Report: OLCC Has Problems With Security, Tracking Of Recreational Cannabis Industry

By Ericka Cruz Guevarra (OPB)
Portland, Ore. Feb. 7, 2018 6 p.m.
Edibles are displayed at the Shango Cannabis shop on the first day of legal recreational marijuana sales beginning at midnight in Portland, Oregon, Oct. 1, 2015.

Edibles are displayed at the Shango Cannabis shop on the first day of legal recreational marijuana sales beginning at midnight in Portland, Oregon, Oct. 1, 2015.

Steve Dipaola / Reuters

The Oregon agency charged with regulating the sale of alcohol and recreational cannabis has security issues that put its computer systems at risk of being compromised, potentially disrupting the agency’s business processes.


An audit of the

Oregon Liquor Control Commission


conducted by Secretary of State Dennis Richardson’s office found IT security issues that “significantly increase” the risk of compromise to the OLCC’s computer systems, including the lack of an agency-wide IT security management program.

“We are taking immediate action to obtain the necessary approvals to help us remedy issues as rapidly as possible,” Steve Marks, executive director of OLCC, said in a letter responding to the audit. “As resource stretched as the agency is with the high profile implementation of the marijuana program and improving overall IT management, we look forward to a complete marijuana program performance audit in 2018.”

The audit comes at the heels of a meeting hosted by U.S. Attorney for Oregon Billy Williams on

how to regulate legal marijuana

under the Trump administration.

In January, U.S. Attorney General Jeff Sessions lifted an Obama-era policy that took a hands-off approach to federal enforcement of cannabis laws, allowing federal prosecutors to decide how aggressively to enforce federal marijuana laws in states where it is legal. Williams has said he would do something about cannabis overproduction and diversion in Oregon.

Soon after voters legalized recreational marijuana in Oregon, lawmakers signed into law a bill that charged OLCC with regulatory oversight over the new industry, granting it authority to implement systems for marijuana licensing, tracking and rule-making.

The audit found problems with those tracking systems, in addition to an insufficient number of trained compliance inspectors that, according to the audit, inhibit the agency's ability to monitor recreational marijuana in Oregon.

"Until these issues are resolved, the agency may not be able to detect noncompliance or illegal activity occurring in the recreational marijuana program," the audit said.

Problems with OLCC's reporting system include: a self-reporting process for licensed cannabis businesses that allow them to input their own product inventory and sales data; no standard unit of measurement for marijuana weight in the system; a lack of established standards or baselines for data analytics and compliance monitoring; and a lack of protocols and trained staff to perform on-site inspections.

As for OLCC's IT security management practices, the audit found several weaknesses. For example, management at OLCC has not developed processes to identify IT security vulnerabilities and the agency's antivirus solutions are not effectively managed.

"Without robust device configuration management and monitoring, OLCC staff are less likely to detect unauthorized changes to critical security parameters," according to the audit. "Unauthorized changes to these configurations could leave affected devices vulnerable to internal or external attack or compromise."