Response to Health Canada Request for feedback re:Cannabis Act

0 Replies

First things first. Thank-you for the opportunity to provide input to your program. This openness has not gone unnoticed and it will lead to better legislation. The following comments are related to your November 2017 Document “Proposed Approach to the regulation of Cannabis”.  Comments are only with respect to security elements.  You are intending to have a significant review of security requirements and this is applauded.


  1. Don’t completely abandon the Physical Security Directive. Vaults are a proven delay mechanism when used correctly. You won’t find a community bank branch in the country that will leave a million dollars in cash overnight in a vault.
    1. Modernize it. Terms such as AA line supervision are no longer common in the industry.
    2. Apply realistic values to the asset. This will accordingly align the asset value with the mitigation strategy.
  2. Apply different security strategies as opposed to less security when the primary risk event changes from a vault attack in the case of a large production facility to an armed robbery at a retail outlet.
    1. Time delay safes.
    2. Cash drop procedures
    3. Cash handling procedures (less cash on site).
    4. Training for industry workers exposed to this threat (like bank teller’s robbery training).
  3. Try to use more specific language in the new Act regarding security. Statements such as “be capable of making a visible recording of illicit conduct”[1] are frankly way to subjective. Let’s talk light levels, pixel density, angles of view, etc.. This will reduce the amount that licensed producers spend on consultants and the amount of over-spending on security integration.
  4. Consider going from 1 year to 6 or 9 months for the retention of video. Video is the single largest security investment and the storage requirements are a large part of this cost.
  5. Change the 2-year storage and video requirements for all applicants currently in flight if possible. Reducing unnecessary security cost will reduce production cost which will reduce organized crime threats.
  6. Increase the amount of intrusion detection particularly with respect to partitioning. The Physical security directive correctly speaks of security in layers and intrusion partitions are a robust and cost-effective mitigation strategy. Intrusion detection is relatively more mature and less expensive than video.
  7. Perhaps some thought to outsourcing personnel security clearances to private companies to reduce the backlog and then to do further background checks at routine intervals. Much of the financial burden on LP’s is due to process delay and backlog.
  8. Leave the seed to sale tracking in the private hands and enforce reporting only. This will allow for significant innovation in this space to drive competitive advantages and industry growth.
  9. Perhaps some thought to outsourcing the security reviews to industry professionals. This can reduce backlog, provide a more consistent review and allow for scale. It can also introduce elements of investigations and complaint handling that may be beyond current scope.

Background to support Recommendations:

Physical Security is intended to reduce risk. Risk is the confluence or the intersection set of Assets, Threats and Vulnerabilities.  Defining Risk Events require a threat attacking an asset through a vulnerability. Reducing any one of these reduces risk. To decide which of the risks are the greatest, an analysis of the probability of an event vs. the criticality of the event comes into play.

For example, two risks defined in the document are[2]:

  • legally produced cannabis being diverted to an illegal market or activity
  • illegal cannabis being a source of supply for the legal industry

For these risk events, the single identified asset is the cannabis. Considering cannabis as the asset, the logical and correct solution is “large quantities of high-value cannabis products being present on site would face proportionately higher physical security requirements compared to other licence classes[3]”.

The ACMPR correctly identifies the fact that persons can be a threat. The degree of mitigation to this threat by way of security clearances can be debated however most agree that some level of vetting is required.  What is missing is an appreciation that persons are also an asset. An employee being hurt or traumatized because of a robbery is a significant risk. This should be clearly addressed.

Production facilities, distribution facilities and retail facilities have significantly different threats and significantly different assets.

A large LP will have millions of dollars of cannabis in a contained location with very few un-vetted persons in the vicinity. Accordingly, security mitigation such as vaults and security clearances are appropriate for risk mitigation. The principle risk to these facilities would require a skilled forced entry or an inside threat. Despite all our griping, the Physical Security Directive appropriately takes this on. It has a track record of success not in just the Cannabis industry but in the pharmaceutical industry as well.

Where the asset is not as valuable, proportionately less security is logical. The fact that this document is suggesting less security for growing plants is a recognition of the difference in asset value and is applauded; as is the requirement for less vigorous Responsible Person In Charge supervision in these areas.

A retail outlet presents a different theatre (different assets, different threats).

  1. There is less cannabis on the facility (1 to 3 orders of magnitude less)
  2. There are more classes of threats that are in close proximity to assets (people and cannabis).
    1. unskilled opportunistic non-violent
    2. unskilled motivated non-violent
    3. skilled motivated non-violent
    4. unskilled violent
    5. skilled violent
  3. There is much less opportunity to vet customers

Given the fact that the asset levels are different and the threats are different, it is logical to assume that mitigation strategies should also be different. Examples may be time-lock safes, retail style access control and duress alarms.

[1] ACMPR 59(2)

[2] 2.3.4 Proposed Approach to the regulation of Cannabis

[3] 2.3.4 Proposed Approach to the regulation of Cannabis

Body Camera – Recording buffer sizeThought for the day on OSINT

Share Your Thoughts

Your email address will not be published. Required fields are marked *