a law firm librarian anymore because

researching that would be a nightmare. Um it's cash heavy because it's a schedule one drug. You can't have banking. You have to have cash for everything. And uh that's a problem that I'll get that's a physical security issue that I'll get into in a couple slides. Um you know and then also you know the all the the regulatory consequences. You know, you have to make sure if you're going to have a company, have a cannabis company, you have to make sure you're on top of all these ever-changing laws and things. Uh, and this last one here, does this sound familiar? This it's the growth is outpacing how they can lock down their systems. I'll show you in a couple

slides some company databases that were just wide open on the internet because I guess they don't know. Can you save that for the end, please? Because I'll lose my train of thought. Thank you. Um, so yeah, so the cannabis industry gets the same things as everybody else does. They get phishing. There's business email compromise. Uh, insider threat is actually a big one. Um, have some more info on on that. So, so this is why they're a prime target and in some ways it's really not different than any other industry, but the main factor is the product in this industry is illegal. So, that kind of makes this all kind of weird. But um you know this is this is

why they're a prime target and why they're we're probably going to be seeing more of these incidents in the industry. Okay, so let's start uh I was really proud of this slide. I thought this was cute. But um thank you Gemini. Um so let's start. So can the cannabis industry has their has supply chain. We all know I'm not going to bore you. We all know about all the issues with supply chain. So what does the supply chain of the cannabis industry look like? Well, first you have your greenhouses and your growth facilities. And now you might be thinking, well, what cyber security things are there? Well, um you have all those IoT devices. You

have the lights um that are, you know, you need special lights to grow uh grow this inside. You know, you need to have certain temperatures. Uh you you know, things need to be cultivated. So yeah, somebody could go in and and shut the lights off if it's, you know, connected and then you've lost all your crops and, you know, then you're out of business. So that's the that's the one concern. And then there's also just like physical people, you know, maybe physically stealing from the the field and stuff like that. So there's a lot of uh physical and uh digital security just even at the beginning with the greenhouses and grow facilities. Next we have the processing facilities.

Same thing. All this IIoT, industrial internet of things, all of those things are connected. These are, you know, these are processing facilities. Things could go down that could, you know, ruin the product. Um, you know, and that that's another thing to be worried about. Storage facilities. Now, this is an interesting one. um you know an HVAC HVAC could be compromised à la Target um because the storage facility needs to be a certain temperature uh 70 degrees Fahrenheit or below is the optimal temperature for storing cannabis. So again if somebody goes in and messes with that wants to do wants to sabotage a competitor they could kill their whole stash by messing with the HVAC.

And next we have transportation. You know, there's there's a boat there, there's trains, there's trucks. Um, you know, that's that's another growing area of of areas for compromise. So, that's another thing. Something could be hijacked. Your you know, your whole value of your your business could be hijacked by something or uh somebody could take control of a train, you know, which is I see that happening. So, next is the dispensaries and the other markets. um you know you have to you have to transport it to there then once it's there is the dispensary physically secure uh are the other markets are these secure are you know are there opportunities for cyber theft or for physical theft and lastly the consumer

and the consumer is important because their PHI and PII are going to be in these cannabis systems especially if it's a medical marijuana license you know are going this is going to be registered with the state. So some people like myself like I wouldn't I'm I'm giving this talk so I don't care that people know that I have the license but not everybody's like that. Some some people might want to keep that private. So there's a a I think there's a lot more cyber security and physical security concerns for this industry that I think people realize and that's what I wanted to show with this this talk. So there we go. All right. physical security threats. Cash rules everything

around marijuana. Thank you. That's not really what it means, but um yes, it is cash only. Um if you've ever been to a dispensary, you'll know a lot of times they'll have a man trap, you know, where you have to go in, wait for the door to close, and then the other one will open. Um there'll be lots of cameras. Uh legally, they can't have the the merchandise out. it has to be, you know, back there. And there's also certain kind of locks you're supposed to have. I've seen all the requirements and it's dizzying. Um, there's like spec very specific locks you need to have for all these. So, also with cash is employee theft. Uh,

it's estimated that 90% of the cash theft at dispensaries is employees. um 10% was um like outsiders like other other like normal robberies type of things. Um but yeah, it's the insider threat is huge and you know when you're dealing with an all-cash business uh and also um supply was also stolen, not just cash. So um so physical security is a really big threat and there but there's also so many requirements for it. Um I just want to tell you a qu a quick funny story. So, I was I was at a dispensary and um you know, a lot of them have like the you know, the frequent user plans and things like that. So, I was trying

to log in on my phone to get the app to come up and I was having a hard time. And long story short, the issue was me. The problem was between me and my my phone. But the woman working at the dispensary said, "Oh, we no wonder you can't get on the app. we have really tight security here and I don't think it'll let you get on the internet. And I'm like, what? And she said something like, "Our windows are really thick and stuff like that." And I was on the internet. It was just that I was using the wrong email to try and log into this app. So, um, of course, I had to make it a teachable

moment and be like, "Yeah, that's that's not the reason why that." And I also was asking her, I was like, "Do you think that the windows are like protecting you from stuff?" and she did. And so, bless her heart, I uh just made it a quick teachable moment. And but that gave me the thought of, well, if the the dispensary employees aren't really familiar with the cyber threats, uh maybe they should be because she was definitely she was trying to be helpful, but she was spouting a lot of um not good information. And uh but yeah, it was just me. I was using the wrong email address. So, that's just another thing that I think is interesting that um I

found that a lot of the the people there, they're not I they don't seem to be very familiar with the the cyber security threats, but whatever. You give me a minute and I'll talk talk to you about it. Whoops. Okay. Um digital security threats, you know, the usual. They're also susceptible to social engineering. I mentioned about PHI. Um again, it's no different than a lot of other industries. is just that you're dealing with an illegal product. But uh I'm going to show you some examples uh in a second about actual cyber attacks that have happened. Um another one of their uh Whoops. I'm going to do that first. Another threat is disinformation. And here's some actual

headlines with their citations. The last one I just love to keep in because it make it makes me laugh. Um, no. Schumer is not seeking to legalize marijuana use and sales on Amtrak. Could you imagine being on Amtrak and going to the cafe car and getting trophies or something? That's crazy. Um, so yeah, so disin misinformation, disinformation, malinformation. Um, that is also a threat. Uh, like this middle one, uh, the misinformation is, you know, is then, you know, uh, causing bills to be created and things like that. So mal-, dis-, misinformation is uh is a threat as well. Okay. So let's talk about some actual cyber incidents. Um so most recently the Ohio marijuana card. Yeah. Uh

unencrypted non-password-protected database had about million records in it and was found. Um and I want to give a shout out to Jeremiah Fowler. I don't know him but uh he seems to be doing a lot of uh good independent research. Uh, so look him up. Uh, he I think he's on this list like twice, I think, for finding for finding things. So, yeah. So, if you're in Ohio and you have a medical marijuana card and, you know, you didn't want your spouse or your parents or somebody to know about it, well, it was just leaked on to the internet because they didn't bother to protect it. Uh, Mars Hydro and LG LED solutions. Okay, so this is an example of the IoT

compromise. industrial internet of things. Um the LG LED solutions, those are like the grow lights that you need in the the grow facilities, the hot lights. Uh so yeah, so this company, they had open databases, they had all that information, 2.7 billion records exposed. And I remember seeing I was when I was doing the research for this seeing lots of articles of of security-minded folks being like hey you know if you have equipment it is vulnerable and you know making it that simple. So yeah the these lights were compromised and as I mentioned before that could kill someone's crop if you wanted to sabotage them. I'm going to say this is called Stizzy. I've never I don't know how three I's

are pronounced. Um, but I don't know if you have anybody ever heard of Everest, the threat group Everest. Uh, they compromised Stizzy um through their point of sale vendor. Um, so that and again, sound familiar. It's not not much different. Um, and again, they're they're getting information out there that some people don't want out there. And lastly, this is an older one, but again, third party. they had a third party compromised uh compromise um they and then Ontario was left without cannabis for a period of time until they got up and running again. So these are four examples and I believe Jeremiah Fowler was also involved with um was involved with one two and three. So that's why you should

look him up but he I think he just does general uh research. I don't think he's specifically to cannabis, but uh yeah, he's been doing great work finding stuff. Okay. So, there's a lot of information out there and I love doing OSINT talks uh and PII talks, but I didn't have a ton of time and there's so much information. I was trying to like wrap my arms around the world. So, I'm just going to kind of give you like the um the amuse-bouche of the OSINT and PII uh just to kind of get you started and give you ideas. But first, I'm going to start off like when you when you look at cannabis, you know,

look at business news, you know, you look at industry news, you look at investors, you know, want to see what are investors in still investing in cannabis and who's doing it, who are some of the big companies that they're investing in because they're probably going to become targets now. Um, and then legal, you know, the laws are are changing. You have to stay on top of that. News in general, that's where you'll you'll pick up on the misinformation, the disinformation, and who are the vendors. Know who the vendors are. Uh, today's vendor may be tomorrow's, you know, uh, victim of a third party compromise. So, it's it's good to know who the players are in the

field and and where, you know, where they're going if you're interested in this this industry. Oh, I see you're taking a picture. I'll I'll hold. Okay. Okay. So, the first thing I'm going to start off with is um you can search for patents using the keyword cannabis, which I've highlighted there. So, why do you want to search for patents? Well, if anybody does competitive intelligence, you might want to see what your, you know, competitors are up to. or if you're just a cannabis aficionado and you want to know what what new things are maybe coming down the pike, uh you can easily go to uh the patent website for the US patent. Um so I just picked

this one randomly. Vaporizers having multiple heating elements. That sounds interesting. Uh so then I actually clicked through it and then I see it's through VPR brands. Oh, okay. So it's not just this guy out here doing it himself. It's this VPR brands. So then I go to EDGAR, the SEC, Securities and Exchange Commission, and find out. Okay. So yeah, there it is. Sunrise Florida VPR brands. Uh you get the former names if you uh I also I think the former name is useful too because you can also see if there was any past um breaches in the other companies. Um and then the the SIC there, the standard industrial classification, there's a number there. If you want to pivot to other similar

companies, you search by the SIC code. I don't that's not cannabis or cyber security related, but uh from my years as a law firm librarian, uh that's a very useful way to to find similar items that you're looking for. Uh and I have the 10K highlighted. I don't if you don't know this already um companies uh that are you know registered with the the SEC uh they have to say when they have a breach a cyber or cyber incident it's going to show up in the 10K. So sometimes if you're wondering like how how does the information get out there so quickly uh even before the company has a chance to respond to a breach.

It's a lot of times because journalists are sitting on top of the SEC database waiting for 10Ks to be filed and scanning it for keywords, which I've learned over the years sometimes uh companies will spell cyber security as two words to kind of throw people off. I know that sounds stupid, but um I've I've seen them use all kinds of uh uh somebody was loving a thesaurus because there's I've seen ones where the terms are intentionally meant to uh not cause panic and fear, but it's like yeah that you got like I know what that means. So that is one way that you can follow a trail to find out what is up and coming

and who's doing it and what you know what else is in store and and also if you're you know curious go to other cannabis companies look up their 10Ks see if they've had any any issues. So as far as laws go I highly recommend NORML um it's it's norml.org/laws because they're they're going to be on top of the changes and it has it's very clearly marked out. So remember I was telling you about 1956 about the fine uh 250,000 and the 2 to 10 years. So yeah, Pennsylvania 30 grams or less is 30 days and 500 bucks. So um that is much better than $250,000. So, I recommend if you want to know what

your state or another state, if you're going on vacation and you don't want want to know what the laws are, don't guess. Don't use AI. Go to a real source. Um, and NORML is one that I trust or just go directly to, uh, you know, whatever the state's you know, website is and look through there. Do not risk this because some of some states are are very strict. And also for international um in another version of this talk I give, I get more into the international stuff. Yeah, don't play with that. Um you know, Jamaica, for example, is cannabis is illegal. Yes, I know they grow it there, but it is illegal. Um and and so so you have to be careful

with that about transport and and laws, but you also want to look at this too. Maybe if you're looking to get a job in another state, you need to know, you know, what their laws are. And again, things are constantly changing. Um, so it's there's so many good reasons to to look up and compare uh what different states have. So some other sources that I recommend to get right to the source of of this uh the American Bankers Association, they have a cannabis banking group. Uh so if if your concerns are regarded to to banking, you know, they have newsletters, they have blogs, they have a site, you know, check out what are they putting out. Uh similarly,

American Bar Association has a Cannabis Law and Policy Committee. So, they're they're going to be on top of the changes. That's a good resource. Uh, American Bar Association, their journal has a cannabis law section of their journal which has lots of good uh stories and information in there. Uh this one I highly recommend you can join. So, you know the ISACs, you know, like different ISACs. This is an ISAO. It's uh the cannabis information sharing and analysis organization. Uh, I believe it's free to join. I'm a member. Um, it's nonprofit. It's a good, you know, community resource. Uh, and there's a lot of, um, I know there's a lot of infosec people in it that because that's

how I found out about it. So, it's uh, it's a good resource. And, uh, lastly, the National Cannabis Industry Association. Uh, they're a trade association, but again, they're the oldest and the largest. And these groups are places where I would trust the material that they're putting out. So, I wanted to share them with you of, you know, try to stop just random Googling and clicking on whatever article and thinking that's the right information. When it comes to something like this, you can't be wrong. Okay? Go to the right sources for it. Okay. So, what's next? Uh, as I mentioned before, we're waiting for the executive branch to move marijuana from schedule one to schedule three. Uh

hopefully that will happen, but I don't know. So, we'll wait and see. Um again, Pennsylvania recreational cannabis for adults might be 2026. I know that the governor is very keen uh to get it passed because if you saw the map before, Pennsylvania is basically surrounded by uh states with with recreational. So, um I I think Pennsylvania will not want to lose that tax money and might get it together. But uh anyway, if you want to track it, those are the House bill and the Senate bill for Pennsylvania if you want to track it. And lastly, the SAFER Banking Act. Originally, it was the SAFE Act and then it became the SAFER Banking Act and that's how you would look it up. Uh that

would that would make the financial segment of the cannabis industry be able to do banking and things like that. Um, but again, that first bullet point really is the major one that needs to happen for a lot of other things to fall into place. So, uh, as I promised, my QR code and link is up there again. Um, these are the ways to get in touch with me. Uh, feel free to subscribe to my blog. I I post uh every Friday, five for Friday, which is five stories from the week. I also on Mondays post what did I miss? It's the uh infosec news from over the weekend. As I say, I paid attention to

the news over the weekend, so you wouldn't have to. Uh and I have a lot more I have a lot of OSINT blogs on there as well. Uh so I must have talked a lot faster than I realized because I have time. But I know that lunch is next. So I also was trying to be very uh courteous and not make you late for lunch. So um that is my talk. Thank you for coming and I'm happy to answer questions.

Yeah.

>> One um do you know what became of uh it was just a drop in the fire, right? Uh the um when they reopened the government after the shutdown, didn't Mitch McConnell try to get something in about uh banning cannabis products? >> Um that that rings a bell. I'm not sorry. I'm not like super on top of like all the breaking news. I'm sorry. Um but but you can use use one of the sources I posted to look that up. That that does sound familiar. But um >> there was this moment where all the stoners I knew were panicking. >> Yeah, there there's some talk about Yeah, somebody was trying brought something forward about banning he uh

hemp. I almost put it that as a slide, but I didn't since nothing really became of it. I didn't know else. But yeah, there there are some people Yeah. trying to make hemp illegal. Um, yeah. So, they're not going to be able to use it as money in Pennsylvania or Virginia or anything. >> What about you mentioned about personal data in particular? Like I was wondering medical >> I'll try. Yeah. >> Does that fall under HIPAA? Like what does fall under HIPAA in terms of end users in terms of like if I go to a dispensary I'm a recreational customer. I'm not protected by Right. Are you? >> Yeah. Well, because also they don't they

don't know who you are because you're just going to go in and you don't have to show any ID or anything, right? >> I do in Maryland. >> You do in Maryland. Okay. >> And this is, you know, you're speaking about the uh educating the bud tenders a little bit like >> bud tender. That was the word I was trying to think of. >> sitting at the counter waiting for business and they still direct me back to a freaking internet kiosk to make an order. And then I put in a fake name, right? Yeah. And then I come up to the thing, they ask for my ID and they're like, "I'll see you in the system. I'm

not putting my [ __ ] in your third party. >> Okay. >> Duh. Right. Sorry. >> Yeah. No, I mean that's a great point. I don't know that I have an answer for it, but um I'm actually surprised that they would give you the product if the name didn't match um >> the ID. >> The that Yeah, that that surprises me that they would do that >> because again, my question just being like would I be better protected with a because I fall under HIPAA regulation and they have a more locked down AWS server somewhere. >> Uh well, no, that was one of the breaches on there though. Uh I'm just I don't know how to answer that

because >> usually I take their take them to the cleaners a little more >> if they violated my rights. >> Sure. >> Okay. >> I'm sorry. You had a question? >> Yeah. Yes. Two quick questions. So you cannabis industry. I saw you talked about more of like you know the recreation and traditional like like pharmaceutical or you know drug side but do you also encompass like textiles doing research facilities verifying the composition >> I well I mentioned this wasn't comprehensive I didn't have time for all that now >> okay so but when we say the industry does it include those elements or like >> I mean this talk was about the legal cannabis industry as a whole and

whatever falls under that there the elements that I showed I picked from this. So yes there are there is there is more to it like I said that's why I said this talk is not comprehensive. I wanted to focus more on like the consumer concerns and the cyber security concerns. So yeah >> one follow question. Um so uh from your experience like who are the entities that are most interested in threat research in this cannabis sector? Is it just >> me? Is it government entities? What was the >> I mean anybody can research an industry. I mean I als I you know I used to work at a law firm. So you you definitely you

would want to do I mentioned competitive intelligence. You might need to do background research. So, you want to look into a company um you know any kind of you know regular business research or I I mean it doesn't I'm not sure how to answer your question. Anybody can do this research and it can be used for all kinds of things. Venture capital companies might want to look into different aspects of the industry to see where to invest. So there's all kinds of practical applications for this. I just wanted to point out the cyber security elements because I don't think that's ever been discussed before, or I'm not aware of any other infosec talk that has covered

cannabis. So that's why I wanted to do this was just to kind of get it out there and get people talking. Okay. Yes. >> Um to your point, not many industries would actually be doing this, especially because it's hard for them to get paid for consulting when it's all cash business. So they have a real difficult time paying other vendors to do anything to have contracts. It's a huge liability for on business. By the way, they've actually

got >> I think he's going to lay down in the parking lot of dispensary and and say you got hit. >> It's not easy money. >> Yeah. >> But my bigger question here is because it's such an underdeveloped industry and everybody so hesitant to help it basically because it's not profitable at a certain point. There's lots of money, it's not profitable, so the bad guys are getting in and getting in there anyway. Um, do you have in speaking with people who are in this this industry, particularly the supply chain, uh, how often have you managed to convince them to patch their >> Oh, I Oh, I mean, I don't work in this. This is >> Let me rephrase

in talking with people who are in the industry and the community or seeing this um not maybe not that I can imagine it be very difficult to have uh those uh people in the industry to care about it versus other things. Have you seen anyone successfully like >> other than myself? I guess not. >> Oh, please go ahead. Go ahead, Kelly. >> Oh, yeah. not universal. I have a friend who used to work for a large

sense, right? But your average >> Thanks for coming. your average operation.

>> Yeah. >> And that's why talking about it more is hugely important, right? And having an informed consumer base who's going to ask those questions like the But other bits were really interesting. Thank you. >> Sure. Yeah. And just and just to share with you like this this talk came about Sorry, I'll get to you in a second. Um this talk came about I was literally floating in my pool and I was thinking um I was trying to think of topics um specifically OSINT that I haven't seen at conferences before. Um and I was brainstorming and all of a sudden it dawned on me. I was like cannabis. I don't think I saw cannabis. So

that that so because of my medical marijuana card, you know, I do so I do have an interest in it. Um because of my curious cyber security mind, I was like, "Oh, I think there's a lot of opportunities here." So really, this is just I like to do research because I'm a nerd. So this was this is all just about yeah trying to spread awareness, trying to highlight it and maybe if somebody does find a job opportunity or research opportunity uh out of it, then great. But yeah, it was this is more just like awareness raising. I wish I had good answers to some of all your great questions. >> I don't smoke, so I have zero exposure

to any of >> and I used to be really like anti- cannabis before and um but I use it for medical and because and I'll I don't mind sharing this. I actually had to switch over to medical marijuana because my doctor's like, "You're gonna kill your liver with all these other painkillers that I needed to take." You know, I wasn't abusing them, but he's just like, "Why don't we look at medical marijuana?" Because he's like, "Your liver is starting to like not >> Yeah. Exactly." So, >> Yep. Yeah. Like I said, it's just funny because Yeah. Like people who know me are like, "You do?" And I'm like, "Well, yeah, because I want to just keep my

liver and do that." Um, I'm sorry. I think you had a question then you had too. >> So, Have you ever talked to So like I know you said you talked to the heads behind the counter. Have you ever talked to like someone? >> No. Um >> let me think. I did talk to the the manager of one of the dispensaries just kind of chatting as I was waiting for stuff. Um I mean he was just like, "Oh, that's really interesting. Then send me your slides and blah blah blah." And that and then I never like heard anything. I mean I wasn't like looking to get a job out of it or anything but for the other side of that um

I don't even know what to call it but like the unregulated like people just >> Oh yeah on the street. Yeah. >> How I've always wondered like how will that flash >> Thank you. >> And I don't know >> uh you know what I I didn't want to touch the I didn't want to touch street drugs so I didn't look into any of that. So I'm >> Well, I would start with the ISAO the the ice. >> Yeah, >> I would try the Thanks for coming. And I'm sorry. You had a I'm sorry. Are you Are you good? I think we have one last question. I Oh, sorry. Hold on one second. Yeah. >> So, in the supply chain and grow,

process, store, transport, and dispense, it seems like grow process and dispense are industry specific, right? But in the storage and transportation, that's where you could use pre-existing. >> Yes, exactly. Yeah. >> Are there are there storage and transportation companies that are specializing in >> cannabis? Yeah. The um the one in Ontario that I mentioned that that third party was specifically their storage. Where was it? The Yeah. Oh, did I not? Yeah, I can. Yeah, there we go. Down there. Yeah, that that was um their their storage facility. Yeah, I'm not familiar with all the names just yet. Are we doing good for time? I got the five and I think you had a question. >> Yeah,

>> first of all, great pres. >> Oh, thank you. >> Oh, great. >> As a fellow, my only question is what's your favorite? >> Oh. Oh. Um, I just know them by their like silly names. >> Yeah. >> Like I like birthday cake. >> Um, there's one like gasoline or something. >> Sour Diesel. >> Oh, that's it. Yeah. Sour. Who said sour diesel? That's a I knew it was gasoline something. >> Um, yeah. I don't know. I I also like the um it's the the CBD THC combo. um that helps particularly for my specific ailments. Um so that's it's it's not I'm not chasing a high for that. I'm just chasing pain painfree. So um the the CBD

with the THC is is really helpful. Yeah. >> Yep. But yeah, birthday cake is awesome. Sorry. Yes. >> Are there any security things that you've seen that the cannabis industry is leading edge on rather than just No, they're no >> new technology. They're all about >> You know what? You know, kudos to you for giving them that that credit, but no, they're they're not. I think we have to cut off now. Uh but no, thank you all for coming. I really appreciate all your great questions. Thank you.