Oregon Audit Finds Need for More IT Staff, Guidance for Regulating Marijuana

A recent audit shows the state of Oregon is lacking the enforcement needed to track illegal sales of marijuana, as well as the IT support necessary to secure the technology regulators use to monitor it.

by Noelle Crombie, The Oregonian / February 7, 2018
Seed-to-sale tracking systems often rely on employees scanning tags attached to marijuana plants. Courtesy Franwell

(TNS) — The Oregon Liquor Control Commission lacks "robust" monitoring and enforcement controls to track the state's $480 million marijuana industry, making illegal sales difficult to detect, a new audit concludes.

The Secretary of State's review raises alarms about how effectively the agency oversees the flourishing marijuana market in Oregon.

The report comes as Oregon finds itself in the federal crosshairs for its role as an illegal exporter of cannabis to other states. Just last week, Billy Williams, the U.S. attorney for Oregon, convened a summit to discuss the illicit marijuana trade.

Gov. Kate Brown, a steadfast defender of the industry, told Williams and others at the summit that the state has focused on instituting "extensive safety and tracking measures." In a letter last year to U.S. Attorney General Jeff Sessions, Brown highlighted the state's tight regulation of the burgeoning market.

But the audit, made public Wednesday, found that while the information systems themselves function well, monitoring and security are inadequate. The report cited a host of problems — from not enough inspectors to a reliance on marijuana businesses to report their own data.

Auditors, who also uncovered errors and outdated information in the agency's tracking systems, made 17 recommendations for improvements and noted that the liquor commission "generally agreed" with the findings.

"Until these issues are resolved," auditors noted, "the agency may not be able to detect noncompliance or illegal activity occurring in the recreational marijuana program."

They questioned the agency's practice of allowing Oregon's nearly 1,700 licensed marijuana businesses to self-report highly detailed information, including the number of plants in a grow operation and the weight of each harvest.

In a letter to the state's audits division, Steve Marks, the liquor commission's executive director, said the agency is following up on "all aspects" of the audit.

Marks on Wednesday called the audit "very helpful" and said the state's regulatory system for marijuana is "a work in progress."

"It's our highest value to stop black market diversion, to create a good consumer market," Marks said, adding that the agency has so far referred to police about 100 cases of potential criminal violations by marijuana businesses. "Those are fundamental to our mission. We have been building out staff and systems to do that."

Added Marks: "You are not going to magically move from zero to complete control over a new emerging industry in a short period of time."

It is the first audit of the systems that the liquor commission uses to regulate cannabis.

The agency last year sought money to hire an information technology officer, but lawmakers denied the request. Marks said the agency will again ask the Legislature for $197,000 during the current session to fund the position.

In addition to identifying numerous technical problems, auditors concluded that the liquor commission doesn't have enough inspectors to make occasional on-site visits to licensed cannabis businesses.

The agency has 23 inspector positions; 18 are filled. Auditors said Oregon fares poorly compared to Alaska and Nevada, where there's one inspector for every 18 marijuana licenses. In Oregon, auditors estimated that the state has one inspector for every 83 pot businesses.

"Until investigation standards and protocols are developed and a sufficient number of staff are trained, OLCC will not be able to perform needed on-site inspections with sufficient guidance and scrutiny to ensure marijuana businesses are complying with the law," auditors wrote.

Marks said the agency is budgeted to deply one inspector for every 100 licensed businesses, a ratio similar to states like Colorado and Washington, both home to legal marijuana markets. The agency employs one inspector for every 400 liquor licenses, said Marks.

The Secretary of State's Office identified a wide range of what it described as "significant weaknesses" in the agency's security practices related to Internet technology, including relying on a decade-old security plan and the failure to keep track of the hardware and software used by employees.

It also slapped the agency for failing to protect servers and workstations from viruses and malware, saying the lapse "significantly increases the risk that OLCC systems and its data could be compromised."

Auditors also called out the liquor commission for failing to perform "due diligence" on companies it hired to help license marijuana businesses and track cannabis at various stages.

For instance, they noted that the liquor commission failed to confirm that one of the companies, Florida-based Franwell, meets minimum security standards.

The company helped develop a seed-to-sale system that tracks the movement of marijuana among growers, processors, wholesalers, testing labs and retailers. The process is intended to ensure marijuana isn't diverted into the black market. Data about Oregon's marijuana businesses — from plant counts to retail sales figures — are stored on Franwell's servers.

The state so far has paid Franwell $1.8 million for its services, said liquor commission spokesman Mark Pettinger.

Auditors said the lack of assurance that the data hosted by Franwell is safe from disclosure or changes is "particularly significant" because the information is essential to regulating the marijuana industry.

The audit points out that the liquor commission has a history of "ineffective action" in response to security problems with its computer systems. Auditors said two outside reviews and one internal audit identified numerous problems, most of which weren't addressed.

"These long-standing issues significantly increase the risk that OLCC's network, systems, and data could be compromised," the audit notes. "While multiple individuals have responsibility for the IT systems and processes associated with these weaknesses, we found that OLCC lacks clear leadership and direction for its IT department."

©2018 The Oregonian (Portland, Ore.) Distributed by Tribune Content Agency, LLC.