Home Posts tagged threats
Law

Risky Business

By Michael Roundy and Scott Foster

 

Michael Roundy

Scott Foster

Scott Foster

Running a business in the legalized cannabis space is something in which hundreds of owners around the Commonwealth are now engaged. On most days, the fact that cannabis remains illegal federally is not on the top of the minds of these owners. However, a recent decision by the First Circuit Court of Appeals reminds us that the cannabis industry is not entirely free of the risks of federal prosecution and provides useful guidance on how best to avoid those risks.

Maine legalized medical marijuana in 2009, subject to stringent conditions and governed by detailed regulations. While state law permitted the medical use of marijuana, the federal Controlled Substances Act does not. However, each year since 2015, Congress has attached a rider to its annual appropriations bill that prohibits the Department of Justice from using appropriated federal funds to prevent any of the states “from implementing their own laws that authorize the use, distribution, possession, or cultivation of medical marijuana.”

In United States v. Bilodeau and two related cases, the two individual defendants and the companies they owned operated sites in Auburn, Maine, where they grew marijuana purportedly for use as medical marijuana. The operations were carried out under the color of facially valid paperwork as a Maine Medical Marijuana operation, and state inspectors found the site to be in compliance with Maine’s law.

Following an investigation by federal law enforcement, the defendants were indicted for knowing and intentional violation of the Controlled Substances Act. The government asserts that the illegal marijuana-distribution operation merely used the Maine Medical Marijuana program as a cover for its illegal, black-market marijuana operations, which included distribution of marijuana to individuals in several other states who were not qualifying medical-marijuana patients under Maine’s law.

“On most days, the fact that cannabis remains illegal federally is not on the top of the minds of these owners. However, a recent decision by the First Circuit Court of Appeals reminds us that the cannabis industry is not entirely free of the risks of federal prosecution and provides useful guidance on how best to avoid those risks.”

The defendants challenged the prosecution on the grounds that the government was prohibited from using federal funds to prosecute them, because of Congress’s appropriations rider, and sought an injunction from the District Court. The court denied the request because the Maine medical-marijuana law did not authorize the sort of conduct alleged. The defendants appealed.

The Court of Appeals considered the arguments raised by both parties. The government advocated for a view of the appropriations rider that would permit any prosecutions unless the defendants were in full, strict compliance with the state’s medical-marijuana laws. Any minor non-compliance would bring the case outside the rider and permit the Department of Justice to prosecute.

The court rejected this approach, finding that federal prosecution would hang as a sword of Damocles over participants in Maine’s medical-marijuana market, ready to drop at the occurrence of any minor, “even tiny” non-compliance or unintentional violations, and would likely deter market participation, which might also lead the state to water down its regulatory scheme and otherwise serve to thwart the state’s implementation of its laws relating to medical marijuana.

The defendants argued that the rider should prevent prosecutions of those who have valid state licenses to participate in the state’s medical-marijuana industry. The court rejected this other extreme as well, concluding that Congress did not intend the rider to create a safe harbor for blatantly illegitimate activity outside the scope of the state’s own medical-marijuana laws, merely because the defendants possess facially valid documents.

The court thus rejected the approach advocated by both the government and the defendants. The court adopted a middle-ground approach and declined to define its precise boundaries. It found that the conduct in the case at hand was clearly aimed at supplying marijuana to persons “whom no defendant ever thought were qualifying patients under Maine law” and that the medical-marijuana licenses were façades for such unauthorized sales.

The court also noted that Maine’s own medical-marijuana law expressly criminalized distribution to those not authorized to possess marijuana (medical patients) under the law. As such, federal prosecution for such conduct was considered unlikely to have any unwelcome effect on Maine’s implementation of its medical-marijuana laws. The Appeals Court therefore affirmed the District Court’s denial of an injunction, and the prosecution is permitted to proceed.

What this decision does not do is provide sufficient clarity for Massachusetts operators or regulators, especially around the question of what degree of non-compliance with the Massachusetts regulatory scheme may expose Massachusetts operators to federal prosecution.

While it seems unlikely that mere technical violations would lead to federal prosecution, could an operator faced with a summary suspension order (which occurs when there is “an immediate threat to public health, safety, and welfare”) find that not only is their license suspended, but they now face federal prosecution as well? Hopefully the Cannabis Control Commission will take this potentially serious threat into consideration as they weigh future enforcement actions in Massachusetts.

 

Michael Roundy and Scott Foster are both partners at Bulkley Richardson and members of the firm’s cannabis practice.

Cybersecurity Special Coverage

Risk and Reward

If the COVID-19 pandemic has taught businesses anything, it’s that employees, in many cases, can do their jobs from home — which can, in theory, lead to cost savings. But also expenses — the type of expense that, if ignored, can lead to much bigger losses.

We’re talking about data security. And what remote workers need depends, in many cases, on how long they plan on staying home, said Sean Hogan, president and CEO of Hogan Communications in Easthampton.

“We have some clients investing in the home office and planning on shrinking their bricks and mortar, so they’re going to save money on bricks and mortar or the lease,” he told BusinessWest. “But then they have to invest in bandwidth and security for the remote office. It’s a huge issue.”

And a sometimes messy one. In a shared workplace, Hogan noted, “you might have great security, firewalls, routers, you have security installed, you make sure all the security is updated, you constantly have the latest patches and revisions.”

But working from home poses all kinds of issues with the unknown, the most pressing being, what programs are running on home devices, whether those devices are loaded with viruses, and whether they can infect the company’s servers when they connect remotely.

“We’re trying to control security at someone’s own bandwidth at the house, where three, four, or five people may be trying to jump on at the same time,” he added. “It’s not shaped at all; it doesn’t prioritize any applications or traffic. Now, there are ways to do that — we can install SD-WAN software that allows us to monitor the connection and prioritize traffic like Zoom, Microsoft Teams, or GoToMeeting. That way, you don’t have everyone breaking up and having issues.”

Sean Hogan

Sean Hogan

“We have some clients investing in the home office and planning on shrinking their bricks and mortar, so they’re going to save money on bricks and mortar or the lease. But then they have to invest in bandwidth and security for the remote office. It’s a huge issue.”

But that doesn’t solve the issues of security holes in the home wi-fi — which have weaker protocols, allowing hackers easier access to the network’s traffic — as well as the human element that makes workers vulnerable to phishing scams, which are the top cause of data breaches, and insecure passwords, which allow hackers easy access to multiple accounts in a short period of time.

“The Internet has become the Wild West over the last 10 years,” said Jeremiah Beaudry, president of Bloo Solutions in Chicopee, starting with scam e-mails — from phishing attacks to realistic-looking but nefarious sites that try to wrench passwords and data from users and install malware on their computers.

“I get e-mails from clients three or four times a day — it used to be once or twice a week — saying things like, ‘I got this e-mail asking me to wire money to a client,’” he noted. “You can’t stop people from pretending to be someone else, and the language is getting more and more clever.”

That combination of possibly flawed technology and human errors make the home office a particular concern in the world of cybersecurity.

“Nobody has the exact answers right now for how to make the most secure connection at a remote office,” Hogan said, adding that going to the cloud has been an effective measure for many businesses, while others have taken the more drastic step of setting up physical firewalls at remote sites for key employees — say, for the CEO or CFO. “We’ll lock them down if they’re actually connecting to files and servers that are really confidential.”

Possible solutions are plenty, he said — but it all begins with knowing exactly what equipment remote employees are dealing with, and what threats they pose.

Viral Spread

COVID-19 isn’t the only fast-spreading infection going around, Hogan said. In fact, “45% of home computers are infected with malware. That’s an eye opener for many people. It’s a huge issue, and removing it is a huge challenge.”

One problem is the human element — specifically, how users invite threats in by not recognizing them when they pop up. Take the broad realm of phishing — the setting in which people receive such pitches can actually make a difference in how they respond, Beaudry said.

“It’s harder to sift through it when working from home; it’s not natural. You’re out of your element when you’re sitting at our desk in your pajamas, as opposed to being in your office at work. You may not be reading your e-mail as carefully as you normally would. You may not be on alert.”

A big piece of the puzzle is end-user awareness, he said. “You want to have your employees educated about what’s out there, so they know how to spot forgeries.”

Alex Willis, BlackBerry’s vice president of Sales Engineering and ISV Partners, recently told Forbes that companies trust their employees to do the right thing, and workers are generally honest, but trust can be a dangerous thing.

“The problem with just trusting people is that employees don’t always do this on purpose,” Willis said. “Sometimes, it’s just purely unintentional. They are working on a home machine that’s riddled with malware. They need access to corporate data. For instance, if the company issues a slow laptop to an employee and the employee has to get their job done, they are going to use their home computer that is faster to do the job. In that scenario, the home computer might not be as secure.”

Jeremiah Beaudry

Jeremiah Beaudry says home networks aren’t typically built to run as efficiently — or safely — as those in a workplace.

Again, it’s that issue of the unknown, Beaudry told BusinessWest. “You don’t know what they have going on with their home networks. We didn’t set up the home connection, we don’t know what they have, and everyone has different people on it. Some are borrowing it from their apartment complex or sharing it with the neighbors, and they expect the internet to work perfectly. It’s not going to.”

In an office, on the other hand, everyone is using the same network, running at the same speed, with the same level of security and firewall protection. “Then, when they go home, there are so many variables.”

The best-case scenario is to give employer-owned devices to employees so they can remotely manage information.

“You can put antivirus on an employer-owned device; when they’re using their own devices, you don’t know what they’re doing to protect it,” Beaudry added. “And if the employee is laid off or fired, you would have the ability to control any employer-owned data.”

At the very least, he said, companies should encrypt the traffic between their network and individual users’ home computers.

“We put monitoring agents on remote clients that monitor for any viruses or malware and will update their antivirus and malware protection in some cases,” Hogan added.

Vigilant Approach

None of this completely addresses the speed and efficiency issues of home devices. “Usually, in a home office, they pay for their own bandwidth, and the business can’t say, ‘we don’t want your kid playing Fortnite,’” Hogan said. “That’s the challenge.”

“I get e-mails from clients three or four times a day — it used to be once or twice a week — saying things like, ‘I got this e-mail asking me to wire money to a client.’ You can’t stop people from pretending to be someone else, and the language is getting more and more clever.”

“Some clients will pay for a second, business-only connection for remote workers, he added. “But that’s pretty extreme; not many are doing that.”

More popular — and effective — is the move to a virtual environment. Working in the cloud, he noted, means not worrying about the hub-and-spoke relationship between physical servers and computers that’s the biggest weak point for security. “Most of my clients have eliminated that weakness.”

For some clients, the cybersecurity issue is especially critical — take medical businesses, for whom privacy is paramount in the HIPAA era. “That changes the game completely,” Hogan said, noting that one resource for companies handling sensitive data is a SOC, or security operations center.

“Clients who really value security can sign up with a SOC team that responds in case of a breach,” he explained. “It’s a lot of monitoring, detecting, and responding.”

Delcie Bean, CEO of Paragus IT, said any investment in platform migration and remote work has to be accompanied by investment in strong security tools — and education.

“The legacy tools and technologies used to secure networks for the past 10 years need not apply for this next wave of mobile workers,” he told BusinessWest. “Security of the future will be a lot more about multi-factor authentication, deep encryption, and will involve a lot more end-user training as well as testing than the command-and-control style approach of the past.”

Hogan agreed. “Password management is so massive,” he said, noting that people resist simple protections like multi-factor authentication, or even just using complicated passwords, or different passwords for different sites.

“We are also dark-web monitoring pretty consistently,” he added. “The dark web has been on fire lately — a lot of breaches.” Once data fall into those hands, the damage is done, he added, “but the important thing is to know what got breached, and if you can tell what credentials are out there, so you can change them.”

The bottom line, Beaudry said, is to make sure employees use unique passwords and encrypt connections remotely, and not using tools that are potentially vulnerable.

“And there’s a long list of tools known to be exploited by hackers, so it’s good to check with an IT professional before using any remote desktop method,” he added. “Some methods require you to open firewall ports that can leave you vulnerable to ransomware and all sorts of awful data breaches. The main thing is to make sure your firewall is locked down and no unnecessary ports are open, and you have backups of all data.”

That’s a lot to consider when moving into an era of expanded remote work — some of which comes at a cost. But the cost of ignoring it is much higher.

Joseph Bednar can be reached at [email protected]

Technology

Into the Breach

Cybersecurity experts say there’s still plenty of misunderstanding when it comes to the reality of data threats. For example, it’s not just big companies being attacked — these days, everyone is a target, and data thieves are becoming more subtle and savvy with their methods. That means companies need to be more vigilant — but it also means career opportunities abound in a field that desperately needs more young talent.

Everyone knows what cybersecurity is. Fewer know what people who work in the field actually do — and how much they earn.

And that’s a problem, Tom Loper said, when it comes to drawing young talent into a field that desperately needs it — and will need it for many years to come, as the breadth and complexity of data threats continue to evolve.

“That’s why we need to start with the high-school students,” said Loper, associate provost and dean of the School of Science and Management at Bay Path University. “They don’t really understand cybersecurity, and that’s a big problem because we have this incredible shortage of folks qualified to work in cybersecurity.”

Bay Path is doing its part, he said, not only with two undergraduate programs in the field and a graduate program in cybersecurity management, but by actively promoting those tracks to incoming students with undecided majors.

“We allow them to take cyber courses that first semester just to try it out, and the whole faculty is steering them toward it because the pay is so good in this field. Most of the ones who take it, believe it or not, they stay in that field,” he said, noting that about 90 students are currently enrolled in the three programs. “That’s a pretty good number for a small school like this. Now, we’re trying to get more high-school students to understand.”

“Companies are becoming more savvy. They’re asking, ‘how protected am I?’ The word’s getting out there, but unfortunately, it’s getting out because someone hears that a friend or another company got attacked.”

Loper said Bay Path’s programs are tailored specifically to the requirements of various cybersecurity careers, so students can get entry-level jobs immediately and go on to earn whatever further industry certifications they may need. “We have graduates making $60,000 to $80,000 coming out of school with these degrees. And if they get some experience before graduation, they’re worth even more.”

Tom Loper said cybersecurity is a complex challenge best tackled from a region-wide, ‘ecosystem’ perspective.

To that end, Bay Path recently won a grant from the Mass Cyber Center at MassTech to support internship and workforce experiences for students. That’s just one aspect, he said, of the way the region can build a cybersecurity hub from what he calls an “ecosystem perspective,” one that encompasses high-school and college students, workforce-development programs, government agencies, and business sectors where cybersecurity is important. These days, that’s most of them.

“Companies are becoming more savvy,” said Mark Jardim, lead engineer at CMD Technology Group in East Longmeadow. “They’re asking, ‘how protected am I?’ The word’s getting out there, but unfortunately, it’s getting out because someone hears that a friend or another company got attacked. But they are calling us and saying, ‘how can we be more protected?’”

Chris Rivers, vice president of Phillips Insurance in Chicopee, agreed that more companies are coming around to the threat potential.

“It sometimes depends on whether they’ve had an incident or a near miss,” he said, adding that, while people may hear news reports about data breaches at large companies, no business of any size is totally immune.

In fact, “smaller businesses tend to have less security, and sometimes it’s easier for hackers to get in there, taking credit-card information or any type of information, really. Think of a law office, and the risk of private information being taken and used against clients.

“Things we’ve preached over the years still hold true — they just keep changing the vector of attack. And the damage to smaller companies is more significant because they often don’t have the resources to deal with it, and it’s painful.”

“If you have a breach and data is stolen,” Rivers added, “it can get pretty costly.”

Data security has become a primary form of business insurance at all commercial agencies, but a policy to recover damages, even a comprehensive one, isn’t enough; the long-term brand damage, Rivers noted, is much harder to quantify. “Once your reputation is gone, it’s gone.”

The fact that businesses are catching on to this reality, combined with high-tech advances that will making defending against cybercrime more challenging, has created significant opportunities in what promises to be one of the most important career fields over the next decade.

Human Nature

Charlie Christianson, president of CMD and its sister company, Peritus Security, said data breaches cost companies $11.5 billion in 2019. And the threats come in many forms.

“Things we’ve preached over the years still hold true — they just keep changing the vector of attack,” he told BusinessWest. “And the damage to smaller companies is more significant because they often don’t have the resources to deal with it, and it’s painful.”

The human element to data breaches is still prominent, as e-mail phishing schemes remain the number-one way cybercriminals gain access to networks. These often arrive with URLs that are very close to a legitimate address. More importantly, phishers are ever-honing their ability to replicate the tone, language, and content of the supposed sender.

“They look incredibly realistic,” Christianson said. “A week doesn’t go by where we don’t get one and say, ‘wow, this looks good.’ For people who don’t live it every day, it can be very easy to fall into the trap. The trick is to just stop and think about it before you click on it.”

These attacks are more specific and targeted in the past, he went on, but they’re not the only way data thieves are getting in. Another is through employees’ personal devices, which don’t typically boast the security features of a large corporate system.

“Devices are hit and used to launch an attack, or they’re infected and brought into a secure environment. What’s on that device can get into the corporate network and spread,” he explained, which is why many companies have tightened up their BYOD (bring your own device) policies.

“That’s slowing down as businesses are becoming aware of the risk,” Jardim added. “We’re actually seeing a trend of slowing down the bring-your-own-device idea in the workforce; companies are saying, ‘maybe we shouldn’t do that because attackers are using those vulnerabilities.’”

The trend known as the internet of things, or IoT, poses new threats as well, Christianson said.

“When people think about securing their network, they think about their computers, their servers, their tablets, things like that. But they don’t think about the SimpliSafe security system or the time clock that hangs on the wall or the voice-over-IP phone system they use every day. You have all these devices that aren’t being maintained — they just let them run.”

He knows of one company that was attacked through its security-camera system, and said segmenting networks is one way to minimize such a threat. “That shouldn’t be on same network as your finances.”

The defenses against breach attempts are myriad, from password portals and multi-factor verification of online accounts to geoblocking traffic coming from overseas.

“A lot can be done with training,” Christianson said. “The most important thing you have in your business is your people, and educating people how to act and what to do when they see something — to make your staff savvy — is one of the most beneficial things you can do.”

Mark Jardim (left) and Charlie Christianson say cybercrime is constantly evolving, and so must the strategies businesses employ to prevent it.

It’s definitely a challenge, Jardim added. “We have to protect every single door and window, we have to be right 100% of the time, and a hacker just needs to find one vulnerability.”

Cultivating an Ecosystem

That list of threats and defenses — which only skims the surface — drives home the need for a more robust cybersecurity workforce, Loper said.

“We believe you have to take a regional approach to cybersecurity,” he noted. “We don’t believe you can just think of yourself as island unto yourself. Whether you’re a big organization or a small organization, you’re part of the supply chain, and there are opportunities for breaches. Everyone is connected.”

Boosting workforce-development programs is one spoke on the wheel. “It needs more attention. At one point, we didn’t have enough tool and die makers. The Commonwealth got behind it, and now we have enough. Something like that is going to happen in the high schools, and across this region, where we’re retraining people to work in this space just because there are so many opportunities.”

“The most important thing you have in your business is your people, and educating people how to act and what to do when they see something — to make your staff savvy — is one of the most beneficial things you can do.”

One plan is to develop a ‘cyber range,’ which is a simulated IT environment that emulates the IT structure of businesses, Loper explained. “We can bring people into the cyber range and help them deal with threats to a simulated environment.”

All these strategies are running headlong into the rise, in the very near future, of 5G wireless connectivity, which will dramatically increase data speed — and perhaps security threats as well.

“The threat we have now is going to go on steroids with 5G and with IoT,” Loper said. “The opportunties for business development will be greater than ever, and the opportunities for penetration will be greater than ever as well. It’s amazing what’s happening with 5G — it’s mostly good, but pretty darn challenging.”

Those threats provide business for commercial insurers, and that coverage is important, Rivers said, but businesses have to think about their own common-sense defenses as well.

“As we do renewals or reach out to clients, we try to bring out what policies are available to them to protect them from different things,” he noted. “It’s easy for us to recommend everything, but there’s a cost, so we try to inform them what’s out there so they can make decisions — ‘do I want this? Do I want that?’”

Rivers cited a statistic from Philadelphia Insurance Companies, which reports that the average cost of a data breach is $204 per lost record, with more than half of such costs attributable to lost customers and the associated public-relations expenses to rebuild an organization’s reputation.

“It’s one thing to take the data out, but when your brand is affected because you’ve had this incredible breach, that’s something else,” Loper added. “Your brand is what people think it is; it’s not what you think it is, like in the old days. Now, just look on social media, and that tells you what your brand is. Cybersecurity is one of those things that, if not done properly, can undermine your brand so quickly.”

In the end, Jardim said, the idea is to minimize risk.

“I always joke, the most secure machine is one that’s shut off in a locked room, but you have to find a balance,” he said — one that employs measures from simple common sense to choosing the right firewall.

“We see clients who have $5 million businesses buying a $100 firewall from Staples. You’re not going to protect your infrastructrure with that. You need the right equipment for your size. You need professional stuff for your business — you can’t use the same equipment you buy for your house for your business.”

“Well, you can,” Christianson added quickly, noting just one more way people might take a limited view of cybersecurity threats — and come to regret it.

Joseph Bednar can be reached at [email protected]

buy ivermectin for humans buy ivermectin online
buy generic cialis buy cialis