
Dispensary Security (Physical + Cybersecurity)


Cannabis dispensary security operational playbook -- cameras, vaults, alarms, guards, emergency response, and integrated cybersecurity (POS, Metrc credentials, PII, vendor supply-chain risk).

Extends: sops.md §Security Procedures. That SOP is the index; this file is the operational playbook.

See also: legality.md for state-by-state regulatory baseline | tech-compliance.md for Metrc mechanics | sops.md for emergency response SOP index | internal-theft.md for employee fraud playbook

Data current as of early 2026. Regulatory retention windows, breach timelines, and vendor footprints cited with source year.


1. Overview & Threat Landscape

The Dual Surface

Cannabis dispensary security has always been a dual surface, but as of early 2026 it is finally being treated that way. The physical side -- cameras, vaults, alarms, guards, emergency response -- is the regulatory core every legal state enforces under license conditions. The cyber side -- POS integrity, Metrc credential hygiene, PII protection, third-party vendor supply-chain exposure -- was historically a footnote in operator playbooks. After the 2024-2025 breach wave (covered in detail in §4 below), that framing is obsolete.

This playbook treats physical and cyber as co-equal controls against a single class of threat: a loss of custody or control over the dispensary's regulated cannabis, cash, and compliance data. Whether a loss occurs via armed robbery, smash-and-grab, insider diversion, ransomware encrypting the POS, or credential theft that lets an outsider manipulate Metrc records, the regulatory consequence is the same -- a traceability break, a potential license impairment, and a reportable event.

Why Cannabis Is a High-Value Target

Three structural properties make cannabis retail an outsized attractive target relative to general retail:

  • High-density cash. Federal cannabis illegality under the Controlled Substances Act pushes most transactions to cash. A busy store holds $30K-$150K in the vault on any given day; a limited-license MSO can hold much more at the network level. [CITED: Cannabis Business Times 2024-2025 coverage]
  • High-margin portable inventory. A single case of vape cartridges can carry five-figure street value. Concentrates and premium flower carry enough value per kilogram that smash-and-grab math works in ways it does not at a convenience store.
  • Regulator-visible data. Metrc and state tracking systems create a full audit trail of product movement, employee access, and inventory reconciliation. An attacker who manipulates these records (or who simply causes a POS outage that prevents correct recording) creates a regulatory problem, not just a business problem.

The 2024-2025 regulatory data reflects this: per MJBizDaily and CRB Monitor, California issued 63 recall notices in 2024 covering 259 product SKUs and roughly 25,000 units [CITED: 2024] -- the highest recall year on record. While not all recalls are security-driven, the volume confirms the regulator is actively enforcing and the stakes for losing custody of product are rising.

The 2024-2025 Shift

Two concrete events marked the moment cyber moved from IT trivia to top-5 operational risk:

  1. STIIIZY breach (November 2024). ~380,000 customer records exposed through a third-party point-of-sale processor, not through STIIIZY's own infrastructure. Dark-web leak claims attributed the attack to the Everest cybercrime group; that attribution rests on the group's own leak-site claims rather than on independently confirmed forensics. [CITED: Clark Hill PLC 2025 legal alert, it4weed.com Year in Review 2025]
  2. Trulieve ransomware (2025). MSO operator hit by ransomware with operational disruption reported across multiple states. [CITED: it4weed.com Year in Review 2025]

Both events share a pattern: the attacker reached the dispensary through a vendor or a remote-access pathway, not through the physical store. Cannabis loss-prevention (LP) playbooks written between 2018 and 2023 do not account for that reality. This file does.

California Regulatory Body: The DCC

Every California citation in this file points to the Department of Cannabis Control (DCC) -- the agency that consolidated three prior California cannabis regulatory bodies in July 2021 under AB-141: the Bureau of Cannabis Control (the retail and distribution regulator), the Manufactured Cannabis Safety Branch (under the California Department of Public Health), and the CalCannabis Cultivation Licensing Division (under the California Department of Food and Agriculture). After the consolidation, the DCC is the single authoritative California cannabis regulator across the entire supply chain. [CITED: CA AB-141, 2021]

The DCC's regulations are codified at California Code of Regulations Title 4, Division 19 (§15000 et seq.); the video surveillance rule is §15044. The pre-consolidation Bureau of Cannabis Control rules lived at 16 CCR Division 42, §§5000-5815, and the DCC carried that numbering over with a "15" prefix (former §5044 became §15044), so a §50xx cite is a pre-2021 cite. Cite by DCC Bulletin number for post-2021 regulatory guidance. Pre-2021 industry content and SEO articles still in circulation continue to cite the earlier regulator acronym and the 16 CCR section numbering; that content is stale, and operators using it as a current compliance reference will miss material rule changes that went in with the consolidation.

Scope

This file covers:

  • Physical security: camera surveillance, vaults and secure storage, alarms and monitoring, guards and armed-response posture
  • Emergency response for external threats (armed robbery, smash-and-grab, active threat) -- the internal-theft playbook lives in internal-theft.md
  • Integrated cybersecurity: POS security, Metrc and state-tracking credential hygiene, PII and loyalty data protection, third-party vendor supply-chain risk, 2024-2025 breach case studies, breach response playbook
  • Named vendor landscape for security integrators, camera systems, and monitoring services
  • Cross-references to legality, SOPs, Metrc mechanics, and employee-facing controls

This file does NOT cover:

How To Read This File

Section 2 (physical) is the regulatory core: the controls every legal state inspects. Section 3 (emergency response) is the operational protocol when physical controls are tested by an actual external incident. Section 4 (cybersecurity) is the co-equal playbook for the digital surface, built from named 2024-2025 breach case studies rather than IT-industry generalities. Sections 5-7 are reference material: named vendors, the consolidated state callout table, and the cross-reference index back to adjacent playbooks.

Operators using this file as a compliance walkthrough should read linearly. Operators using it to evaluate or re-baseline an existing program should start with §6 (state callout summary) to identify the hard compliance lines, then loop back to the relevant detailed sections.


2. Physical Security Framework

Framing

Physical security at a dispensary is built on four concentric rings:

  1. Perimeter -- exterior cameras, parking lot lighting, building envelope, exterior alarms, entry control
  2. Lobby / ID vestibule -- where customers enter, IDs are checked, and the sales floor begins
  3. Sales floor / POS -- where products are displayed, cash handled, and transactions occur
  4. Back of house -- vault, secure storage, Metrc room, manager's office, receiving dock

Each ring has a minimum camera coverage requirement, a minimum alarm/monitoring control, and an access-control expectation. The most sensitive ring (back of house) layers additional controls: dual-custody, time-delayed locks, restricted keys or keycards, and chain-of-custody logging for product movement.

Every legal state mandates some version of this four-ring model, though state rules vary on retention windows, resolution minimums, and armed-guard requirements. The rest of this section covers the universal baseline plus state callouts for California, Colorado, Illinois, and Nevada per D-01. For other states, see legality.md §State Compliance Grid.

Cameras & Video Surveillance

The universal baseline across legal cannabis states for video surveillance:

  • Retention: 30 days minimum of continuous recording. Most states require 40-90 days; a few tiers (for example Nevada's routine-footage window) are shorter. Multi-state operators should default to the strictest retention in their portfolio (typically 90 days) to simplify training and vendor contracts.
  • Resolution: 1280x720 (720p) minimum at the camera sensor. Facial-feature identifiable resolution at choke points -- entrance, POS, transaction counter. Higher resolution (1080p or 4K) is now standard for new installations and provides substantially better evidence value.
  • Coverage: Entrances, exits, POS terminals, vault and secure storage rooms, receiving dock, parking lot (where property boundary permits), any point where cannabis product is accessible or handled. No coverage gaps between cameras.
  • Recording mode: 24/7 continuous, not motion-activated only. Most state rules specifically require continuous recording; motion-activated recording is not compliant.
  • Signal integrity: UPS (battery backup) on the NVR/DVR so a power outage does not break the recording chain. Off-site or cloud backup is strongly recommended and required in some states.
  • Access control: Recorded footage must be protected against tampering by staff -- the POS cashier should not have administrative access to the video system. Audit logs of who reviewed or exported footage are required in most jurisdictions.

State Retention Callouts

| State | Minimum Retention | Notable Nuance |
|-------|-------------------|----------------|
| California | 90 days (DCC 4 CCR §15044, formerly BCC §5044) | 24/7 recording; 7-year retention for most security-related records [CITED: cannasecure.tech 2026 guide] |
| Colorado | 40 days | Easily accessible format required [CITED: getscw.com CO guide] |
| Illinois | 90 days | Leads in cyber-hardening requirements alongside video [CITED: cannabistechnologypartners.com 2025] |
| Nevada | 7 days routine / 60 days suspicious | Split retention based on event classification [CITED: deepsentinel.com 2025] |

California detail: DCC §15044 (4 CCR; formerly BCC §5044) requires 24/7 continuous video recording with 90-day retention of footage. Cameras must cover all entrances, exits, areas where cannabis is handled, and the point-of-sale. The required resolution is 1280x720 minimum at a frame rate of at least 15 frames per second. The DCC also requires 7-year retention of the broader set of security records (alarm logs, access logs, incident reports), separate from the 90-day video retention. Operators often confuse these two windows: the 90-day video retention is a hard compliance line, while the 7-year records retention applies to the derivative logs, not the footage itself.

Colorado detail: Colorado's 40-day video retention is shorter than CA but the access requirement is stricter -- footage must be retrievable "in an easily accessible format" on short notice for investigators. Colorado has been an early adopter of NVR-to-cloud continuous replication to meet this accessibility standard.

Illinois detail: Illinois matches California on the 90-day video retention line. Illinois has also led the legal-cannabis states in adding cyber-hardening language to its security rule set -- a pattern that other states are now following. Operators in IL should expect their physical video retention line and their cyber control posture to be inspected together at renewal.

Nevada detail: Nevada's split 7-day routine / 60-day suspicious retention is unique. Routine footage older than 7 days can be overwritten on rolling storage; footage classified as "suspicious" (incidents, law-enforcement requests, compliance events) must be preserved for 60 days. Operators must have a clear process for flagging suspicious footage at the NVR so it is not overwritten by routine recording.

Placement Matrix

| Camera Location | Minimum Resolution | Recording Mode | Notes |
|-----------------|--------------------|----------------|-------|
| Exterior entrance / exit | 1080p preferred, 720p minimum | 24/7 continuous | Facial-feature resolution at ~10 feet |
| Parking lot (perimeter) | 1080p | 24/7 continuous | License-plate capture at key approach lanes if state permits |
| ID vestibule / lobby | 1080p | 24/7 continuous | Capture both customer side and staff side |
| POS terminal | 1080p or 4K | 24/7 continuous | Cover both cashier and customer; overhead angle preferred |
| Transaction counter | 1080p | 24/7 continuous | Capture cash drawer and product handoff |
| Sales floor (general) | 720p | 24/7 continuous | No coverage gaps between ceiling cameras |
| Vault / secure storage | 1080p | 24/7 continuous | Two angles; door entry and interior |
| Receiving dock | 1080p | 24/7 continuous | Capture manifest handoff, package inspection |
| Metrc / back office | 720p | 24/7 continuous | Cover anyone accessing state tracking system |
| Emergency exit | 720p | 24/7 continuous | Required in most states |

Common Failure Modes

Even well-equipped operators routinely fail video audits for the same reasons:

  • Camera drift: A camera bumped during cleaning shifts its angle over weeks; six months later the POS is no longer in frame. Quarterly angle-check walkthrough fixes this.
  • Storage full: NVR storage allocation was sized for 30-day retention; when the state requires 90 days and the store has upgraded to 4K cameras, storage overflows and recordings are overwritten before the retention window expires. Storage sizing must match the state retention line and the bitrate of the cameras actually installed.
  • Single point of failure: NVR is in the manager's office with no UPS. A power blip ends recording for hours. UPS + cloud backup closes this.
  • Admin access diffused: Every manager has NVR admin credentials; shared passwords; no audit log of exports. A departing manager retains access for weeks after termination.
  • Analytics never enabled. Operator bought an AI-capable camera system (Verkada, Spot AI, Solink) but never enabled the analytics. License-plate recognition, people counting, unusual-motion detection -- all off. The operator realizes perhaps a third of the value paid for.
  • No export rehearsal. Footage export has never been tested. When an incident occurs and law enforcement requests footage, the operator spends two days figuring out the export process and another day waiting for support from the vendor. Export rehearsal should be a quarterly exercise.
  • Audio tangle. Some states regulate audio recording (wiretap statutes) even where video recording is permitted. Operators who enable microphones on their camera systems without legal review can create liability. Review state wiretap rules before enabling audio.

Video Export & Evidence Chain

When footage is exported for a law-enforcement request, an insurance claim, or an internal investigation, a chain-of-custody process must hold:

  • Export logged. Who exported what, when, why. The NVR's own audit log is the primary record; a parallel written log is best practice.
  • Hash verification. Exported video files hashed on export (SHA-256 or similar); hash stored with the export log so tampering can be detected.
  • Copy count. One export copy goes to the requestor (LE / insurance); one retention copy stays with the operator. Never a single copy.
  • Retention of exported material. Exported footage held separately from the rolling NVR recording and not subject to the 30/40/90-day overwrite window. Treat as evidence, not as operational data.
  • Privileged review. If the footage is exported in contemplation of litigation, it may be subject to legal-hold / privilege considerations. Run with counsel before responding to third-party subpoenas.
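The export log described above can be implemented as an append-only, hash-chained record so that both the footage and the log itself are tamper-evident. The Python below is an added example written for this page, not code from any NVR vendor or from the original playbook; the file name, exporter ID, case reference and recipient strings are constructed. Each entry stores the SHA-256 of the exported file, who exported it, why, and to whom, plus the digest of the previous entry; `verify_export_log` recomputes everything and reports altered footage, missing retention copies, edited entries and spliced or reordered logs.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous entry" value for the first entry in a log

def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-gigabyte exports never load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def _entry_digest(entry):
    """Hash of an entry's fields (minus its own digest) in a canonical encoding."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()

def _last_entry_hash(log_path):
    last = GENESIS  # a log that does not exist yet chains from GENESIS
    if os.path.exists(log_path):
        with open(log_path, encoding="utf-8") as f:
            for line in f:
                if line.strip():
                    last = json.loads(line)["entry_hash"]
    return last

def record_export(log_path, video_path, exported_by, purpose, recipient, copies=2):
    """Hash the exported file and append one chained entry. Returns the entry."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "file": os.path.basename(video_path),
        "sha256": sha256_file(video_path),
        "exported_by": exported_by,
        "purpose": purpose,
        "recipient": recipient,
        "copies": copies,  # requestor copy plus retention copy; never a single copy
        "prev": _last_entry_hash(log_path),
    }
    entry["entry_hash"] = _entry_digest(entry)
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_export_log(log_path, export_dir):
    """Re-check the chain and every retention copy. Returns problem strings (empty == clean)."""
    problems, prev = [], GENESIS
    with open(log_path, encoding="utf-8") as f:
        for n, line in enumerate(f, 1):
            if not line.strip():
                continue
            entry = json.loads(line)
            if entry.get("prev") != prev:
                problems.append(f"entry {n}: chain break (entry inserted, removed or reordered)")
            if entry.get("entry_hash") != _entry_digest(entry):
                problems.append(f"entry {n}: fields altered after logging")
            copy = os.path.join(export_dir, entry["file"])
            if not os.path.exists(copy):
                problems.append(f"entry {n}: retention copy {entry['file']} missing")
            elif sha256_file(copy) != entry["sha256"]:
                problems.append(f"entry {n}: {entry['file']} differs from logged hash")
            if entry.get("copies", 0) < 2:
                problems.append(f"entry {n}: fewer than two copies recorded")
            prev = entry.get("entry_hash", prev)
    return problems

def demo():
    """Constructed scenario: two exports, then a tampered copy, then an edited log line."""
    work = tempfile.mkdtemp(prefix="export-demo-")
    video = os.path.join(work, "pos1_2026-01-15.mp4")
    with open(video, "wb") as f:  # stand-in bytes for an NVR export, not real footage
        f.write(b"\x00\x00\x00\x18ftypmp42" + bytes(range(256)) * 64)
    log = os.path.join(work, "export_log.jsonl")
    first = record_export(log, video, "mgr.jdoe", "LE request, case 26-0112", "PD evidence unit")
    second = record_export(log, video, "mgr.jdoe", "insurance claim", "carrier adjuster")
    clean = verify_export_log(log, work)
    with open(video, "ab") as f:  # someone "trims" the retention copy after the fact
        f.write(b"\x00")
    after_file_tamper = verify_export_log(log, work)
    with open(log, encoding="utf-8") as f:
        lines = f.read().splitlines()
    edited = json.loads(lines[0])
    edited["purpose"] = "routine review"  # backdated edit to the first entry, hash left as-is
    lines[0] = json.dumps(edited, sort_keys=True)
    with open(log, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return {"chained": second["prev"] == first["entry_hash"], "clean": clean,
            "after_file_tamper": after_file_tamper,
            "after_log_tamper": verify_export_log(log, work)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run the file directly to see the findings on the constructed scenario. The log is a JSON-lines file that lives next to the retention copies; because each entry commits to the previous one, a backdated edit to an earlier entry shows up even when the exported file itself is intact, and an entry that is deleted or inserted breaks the chain for everything after it. Keep the log on storage the POS cashier and floor managers cannot write to, for the same reason they should not hold NVR admin rights.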

Vaults & Secure Storage

The vault is the most regulated space in the dispensary. Universal baseline:

  • Construction: UL-rated vault door and panels (UL 608 Class M or higher for vault doors and modular vault panels; UL 687 TL-15 or TL-30 rated safes for smaller storage). Reinforced walls -- poured concrete or certified modular vault panels. No plumbing, HVAC ducts, or ceiling access routed through the vault.
  • Locks: Time-delay combination lock (10-15 minute delay on first opening of the day) combined with keyed backup. Dual-custody access -- two authorized individuals present for every vault opening.
  • Access control: Named-individual access list with state licensing verification. Biometric or keycard secondary to combination for audit-trail purposes.
  • Inventory organization: Product organized by Metrc package ID, with clear segregation of quarantine / recall / returns / destruction-pending material. Staged daily count material separate from main stock.
  • Capacity sizing: Vault holds one day's vault drop plus the inventory not on the active sales floor. Overflow goes to a secondary secure storage, not stacked on the floor.
  • Environmental controls: Temperature and humidity monitored if cannabis product is in long-term vault storage. Edibles and beverages with cold-chain requirements go to refrigerated secure storage, not ambient vault.
  • Audit logs: Every opening logged with timestamp, two individuals, purpose, and duration. Monthly audit reconciliation against Metrc.

Vault State Callouts

| State | Vault-Specific Rule | Notes |
|-------|---------------------|-------|
| California | DCC requires secure storage of all cannabis goods when not being used for display or sale | §5042 limited-access areas; §5043 restricted-access areas (post-2021 DCC numbering: §15042 / §15043) [CITED: DCC regulations 2025] |
| Colorado | Commercial-grade vault or safe required; inventory must be segregated by license type | MED enforcement periodically inspects vault construction [CITED: MED rule 3-615 2024] |
| Illinois | Restricted-access area with camera coverage; daily inventory reconciliation | IL pairs physical vault rule with cyber-hardening language [CITED: IL DFPR 2024] |
| Nevada | Secured storage required; NVSC periodically audits vault access logs | Double-custody expected for vault openings [CITED: NVSC 2024] |

Cash Storage Layered Inside the Vault

Cash does not sit on shelves in the vault. A separate cash safe (typically a TL-15 or TL-30 rated safe) sits inside the vault, with its own dual-custody process and its own drop-safe timing. Daily drops go into the safe throughout the day; the armored carrier pickup empties the safe on a schedule. Cannabis cash flows are covered in depth in cash-handling.md -- this file covers only the physical vault construction context.

Alarms & Monitoring

Universal baseline:

  • Central-station monitoring: UL-certified central station monitoring the alarm panel 24/7/365. Response dispatch to law enforcement on signal.
  • Detection: Door contacts on every exterior door and vault door. Glass-break sensors on storefront. Motion detection in sales floor, back office, vault room. Vibration sensors on vault walls (high-value locations).
  • Panic buttons: Duress buttons at POS stations, manager's desk, vault. Silent signal to central station; no audible alarm (to avoid escalating an armed robbery in progress).
  • Integration: Alarm panel integrated with video system so an event triggers bookmarking in the NVR. Some states now allow (and Illinois is moving toward requiring) cyber-alarm integration -- alerts fire when the VMS (video management system) or alarm panel is tampered with remotely.
  • Testing: Monthly walk-test of each sensor; quarterly full-system test with central station; annual certification for UL-required systems.
  • Failover: Dual communication paths -- cellular plus wired. A cut phone line does not disable the alarm path.

Alarm State Callouts

| State | Alarm-Specific Rule | Notes |
|-------|---------------------|-------|
| California | DCC requires commercial-grade alarm on all restricted-access areas; central-station monitoring | §5045 alarm system requirements (post-2021 DCC numbering: §15045) [CITED: DCC regulations 2025] |
| Colorado | 24/7 monitoring; UL-certified central station preferred | MED audits alarm logs during inspection [CITED: MED rule 3-615 2024] |
| Illinois | Alarm + access-control + video treated as an integrated system; cyber-alarm expected | IL leads on integrated monitoring expectations [CITED: cannabistechnologypartners.com] |
| Nevada | Central station monitoring; alarm log retention required | NVSC may inspect log during renewal [CITED: NVSC 2024] |

Guards & Staffing

Guard posture is one of the most variable controls across states. The decision framework:

  • Licensed vs unlicensed: In most states, any paid security staff must hold a state-issued guard license. Unlicensed "greeter" or "host" staff cannot legally perform security duties (observation, intervention, access control).
  • Armed vs unarmed: Armed security requires a separate higher-tier license in every state that allows it at all, and is prohibited in some jurisdictions. The operational decision matrix: armed in markets where armed robberies of cannabis stores are materially elevated (urban footprints, known geographic clusters of incidents); unarmed in markets where armed presence changes the risk profile of normal operations more than it deters attackers. Insurance carriers have strong opinions and often dictate the answer.
  • Presence posture: Fixed-post guards at the entrance vs roving presence on the sales floor vs plainclothes LP vs visible marked-uniform. Most operators run a hybrid: marked uniform at entrance for deterrence; unmarked LP on the floor for detection.
  • Staffing level: Minimum two-person coverage at all times the store is open. At high-volume or high-risk locations, three-person minimum (one at entrance, two on floor / POS). Never a single-staff store for a licensed cannabis retailer in any state.

California BSIS Guard Card

California requires security guards to hold a BSIS (Bureau of Security and Investigative Services) Guard Card -- a state-issued license verifying the guard has completed required training (the 8-hour Power to Arrest course plus 32 additional hours of training within the first six months) and passed a criminal background check. Armed guards need the additional Exposed Firearm Permit plus ongoing qualification. Dispensaries must verify the card on each guard and log the verification in the employee file. [CITED: CA BSIS 2025]

Guard State Callouts

| State | Guard-Specific Rule | Notes |
|-------|---------------------|-------|
| California | BSIS Guard Card required; armed requires Exposed Firearm Permit | Verification required by DCC at licensing [CITED: DCC / BSIS 2025] |
| Colorado | Security guard licensing through DORA Private Investigator and Security Guard Licensing Program | Required for dispensary security staff [CITED: CO DORA 2024] |
| Illinois | Private Detective, Private Alarm Contractor, Private Security Contractor Act registrations | Illinois distinguishes corporate license from individual guard license [CITED: IDFPR 2024] |
| Nevada | PILB (Private Investigator Licensing Board) licensing; armed guards require Nevada CCW permits plus PILB authorization | NVSC coordinates with PILB on cannabis-facility guard staffing [CITED: PILB / NVSC 2024] |

The Armed-Guard Decision Matrix

| Factor | Points Toward Armed | Points Toward Unarmed |
|--------|---------------------|-----------------------|
| Geographic incident cluster | Recent armed robberies in corridor | Low-incident corridor |
| Cash density | >$75K vault; weekly >$1M deposits | Moderate cash; frequent pickups |
| Hours of operation | Late-night / 24hr | Normal retail hours |
| Insurance carrier guidance | Requires or incentivizes armed | Requires or incentivizes unarmed |
| Community / municipal posture | Permits armed retail security | Restricts or disallows armed retail |
| Staff familiarity | Experienced former-LE staff available | Retail staff with limited training bandwidth |
| Liability exposure | Operator accepts carrier-approved armed posture | Operator carries higher unarmed liability but avoids armed-escalation risk |

Armed posture is not inherently "more secure" than unarmed. Armed presence adds a significant liability exposure (negligent discharge, wrongful-force claims, training-gap liability) that must be weighed against the deterrence value. For many dispensaries, a visible-uniform unarmed presence combined with a robust camera-and-alarm system, silent-signal duress buttons, and a trained comply-and-observe robbery response is the correct posture.

Access Control (Key, Keycard, Biometric)

The four-ring framework at the top of this section only holds if access between rings is actually controlled. Universal baseline for the interior rings (sales floor to back-of-house; back-of-house to vault):

  • Named-individual access. Every employee with access to a restricted area is on a written access list tied to their state-cannabis-work permit where applicable. No "the key lives behind the register for whoever needs it."
  • Keycard or biometric preferred over physical keys. Physical keys can be duplicated, and the termination process for a keyholder is "we changed the locks," which is operationally expensive. Keycard revocation on termination is same-day and costs nothing. Biometric (fingerprint, facial) is appropriate for the vault ring, where a card that was never actually revoked, or a cloned card, could still open the door; a fingerprint cannot be handed to someone else or left behind in a desk drawer.
  • Logged every time. Every access event (door opens, vault opens, Metrc room entered) logs to an access-control audit system. Monthly review of anomalies -- an operator who enters the vault at 3am when the store is closed is a review trigger regardless of whether they had authorization.
  • Two-factor for high-security areas. Vault opening requires keycard + PIN, or keycard + biometric. A lost keycard alone does not open the vault.
  • Visitor access. Vendor representatives, regulatory inspectors, service technicians, and law-enforcement all enter through an escorted path. Visitor log maintained. Visitor access does not extend to the vault or Metrc room unescorted.
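The monthly anomaly review described above can be largely automated against the access-control system's event export. The Python below is an added example written for this page, not the playbook's own tooling or any access-control vendor's code; the roster, door (ring) names, badge IDs and log lines are constructed. It applies four review rules from the list above: a terminated badge that still opens a door (revocation failed), an active badge opening a ring it is not on the access list for, any access outside opening hours (flagged even when the person is authorized, as the text requires), and a vault opening with no second badge within the dual-custody window.

```python
from collections import Counter
from datetime import datetime

# Constructed roster: badge -> employee record. "areas" are the rings the badge is listed for.
ROSTER = {
    "B102": {"name": "J. Doe (GM)", "status": "active", "areas": {"floor", "backoffice", "vault"}},
    "B117": {"name": "R. Lee (AGM)", "status": "active", "areas": {"floor", "backoffice", "vault"}},
    "B205": {"name": "M. Cruz", "status": "terminated", "areas": {"floor"}},
    "B330": {"name": "A. Kim", "status": "active", "areas": {"floor", "backoffice"}},
}

# Constructed access-control export: timestamp, door (ring), badge, result.
SAMPLE_LOG = """\
2026-01-14T10:02:11 vault B102 granted
2026-01-14T10:02:30 vault B117 granted
2026-01-14T15:40:05 vault B102 granted
2026-01-15T03:12:44 vault B117 granted
2026-01-15T11:05:00 backoffice B205 granted
2026-01-15T12:00:00 vault B330 granted
2026-01-15T12:00:20 vault B102 granted
2026-01-15T14:15:09 vault B999 denied
"""

def parse_log(text):
    """Turn the export into event dicts with real datetimes; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, badge, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "door": door,
                       "badge": badge, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def _finding(rule, event, roster):
    rec = roster.get(event["badge"], {})
    return {"rule": rule, "ts": event["ts"].isoformat(), "door": event["door"],
            "badge": event["badge"], "name": rec.get("name", "unknown")}

def review_access_log(events, roster=ROSTER, open_hour=9, close_hour=21, custody_window=60):
    """Apply the review rules to every event. Returns finding dicts in time order."""
    findings = []
    vault_grants = [e for e in events if e["door"] == "vault" and e["result"] == "granted"]
    for e in events:
        rec = roster.get(e["badge"])
        if rec is None:
            # A badge the roster does not know should never be granted anywhere.
            if e["result"] == "granted":
                findings.append(_finding("UNKNOWN_BADGE", e, roster))
            continue
        if rec["status"] != "active":
            # Revocation failed: a terminated badge still opens doors. That is the root
            # cause, so the other rules are not evaluated for this event.
            if e["result"] == "granted":
                findings.append(_finding("TERMINATED_BADGE", e, roster))
            continue
        if e["result"] != "granted":
            continue
        if e["door"] not in rec["areas"]:
            findings.append(_finding("NOT_AUTHORIZED", e, roster))
        if not open_hour <= e["ts"].hour < close_hour:
            findings.append(_finding("AFTER_HOURS", e, roster))  # reviewed even if authorized
        if e["door"] == "vault":
            # Dual custody: a different badge must open the vault within custody_window seconds.
            paired = any(o["badge"] != e["badge"]
                         and abs((o["ts"] - e["ts"]).total_seconds()) <= custody_window
                         for o in vault_grants)
            if not paired:
                findings.append(_finding("DUAL_CUSTODY", e, roster))
    return findings

def summarize(findings):
    """Counts per rule: the headline numbers for the monthly review."""
    return Counter(f["rule"] for f in findings)

if __name__ == "__main__":
    results = review_access_log(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f['ts']}  {f['rule']:<16} {f['door']:<10} {f['badge']} {f['name']}")
    print(dict(summarize(results)))
```

On the constructed log the review flags the 03:12 vault opening twice (after hours and alone), the 15:40 single-badge opening, the terminated budtender's badge still opening the back office, and the inventory badge entering the vault it is not listed for; the noon opening passes dual custody because a second badge follows within 20 seconds. The denied attempt by the unknown badge is not a finding by itself, because denial is the control working; if you want repeated denials at the vault escalated, add a rule over the denied events in the same loop.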

Lighting & Environmental Design

Passive security controls reduce incident frequency independent of the active controls:

  • Exterior lighting. Parking lot lit to a minimum of 1-2 foot-candles at ground level; entry canopy lit. Motion-activated flood lighting on secondary approaches. Dark parking lots are robbery magnets.
  • Sightlines. No hidden entry paths. Landscaping trimmed to maintain line-of-sight from the store to the parking lot. Exterior cameras not blocked by signage or greenery.
  • Signage. Visible "this area under 24-hour video surveillance" signage at entry and at parking lot boundaries. Deterrence signaling is part of the control.
  • Glass hardening. UL-rated storefront glass or security film. Bollards at the entrance to prevent vehicle-ramming attacks (a rising pattern for high-value retail).
  • Man-trap or vestibule. An entry vestibule that can be locked from inside after business hours and during an incident. ID verification and age gating happens here before the customer accesses the main sales floor.

Receiving-Dock Security

Dispensary inventory arrives via a licensed distributor in a sealed Metrc-tagged transfer. The receiving dock is a distinct ring with its own control expectations:

  • Appointment-based receiving. No walk-in deliveries. Every inbound transfer is scheduled; the dock is only open on schedule.
  • Dedicated camera coverage. 1080p coverage of the dock approach, the dock itself, and the manifest handoff.
  • Two-person handoff. One staff member accepts the manifest and inspects the transfer; a second staff member witnesses the count and logs into Metrc.
  • Isolation from the sales floor. Inbound product goes directly to a staging area (often a quarantine bay or a receiving-specific secure room), not through the sales floor.
  • Manifest verification before acceptance. If the manifest does not match the physical count, the package is NOT accepted in Metrc until the discrepancy is reconciled with the distributor. Receiving SOP detail in receiving-qc.md.

3. Emergency Response (External Theft / Armed Robbery)

See also: sops.md §Emergency Response Plan for the SOP checklist index. This section is the operational playbook that extends the SOP.

Internal-theft scope: Employee fraud, buddy-pass, return fraud, void abuse, and exception-based reporting live in internal-theft.md. This section covers ONLY external threats.

Armed-Robbery Response Protocol

The universal industry-accepted posture is comply and observe, not resist. Armed cannabis robberies are typically short-duration (under 2 minutes), high-motivation (cash + portable product), and frequently involve multiple perpetrators. Resistance escalates the risk to staff and customers far more than it protects the loss.

Staff-facing protocol (train every hire, retrain quarterly):

  1. Comply immediately. Do not negotiate. Do not reach for anything. Hands visible.
  2. Verbal de-escalation. "We're following the plan. Stay calm. Everyone is safe."
  3. Silent signal. Hit the duress / panic button as soon as it is safe to do so without alerting the robber. Do not announce or draw attention to the action.
  4. Observe. Number of perpetrators, height, weight, build, race, clothing, weapons visible, accents, tattoos, direction of travel. Do not stare; use peripheral attention.
  5. Do not pursue. Once perpetrators leave, lock the doors. Do not chase, do not follow to a vehicle, do not try to photograph the exit. The robbery is over; the investigation is starting.
  6. Preserve the scene. Do not move anything. Do not clean up. Do not let anyone into the affected area until law enforcement clears it.
  7. 911 call. Manager places the 911 call. Concise: "Armed robbery just occurred at [address]; perpetrators fled; scene secure; staff injured: yes/no; weapons visible: yes/no."
  8. Central-station response. Central-station monitoring has already received the silent signal and is dispatching in parallel; do not assume 911 replaces this path.

Post-incident:

  • Staff assembles in a designated safe area inside the store. No one leaves until law enforcement arrives and releases.
  • Manager retrieves the staff roster and customer count (from POS) to confirm no one is missing.
  • Store is closed for remainder of day (at minimum). Regulatory reporting begins within the state-specific clock (most states: 24 hours).
  • Internal debrief scheduled within 48-72 hours. Insurance carrier notified.
  • Video preservation: footage of the incident flagged and exported immediately to avoid automatic overwrite on the NVR. A second copy goes to law enforcement and a third to the insurance file.

Smash-and-Grab Response

Smash-and-grab -- typically after-hours forced entry through glass or exterior barrier -- is the other most common cannabis retail incident. Key controls:

  • Delay, not denial. UL-rated storefront glass, security film, bollards, retractable rolling shutters -- the objective is to slow entry enough that the police arrive before the product is out. Most smash-and-grab crews operate on a 90-second window.
  • Empty display. Every operator should clear displays into the vault at closing. A smash-and-grab into an empty display case gets the perpetrators nothing; one into a fully stocked display case pays for the risk.
  • Silent alarm on glass break + forced entry. Glass-break sensors signal central-station; forced door signal same. Central station dispatches LE before the perpetrators complete the entry.
  • Flood lighting and IR cameras. Motion-activated exterior flood lights paired with IR-capable cameras. Most perpetrators avoid lit targets.
  • Post-event reset. Emergency glass replacement contractor on retainer. Insurance policy pre-understood for rapid claim. Metrc reconciliation of stolen product initiated the same day.

Active-Threat Response

Active shooter or other active-violence scenarios are covered by the federally recommended Run, Hide, Fight framework. Integrate cannabis-specific considerations:

  • Panic buttons at every POS + manager's desk + vault should all trigger a lockdown signal and silent LE dispatch.
  • Back-of-house exit should be a working emergency egress, not a dead-end storage room. Review annually.
  • Staff training should include the active-threat scenario separately from the robbery scenario -- the response is different.
  • Customer evacuation: at a cannabis store, an active-threat evacuation has product-security implications (cannabis in display, customers in the middle of transactions). The SOP must give staff permission to prioritize life safety over inventory control and accept the product-loss consequences.

Post-Incident Regulatory Reporting

Every state requires notification to the cannabis regulator within a defined window after an incident involving loss of product, loss of cash, or a security event that triggered a 911 call. The universal pattern is:

  • 24 hours: Initial notification to the regulator (email or phone per state rule). California DCC uses a dedicated incident reporting pathway; Nevada NVSC uses a similar portal.
  • 72 hours: Written incident report with details, video flags, estimated loss, and Metrc package IDs of any lost/stolen product.
  • Metrc reconciliation: Stolen product must be documented in Metrc as a loss event; the specific Metrc workflow is state-specific (see tech-compliance.md for Metrc mechanics).
  • Insurance claim: Parallel path; the regulator report and the insurance file converge on the same underlying incident documentation.

Cannabis-specific wrinkle: An under-reported incident (for example, a small loss operators might be tempted to absorb rather than report) can itself become a compliance violation. Some operators have lost license renewals over failure to report. Default: report everything, at the thresholds the state rule sets.


4. Integrated Cybersecurity

Why Cyber Is Now a Top-5 Operational Risk

The shift is simple: a cannabis dispensary cannot operate without its POS. In limited-license markets, a two-day POS outage is a two-day revenue loss with no recovery path -- the customer went to a competitor. In all markets, a POS outage that prevents recording transactions in Metrc is a direct compliance violation; the clock runs even when the system does not.

This reframes cyber from a data-theft concern (historical framing: "what happens if customer data leaks?") to an availability concern (current framing: "what happens if we cannot take transactions?"). Both dimensions matter, but availability is the one that shows up in the P&L within a week.

Post-2024 breach case studies (detailed later in this section) confirm the pattern: most attacks do not target the dispensary directly. They target a vendor -- a POS processor, a marketing analytics platform, a loyalty CRM, an IT managed-service provider -- and pivot to the dispensary from there. The dispensary operator has limited visibility and limited authority over vendor security posture, yet bears the operational and reputational cost when a vendor is breached.

This section covers six cyber workstreams:

  1. POS security -- patching, MFA, session timeouts, individual accounts
  2. Metrc and state-tracking credential hygiene
  3. PII and loyalty data protection
  4. Third-party vendor supply-chain risk
  5. Named cannabis breach case studies (STIIIZY, Trulieve, MJ Freeway, Washington state)
  6. Breach response playbook

POS Security

Cannabis POS systems (Flowhub, Treez, Dutchie, Cova, Meadow, Blaze, etc.) sit at the intersection of cash handling, compliance reporting, inventory management, and customer data. They are the single highest-value target on a dispensary's network.

Universal POS Security Controls

  • Patch management: POS software and its underlying operating system must be on a defined patch cadence. Monthly minimum; critical security patches within 72 hours of vendor release. Operators on a 12-month-old POS build are a breach waiting to happen.
  • MFA required for all admin accounts. Every administrative account (store manager, inventory manager, compliance manager, IT) must require multi-factor authentication on login. SMS-based MFA is acceptable as a minimum floor; TOTP (Google Authenticator, Authy, 1Password, Duo) is the industry-standard baseline; hardware tokens (YubiKey) for high-privilege accounts.
  • Session timeouts: 15-minute idle timeout on back-office sessions; automatic lock on POS terminals after a defined inactivity window. Never a "stays logged in all day" manager session.
  • Individual user accounts. This is the single most-violated control in cannabis retail. Every staff member must have an individual login; shared logins (the "budtender1" account everyone uses) are non-negotiable anti-patterns. Individual accounts enable exception reporting, accountability, and swift access revocation on termination.
  • Role-based access control: Cashier cannot adjust inventory; inventory manager cannot modify prices; only compliance role can access Metrc functions. Principle of least privilege applied at the POS role level.
  • Credential revocation on termination: Same-day deactivation of the POS user account, the Metrc user account, and any shared resource (manager's Gmail, vendor portals). Weekly audit that terminated employees have no active credentials anywhere.
  • Logging and monitoring: POS audit logs retained per state rule; suspicious activity (multiple failed logins, after-hours admin actions, inventory adjustments during non-operating hours) triggers alerts to the compliance manager.

Shared-Login Anti-Pattern

A recurring finding in post-breach analysis is that shared logins are still common in cannabis retail. Two specific failure modes:

  1. The "budtender1" account. Everyone on the floor logs in as the same user. Exception reporting is meaningless because you cannot attribute behavior to an individual. When a theft or a fraud pattern emerges, investigation requires pulling video for every transaction because the POS attribution is gone.
  2. The "manager's browser." A browser on the back-office PC is logged into the POS admin portal, the Metrc state portal, and the loyalty CRM simultaneously. Whoever sits at that desk has full administrative access regardless of their role. This is the equivalent of leaving the vault open.

Both patterns are covered in internal-theft.md from the employee-fraud angle. The cyber angle: they also create a massive external-breach surface if the endpoint is ever compromised.
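As an added example (not code from the playbook or from any POS vendor), the alert conditions listed under Logging and monitoring above and the concurrent-session signal of the "budtender1" pattern, run over a constructed pipe-delimited audit log. The log format, the 09:00-21:00 store hours, the admin event names and the 5-failures-in-10-minutes threshold are all assumptions; a real deployment maps them to the POS export format and the store's actual hours.

```python
"""Detection rules over POS audit-log lines.

Added example: the log format, store hours, admin event names and thresholds
are assumptions constructed for this block, not a POS vendor's export format."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

OPEN_TIME, CLOSE_TIME = time(9, 0), time(21, 0)          # assumed store hours
ADMIN_EVENTS = {"PRICE_CHANGE", "USER_ROLE_CHANGE", "DISCOUNT_RULE_EDIT"}
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)  # failed-login storm rule

# Constructed sample log, one event per line: timestamp|user|terminal|event|detail
SAMPLE_LOG = """\
2026-02-07T09:05:00|budtender1|POS-1|LOGIN_OK|
2026-02-07T09:06:00|budtender1|POS-2|LOGIN_OK|
2026-02-07T09:40:00|mgr.ortiz|BACKOFFICE|LOGIN_OK|
2026-02-07T10:00:00|mgr.ortiz|BACKOFFICE|PRICE_CHANGE|sku=PRE-ROLL-1G
2026-02-07T22:15:00|mgr.ortiz|BACKOFFICE|INVENTORY_ADJUST|sku=FLOWER-3.5G qty=-12
2026-02-07T22:16:00|mgr.ortiz|BACKOFFICE|USER_ROLE_CHANGE|user=temp.hire role=admin
2026-02-08T02:00:00|admin|BACKOFFICE|LOGIN_FAIL|
2026-02-08T02:00:30|admin|BACKOFFICE|LOGIN_FAIL|
2026-02-08T02:01:00|admin|BACKOFFICE|LOGIN_FAIL|
2026-02-08T02:01:30|admin|BACKOFFICE|LOGIN_FAIL|
2026-02-08T02:02:00|admin|BACKOFFICE|LOGIN_FAIL|
2026-02-08T02:02:30|admin|BACKOFFICE|LOGIN_FAIL|
2026-02-08T09:10:00|inv.chen|BACKOFFICE|LOGIN_OK|
2026-02-08T11:00:00|inv.chen|BACKOFFICE|INVENTORY_ADJUST|sku=VAPE-0.5G qty=+3
"""


def parse_log(text):
    """Parse the pipe-delimited lines into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, terminal, event, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "terminal": terminal, "event": event, "detail": detail})
    return sorted(events, key=lambda e: e["ts"])


def during_store_hours(ts):
    return OPEN_TIME <= ts.time() < CLOSE_TIME


def detect(events):
    """Return (rule, user, timestamp, detail) tuples, one per alert condition."""
    findings = []
    recent_fails = defaultdict(deque)   # user -> failure timestamps inside the window
    storm_seen = set()                  # alert once per user per storm
    sessions = defaultdict(set)         # user -> terminals with an open session
    for e in events:
        kind, user, ts = e["event"], e["user"], e["ts"]
        if kind == "LOGIN_FAIL":
            window = recent_fails[user]
            window.append(ts)
            while ts - window[0] > FAIL_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and user not in storm_seen:
                storm_seen.add(user)
                findings.append(("FAILED_LOGIN_STORM", user, ts,
                                 f"{len(window)} failures within {FAIL_WINDOW}"))
        elif kind == "LOGIN_OK":
            # A second live session on another terminal is the shared-login signature.
            elsewhere = sessions[user] - {e["terminal"]}
            if elsewhere:
                findings.append(("CONCURRENT_SESSION", user, ts,
                                 f"already active on {sorted(elsewhere)}"))
            sessions[user].add(e["terminal"])
        elif kind == "LOGOUT":
            sessions[user].discard(e["terminal"])
        elif kind in ADMIN_EVENTS and not during_store_hours(ts):
            findings.append(("AFTER_HOURS_ADMIN", user, ts, e["detail"]))
        elif kind == "INVENTORY_ADJUST" and not during_store_hours(ts):
            findings.append(("OFF_HOURS_INVENTORY_ADJUST", user, ts, e["detail"]))
    return findings


def run_sample():
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, ts, detail in run_sample():
        print(f"{ts.isoformat()} {rule:<28} {user:<12} {detail}")
```

On the constructed log this yields four findings: the budtender1 account live on two terminals at once, an off-hours inventory adjustment and an off-hours role change by the manager account, and a failed-login storm against the admin account at 02:00. Each maps to a row the compliance manager should receive as an alert rather than discover in a quarterly log review.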

Network Segmentation

A cannabis retail network has distinct security zones that must be separated, not collapsed into a single flat LAN:

  • POS terminals -- connected to the POS server, the payment processor, and Metrc. No general internet access beyond what the POS requires.
  • Back-office workstations -- general email, browsing, vendor portals. Isolated from the POS network except via explicitly permitted paths.
  • Camera / NVR network -- isolated on its own VLAN. No internet access beyond cloud backup. Camera devices are notorious for firmware vulnerabilities; keep them off the internet.
  • Alarm panel -- dedicated cellular or wired path, not dependent on the main LAN.
  • Customer / guest WiFi -- completely separate network. Never on the same VLAN as any operational system.

Flat networks (everything on one LAN) are a common finding in small-operator cyber audits. They mean a single compromised device -- a budtender's personal phone briefly on the guest WiFi that happens to be the operational network, a vendor's laptop that carried malware in -- can reach every system in the store.
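An added example, not part of the playbook: the five zones above expressed as an allowed-flow table, with a check that runs constructed flow records against it. The subnets, the vendor address ranges (documentation ranges used as placeholders) and the permitted ports are assumptions. The point of the structure is that anything not explicitly listed is a violation, which is what separates a segmented network from a flat one.

```python
"""Zone-policy check over constructed flow records.

Added example: the five zones come from the playbook; the subnets, vendor
address ranges and allowed-flow table are assumptions made for this block."""
import ipaddress

# Assumed VLAN addressing for each zone named in the playbook.
ZONES = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "POS": "10.10.10.0/24", "BACKOFFICE": "10.10.20.0/24",
    "CAMERA": "10.10.30.0/24", "ALARM": "10.10.40.0/29", "GUEST": "192.168.50.0/24",
}.items()}

# Named external destinations (RFC 5737 documentation ranges as placeholders).
EXTERNAL = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "POS_VENDOR": "203.0.113.0/24", "METRC": "198.51.100.0/24", "VIDEO_CLOUD": "192.0.2.0/24",
}.items()}

# Permitted (source zone, destination label) -> destination ports. Absent means denied.
ALLOWED = {
    ("POS", "POS_VENDOR"): {443}, ("POS", "METRC"): {443},
    ("BACKOFFICE", "INTERNET"): {80, 443}, ("BACKOFFICE", "POS"): {443},
    ("BACKOFFICE", "CAMERA"): {443},       # explicit NVR-viewing path only
    ("CAMERA", "VIDEO_CLOUD"): {443},      # cloud backup is the camera VLAN's only egress
    ("GUEST", "INTERNET"): {53, 80, 443},
}

# Constructed flow records: (source ip, destination ip, destination port).
SAMPLE_FLOWS = [
    ("10.10.10.5", "203.0.113.10", 443),   # POS -> POS vendor: allowed
    ("10.10.10.5", "198.51.100.4", 443),   # POS -> Metrc: allowed
    ("10.10.10.5", "8.8.8.8", 443),        # POS -> general internet: denied
    ("192.168.50.23", "10.10.10.5", 443),  # guest WiFi -> POS terminal: denied
    ("192.168.50.23", "1.1.1.1", 443),     # guest -> internet: allowed
    ("10.10.30.7", "192.0.2.9", 443),      # camera -> cloud backup: allowed
    ("10.10.30.7", "8.8.8.8", 80),         # camera -> general internet: denied
    ("10.10.20.11", "198.51.100.4", 443),  # back office -> Metrc portal: allowed (internet rule)
    ("10.10.20.11", "10.10.30.7", 22),     # back office -> camera SSH: denied
    ("10.10.40.2", "10.10.20.11", 445),    # alarm panel on the main LAN: denied
]


def classify(ip):
    """Map an address to a zone name, a named external label, or INTERNET."""
    addr = ipaddress.ip_address(ip)
    for table in (ZONES, EXTERNAL):
        for name, net in table.items():
            if addr in net:
                return name
    return "INTERNET"


def is_allowed(src_zone, dst_label, port):
    if port in ALLOWED.get((src_zone, dst_label), set()):
        return True
    # A named vendor is still "the internet" for zones with general web access.
    if dst_label not in ZONES:
        return port in ALLOWED.get((src_zone, "INTERNET"), set())
    return False


def check_flows(flows):
    """Return (src, src_zone, dst, dst_label, port) for every flow the policy denies."""
    violations = []
    for src, dst, port in flows:
        s, d = classify(src), classify(dst)
        if not is_allowed(s, d, port):
            violations.append((src, s, dst, d, port))
    return violations


def run_sample():
    return check_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for src, s, dst, d, port in run_sample():
        print(f"DENY {s}->{d} {src} -> {dst}:{port}")
```

Fed with real flow records (firewall or NetFlow export) instead of the constructed list, the same check becomes a nightly segmentation audit: any non-empty result is either a firewall rule that does not match the documented design or a device sitting on the wrong VLAN.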

Endpoint Hardening

Each POS terminal, back-office workstation, and NVR controller is an endpoint that must be hardened:

  • Full-disk encryption (BitLocker, FileVault).
  • EDR (endpoint detection and response) agent installed and reporting to a central dashboard. Examples: CrowdStrike, SentinelOne, Huntress, Sophos.
  • Automatic OS updates enabled within a managed window.
  • Local admin accounts removed or renamed; no "Administrator" account with a weak password.
  • USB / removable-media restriction where state rules permit; a thumb drive plugged into a POS terminal is a classic malware vector.
  • Known-good baseline image; rebuild from baseline on any suspected compromise rather than "clean in place."

Metrc & State Tracking Credential Hygiene

Metrc and the other state tracking systems (BioTrack in some states; LEAF in WA) carry a distinct and higher-risk credential posture than the POS. Reasons:

  • Regulator visibility. Every Metrc action is logged and visible to the state cannabis regulator. Anomalous Metrc activity can trigger a compliance audit even before the operator detects the breach internally.
  • Direct inventory manipulation. A compromised Metrc credential can adjust inventory, process transfers, and manipulate compliance records in a way that creates a direct regulatory violation.
  • Cross-license exposure. A multi-location operator has Metrc access across every license. Credential compromise is not confined to one store.
  • No recovery via backup. There is no "restore from yesterday" for Metrc the way there might be for the POS database. Damage to the regulator-visible record set is persistent.

Metrc Credential Controls

  • Separation from POS credentials. The Metrc login is not the same as the POS login. Different username, different password, different MFA factor. A POS breach should not be a Metrc breach.
  • Rotation policy. Metrc credentials rotate quarterly at minimum; immediately on any employment change; immediately on any suspected credential exposure.
  • Separation of admin and operator. The compliance manager who has administrative Metrc access does not use that credential for routine daily Metrc work. A separate operator-level credential handles the daily transfer accepts and inventory adjustments; the admin credential comes out only for state-required administrative actions.
  • MFA mandatory. Metrc's own MFA features are well-documented; every state Metrc tenant supports TOTP at minimum. There is no justification for a Metrc account without MFA.
  • Logged access. Who logged into Metrc, when, from what IP, and what they did. This log is retained per state rule and is often the first thing a regulator asks for after an incident.
  • Integration credentials separate again. A POS-to-Metrc integration uses its own service account with scoped API permissions -- not a human user's credentials. Treating integration credentials as "just another user" creates a shared-credential problem at the machine level.

Cross-ref: tech-compliance.md for Metrc feature mechanics and state-specific tenant differences.

BioTrack and LEAF Parallels

Not every state is on Metrc. Washington uses LEAF; some other states use BioTrack THC or state-developed systems. The credential-hygiene principles are identical:

  • Separation of admin and operator credentials
  • MFA required on every account
  • Individual-user logins with no shared credentials
  • Rotation on employment change
  • Integration credentials (POS-to-tracking) as scoped service accounts, not human logins
  • Logged access and periodic access review

The specific feature sets differ by vendor and tenant, but the threat model does not. A compromised tracking-system credential in any state is a direct regulatory exposure.

PII & Loyalty Data Protection

Cannabis customer PII carries a distinct risk profile:

  • Stigma sensitivity. Unlike general retail, a cannabis loyalty record linked to an individual implies cannabis use -- which still carries employment, custody, immigration, and social consequences in many contexts. A breach is not just a privacy incident; it is a reputational weaponization risk for the affected customers.
  • Medical cannabis implications. State medical cannabis program data has HIPAA-adjacent implications in some states. The data may be technically outside HIPAA (not held by a covered entity), but the patient-information sensitivity is substantively similar. State medical cannabis regulators often impose rule-based confidentiality obligations that mirror HIPAA language.
  • Age-verification records. ID scan data (DOB, name, address, ID photo) is collected at every visit in most states. A breach of this data set is substantively an identity-theft database.
  • Payment card data. Less of a cannabis-specific issue (PCI DSS applies normally), but complicated by the patchwork of cashless ATM, ACH, and payment-processor arrangements cannabis operators run. PCI DSS scoping must be handled with the payment processor, not ignored.

PII Controls

  • Minimization. Do not collect what you do not need. Age-verification does not require storing ID scans after verification; confirm and discard.
  • Encryption at rest. Customer database encryption with key management separate from the database administrator.
  • Encryption in transit. TLS on every POS-to-vendor connection; no open HTTP for any customer-data flow.
  • Access control. Loyalty and customer data accessible only to defined roles; no bulk-export capability in the hands of line staff.
  • Retention limits. Age-verification scan data retained for the minimum period required by the state rule; loyalty data subject to defined retention and deletion windows per the operator's privacy policy.
  • Breach notification obligations. State privacy laws apply alongside cannabis regulations. California CCPA/CPRA, Colorado CPA, Illinois BIPA (biometric identifiers specifically), and Nevada SB 220 all impose notification obligations that run in parallel to cannabis regulator notification.
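An added example, not code from the playbook: the confirm-and-discard rule for age verification and the retention limit above, with the verification store guarded by a field allowlist so that DOB, ID number and scan image cannot reach it even by accident. The 21-year threshold, the field names and the retention windows are assumptions constructed for this block; the state rule sets the real values.

```python
"""Age-verification minimization and retention purge.

Added example: the age threshold, field allowlist and retention windows are
assumptions for this block; confirm them against the applicable state rule."""
from datetime import date, timedelta

MIN_AGE = 21                                            # assumed adult-use threshold
ALLOWED_AT_REST = {"verified_on", "passed", "id_type", "clerk"}   # nothing else is stored
RETENTION = {"verification": timedelta(days=90),        # placeholder windows
             "loyalty": timedelta(days=730)}


def age_on(dob, on):
    """Whole years between a date of birth and a reference date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def verify(scan, today, clerk):
    """Decide the check from the scanned fields and return only the minimal record.

    `scan` carries name, dob, address, id_number, id_type, expires and image;
    only id_type survives into the returned record. The caller drops `scan`."""
    passed = scan["expires"] >= today and age_on(scan["dob"], today) >= MIN_AGE
    return {"verified_on": today, "passed": passed, "id_type": scan["id_type"], "clerk": clerk}


def persist(store, record):
    """Write a verification record, refusing any field outside the allowlist."""
    extra = set(record) - ALLOWED_AT_REST
    if extra:
        raise ValueError(f"refusing to store PII fields: {sorted(extra)}")
    store.append(dict(record))


def purge_expired(records, record_type, date_field, today):
    """Drop records older than the retention window; return (kept, purged_count)."""
    limit = RETENTION[record_type]
    kept = [r for r in records if today - r[date_field] <= limit]
    return kept, len(records) - len(kept)


def run_sample():
    today = date(2026, 2, 7)
    # Constructed scans: of age, under age, and of age but with an expired ID.
    scans = [
        {"name": "Pat Example", "dob": date(2004, 3, 15), "address": "1 Main St",
         "id_number": "D1234567", "id_type": "state_dl", "expires": date(2029, 3, 15),
         "image": b"<jpeg bytes>"},
        {"name": "Sam Example", "dob": date(2005, 6, 1), "address": "2 Main St",
         "id_number": "D7654321", "id_type": "state_dl", "expires": date(2030, 6, 1),
         "image": b"<jpeg bytes>"},
        {"name": "Lee Example", "dob": date(1990, 1, 1), "address": "3 Main St",
         "id_number": "P0000001", "id_type": "passport", "expires": date(2025, 12, 31),
         "image": b"<jpeg bytes>"},
    ]
    store, results = [], []
    for scan in scans:
        record = verify(scan, today, clerk="clerk-07")
        persist(store, record)
        results.append(record["passed"])
        del scan  # the scanned payload is not kept anywhere after the decision

    # A record that smuggles a DOB into the store must be refused.
    blocked = False
    try:
        persist(store, {"verified_on": today, "passed": True, "dob": date(2004, 3, 15)})
    except ValueError:
        blocked = True

    # Constructed historical records for the retention purge.
    history = [{"verified_on": date(2025, 10, 1), "passed": True},
               {"verified_on": date(2025, 12, 15), "passed": True},
               {"verified_on": today, "passed": False}]
    kept, purged = purge_expired(history, "verification", "verified_on", today)
    return {"passed": results, "blocked_pii_write": blocked,
            "store_fields": sorted(set().union(*store)), "kept": len(kept), "purged": purged}


if __name__ == "__main__":
    print(run_sample())
```

The allowlist is the control worth copying: a denylist of "sensitive" fields silently fails the first time a vendor adds a new column to the scan payload, while an allowlist fails closed.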

Third-Party Vendor Supply-Chain Risk

The 2024-2025 breach wave exposed a structural truth: most cannabis data breaches do not start at the dispensary. They start at a vendor.

Vendor categories that have been primary attack vectors:

  • POS processors. The STIIIZY breach traced to a third-party POS processor, not STIIIZY's own infrastructure. [CITED: Clark Hill PLC 2025 legal alert]
  • Marketing / analytics vendors. Email marketing platforms, SMS platforms, and analytics dashboards often hold a dispensary's full customer list and purchase history. A breach at the vendor leaks the dispensary's full customer database even though the dispensary's own systems were not touched.
  • Loyalty CRM vendors. Alpine IQ, Springbig, and similar platforms hold deep purchase history and customer profiles. Same exposure pattern.
  • IT managed service providers. The MSP has administrative access to the dispensary's networks; the MSP is breached; the attacker pivots into the dispensary.
  • Delivery platforms. Customer PII + delivery address combinations are high-value data sets that flow through delivery platforms.
  • Age-verification / ID-scan vendors. The ID-scan vendor holds ID-photo archives that make the data set even more sensitive than standard customer data.
  • Payment processors and cashless ATM providers. Stand between the dispensary and the banking infrastructure; breach-in-transit exposes transaction metadata that is otherwise not resident at the dispensary.
  • Cloud-video providers. The NVR-to-cloud replication path delivers camera footage to a vendor's cloud. A vendor compromise exposes every camera feed, across every store, going back the full retention window.
  • Third-party integration connectors. The shims that move data between POS, Metrc, loyalty, and accounting systems. Often the least-audited layer in the stack.

Vendor Vetting Checklist

Before signing any vendor contract that grants access to customer data, POS data, or inventory data:

  • [ ] SOC 2 Type II report on file (or equivalent); review annually
  • [ ] Demonstrated MFA on all vendor admin access to customer systems
  • [ ] Encryption at rest and in transit -- documented in writing
  • [ ] Breach notification SLA defined in contract (24 hours or sooner for confirmed incidents)
  • [ ] Indemnification language for vendor-caused breaches
  • [ ] Data residency / data retention / data deletion commitments in writing
  • [ ] Vendor's own vendor list (fourth-party risk) known and documented
  • [ ] Revocation path -- how the operator revokes vendor access on contract termination
  • [ ] Scope-of-access limited to what the vendor actually needs (principle of least privilege at the vendor level)
  • [ ] Vendor's incident response plan reviewed; includes cannabis-specific regulator notification path where applicable

Ongoing vendor management:

  • Annual review of vendor SOC 2 and incident log
  • Quarterly credential audit (does this vendor still need the access it has?)
  • Immediate access revocation on vendor contract termination
  • Fourth-party risk reviewed when vendor adds or changes sub-processors

Cannabis Breach Case Studies (2017-2025)

The following case studies define the modern cannabis cyber risk picture. Every LP playbook that omits these is operating on pre-2024 assumptions.

STIIIZY (November 2024)

  • Scope: ~380,000 customer records exposed.
  • Vector: Third-party POS processor, not STIIIZY's own infrastructure. The breach demonstrated the supply-chain exposure pattern.
  • Attribution: Dark-web leak claims attributed the attack to the Everest cybercrime group. Caveat: Everest attribution is based on dark-web leak claims, not confirmed independent forensic attribution. Industry reporting treats this as a plausible attribution but not a verified one.
  • Data types exposed: Customer names, addresses, DOB, ID-scan images, purchase history.
  • Operator impact: Reputational hit; state regulator review; civil litigation exposure; cost of customer notification and credit monitoring.
  • Lessons: Third-party vendor risk is primary, not tertiary. The operator's own cyber controls were not the point of failure; the vendor's were.

[CITED: Clark Hill PLC 2025 legal alert; it4weed.com Year in Review 2025]

Trulieve (2025)

  • Scope: Ransomware attack on a multi-state operator with operational disruption reported across several states.
  • Vector: Ransomware -- specific entry vector not fully disclosed publicly at time of writing.
  • Operator impact: Operational disruption to POS and back-office systems; cost of recovery; regulator notification across multiple state footprints.
  • Lessons: Ransomware in cannabis is now a named risk, not a hypothetical one. MSO footprints create aggregated exposure -- one breach affects multiple state-level compliance postures at once.

[CITED: it4weed.com Year in Review 2025]

MJ Freeway (2017, twice)

  • Scope: One of the first large-scale cannabis-industry breaches. Seed-to-sale platform used by many dispensaries.
  • Vector: Distinct incidents; one a ransomware-style attack, one a data exfiltration.
  • Operator impact: Dispensaries using MJ Freeway experienced POS outages; compliance data visibility to the state was impaired.
  • Lessons: The vendor-concentration risk -- many dispensaries sharing one platform -- means a vendor compromise is a multi-dispensary compromise. Diversification of critical vendor dependencies is a structural defense.

[CITED: multiple industry retrospective coverage 2017-2020]

Washington State Tracking System (2018)

  • Scope: Over 5,000 records exposed from the Washington state cannabis tracking system.
  • Vector: State-level system, not operator-level.
  • Operator impact: Data exposed was cannabis traceability data visible across licensees using the state's LEAF system.
  • Lessons: The state tracking system itself is part of the operator's attack surface. Operators rely on the regulator's cyber posture as much as their own.

[CITED: 2018 industry reporting]

Aggregate Pattern

Looking across the 2017-2025 case studies:

  • Vendor-pivot is the primary vector pattern
  • Ransomware is rising as a named risk (Trulieve 2025 is not expected to be the last)
  • State tracking systems are themselves targets
  • MFA adoption would have mitigated most credential-theft components
  • Third-party incident response SLAs were often inadequate in the affected cases

Breach Response Playbook

When a breach is suspected or confirmed, the operator's internal process runs on a defined clock. The universal pattern:

Phase 1: Detect (T=0 to T+4 hours)

  • Suspicious activity alert triggers (failed login storm, unusual POS admin actions, vendor outage notification, regulator inquiry).
  • Compliance manager and IT lead convene; incident response plan opens.
  • Internal comms go through a defined channel; no speculation over normal business Slack/email until scope is known.

Phase 2: Contain (T+4 to T+24 hours)

  • Identify the affected systems, credentials, and data sets.
  • Isolate affected systems -- disconnect from network if necessary, even if it creates an operational impact.
  • Revoke credentials suspected of compromise; rotate all admin credentials as a precaution.
  • Engage outside cyber incident response (retainer or emergency engagement).
  • Preserve evidence -- logs, snapshots, copies of suspicious artifacts -- for forensic review.

Phase 3: Eradicate (T+24 hours to T+7 days)

  • Forensic investigation to identify root cause, blast radius, and attacker dwell time.
  • Remove attacker access -- backdoors, persistence mechanisms, compromised accounts, malicious scheduled tasks.
  • Close the vulnerability that allowed initial access -- patch, reconfigure, remove vendor access, whatever is required.

Phase 4: Recover (T+7 days to T+30 days)

  • Restore systems from clean backup or confirmed-clean state.
  • Validate that attacker access is fully eradicated before reconnecting to production.
  • Reopen operations progressively, with enhanced monitoring.
  • Customer notification per state law and operator policy.

Phase 5: Lessons Learned (T+30 days to T+90 days)

  • Written post-mortem with timeline, root cause, response effectiveness, and remediation list.
  • Remediation tracked to completion with dates.
  • Board / ownership briefing.
  • Update of the incident response plan based on observed gaps.
  • External communication strategy (if warranted) -- customer letter, regulator report narrative, PR statement.

Regulator & Customer Notification Clocks

  • Cannabis regulator: Most states require notification within 24-72 hours of a security event with a reasonable suspicion of data exposure. California, Colorado, Illinois, and Nevada all have some version of this.
  • State privacy laws: CCPA/CPRA (CA), CPA (CO), BIPA (IL), SB 220 (NV), and state-level breach notification statutes in every state impose customer notification obligations on defined timelines (typically 30-60 days from discovery, with exceptions for ongoing LE investigations).
  • Payment-card notification: If PCI data is in scope, card-brand notification rules apply -- typically much faster (hours to days).
  • Federal: Some federal overlays (FTC safeguards, HIPAA if medical cannabis data is HIPAA-covered in the state) may apply.

The notification clocks run in parallel, not in sequence. The compliance manager does not wait for one clock to tick down before starting another.

Cyber Tabletop Exercises

A breach response plan that has never been exercised is a document, not a capability. The operator-level best practice is:

  • Annual tabletop exercise. Compliance manager, IT lead, ownership, outside counsel, and (where engaged) cyber insurance carrier walk through a scenario for 2-3 hours. Typical scenarios: ransomware encrypting the POS mid-day Saturday; vendor breach notification arriving on a Monday morning; Metrc credential compromise detected during routine log review.
  • Focus on decision points. The exercise should expose the decisions the operator has not pre-decided: Who authorizes paying a ransom? Who talks to the regulator first? How are customers notified and who drafts the letter? What happens if the POS is down for 72+ hours?
  • Written output. Every tabletop produces an action list with owners and dates. Items not closed before the next exercise are carried forward.
  • Outside facilitation. The exercise is meaningfully more valuable when facilitated by an outside cyber consultant or insurance carrier representative than when run by the same IT lead who would handle the real incident.

Business Continuity Posture

Cyber and physical incidents share a core business continuity question: can the operator continue trading, at some reduced level, while the primary environment is unavailable?

  • POS offline fallback. Most modern cannabis POS systems have an offline mode that allows transactions to continue without the central database. Offline transactions sync when connectivity returns. Operators must have this feature enabled, tested, and documented in an SOP -- the budtender must know what to do on a connectivity loss.
  • Manual transaction log. If the POS is truly down (not just offline from the central server), the store may need to log transactions on paper, then reconstruct them in the POS when service returns. This is a regulatory gray area in most states -- some states explicitly prohibit sales when Metrc reporting cannot occur. Know your state's rule before you need it.
  • Metrc offline provisions. Metrc itself has provisions for reporting backfill after an outage. The window and procedure vary by state tenant. Do not assume a 48-hour outage window is acceptable -- some state tenants require reporting within 24 hours of the event regardless of cause.
  • Cash lane fallback. Even a POS-operating store may lose its cashless ATM or debit processor during a cyber incident. Staff training includes cash-only operation; cash room controls (see cash-handling.md) must scale to a cash-only day.
  • Communications fallback. Store phone, manager's mobile, and a second-channel method (Signal, shared group text) pre-configured so staff can coordinate during an incident even if corporate email is down.

5. Named Vendor Landscape

Examples, not endorsements. The cannabis security vendor market is fragmented, state-specific, and evolving. Vet every vendor against the vetting checklist in §4 above.

Security Integrators (Cannabis-Specialist)

  • Sapphire Risk Advisory Group -- cannabis-industry specialist security consultancy with risk assessment, penetration testing, and ongoing advisory services. Well-known brand in the cannabis LP space. [CITED: sapphirerisk.com; web search 2026]
  • Security 101 -- larger integrated security firm with cannabis-vertical capability. Cameras, access control, alarms, integration services. [CITED: web search 2026]
  • Guardian Integrated Security -- regional security integrator with cannabis-industry footprint. [CITED: web search 2026]

Camera & Video Management Systems

  • Verkada -- cloud-native video platform with AI analytics, license-plate recognition, people counting, and threat detection. Widely adopted in cannabis. Subscription model includes NVR-to-cloud archival. [CITED: verkada.com; web search 2026]
  • Avigilon (Motorola Solutions) -- high-end analytics, appearance search, and unusual-motion detection. Premium pricing; deep LP-feature stack. [CITED: avigilon.com; web search 2026]
  • Solink -- POS-linked video. Every transaction linked to the video of that transaction, enabling fast visual audit of exception reports. Strong fit for dispensary LP. [CITED: solink.com; web search 2026]
  • Eagle Eye Networks -- cloud video management platform; broad camera compatibility. [CITED: web search 2026]
  • Spot AI -- AI-driven video review with natural-language search over footage. Rapidly adopted in cannabis retail. [CITED: web search 2026]
  • BCD Video -- cannabis-vertical specialist with custom NVR and integrated systems. [CITED: web search 2026]

Alarm & Central-Station Monitoring

  • Most dispensaries use UL-certified central-station monitoring providers regardless of cannabis specialization. Major national providers (ADT Commercial, Securitas Technology, Vector Security) and regional UL-certified providers all serve cannabis retail. The key is UL certification, not cannabis specialization.

Cybersecurity & MSP Vendors

  • The cannabis-specialist cyber vendor ecosystem is thinner than the physical-security one, but growing. Generic cybersecurity vendors (CrowdStrike, SentinelOne for endpoint; Arctic Wolf, Huntress for managed detection; Duo, Okta for MFA) all serve cannabis retail on standard commercial terms.
  • Cannabis-specific MSPs are emerging but underrepresented in the LP vendor lists. When selecting, prioritize verifiable MFA enforcement, SOC 2 documentation, and cannabis-regulator notification experience over cannabis-industry branding.

Armored Carriers & Cash Services

For armored-carrier selection, vendor vetting, and cross-state transit risk (including the Empyreal 2022 seizure case), see cash-handling.md.

Cyber Insurance

Cyber insurance in cannabis is a fast-moving market. Until 2023-2024, most cannabis operators either could not obtain cyber coverage or obtained it with material carve-outs. After the 2024-2025 breach wave, the market is hardening in both directions: availability is improving for operators who demonstrate baseline controls (MFA, tested backups, documented incident response); pricing and exclusions are tightening for operators who cannot.

Selection criteria:

  • Cannabis-eligible carrier. Not every cyber carrier writes cannabis risk. Ask up front; do not waste cycles with carriers who will decline at bind.
  • Ransomware coverage posture. Some carriers exclude ransom payments entirely; some limit coverage; some require pre-authorization. Know the exclusions before the incident.
  • Regulator-notification coverage. Cannabis regulator notification is a category not all generic cyber policies contemplate. Confirm coverage for cannabis-specific regulator notification costs.
  • Incident response panel. Most cyber policies bring a pre-vetted incident response panel (forensics, counsel, PR). Evaluate the panel's cannabis experience; the generalist forensics firm may not know the Metrc regulatory context.
  • Business interruption coverage. POS outage revenue loss should be an explicit coverage category. Confirm the waiting period and the calculation methodology.

The cyber policy and the physical crime/theft policy should be reviewed together. Coverage gaps often sit at the intersection (e.g., an insider-facilitated cyber breach may not be fully covered by either policy read alone).

Training & Drills

A security program is only as good as the last time it was exercised. The training cadence:

  • Onboarding (day 1-14 of hire). Every new hire completes: security SOP review, emergency response (robbery) protocol, panic button location walkthrough, cyber hygiene (password policy, MFA enrollment, phishing awareness), Metrc credential protocol, and incident reporting process.
  • Quarterly refresh. Every employee sits through a quarterly 30-minute refresh. Topics rotate: robbery response, fire evacuation, active threat, cyber phishing, insider-threat recognition.
  • Annual drill. Full-store drill with local law-enforcement participation (where LE engages). Usually a robbery scenario run after hours with actors.
  • Post-incident retraining. Any incident triggers a training refresh targeted at the gap the incident exposed. This is part of the lessons-learned output.
  • Credential and access audit. Quarterly audit of who has what access -- POS, Metrc, alarm panel, NVR, vendor portals, physical keys/keycards. Revoke anything not justified by current role.
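An added example, not the playbook's own tooling: the quarterly credential and access audit above, together with the same-day revocation check under POS Security and the rotation, MFA and username-separation rules under Metrc Credential Controls, as one reconciliation pass over a constructed HR roster and per-system account exports. The export fields, the 90-day rotation limit and the set of systems where MFA is enforced are assumptions; each finding is something the compliance manager acts on, not just a count.

```python
"""Access audit over constructed roster and account exports.

Added example: the export fields, the 90-day rotation limit and the systems
where MFA is enforced are assumptions, not any vendor's data model."""
from datetime import date, timedelta

AUDIT_DATE = date(2026, 2, 7)
ROTATION_MAX_AGE = timedelta(days=90)     # quarterly Metrc rotation
MFA_REQUIRED_SYSTEMS = {"pos", "metrc"}   # assumption: where MFA is enforced first

# Constructed HR roster: employee_id -> (name, status, termination date)
ROSTER = {
    "E100": ("A. Ortiz", "active", None),
    "E101": ("B. Chen", "active", None),
    "E102": ("C. Patel", "terminated", date(2026, 1, 15)),
}

# Constructed account exports from each system; owner is None for unowned logins.
ACCOUNTS = [
    {"system": "pos", "username": "a.ortiz", "owner": "E100", "kind": "human",
     "enabled": True, "mfa": True, "last_rotated": date(2026, 1, 2)},
    {"system": "metrc", "username": "a.ortiz", "owner": "E100", "kind": "human",
     "enabled": True, "mfa": True, "last_rotated": date(2025, 9, 1)},
    {"system": "pos", "username": "budtender1", "owner": None, "kind": "human",
     "enabled": True, "mfa": False, "last_rotated": date(2025, 3, 1)},
    {"system": "metrc", "username": "c.patel", "owner": "E102", "kind": "human",
     "enabled": True, "mfa": True, "last_rotated": date(2025, 12, 1)},
    {"system": "nvr", "username": "cpatel", "owner": "E102", "kind": "human",
     "enabled": False, "mfa": False, "last_rotated": date(2025, 6, 1)},
    {"system": "metrc", "username": "pos-sync", "owner": None, "kind": "service",
     "enabled": True, "mfa": False, "last_rotated": date(2026, 1, 20)},
    {"system": "pos", "username": "b.chen", "owner": "E101", "kind": "human",
     "enabled": True, "mfa": False, "last_rotated": date(2026, 1, 5)},
]


def audit(roster, accounts, today):
    """Return (finding, account, note) tuples for every control violation."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue                      # disabled accounts are already revoked
        key = f'{a["system"]}:{a["username"]}'
        owner = a["owner"]
        if a["kind"] == "human":
            if owner is None:
                findings.append(("UNOWNED_HUMAN_ACCOUNT", key, "shared or orphaned login"))
            elif roster[owner][1] == "terminated":
                days = (today - roster[owner][2]).days
                findings.append(("TERMINATED_STILL_ENABLED", key,
                                 f"owner {owner} left {days} days ago"))
            # Service accounts authenticate with scoped API credentials, not MFA.
            if a["system"] in MFA_REQUIRED_SYSTEMS and not a["mfa"]:
                findings.append(("MFA_MISSING", key, ""))
        if a["system"] == "metrc" and today - a["last_rotated"] > ROTATION_MAX_AGE:
            findings.append(("ROTATION_OVERDUE", key,
                             f'{(today - a["last_rotated"]).days} days since rotation'))
    # The same username on POS and Metrc undermines the "different username" rule.
    by_system = {}
    for a in accounts:
        by_system.setdefault(a["system"], set()).add(a["username"])
    for shared in sorted(by_system.get("pos", set()) & by_system.get("metrc", set())):
        findings.append(("POS_METRC_USERNAME_REUSE", shared, "use distinct usernames per system"))
    return findings


def run_sample():
    return audit(ROSTER, ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for finding, account, note in run_sample():
        print(f"{finding:<26} {account:<18} {note}")
```

On the constructed data the pass surfaces the still-enabled Metrc login of an employee terminated 23 days earlier, the unowned budtender1 account, two POS accounts without MFA, a Metrc credential 159 days past rotation, and a username reused across POS and Metrc. Run weekly against the terminated-employee list and quarterly against the full roster, it is the mechanical half of the audit; deciding whether each remaining access is still justified by role is the human half.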

6. State Callout Summary Table

Consolidated summary of the four required state callouts across cameras, vaults, alarms, and guards. This table is the quick reference; detail is in §2 above. For baseline state legality (rec/med status, sales dates, tracking systems), see legality.md.

| Control | California | Colorado | Illinois | Nevada |
|---------|------------|----------|----------|--------|
| Camera retention | 90 days (DCC §5044) | 40 days | 90 days | 7 days routine / 60 days suspicious |
| Camera resolution | 1280x720 minimum, 15 fps | State minimum; accessible format required | 1080p emerging standard | State minimum |
| Records retention | 7 years security records | Commercial-grade | Integrated with cyber-hardening | Alarm log retention |
| Vault rule | DCC limited/restricted access (§§5042-5043) | Commercial-grade safe/vault | Restricted-access + daily reconcile | Secured storage + dual custody |
| Alarm rule | Commercial alarm + central station (§5045) | 24/7 monitoring, UL preferred | Integrated with video + cyber | Central station + log retention |
| Guard license | BSIS Guard Card; Exposed Firearm Permit for armed | DORA PI/Security Guard License | IDFPR Private Security registrations | PILB licensing; CCW permit + PILB for armed |
| State agency | DCC | MED | IDFPR / IDCA | NVSC / PILB |
| Incident notification | 24h initial / 72h written | Per MED rule | Per IDFPR / IDCA | Per NVSC |

[CITED: DCC 2025; CO MED 2024; IDFPR 2024; NVSC 2024; BSIS 2025; PILB 2024]

For the full state-by-state legality grid (all legal states, sales dates, programs, limits), see legality.md §State Compliance Grid.


7. Cross-Reference Index

| Topic | File | Section |
|-------|------|---------|
| Security SOP checklist (the index this playbook extends) | sops.md | §Security Procedures |
| Emergency response SOP checklist | sops.md | §Emergency Response Plan |
| Opening & closing checklist | sops.md | §Opening Procedures / §Closing Procedures |
| Employee background checks | sops.md | §Employee Background Checks |
| State-by-state legality baseline | legality.md | §State Compliance Grid |
| Metrc mechanics, state tenants, Retail ID | tech-compliance.md | §Metrc / §State Tracking Systems |
| Internal theft patterns (buddy pass, void, return fraud) | internal-theft.md | Entire file |
| Cash room, variance, armored carrier (incl. Empyreal 2022) | cash-handling.md | Entire file |
| Payment processing (cashless ATM, ACH) | payment-processing.md | Entire file |
| Loyalty CRM platform context (Alpine IQ, Springbig) | tech-crm-loyalty.md | Entire file |
| Banking and 280E context | banking.md | Entire file |
| Hiring and employment-practice baseline | hiring-retention.md | Entire file |
| Receiving and QC operational playbook | receiving-qc.md | Entire file |
| Waste-management operational playbook | waste-management.md | Entire file |
| Recall operational playbook | recalls.md | Entire file |


Data current as of early 2026. Cannabis security rules, vendor landscapes, and breach case studies evolve quickly. Regulatory retention windows, incident notification clocks, and named-vendor details should be verified against state regulator publications and vendor documentation before operational use. Named case studies (STIIIZY 2024, Trulieve 2025, MJ Freeway 2017, Washington state 2018) are summarized from public reporting; investigative details may be incomplete or revised as additional disclosures occur.

See also: sops.md | legality.md | tech-compliance.md | internal-theft.md | cash-handling.md