Member Blog: How to Avoid the 4 Most Common Payroll Mistakes
To achieve your goals in business, your payroll system must be flawless. It is an aspect in which you must strive for perfection whenever possible. Avoiding payroll mistakes in the cannabis industry is especially crucial due to the highly regulated nature of the industry. Compliance with payroll regulations is essential to avoid legal repercussions and penalties from governing agencies. Additionally, accurate and timely payroll ensures proper compensation for employees, and maintaining precise payroll records promotes transparency and accountability, building trust with employees and stakeholders in an industry where transparency is vital.
It is better to be safe and manage your payroll as thoroughly as possible; otherwise, you will be sorry you didn’t. Most people have likely made these mistakes and suffered only minor consequences. If the mistakes persist, however, the business owner often pays dearly for them. These common payroll mistakes have cost some their business.
Having Multiple Records for a Certain Payroll
It pays to have all your payroll information in a single database. This enhances security and ensures that you know where to look for your payroll information. If this has been your practice and your business uses tools like HCM software that helps you manage your employees and other business information, then this shouldn’t be much of a problem.
All you’ll have to do is use that same software to manage and process payroll information. If your business documents are disorganized, be sure to have them all in one place.
Not Updating Needed Information
Do not become complacent by relying on automated software to do everything. The system is not aware that an employee is changing addresses, so such information must be entered manually.
That error could lead to mistakes in filing that employee’s taxes, as the bills might arrive at the wrong address. As great as simplifying a process is, you still need to play your part in getting things done.
Setting timely reminders in the system will help you avoid the mistake of not keeping up with the latest information.
Weak Security System
Confidential information should remain so. To avoid your system being compromised, you should be using a payroll processing system with strong cybersecurity.
This has got to be the costliest mistake common to payroll processing. Any information about your business that is not available on your website or to your customers is most likely not public information. Private information about your business should remain private.
Information in payroll systems is as sensitive as can be. These systems hold almost every piece of information there is to know about a person, and as such, strict rules should apply to keeping it safe. A weak security measure means a weak business, and a weak business means trouble.
Inaccurate or Delayed Tax Payments
Calculating taxes requires the utmost care. If you are not a tax accountant, you are probably not proficient in this calculation. Your tax accountant (if your business has one) should learn how to use the system adequately to avoid delay or inaccuracy.
Bear in mind that inaccurate tax payment makes your business a tax defaulter. Your business as a taxpayer has the duty of tax calculations assigned to an accountant. Note that taxes ought to be paid within the required time bracket. The systems are programmed to make the tax payments when due.
The human capital management system does not only process payroll information but can also tell when employees qualify for federal or state tax credits.
In Conclusion
To maintain payroll accuracy and timeliness in the cannabis industry, it is crucial to avoid payroll mistakes. By opting for a third-party payroll provider like Tesseon, you can benefit from our expertise and ensure that your payroll is consistently accurate and delivered on time, regardless of any industry-specific challenges. The cannabis industry is both very young and extremely regulated, so it is imperative that businesses stay vigilant and proactive to avoid costly mistakes.
Member Blog: Cannabis M&A – Protecting the Valuation Calculus Using Cyber Compliance and Due Diligence
by Rebecca L. Rakoski, Esq. and Patrick D. Isbill, Esq. of XPAN Law Partners
When it comes to the intersection of law, business, and technology, the legal cannabis industry is arguably at the center of all three. Relying heavily on creative, innovative technology to distinguish itself while continually analyzing profitability forecasts to take advantage of new business opportunities and having to monitor at the same time the changing data privacy regulatory landscape, it can all seem rather daunting when added up. Securing trade secrets and overseeing reputational management related to cybersecurity and data protection are some of the challenges rooted at the forefront of this industry, especially after last year’s stunning pace of mergers and acquisitions. Increasing consolidation of fragmented segments of the cannabis industry is foreshadowing a strategic, long-term business approach to achieving higher profits and revenue, leaning on market advantages such as relatively favorable interest costs for now and lower valuations.
Data security and past cyber events play a significant role in these transactions, as do regulatory compliance and data privacy laws. One of the primary, if not foremost, objectives of any deal involving a merger or acquisition is of course valuation. Poor cybersecurity practices, lack of a comprehensive security and data protection program, and digitally unsecured proprietary assets on the part of the target company could spell unforeseen financial, not to mention legal liability, headaches for the acquiring organization.
The business of legal cannabis is after all a highly unique industry because of the already intense regulatory oversight and the enormous amounts of data inherently built in and circulating throughout its diverse industry sectors. From cultivation and laboratory research to manufacturing that incorporates processing for global distribution and all the way out to consumer dispensaries, the aggregate value of such data is almost nothing short of priceless. Simply put, data equals money in today’s global digital economy. So when the acquiring organization fails to adequately perform its due diligence when it comes to cyber compliance, it may be in for a rude awakening post merger or acquisition, especially if this data has been unknowingly compromised.
Every company should first seek to identify and classify the type of data it is acquiring to determine regulatory compliance. Personally identifiable information (PII) and/or protected health information (PHI) and where either comes from, e.g., a consumer or patient, will go a long way to understanding whether state and/or federal laws have been violated. Next, discovery of a past cyber event or breach is critical. Compromised data from inadequate cybersecurity or failure to report potential violations of state data privacy laws to any of the corresponding state enforcement agencies could result in hefty fines and unexpected assumption of liability, not to mention the legal costs to fix it after the deal is done.
Almost every cannabis business knows from the outset it has very particularized regulatory requirements, but such knowledge does not excuse it from complying with additional regulatory data privacy and cybersecurity obligations. Regardless of the side of the transaction, businesses need to keep several key end goals in mind during an M&A deal. Questions include but are not limited to the following: (i) prior cyber practices; (ii) prior cyber incidents; (iii) documented cybersecurity and data privacy programs; (iv) whether those programs are operationalized or just “there” for window dressing; (v) whether there is cyber-liability insurance; and (vi) the nature and type of contractual obligations. All of these elements will help to determine the level of data privacy and cybersecurity maturity of a business which, in turn, affects the value of the data and practices of the targeted organization.
Poor data security and privacy practices can lead to a devaluation of the business calculus and create an unforeseen situation where an organization suddenly becomes a liability rather than the intended asset. In the current shifting legal and technological environment, ignoring or leaving cybersecurity and data privacy due diligence in an M&A transaction to the last minute can be a costly enterprise. In addition, the nature and type of contractual obligations in and around data privacy and cybersecurity can also create a potential for substantial liability if the organization has not operationalized its privacy and security program. Each part of this due diligence is interconnected and can wreak havoc if not properly assessed and, in some instances, immediately addressed.
Like water running downhill, any variation in terrain going forward will cause a parallel, and potentially unpredictable, directional shift.
All in, the industry is keenly aware of what consumers value – privacy. For example, trust in the product sold and confidence that their identity is secure top most consumer surveys on the topic. Any cannabis business understands this fragile balance, and any path to growth in the industry must account for it. The same applies to trade secrets. Often the linchpin of a merger or acquisition will be the result of interest in innovative research or breakthrough technology developed by the target company. If it is discovered later that this proprietary work was potentially compromised or publicly disclosed, then the initial value used as the basis for negotiations could diminish exponentially if the work has been appropriated by a business competitor or industry rival looking for a market share advantage.
Due diligence is already part of the fabric of M&A deals. Reports suggest the large volume of global mergers and acquisitions overall is expected to continue this year from last despite worries over regulations and rising interest rates. But focusing on accounting and finances without spending time on determining past commitments to cyber readiness and compliance can unravel even the best of intentions. Valuation is a key calculus in these deals. Understanding the true value of what is being acquired or consolidated is essential to taking advantage of business opportunities for growth and return on investment for an industry primed for both.
Rebecca L. Rakoski, Esq. is Co-Founder and Managing Partner at XPAN Law Partners, LLP. Rebecca counsels and defends public and private corporations, and their boards, during data breaches and responds to state/federal regulatory compliance and enforcement actions.
Patrick D. Isbill, Esq. is also Co-Founder and Managing Partner at XPAN Law Partners, LLP. Patrick’s practice focuses on cybersecurity and data privacy compliance and enforcement, addressing the business needs and demands of highly regulated industries.
This article does not constitute legal advice or create an attorney-client relationship. The information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
Member Blog: As Cannabis Sales Rise, So Do Questions About Privacy and Security
Frank Nisemboum, Vice President of ERP Sales at c2b teknologies
Legal cannabis is a big business that handles big data. From personalized data to protected health information to cannabis information that requires regulatory compliance with cybersecurity and data privacy laws–the entire cannabis industry faces data privacy and cybersecurity challenges not faced by other sectors.
But wait, other sectors have to navigate data concerns too, right? Cannabis is different. Aside from all the typical privacy concerns, cannabis data comes with an added layer of complexity for cannabis operators due to the industry-specific data collection and mandatory retention requirements surrounding it.
Growing Cannabis Data Collection
A cannabis customer provides a vast amount of personally identifiable information every time they buy legal marijuana products. These individuals present a government-issued ID card to confirm they are at least 21 for adult-use purchases or prove they have a prescription to access medical marijuana. The data collected on each transaction includes customer or patient name, date of birth, address, phone number, driver’s license or medical ID card numbers as well as email addresses and signatures.
Cannabis dispensaries also provide equally large amounts of operations data to METRC (Marijuana Enforcement Tracking Reporting Compliance), used in 13 states and the District of Columbia. METRC is not the only government reporting company used to maintain cannabis compliance. For example, California relies on the CCTT (California Cannabis Track-and-Trace) system to report the inventory and movement of cannabis and cannabis products throughout the cannabis supply chain.
Cannabis legalization is expected to spread across the country to all 50 states now that adult-use cannabis is permitted in 11 states and Washington D.C. and 36 states allow medical marijuana. Many of those states require all cannabis licensees, both annual and provisional, to use METRC to track marijuana products through the entire supply chain.
Cannabis cultivators, manufacturers, retailers, distributors, testing labs, and micro-businesses need to manage and maintain those records for a minimum of seven years. It’s a tremendous amount of valuable data for cannabis companies to track, and it is the precious data cybercriminals and hackers seek out, including combinations of protected personal and health data like social security numbers and diagnoses with supplemental information like addresses and copies of ID cards.
If a cannabis company dispenses medical marijuana to patients or supports one that does, it falls under the regulatory oversight of the Health Insurance Portability and Accountability Act (HIPAA) and the Office for Civil Rights (OCR).
Safeguarding Cannabis Data
Legal cannabis and the data security issues it creates form multi-prong challenges from a legal and technological perspective. The cybersecurity and data privacy requirements don’t come with a roadmap cannabis operators can borrow from other industries due to the massive repositories of personalized data that require regulatory compliance with cybersecurity and data privacy laws.
The collection, storage, and security of all this valuable data raise many privacy and security concerns, especially when guidelines for collecting the information vary by state. For example, Ohio and California must house personal data using third-party software to track inventory and retail point-of-sales, whereas Illinois dispensaries cannot store any personally identifiable information onsite and instead use cloud or other off-location services.
Healthcare companies make attractive targets for hackers and suffer data breaches more often due to their huge storage of protected health information (PHI). Medical dispensaries and supporting companies handle PHI too, but PHI is not all a cybercriminal may want from a cannabis operation.
Employee records often contain background checks and financial data along with personally identifiable information such as name, date of birth, and SSN, all in one nice package. And cannabis data has been breached several times in recent years.
Cannabis Data Breaches Happen
Even as a newly legitimized industry, cannabis organizations have already experienced high-impact data and security breaches. In early 2020, a database breach was reported that impacted almost 30,000 people connected to the marijuana industry; it resulted from an unsecured Amazon S3 data storage bucket. The data breach included scanned versions of government-issued ID cards, purchase dates, customer history, and purchase quantities.
In 2019, a Canadian cannabis company exposed the electronic medical records of over 34,000 customers.
Between 2016 and 2018, the cannabis-tracking software provider MJ Freeway endured significant data breaches where over 1,000 dispensaries in 23 states were hacked. Less than six months later, hackers stole a portion of MJ Freeway’s source code and posted it publicly to social media.
Prior to that, Nevada’s Medical Marijuana Program database was breached in 2016, exposing sensitive personal data of over 11,000 people involved in the Nevada cannabis industry. This breach included names, social security numbers, race, as well as home and business addresses.
Cannabis Operators Short on Cybersecurity Budgets
Cannabis companies are responsible for securing their data to protect their customers and staff. To prevent data leakage, point-of-sale machines need endpoint protection, encryption, and secure backups with proper network segmentation.
Unfortunately, some cannabis organizations fall short of installing appropriate cybersecurity measures that could have far-reaching effects on a cannabis user. Leaked personal data could have negative personal and professional consequences for the cannabis patient whose workplace prohibits cannabis use.
To avoid becoming an easy target, cannabis companies need to focus on data privacy and security just as much as marketing and sales. The penalties for having a customer’s or employee’s personally identifiable information and cannabis-related data exposed can be too expensive to ignore, and an exposure fails to give customers and employees confidence that their data is secure.
Vice President of ERP Sales, Frank Nisemboum, is a trusted advisor at c2b teknologies who has guided organizations of all sizes, enabling them to establish a technology presence and expand their business through technology. His proven ability to analyze the current and future plans of a company and work with team members to subsequently bring technology solutions to the organization results in improved processes and controls that assure continued growth and profitability.
Frank has worked in the ERP and CRM software selection, sales and consulting industry for almost 25 years. His strong ability to understand, interpret and match the needs of an organization to the right solution makes him an asset to all of his clients.
c2b teknologies integration and engineering experts have partnered with leading cannabis industry experts to develop a software solution that provides a complete cannabis operations system. The best-in-class solution not only handles tracking of seed-to-sale activities but encompasses your entire cannabis operations, with compliance needs handled along the way. Our passion for solving problems drives us to deliver innovative solutions for everyone we work with. Visit c2btek.com for more information.
Webinar Recording: #CannaBizSummit Speaker Series – Hacker-Proof Your Remote Operations
In case you missed it, watch this webinar recording from Monday, April 27. As companies reacted to the workplace changes COVID-19 required, many cannabis companies made rapid decisions to work-from-home, added curbside pickup, and enhanced delivery services. These decisions lead to additional security risks, and with hackers targeting companies more aggressively, these risks must be addressed to ensure business continuity.
In this webinar, GeekTek CEO/CTO Eric Schlissel and his guest Sophos Cyber Security subject matter expert Joey Ellison will discuss the current state of remote work, what to expect in the future and how to improve your organization’s security posture, moving from reactive to proactive protection. Intended for a non-technical audience, attendees will leave with clear next steps to improve their cybersecurity with minimal effort.
Speakers Include:
Eric Schlissel, CEO & CTO
GeekTek
Joey Ellison, Sr. Cyber Security Engineer
Sophos