A security plan utilizing the minimum technology and operational procedures to meet compliance requirements with regulations should not be mistaken as a security plan designed to protect the people and property within a cannabis facility. No single state’s security requirements meet the physical protection standards utilized by every type of business. Most state requirements include antiquated and misunderstood elements for security compliance or fail to address many areas entirely.
The Compassionate Use of Medical Cannabis Program Act was voted into law and went into effect on January 1, 2014, prior to the publication of the Joint Committee on Administrative Rules (the oversight committee in Illinois authorized to conduct systematic reviews of administrative rules promulgated by State agencies). Illinois has long been considered the first state to enact tough requirements for cannabis licensure including for security and most of their rules have been included, almost verbatim, into many other states’ rules.
A Security Framework is Critical
However, cannabis organizations, at least when it comes to security, tend to only implement the bare minimum of security required for compliance with the law. When it comes to protecting an organization’s assets, the most viable security plans contain many aspects, processes and procedures that are not included in the rules. Instead, they are written according to long-established security guidelines, standards, and best practices developed through years of security operations experience.
Every security plan should start with pre-employment background screening and vetting as part of the employment process. Most states require potential employees to submit to a fingerprint-based state and federal criminal history records check. If there are any convictions found, they are compared to the list of convictions that have been determined by the state to preclude the person from being able to work within a cannabis organization such as major drug crimes, domestic and other violent crimes, and felonies within a predetermined number of years since the conviction or completion of sentencing conditions (commonly 5-7 years).
A security plan that does not include a thorough background screening and vetting process is lacking, as employees are at the core of every business operation. A comprehensive background check will reveal additional information not provided in the fingerprint-based criminal records check, as required for compliance. Information such as repeated minor offenses, including traffic offenses (driving without insurance or DUI), trespassing, theft or fraud, disorderly conduct, unauthorized handling of sensitive material, committing security violations, corruption, links to criminal elements, significant financial concerns, and countless other indicators of behavioral concern that could lead to diversion, theft or fraud, can all be attained through a proper hiring program as outlined in the newly updated ASIS PBSV-2022 Pre-employment Background Screening and Vetting Guideline. Naturally, employee-related background checks cannot include any inquiries prohibited by local laws.
Integrate Technology That WorksIn today’s world of advanced technology, there is no excuse for using analog video or not having video evidence after a burglary. Mishaps will occur because a DVR is unsecured and in a manager’s office where it can easily be removed from the premises along with all the archived video it contains. The rules require recorded video image resolution to be at least D1 (704 x 480 pixels) with a 12” monitor connected and recording frame rate of at least 3 frames per second during alarm or motion-based recording. A security plan should include more than the installation of this minimal equipment. Instead. at least a 2MP IP (1920x1080) video system should be utilized which demonstrates significant enhancements in image quality and usefulness.
All rooms with a perimeter wall should be protected with a motion detection device. Perimeter glass windows and/or doors should have an extra layer of protection with glass break detection devices. Placing door contacts on the perimeter doors and monitoring the alarm is not enough. Recently, during a break-in, a convenience store was emptied of cases of carton cigarettes because the store had an intrusion alarm system that was armed at the time, but no alarm event was triggered. The system only consisted of door contacts and hold-up buttons. The perpetrators smashed out the glass in the entry door but did not open the door. Since the entry door did not have glass break detectors or motion detection devices, there was no alarm event. The door contacts remained closed while the perpetrators entered and exited the store with merchandise by crawling through the door.
Have an Inventory Security Plan
Although it is not required, an inventory security plan should also be implemented and include the securing of all cannabis product in a secured storage room or vault during non-operational hours instead of remaining in glass display cases on the dispensary floor, hanging on j-hooks, or sitting on shelves behind counters. The latter increases the vulnerability of and losses from robberies. There have been countless incidents in numerous states where windows or doors have been smashed to enter a facility or a vehicle driven through the storefront. Perpetrators remove a product from shelves and smash display cases to remove product that has been left out overnight. As such, all products should be stored overnight in secured storage areas.
Many states require inventory and cash to be secured in a safe and may also warrant the safe to be located inside a secured storage room as an added layer of protection. Most gun safes tout their UL ratings but do not disclose much. A typical gun safe is UL rated as a residential security container with the RSC rating. This rating comes in three levels. Level 1 is rated to resist an attack by one person with hand tools up to 18 inches in length (hammers (up to 3 pounds in head weight), chisels, adjustable wrenches, pry bars, punches, and screwdrivers) on the door, face, back, bottom, top or sides for a period of 5 minutes.
Level 2 resists an attack from two people with more tools (picks, high-speed carbide drills, and pressure-applying devices) on the door or face for a period of 10 minutes as well as any six-square-inch opening in the door or front face of the safe. Level 3 resists attack from two people with even more tools (and the size of the maximum attack opening shrinks significantly from six square inches to two square inches) on the door, face, back, bottom, top or sides for a period of 10 minutes. A suitable safe for a cannabis business needs more protective features than even a level 3 gun safe as explained below.
Safes weighing less than 750 pounds should also be secured to the floor or wall with lag bolts. Although these lightweight safes are compliant, they are considered residential safes as evidenced in their rating and may be breached in as few as 5-10 minutes, much less time than law enforcement response times to alarms. Accordingly, these safes should be avoided by cannabis businesses.
Cannabis organizations should utilize safes with a UL rating of TL-30 or TL-30x6. The TL-30 rating performance requirements mean the door successfully resists entry (defined as opening the door or making a six-square-inch opening entirely through the door or front face) for 30 minutes when attacked with common hand tools, picking tools, mechanical or portable electric tools, grinding points, carbide drills and pressure applying devices or mechanisms, abrasive cutting wheels and power saws. In addition, a minimum of 750 pounds in weight is required. The TL-30x6 is identical to the TL-30 rating with one exception: entry is defined as opening the door or making a six-square-inch opening entirely through the body, door, or front face.
There are many other examples that could be listed. Technical compliance with state regulations should only be the starting point when developing a security plan. Too often it seems, cannabis organizations have security plans designed entirely upon compliance that fall short of mitigating the risks the industry faces. Security consultants with boots-on-the-ground experience working within cannabis organizations can help protect assets beyond checking a box and ensure maximum protection and minimal inconvenience to the operation.
Prior to joining Guidepost Solutions as a Senior Security Consultant, Sutton worked as a director of security for Greenhouse Group and its Grassroots and Herbology banners, responsible for enterprise security risk management in all markets. He authored Security, Emergency Action and Fleet Safety Plans along with security training and operations manuals. He also conducted new hire background investigations and security advances at dispensaries as part of Transportation Security Plans in multiple states. Prior to Greenhouse Group, he worked as the director of security for Revolution Enterprises where similarly he was responsible for everything security in all states of operation.