Application Spotlight: Securing Missouri’s medical marijuana market

Application Spotlight: Securing Missouri’s medical marijuana market

 

Data and security will impact every medical marijuana facility. Not only does security represent a large percentage of scoring on facility applications, but the rules are also clear and strict on what is expected to be available at all facilities. The concept of data may seem pie-in-the-sky, but advancements and strategy have made following and exceeding the rules in an effective manner a realistic and accessible goal.

To better visualize what kind of security Missouri’s medical marijuana industry is looking at, Greenway Magazine spoke to three gentlemen who focus on security: Kevin Ellison, CEO at CST Solutions; Mac Johnson, CPP from Ceres Management Group; and Matt Buydos, a sales representative from Elliott Data Systems.

Security systems themselves have developed greatly over the last decade, implemented primarily for safety and liability purposes. With the advances in analytics, Buydos said systems themselves are proactive.

“Even though you may not have someone staring at a monitor of live video, with analytics, unusual motion or activity can trigger alerts to direct attention,” Buydos said. Video surveillance is vital for auditing purposes and overall state compliance.

A variety of programs and equipment can make an effective system seem unattainable.

“Security for a commercial business of any type is way more complex than most people think,” Ellison said. “The good news is that it is a very mature industry and any possible issue has been solved, it just may take experience in other industries to know how similar issues have been dealt with. When selecting a security company, two things have to be at the top of the list; 1) It needs to be a Missouri based company because those of us in Missouri know the regulations and the history behind them, 2) The company needs to have experience in more than just cannabis.”

The rules specify a variety of equipment, starting with a monitor and cameras. Cameras must capture footage in 1920×1080 pixel resolution at a rate of 15 frames per second in all lighting levels with remote access for the state and law enforcement in real time, upon request.

The cameras must cover all entrances and exits – including windows, the perimeters, and exterior, including at least 20 feet of space around the perimeter of an outdoor grow area, all point-of-sale locations, vaults and safes, and all marijuana itself – from two angles – where cultivated, cured, trimmed, processed, rendered unusable, and disposed.

Sixty days of footage must be able to be stored on- or off-site with on-demand recording access. Copies of recordings must be able to be provided upon request – and at the expense – of facilities. What would have been a room of servers less than two decades ago for that much footage from the specified equipment is now able to be physically stored in less space than a computer CPU tower.

“It will require about 50 Terabytes of storage and cultivation will be roughly 200 Terabytes,” Ellison said. “A lot of retailers have similar requirements so most camera manufacturers have storage device the size of a large desktop computer that can hold that much video.”

Additionally, Ellison said the regulations allow virtual – “cloud” – storage.

“We feel that it is preferable because it allows keeping the critical video off-site in case there is any physical building destruction such as a fire or natural disaster,” Ellison said. “Using cloud storage though does require a large internet connection which is not always an option.”

The rules specify notification to be set up in the event of failure – both audible and visual. Additionally, facilities must have battery backup capable for cameras and other equipment for 60 minutes in the event of a power outage.

All external doors must be equipped with a locking mechanism in the event of power failure.

A way to immediately and automatically alert local law enforcement of a breach in security is required, in addition to a manual, silent alarm at point-of-sales, reception, vaults, and the monitoring station able to immediately notify local law enforcement in the event of an unauthorized facility security breach.

Buydos said modern systems can take video, controlled access, and notifications a step further by using integrated products.

“Look for integrated products,” Buydos said. “It allows facilities to have a more proactive approach when it comes to compliance, safety, and auditing.”

Buydos shared that modern systems can have programs that work together in a way that controlled access cards will trigger video recording logs so that every card swipe has an image. Additionally, if integrated further, a system can recognize if a person swiping a card to gain access is indeed the authorized person.

“Find out what their integration capability with other platforms,” Buydos said. “We always suggest, rather than put all our eggs in one basket, to look at products that integrate with other parties.”

Buydos said that it isn’t always about the top of the line across the board, but what works best together to provide a top of the line system as a whole. “Picking an integrator that has a strong product portfolio is super important.”

Systems can also be designed to track contractors and visitors separately from employees through electronic logging. This can go a step further, allowing users to input into a “banned” list in the event a former employee, or even a former contractor, is terminated and attempts to seek access to a facility.

Though the security section of the rules doesn’t specifically talk about audits, other parts of the rules do. With required seed-to-sale tracking and live updates to the state, this state’s medical marijuana market will be a tightly closed loop system focused on limiting diversion to the black market. The security rules in-place set up a great environment for a quick and efficient audit of inventory – and of the workings of a security system.

“We treat security audits as a task similar to how mechanics handle engine rebuilds,” Ellison said. “We will check and test every sensor, every camera, and every access door module to make sure that every single piece of equipment works 100%. The security system we sell has a test feature that allows us to create a report for everything that passed as well as everything that fails.”

   

Overall, working with a security company to develop an overall strategy is vital – not only for compliance but for customer and employee safety.

“Employees and customers have to be a top priority and have to always feel safe,” Ellison said. “The best way to do that is by making the facility unappealing to criminals. My security background is working with large companies such as banks, national retailers, etc. How many people try to break into casinos every year vs. convenience stores? Casinos have learned how to give the impression that the risk is not worth taking the chance. Because of this I always start with asking myself ‘what about this facility would be the most intimidating in regards to breaking in?’ I enhance what will be intimidating and make sure that any weak areas look extra fortified. That means putting cameras in the places that criminals will look, it means making sure every employee knows the product vault would take over an hour to break into, and it means using the right equipment. Most people don’t know that there is a camera that can detect concealed weapons using radar, and those cameras have a distinct colored ring around the lens. Anyone thinking about robbing a dispensary will know about the color ring and seeing it in the dispensary serves as a good indicator that the security company is already watching them.”

This strategy is vital to execute in real life – and to communicate on facility applications.

“The security section of your application holds immense weight as reviewed and scored by DHSS. All of the expertise and detail that goes into the rest of your submission should be reflected in equal measure in your security plan,” Johnson said. “From a business continuity perspective, it is vital that ownership groups leverage third-party security consultants throughout the development, integration, and perpetual implementation of full-spectrum security programs. This ensures deliverables from vendors (guards & technology) are up to standard and offered at a competitive price. These professionals should also be able to provide risk reduction inputs to your insurance brokers and/or underwriters to maximize savings from a risk transference standpoint.”

Johnson said different facilities will have different security demands to consider.

“With the integration of regulated product tracking measures, such as the Metrc system approved here in Missouri, we are now seeing attempts to offset the risks of theft and diversion by establishing accountability at every point of transfer. This helps assign accountability through the supply chain, but it does not provide accurate tracking and management of harvest yields from plant to package at the point of origin. This means that the weakest link in the chain is the cultivation site based on ease of access and lack of product accountability prior to transfer. However, many Marijuana Infused Product (MIP) manufacturing sites will likely be co-located with cultivation sites. Without a sufficient effort to compartmentalize the two operations, the risk shifts significantly to the MIP site.”

But why?

“Stealing $10,000 in raw flower cannabis poses a logistical problem that stealing $10,000 in extracted compound simply does not,” Johnson said. “Without having a verifiable change of accountability, the risk of theft/diversion from MIP sites increases drastically. On a Venn diagram, this would be a crossing point between value per volume, and ease of access. Mitigation efforts would need to start with implementing a total change of accountability between the cultivation site and the MIP manufacturing site to ensure the refined flower harvest can be measured against an estimated extract yield.”

The loss could shut down a business for an undetermined amount of time.

“Compartmentalization measures are especially important for fully integrated operations upon loss of accountability of product,” Johnson said. “Inability to identify the exact origin of a product loss within the allotted 24-hour reporting period could result in an ‘all-stop investigative audit’ essentially halting the entire supply chain until the loss is accounted for. This type of disruption could end up costing groups not only tens of thousands of dollars in lost production and sales but possibly their operating licenses.”

The seriousness of security cannot be understated, which can be made or ruined by going with the right company for a facility – and the choice of a security provider goes beyond just providing a system. Ellison said this is a heavy consideration for CST.

“Our goal is to be the one company that customers need to call for any technology and security needs,” Ellison said. “Each of us has at least 25 years of experience in our respective fields and in that time we have gained a lot of real-world knowledge, but we also have built relationships with other companies that we have worked with in the past. Any areas that we do not have expertise in ourselves, we have partner companies that we reach out to so they can help us. For example, I have never installed razor wire, but I know the best fencing company in southern Missouri that I call anytime we need a high-security fence. It still is one call for the customer so they can focus on the rest of the business.”

Not only will every facility have to implement a complex security system, but all facility employees are also required to be trained.

“The training is broken up into three pieces,” Ellison said. “The first is education for employees on what to do when something does happen. We want the employees to know what to do and what to expect. Second, we train on the various aspects of the system and the protections that are in place. Third, we train the employees on being vigilant outside of work and to not discuss anything that might be of interest to criminals such as the system, cash and product storage, and other potentially compromising details.”

Johnson stressed that successful security implementation is something that a facility’s whole staff must understand and take seriously. Security isn’t a rule to check off, but a check off to a well-run business.

“Security is a team effort. Even a well-trained and dedicated security professional requires constant interaction with business operations, and communication from all levels of functioning staff,” Johnson said. “As with all regulated markets, security must be viewed as an asset essential to operations, not an overhead expense essential to your baseline compliance. That said, all security programs are not created equally. It is important to know where and when to spend, and to save.”

Being mindful and deliberate about what staff does, and how, is vital.

“One key thing to note in the regs is that the security manager is responsible for making sure the security is implemented and maintained, but that same person doesn’t have to perform the work,” Ellison said. “We have customers that are big enough to hire a full time dedicated security manager, and we have other customers where an owner serves as the security manager and CST performs all of the actual work while providing constant communication to the security manager.”

The biggest threat to any facility? Internal theft. Staff is not only the first step in having a secure store, but they can also be responsible for a store’s failure.

“Just like the ‘invisible hand’ theory in market economics, illicit trade also manifests itself based on two main inputs; transferable value, and accessibility,” Johnson said. These metrics allow security-risk analysts to identify weaknesses and develop plans to mitigate the risk that those weaknesses will be exploited. Unlike most other industries where raw materials with a closed market value eventually converge to make an openly valued end-product, cannabis holds openly transferable value at every stage from seed to sale. A successful criminal enterprise would understand this and search for the most vulnerable point within the supply chain.”

There is plenty to know for facility applicants and staff, but what about the patients? These systems are incredible orchestrations of technology, but not systems most patients will be unfamiliar with on the consumer side, Johnson said.

“Patients should use the same personal security measures implemented when picking up prescriptions from the pharmacy, or money from the bank: Pay attention to your surroundings, busier operating hours aren’t always a bad thing, and don’t hesitate to ask site security to keep an eye on you on your way to your car.”