The Complete Playbook for Handling Cybersecurity Incidents, Data Breaches & Compliance Emergencies
When the breach happens, you won’t have time to figure out what to do. This template tells you exactly how to respond—minute by minute, hour by hour.
HOW TO USE THIS TEMPLATE
Before an incident:
- Customize all sections with your business information
- Fill in contact information for your team
- Print physical copies (digital may be inaccessible during incident)
- Store copies in multiple locations (office, home, cloud)
- Review and update quarterly
- Conduct tabletop exercises annually
During an incident:
- Open this template immediately
- Follow the phase-by-phase instructions
- Use the checklists to ensure nothing is missed
- Document everything in the Incident Log
- Communicate using the pre-written templates
This template covers:
- Ransomware attacks
- Data breaches
- POS system compromises
- Metrc/compliance system failures
- Insider threats
- Physical security incidents with cyber components
SECTION 1: INCIDENT RESPONSE TEAM
1.1 Internal Team Contacts
Complete this section NOW, before any incident occurs.
| Role | Primary Contact | Phone | Email | Backup Contact | Phone |
|---|---|---|---|---|---|
| Incident Commander | | | | | |
| IT Lead | | | | | |
| Operations Lead | | | | | |
| Compliance Officer | | | | | |
| Communications Lead | | | | | |
| Legal Counsel | | | | | |
| Owner/Executive | | | | | |
1.2 External Contacts
| Resource | Company/Name | Phone | Email | Account # |
|---|---|---|---|---|
| IT Support/MSP | | | | |
| Cybersecurity Firm | | | | |
| Cyber Insurance | | | | Policy #: |
| Legal Counsel | | | | |
| PR/Communications | | | | |
| POS Vendor Support | | | | |
| Metrc Support | | (877) 566-6506 | support@metrc.com | License #: |
| BioTrack Support | | | | License #: |
1.3 Regulatory Contacts
| Agency | Contact Info | When to Contact |
|---|---|---|
| State Cannabis Regulator | Name: / Phone: / Email: | |
| State Attorney General | Phone: / Website: | Data breach notification |
| FBI Cyber Division | ic3.gov / Local Field Office: | Major cybercrime |
| Local Police | Non-emergency: | Physical security component |
1.4 Role Definitions
Incident Commander (IC)
- Overall authority during incident
- Makes final decisions on response actions
- Coordinates between all teams
- Authorizes communications and notifications
- Typically: Owner, GM, or designated senior manager
IT Lead
- Technical investigation and containment
- System isolation and recovery
- Evidence preservation
- Coordinates with external IT/security vendors
- Typically: IT manager, MSP primary contact
Operations Lead
- Maintains business continuity
- Manages staff during incident
- Coordinates manual workarounds
- Ensures customer service continues
- Typically: Store manager, operations director
Compliance Officer
- Regulatory notification requirements
- Documentation for auditors
- Metrc/BioTrack communication
- State regulator liaison
- Typically: Compliance manager, license holder
Communications Lead
- Internal staff communications
- Customer notifications
- Media inquiries
- Social media monitoring
- Typically: Marketing manager, owner
Legal Counsel
- Legal notification requirements
- Liability assessment
- Law enforcement coordination
- Contract review (insurance, vendors)
- Typically: Outside attorney
SECTION 2: INCIDENT CLASSIFICATION
2.1 Severity Levels
| Level | Name | Definition | Response Time | Example |
|---|---|---|---|---|
| 1 | CRITICAL | Business operations halted, customer data compromised, regulatory violation imminent | Immediate (within 15 min) | Ransomware encrypting systems, active data exfiltration, Metrc completely down |
| 2 | HIGH | Significant impact to operations, potential data exposure, compliance risk | Within 1 hour | POS system compromised, suspected breach, Metrc sync failure >4 hours |
| 3 | MEDIUM | Limited operational impact, no confirmed data exposure | Within 4 hours | Phishing email clicked, malware detected and contained, single workstation compromised |
| 4 | LOW | Minimal impact, no data exposure, easily remediated | Within 24 hours | Failed login attempts, spam/phishing emails (not clicked), minor policy violation |
2.2 Incident Types
Check the type(s) that apply:
☐ Ransomware Attack
- Systems encrypted
- Ransom demand received
- Business operations impacted
☐ Data Breach
- Customer data accessed/stolen
- Employee data accessed/stolen
- Business data accessed/stolen
☐ POS Compromise
- Payment system affected
- Transaction data exposed
- Customer ID data exposed
☐ Malware Infection
- Virus/trojan detected
- Spyware identified
- Cryptominer found
☐ Phishing/Social Engineering
- Employee clicked malicious link
- Credentials compromised
- Wire fraud attempted
☐ Insider Threat
- Employee data theft
- Unauthorized access
- Sabotage
☐ Compliance System Failure
- Metrc down/inaccessible
- BioTrack sync failure
- Inventory discrepancy discovered
☐ Denial of Service
- Website/systems unavailable
- Network overwhelmed
- Online ordering down
☐ Physical Security with Cyber Component
- Stolen devices (laptop, tablet, phone)
- Break-in with system access
- Unauthorized facility access
☐ Vendor/Third-Party Incident
- POS vendor breached
- Cloud provider incident
- Payment processor compromised
SECTION 3: INCIDENT RESPONSE PHASES
PHASE 1: DETECTION & INITIAL RESPONSE
Timeline: 0-60 minutes
Immediate Actions (First 15 Minutes)
☐ STOP. BREATHE. DON’T PANIC.
Hasty actions can destroy evidence or make things worse.
☐ Document the discovery
- What was observed?
- Who discovered it?
- What time?
- What systems are affected?
☐ Do NOT:
- Turn off systems (unless actively spreading)
- Delete files or logs
- Attempt to “fix” things without documentation
- Communicate externally (yet)
- Pay any ransom (yet)
☐ Notify Incident Commander
Call: ______________________
If unavailable, call backup: ______________________
☐ Incident Commander activates response team
Initial Assessment (15-60 Minutes)
Incident Commander Actions:
☐ Convene response team (in-person or emergency call)
Conference bridge: ______________________ Backup: ______________________
☐ Gather initial information:
| Question | Answer |
|---|---|
| What systems are affected? | |
| Is the incident ongoing or contained? | |
| Is customer data potentially exposed? | |
| Can we still operate the business? | |
| Is Metrc/compliance affected? | |
| What is the business impact? | |
☐ Classify severity level: ☐ 1-Critical ☐ 2-High ☐ 3-Medium ☐ 4-Low
☐ Classify incident type(s): (from Section 2.2)
☐ Assign roles:
- IT Lead: ______________________
- Operations Lead: ______________________
- Compliance Officer: ______________________
- Communications Lead: ______________________
☐ Establish communication channel:
- Primary: ______________________
- Backup (if primary compromised): ______________________
⚠️ DO NOT use company email if email system may be compromised. Use personal phones, Signal, or out-of-band communication.
☐ Begin Incident Log (Section 7)
PHASE 2: CONTAINMENT
Timeline: 1-4 hours
Goal: Stop the bleeding. Prevent further damage.
Network Containment
☐ Isolate affected systems
| System | Action Taken | Time | By |
|---|---|---|---|
| | ☐ Disconnected from network | | |
| | ☐ Disconnected from network | | |
| | ☐ Disconnected from network | | |
Methods of isolation:
- Unplug network cable (preferred - preserves system state)
- Disable WiFi
- Disable network port on switch
- Block at firewall
⚠️ DO NOT power off unless malware is actively spreading and you cannot isolate otherwise. Powering off destroys volatile memory evidence.
☐ Block attacker access points
| Action | Completed | Time |
|---|---|---|
| Change compromised passwords | ☐ | |
| Revoke compromised API keys | ☐ | |
| Block malicious IP addresses at firewall | ☐ | |
| Disable compromised user accounts | ☐ | |
| Change WiFi passwords | ☐ | |
| Revoke VPN access for affected users | ☐ | |
☐ Preserve evidence
| Evidence Type | Location | Preserved? | Method |
|---|---|---|---|
| System logs | | ☐ | |
| Firewall logs | | ☐ | |
| POS transaction logs | | ☐ | |
| Security camera footage | | ☐ | |
| Email headers/messages | | ☐ | |
| Malware samples | | ☐ | |
| Screenshots | | ☐ | |
Evidence preservation methods:
- Screenshot everything
- Export logs to external storage
- Create forensic disk images (if capable)
- Document chain of custody
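The export-and-document steps above can be made repeatable: hash every exported artifact at collection time and keep an append-only chain-of-custody manifest next to it, so that a later edit or loss is detectable. This is an added example, not part of the original playbook; the manifest layout, field names and the sample artifacts are this example's own assumptions.

```python
"""Evidence preservation helper: hash each exported artifact and keep an
append-only chain-of-custody manifest (JSON Lines) beside the evidence.

Added example, not the playbook's own tool. Assumes evidence has already
been exported as files into a directory; manifest layout is assumed."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large log exports need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_evidence(manifest, evidence, evidence_type, source, method, collected_by):
    """Append one custody entry (who, what, when, where from, how, hash); return it."""
    entry = {
        "time_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "evidence_type": evidence_type,
        "file": str(evidence),
        "size_bytes": os.path.getsize(evidence),
        "sha256": sha256_file(evidence),
        "source": source,
        "method": method,
        "collected_by": collected_by,
    }
    with open(manifest, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_manifest(manifest):
    """Re-hash every recorded file. Returns (all_ok, list_of_problems)."""
    problems = []
    with open(manifest, encoding="utf-8") as fh:
        for line in fh:
            entry = json.loads(line)
            path = Path(entry["file"])
            if not path.is_file():
                problems.append(f"missing: {path.name}")
            elif sha256_file(path) != entry["sha256"]:
                problems.append(f"hash mismatch: {path.name}")
    return (not problems, problems)


def demo():
    """Constructed walk-through: record two exports, verify, then detect a later edit."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        manifest = folder / "chain_of_custody.jsonl"
        # Constructed sample artifacts; contents are placeholders, not real logs.
        fw_log = folder / "firewall_export.log"
        fw_log.write_text("2024-01-01T10:00:00Z DENY src=203.0.113.5 dst=192.0.2.10\n")
        pos_log = folder / "pos_transactions.csv"
        pos_log.write_text("receipt,package_uid,qty\n1001,1A4000000000000000000001,2\n")

        record_evidence(manifest, fw_log, "Firewall logs", "edge firewall",
                        "export from admin console", "J. Doe (IT Lead)")
        record_evidence(manifest, pos_log, "POS transaction logs", "POS server",
                        "CSV export", "J. Doe (IT Lead)")
        ok_before, _ = verify_manifest(manifest)

        # Any later change to an export (even a well-meant cleanup) breaks the hash.
        fw_log.write_text("edited after collection\n")
        ok_after, problems = verify_manifest(manifest)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

Copy the manifest to the same external storage as the exports; re-running verify_manifest at hand-off to forensics or counsel shows whether the set is still intact.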
Operational Containment
☐ Implement manual operations (if systems down)
| Function | Manual Workaround | Responsible |
|---|---|---|
| Sales transactions | Paper receipts, manual inventory | |
| ID verification | Visual check, paper log | |
| Metrc reporting | Manual tracking, report when restored | |
| Customer check-in | Paper sign-in | |
| Inventory management | Physical count, spreadsheet | |
☐ Notify staff of situation
Use template: [Staff Notification - Initial] (Section 6.1)
What to tell staff:
- We are experiencing a technical issue
- Follow these temporary procedures
- Do not discuss with customers unless asked
- Direct all questions to [designated person]
- Do not post on social media
What NOT to tell staff (yet):
- Specific details of the attack
- Whether customer data was stolen
- Ransom amounts or demands
- Anything that could leak externally
Vendor Notification
☐ Notify critical vendors
| Vendor | Contact | Notified? | Time | Notes |
|---|---|---|---|---|
| POS Vendor | | ☐ | | |
| IT Support/MSP | | ☐ | | |
| Cybersecurity Firm | | ☐ | | |
| Cyber Insurance | | ☐ | | |
| Payment Processor | | ☐ | | |
Cyber Insurance - Critical: Most policies require notification within 24-72 hours. Check your policy.
Policy #: ______________________ Claims phone: ______________________ Notification deadline: ______________________
PHASE 3: ERADICATION
Timeline: 4-48 hours
Goal: Remove the threat completely.
Investigation
☐ Determine root cause
| Question | Finding |
|---|---|
| How did attacker gain access? | |
| When did the attack begin? | |
| What systems were accessed? | |
| What data was accessed/stolen? | |
| Is the attacker still present? | |
| Were any backdoors installed? | |
Common attack vectors to investigate:
- Phishing email (check email logs)
- Compromised credentials (check login logs)
- Unpatched vulnerability (check patch status)
- Third-party vendor (check vendor access logs)
- Insider threat (check employee access)
- Physical access (check camera footage)
☐ Engage forensics (if needed)
For Severity 1-2 incidents, consider professional forensics:
Forensics firm: ______________________ Contact: ______________________ Retainer in place? ☐ Yes ☐ No
☐ Document attack timeline
| Time | Event | Evidence Source |
|---|---|---|
| | | |
| | | |
| | | |
Removal
☐ Remove malware/threats
| System | Threat Found | Removal Method | Verified Clean? |
|---|---|---|---|
| | | | ☐ |
| | | | ☐ |
| | | | ☐ |
Removal methods:
- Antivirus/EDR quarantine and removal
- Manual deletion (document file paths)
- System wipe and rebuild (most thorough)
☐ Patch exploited vulnerabilities
| Vulnerability | Patch/Fix | Applied? | Verified? |
|---|---|---|---|
| | | ☐ | ☐ |
| | | ☐ | ☐ |
| | | ☐ | ☐ |
☐ Reset all potentially compromised credentials
| Account Type | Reset? | MFA Enabled? |
|---|---|---|
| Domain admin accounts | ☐ | ☐ |
| POS admin accounts | ☐ | ☐ |
| Metrc/BioTrack accounts | ☐ | ☐ |
| Email accounts | ☐ | ☐ |
| Cloud service accounts | ☐ | ☐ |
| VPN accounts | ☐ | ☐ |
| WiFi passwords | ☐ | ☐ |
| API keys | ☐ | ☐ |
☐ Verify systems are clean before reconnecting
| System | Scanned? | Clean? | Approved to Reconnect? |
|---|---|---|---|
| | ☐ | ☐ | ☐ |
| | ☐ | ☐ | ☐ |
| | ☐ | ☐ | ☐ |
PHASE 4: RECOVERY
Timeline: 24-72 hours
Goal: Restore normal operations safely.
System Restoration
☐ Restore from clean backups (if needed)
| System | Backup Date | Restore Started | Restore Completed | Verified? |
|---|---|---|---|---|
| | | | | ☐ |
| | | | | ☐ |
| | | | | ☐ |
⚠️ Verify backups are clean before restoring. Attackers sometimes compromise backups too.
☐ Rebuild compromised systems (if needed)
| System | Rebuild Started | Rebuild Completed | Configured? | Tested? |
|---|---|---|---|---|
| | | | ☐ | ☐ |
| | | | ☐ | ☐ |
☐ Reconnect systems to network
| System | Reconnected Time | Monitoring Enabled? |
|---|---|---|
| | | ☐ |
| | | ☐ |
| | | ☐ |
| | | ☐ |
| | | ☐ |
| | | ☐ |
Compliance Restoration
☐ Restore Metrc/BioTrack connectivity
| Task | Completed | Time |
|---|---|---|
| Test Metrc API connection | ☐ | |
| Verify sync is working | ☐ | |
| Reconcile any missed transactions | ☐ | |
| Document any inventory discrepancies | ☐ | |
| Report discrepancies to regulator (if required) | ☐ | |
☐ Reconcile inventory
| Task | Completed | Discrepancy? |
|---|---|---|
| Physical inventory count | ☐ | ☐ Yes ☐ No |
| Compare to Metrc records | ☐ | ☐ Yes ☐ No |
| Compare to POS records | ☐ | ☐ Yes ☐ No |
| Document and resolve discrepancies | ☐ | |
☐ Catch up on missed compliance reporting
| Report | Due Date | Submitted | Notes |
|---|---|---|---|
| | | ☐ | |
| | | ☐ | |
Verification & Monitoring
☐ Implement enhanced monitoring
| Monitoring Type | Enabled? | Duration |
|---|---|---|
| Increased log review | ☐ | 30 days minimum |
| Failed login alerts | ☐ | Permanent |
| Unusual traffic alerts | ☐ | 30 days minimum |
| File integrity monitoring | ☐ | Permanent |
| Endpoint detection alerts | ☐ | Permanent |
☐ Verify no signs of re-infection for 48-72 hours
| Check | Day 1 | Day 2 | Day 3 |
|---|---|---|---|
| No malware alerts | ☐ | ☐ | ☐ |
| No unusual network traffic | ☐ | ☐ | ☐ |
| No unauthorized access attempts | ☐ | ☐ | ☐ |
| All systems operating normally | ☐ | ☐ | ☐ |
PHASE 5: NOTIFICATION
Timeline: Per regulatory requirements (typically 24-72 hours for breach)
Goal: Meet all legal notification requirements.
Notification Decision Tree
Was customer data accessed or stolen?
│
├── YES → Data Breach Notification Required
│ │
│ ├── How many customers affected?
│ │ ├── 500+ in single state → Media notification may be required
│ │ └── Any number → Individual notification required
│ │
│ ├── Was medical data involved?
│ │ ├── YES → HIPAA notification rules may apply
│ │ └── NO → State breach notification law applies
│ │
│ └── Continue to notification checklist below
│
├── NO, but could have been → Document investigation showing no access
│ │
│ └── Consider voluntary notification if customers may be at risk
│
└── NO, confirmed no data access → No breach notification required
│
└── Still notify: Insurance, regulator (if operations affected), vendors
Regulatory Notification Checklist
☐ State Cannabis Regulator
| Item | Details |
|---|---|
| Regulator name | |
| Notification deadline | |
| Contact method | ☐ Phone ☐ Email ☐ Portal |
| Contact info | |
| Notification sent | ☐ Date: |
| Confirmation received | ☐ |
Use template: [Regulator Notification] (Section 6.3)
☐ State Attorney General (if data breach)
| Item | Details |
|---|---|
| Notification deadline | |
| Website/portal | |
| Notification sent | ☐ Date: |
| Confirmation received | ☐ |
☐ Law Enforcement (if criminal activity)
| Item | Details |
|---|---|
| Agency contacted | |
| Report number | |
| Investigating officer | |
| Contact info | |
Customer Notification Checklist
☐ Determine notification requirements
| State | Customers Affected | Notification Deadline | Method Required |
|---|---|---|---|
| | | | |
| | | | |
☐ Prepare notification letter
Use template: [Customer Breach Notification] (Section 6.4)
☐ Set up support resources
| Resource | Details |
|---|---|
| Dedicated phone line | |
| Email address | |
| FAQ page URL | |
| Credit monitoring vendor | |
| Enrollment code | |
☐ Send notifications
| Method | Quantity | Sent Date | Confirmation |
|---|---|---|---|
| | | | ☐ |
| | | | ☐ |
| Website posting | | | ☐ |
Other Notifications
☐ Cyber insurance claim filed
| Item | Details |
|---|---|
| Policy number | |
| Claim number | |
| Adjuster name | |
| Contact info | |
☐ Credit bureaus notified (if SSN exposed)
| Bureau | Notified | Date |
|---|---|---|
| Equifax | ☐ | |
| Experian | ☐ | |
| TransUnion | ☐ | |
☐ Payment card brands notified (if card data exposed)
| Brand | Notified | Date |
|---|---|---|
| Visa | ☐ | |
| Mastercard | ☐ | |
| Other | ☐ | |
PHASE 6: POST-INCIDENT
Timeline: 1-4 weeks after incident
Goal: Learn from the incident and prevent recurrence.
Post-Incident Review Meeting
☐ Schedule post-incident review
Date: ______________________ Attendees: ______________________
Agenda:
- Incident timeline review
- What worked well
- What didn’t work
- Root cause analysis
- Gaps identified
- Remediation actions
- Template/process updates
☐ Document lessons learned
| Category | Finding | Action Required |
|---|---|---|
| Detection | | |
| Containment | | |
| Communication | | |
| Recovery | | |
| Notification | | |
Remediation Actions
☐ Security improvements
| Improvement | Priority | Owner | Due Date | Completed |
|---|---|---|---|---|
| | | | | ☐ |
| | | | | ☐ |
| | | | | ☐ |
| | | | | ☐ |
☐ Process improvements
| Improvement | Priority | Owner | Due Date | Completed |
|---|---|---|---|---|
| | | | | ☐ |
| | | | | ☐ |
☐ Training needs
| Training | Audience | Due Date | Completed |
|---|---|---|---|
| | | | ☐ |
| | | | ☐ |
Documentation Finalization
☐ Complete incident report
Use template: [Final Incident Report] (Section 6.6)
☐ Archive all documentation
| Document | Location | Retention Period |
|---|---|---|
| Incident log | | 7 years |
| Forensic report | | 7 years |
| Notification records | | 7 years |
| Insurance claim docs | | 7 years |
| Remediation evidence | | 7 years |
☐ Update incident response template based on lessons learned
SECTION 4: SPECIFIC INCIDENT PLAYBOOKS
4.1 Ransomware Playbook
You see a ransom note. Systems are encrypted. What now?
Immediate (0-15 minutes)
☐ DO NOT pay the ransom immediately
☐ DO NOT turn off systems (evidence)
☐ DO NOT delete the ransom note
☐ Take photos of:
- Ransom note on screen
- Any error messages
- Affected systems
☐ Disconnect affected systems from network
- Unplug ethernet cables
- Disable WiFi
- Leave systems powered on
☐ Notify Incident Commander
First Hour
☐ Identify scope of encryption
| System Type | Encrypted? | Backup Available? |
|---|---|---|
| POS terminals | ☐ | ☐ |
| POS server | ☐ | ☐ |
| Workstations | ☐ | ☐ |
| File server | ☐ | ☐ |
| Security cameras | ☐ | ☐ |
| Other: | ☐ | ☐ |
☐ Identify ransomware variant
- Check ransom note for clues
- Search file extensions on nomoreransom.org
- Engage cybersecurity firm for identification
Ransomware variant: ______________________
☐ Check for free decryptor
- nomoreransom.org
- Vendor security blogs
- Cybersecurity firm resources
Free decryptor available? ☐ Yes ☐ No
☐ Notify cyber insurance IMMEDIATELY
Many policies cover ransomware response costs, including:
- Forensics
- Negotiation specialists
- Ransom payment (controversial but sometimes covered)
- Business interruption
Hours 1-4
☐ Assess backup integrity
| Backup | Date | Accessible? | Verified Clean? |
|---|---|---|---|
| | | ☐ | ☐ |
| | | ☐ | ☐ |
⚠️ Attackers often delete or encrypt backups. Verify backups are accessible and uncompromised before relying on them.
☐ Implement manual operations
| Function | Manual Process | Owner |
|---|---|---|
| Sales | Paper receipts | |
| Inventory | Manual tracking | |
| Compliance | Phone to regulator | |
☐ Decide on ransom payment
Factors to consider:
- Is decryptor available for free?
- Are backups available and clean?
- How long to restore from backups?
- What is ransom amount vs. business interruption cost?
- Does insurance cover ransom payment?
- What are legal implications?
⚠️ FBI recommends NOT paying ransoms as it funds criminal operations and doesn’t guarantee data recovery. However, this is a business decision.
☐ If paying ransom (decision of last resort):
- Engage professional negotiators (insurance may provide)
- Verify attackers can decrypt (request proof)
- Negotiate price (often reduced 50-70%)
- Use cryptocurrency exchange recommended by insurance
- Document everything for insurance claim
☐ If NOT paying ransom:
- Proceed to restoration from backups
- Engage forensics to ensure complete removal
- Report to FBI (ic3.gov)
Recovery
☐ Wipe and rebuild affected systems
For ransomware, rebuilding is safer than attempting to “clean” systems.
☐ Restore data from clean backups
☐ Implement additional security controls before reconnecting
| Control | Implemented? |
|---|---|
| MFA on all accounts | ☐ |
| All passwords changed | ☐ |
| Endpoint detection installed | ☐ |
| Backups verified and secured | ☐ |
| Patches applied | ☐ |
4.2 Data Breach Playbook
Customer data has been accessed or stolen. What now?
Immediate (0-15 minutes)
☐ Confirm the breach
- How was it discovered?
- What evidence exists?
- Is it ongoing or contained?
☐ Preserve evidence
- Do not delete logs
- Screenshot everything
- Export relevant logs immediately
☐ Notify Incident Commander
First Hour
☐ Determine scope of breach
| Data Type | Affected? | Records | Evidence |
|---|---|---|---|
| Customer names | ☐ | | |
| Addresses | ☐ | | |
| Dates of birth | ☐ | | |
| Driver’s licenses | ☐ | | |
| Passport numbers | ☐ | | |
| Medical cannabis cards | ☐ | | |
| Purchase histories | ☐ | | |
| Payment card data | ☐ | | |
| Social Security numbers | ☐ | | |
| Email addresses | ☐ | | |
| Phone numbers | ☐ | | |
| Employee data | ☐ | | |
☐ Determine source of breach
| Possibility | Investigated | Finding |
|---|---|---|
| External hacker | ☐ | |
| Phishing attack | ☐ | |
| Insider threat | ☐ | |
| Vendor compromise | ☐ | |
| Accidental exposure | ☐ | |
☐ Notify cyber insurance
Claim #: ______________________
Hours 1-24
☐ Engage forensics
For any breach involving customer data, professional forensics is strongly recommended.
Forensics firm: ______________________ Engagement started: ______________________
☐ Determine notification requirements
| Jurisdiction | Customers | Notification Deadline | Specific Requirements |
|---|---|---|---|
| | | | |
| | | | |
☐ Prepare customer notification
See Section 6.4 for template.
☐ Arrange credit monitoring services
Most breaches involving SSN, financial data, or government IDs require offering credit monitoring.
| Vendor | Contact | Cost per Person |
|---|---|---|
| | | |
Customer Notification (Per Timeline)
☐ Notification methods:
| Method | When to Use | Completed |
|---|---|---|
| Email | All affected with email on file | ☐ |
| Physical mail | Required in most states | ☐ |
| Website notice | Supplement, not replacement | ☐ |
| Media notice | If 500+ affected in single state (some states) | ☐ |
☐ Notification content requirements:
Most state laws require:
- Description of incident
- Types of data exposed
- Steps you’re taking
- Steps customer can take
- Contact information for questions
- Information about free credit monitoring (if offered)
4.3 Metrc/Compliance System Failure Playbook
Metrc is down, sync is failing, or inventory doesn’t match. What now?
Immediate
☐ Identify the issue:
| Issue Type | Symptoms |
|---|---|
| ☐ Metrc system-wide outage | Can’t log in, status.metrc.com shows issues |
| ☐ API sync failure | POS not syncing, API errors |
| ☐ Credential issue | Authentication errors |
| ☐ Inventory discrepancy | POS vs Metrc mismatch |
| ☐ Our systems down | Can’t access our own systems |
☐ Check Metrc status page: https://status.metrc.com
System status: ☐ Operational ☐ Degraded ☐ Outage
If Metrc System-Wide Outage
☐ Document the outage
- Screenshot Metrc status page
- Note start time
- Note what functions are affected
☐ Implement manual tracking
| Transaction Type | Manual Process |
|---|---|
| Sales | Paper receipt with package UID, quantity, time |
| Inventory adjustments | Paper log with reason |
| Waste disposal | Video + paper log + witness |
| Transfers | Hold until Metrc restored |
☐ Notify state regulator if outage extends beyond 4 hours
Phone: ______________________ Email: ______________________
☐ When Metrc restores:
- Enter all manual transactions
- Verify inventory matches
- Document resolution
If API Sync Failure (Our Side)
☐ Check our systems:
- Is POS operational?
- Is internet connection working?
- Can we log into Metrc directly?
☐ Check API credentials:
- Are credentials valid?
- Have they expired?
- Have they been rotated?
☐ Contact POS vendor support:
Ticket #: ______________________
☐ If not resolved within 1 hour:
- Switch to manual Metrc entry
- Document all transactions
- Notify state regulator if extending beyond 4 hours
If Inventory Discrepancy Discovered
☐ Determine scope:
| Item | POS Qty | Metrc Qty | Difference |
|---|---|---|---|
| | | | |
| | | | |
Total discrepancy: ______ units / ______ grams
☐ Investigate cause:
| Possible Cause | Investigated | Finding |
|---|---|---|
| Data entry error | ☐ | |
| Sync failure | ☐ | |
| Theft | ☐ | |
| Unreported waste | ☐ | |
| Receiving error | ☐ | |
☐ Conduct physical inventory count
Count performed by: ______________________ Date/time: ______________________ Result: ______________________
☐ If discrepancy > acceptable variance (typically ±2% or 6 units):
Notify state regulator within 24 hours
| State | Notification Requirement |
|---|---|
| California | Report to DCC |
| Colorado | Report to MED |
| Michigan | Report to CRA |
| [Your state] | |
☐ Document resolution:
- Adjust Metrc with reason code
- Adjust POS to match
- File any required reports
- Retain documentation for 3+ years
4.4 Insider Threat Playbook
You suspect an employee is stealing data, stealing product, or sabotaging systems.
Immediate
⚠️ Handle carefully. Legal and HR implications are significant.
☐ Do NOT confront the employee
☐ Do NOT discuss with other employees
☐ Notify:
- Owner/executive
- Legal counsel
- HR (if applicable)
☐ Document your suspicions:
- What behavior was observed?
- When?
- By whom?
- What evidence exists?
Investigation
☐ Engage legal counsel BEFORE taking action
Employment law varies by state. Improper investigation can result in lawsuits.
☐ Preserve evidence discreetly:
| Evidence Type | Collected? | Method |
|---|---|---|
| Access logs | ☐ | |
| Email records | ☐ | |
| File access logs | ☐ | |
| Security camera footage | ☐ | |
| Badge access records | ☐ | |
| Metrc user activity | ☐ | |
| Witness statements | ☐ | |
☐ Review employee access:
- What systems do they have access to?
- What data can they access?
- What have they accessed recently?
☐ Consider engaging professional investigator
For significant theft or data exfiltration, professional investigators can:
- Conduct forensic analysis
- Interview witnesses
- Preserve evidence for legal proceedings
Containment (Once Investigation Supports Action)
☐ With legal/HR approval, restrict access:
| Action | Completed | Time |
|---|---|---|
| Disable network account | ☐ | |
| Disable Metrc access | ☐ | |
| Disable POS access | ☐ | |
| Disable badge access | ☐ | |
| Change shared passwords | ☐ | |
| Revoke API keys they knew | ☐ | |
☐ Retrieve company property:
- Laptop
- Phone
- Keys
- Badge
- Documents
☐ Termination (with HR/legal guidance)
Post-Incident
☐ Determine if data was exfiltrated:
- Were customer records copied?
- Was proprietary information taken?
- Was inventory stolen?
☐ If customer data was stolen:
- Treat as data breach
- Follow Data Breach Playbook (4.2)
- Customer notification may be required
☐ Consider law enforcement report:
- Consult with legal counsel
- File police report if criminal theft
- Preserve evidence for prosecution
☐ Review access controls to prevent recurrence
SECTION 5: MANUAL OPERATIONS PROCEDURES
When systems are down, use these procedures to continue business.
5.1 Manual Sales Procedure
Use when POS system is unavailable.
Supplies Needed:
☐ Paper receipt books (pre-numbered)
☐ Calculator
☐ Price list (current)
☐ Manual inventory log
☐ Customer ID log sheet
☐ Cash box with starting drawer
Procedure:
1. Verify customer age
- Check government ID
2. Record on Customer ID Log:
- Receipt #
- Customer initials
- ID type
- DOB
- ID expiration
- Verified by (employee initials)
3. Record sale on paper receipt
- Date and time
- Receipt number
- Product name(s)
- Package UID(s) - CRITICAL for Metrc reconciliation
- Quantity
- Price per unit
- Total
- Payment method
- Employee initials
4. Update manual inventory log
- Deduct sold items
- Record Package UID
- Note receipt number
5. Process payment
- Cash: Make change, place in cash box
- Debit (if terminal working): Process normally
6. Provide customer copy of receipt
When POS restored:
- Enter ALL manual transactions
- Reconcile with Metrc
- Verify inventory counts
- File paper records (retain 3+ years)
5.2 Manual Metrc Tracking Procedure
Use when API sync is down but Metrc web interface is accessible.
Procedure:
- Log into Metrc directly: https://[state].metrc.com
For each sale:
- Go to Packages → Active
- Find Package UID
- Record sale manually
- Note: This is time-consuming; prioritize accuracy over speed
For inventory adjustments:
- Document on paper with reason
- Enter into Metrc when accessible
- Retain paper documentation
For waste disposal:
- DO NOT dispose without documentation
- Video record the disposal
- Have witness sign paper log
- Enter into Metrc when accessible
For transfers:
- DO NOT complete transfers without Metrc
- Hold product until system restored
- If urgent, contact state regulator for guidance
5.3 Manual Inventory Count Procedure
Use for reconciliation during/after incidents.
Supplies Needed:
☐ Inventory count sheets
☐ Barcode scanner (if available)
☐ Calculator
☐ Two-person teams (counter + recorder)
Procedure:
- Stop all sales during count (or count after close)
- Assign zones to teams
Count procedure:
- Counter: Physically count items
- Recorder: Write down Package UID and count
- Use tally marks for accuracy
- Double-count any discrepancies
Record:
- Package UID
- Product name
- Physical count
- Location
Compare to Metrc:
- Export Metrc active packages
- Compare physical count to Metrc count
- Note all discrepancies
- Investigate discrepancies before adjusting
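The "compare to Metrc" step here and the discrepancy scope check in Playbook 4.3 are the same calculation: line up counts per Package UID from both systems, compute the difference, and flag anything outside the acceptable variance. The script below is an added example, not the playbook's or Metrc's own tool; it assumes both systems export per-package counts as CSV with columns package_uid,product,quantity (sample rows are constructed), and it reads the playbook's "±2% or 6 units" rule as "whichever is larger", which is an assumption to confirm against your state's rule.

```python
"""POS-vs-Metrc inventory reconciliation with the playbook's variance rule.

Added example, not the playbook's or Metrc's own tool. Assumes CSV exports
with columns package_uid,product,quantity; sample data below is constructed."""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample exports. Package UIDs are placeholders in Metrc's
# 24-character tag format, not real tags.
POS_CSV = """package_uid,product,quantity
1A4000000000000000000001,Flower 3.5g,40
1A4000000000000000000002,Vape 0.5g,100
1A4000000000000000000003,Edible 10pk,12
1A4000000000000000000005,Preroll 1g,7
"""
METRC_CSV = """package_uid,product,quantity
1A4000000000000000000001,Flower 3.5g,41
1A4000000000000000000002,Vape 0.5g,95
1A4000000000000000000003,Edible 10pk,20
1A4000000000000000000004,Tincture 30ml,3
"""


@dataclass
class Line:
    package_uid: str
    product: str
    pos_qty: Optional[int]    # None = package absent from that export
    metrc_qty: Optional[int]

    @property
    def difference(self) -> int:
        return (self.pos_qty or 0) - (self.metrc_qty or 0)

    @property
    def missing_in(self) -> Optional[str]:
        if self.pos_qty is None:
            return "POS"
        if self.metrc_qty is None:
            return "Metrc"
        return None


def load_counts(text):
    """Sum quantities per package UID (an export may list a package more than once)."""
    counts = {}
    for row in csv.DictReader(io.StringIO(text)):
        uid = row["package_uid"].strip()
        product, qty = counts.get(uid, (row["product"].strip(), 0))
        counts[uid] = (product, qty + int(row["quantity"]))
    return counts


def reconcile(pos_text, metrc_text):
    """One Line per package seen in either system, sorted by UID."""
    pos, metrc = load_counts(pos_text), load_counts(metrc_text)
    lines = []
    for uid in sorted(set(pos) | set(metrc)):
        product = (pos.get(uid) or metrc[uid])[0]
        lines.append(Line(uid, product,
                          pos[uid][1] if uid in pos else None,
                          metrc[uid][1] if uid in metrc else None))
    return lines


def exceeds_variance(line, pct=0.02, unit_floor=6):
    """Acceptable variance = larger of pct of the Metrc count or unit_floor units (assumed reading)."""
    tolerance = max(pct * (line.metrc_qty or 0), unit_floor)
    return abs(line.difference) > tolerance


def discrepancy_report(pos_text=POS_CSV, metrc_text=METRC_CSV, pct=0.02, unit_floor=6):
    """Flag per-package discrepancies and the total, as Playbook 4.3 asks."""
    lines = reconcile(pos_text, metrc_text)
    flagged = [l for l in lines if l.missing_in or exceeds_variance(l, pct, unit_floor)]
    total_units_off = sum(abs(l.difference) for l in lines)
    total_metrc = sum(l.metrc_qty or 0 for l in lines)
    total_exceeds = total_units_off > max(pct * total_metrc, unit_floor)
    return {
        "lines": lines,
        "flagged": flagged,
        "total_units_off": total_units_off,
        "total_exceeds_variance": total_exceeds,
        # Playbook rule: notify the state regulator within 24 hours when variance is exceeded.
        "notify_regulator": bool(flagged) or total_exceeds,
    }


if __name__ == "__main__":
    report = discrepancy_report()
    print(f"{'Package UID':26} {'POS':>5} {'Metrc':>6} {'Diff':>5}  Note")
    for line in report["lines"]:
        note = f"missing in {line.missing_in}" if line.missing_in else (
            "EXCEEDS VARIANCE" if line in report["flagged"] else "")
        print(f"{line.package_uid:26} {str(line.pos_qty):>5} {str(line.metrc_qty):>6} "
              f"{line.difference:>+5}  {note}")
    print(f"Total discrepancy: {report['total_units_off']} units; "
          f"notify regulator: {report['notify_regulator']}")
```

A package present in only one export is always flagged regardless of quantity, since that pattern points at a sync failure or receiving error rather than a count variance.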
SECTION 6: COMMUNICATION TEMPLATES
6.1 Staff Notification - Initial Incident
[INTERNAL USE ONLY - DO NOT SHARE]
To: All Staff
From: [Incident Commander]
Date: [Date]
Re: Technical Issue - Action Required
Team,
We are currently experiencing a technical issue affecting [describe affected systems in general terms].
IMMEDIATE ACTIONS:
1. [Specific instruction, e.g., "Do not use the POS system"]
2. [Specific instruction, e.g., "Use paper receipts for all transactions"]
3. [Specific instruction, e.g., "Direct all customer questions to the manager on duty"]
WHAT TO TELL CUSTOMERS:
"We're experiencing some technical difficulties. We can still serve you, but transactions may take a bit longer. We apologize for any inconvenience."
WHAT NOT TO DO:
- Do not discuss details of the issue with customers
- Do not post anything on social media
- Do not share information with anyone outside the company
- Do not speculate about what happened
We are working to resolve this as quickly as possible. Updates will follow.
If you have questions, please see [designated manager].
Thank you for your patience and professionalism.
[Name]
[Title]
6.2 Staff Notification - All Clear
To: All Staff
From: [Incident Commander]
Date: [Date]
Re: Technical Issue - RESOLVED
Team,
The technical issue reported on [date] has been resolved. Normal operations have resumed.
ACTIONS:
1. Resume normal procedures
2. [Any specific follow-up actions]
If you notice anything unusual with systems, please report immediately to [contact].
Thank you for your patience during this time.
[Name]
[Title]
6.3 Regulator Notification
To: [State Cannabis Regulatory Agency]
From: [License Holder Name]
License Number: [Number]
Date: [Date]
Re: Security Incident Notification
Dear [Regulator Contact],
In accordance with [state regulation reference], we are notifying you of a security incident affecting our licensed cannabis operation.
INCIDENT SUMMARY:
- Date/time discovered: [Date/Time]
- Type of incident: [Brief description]
- Systems affected: [List systems]
- Current status: [Contained/Under investigation/Resolved]
IMPACT ON OPERATIONS:
- [Describe operational impact]
- [Describe compliance impact, if any]
- [Describe any Metrc/tracking issues]
ACTIONS TAKEN:
1. [Action]
2. [Action]
3. [Action]
CUSTOMER DATA:
- Customer data affected: [Yes/No/Under investigation]
- If yes, types of data: [List]
- If yes, number of customers: [Number or estimate]
We are committed to full transparency and compliance throughout this incident. We will provide updates as our investigation progresses.
Please contact me directly with any questions.
Respectfully,
[Name]
[Title]
[Phone]
[Email]
6.4 Customer Breach Notification Letter
[COMPANY LETTERHEAD]
[Date]
[Customer Name]
[Address]
[City, State ZIP]
Re: Notice of Data Security Incident
Dear [Customer Name],
We are writing to inform you of a security incident that may have affected your personal information.
WHAT HAPPENED:
On [date], we discovered that [brief, factual description of incident]. We immediately [actions taken - e.g., "launched an investigation, engaged cybersecurity experts, and notified law enforcement"].
WHAT INFORMATION WAS INVOLVED:
Based on our investigation, the following types of your information may have been affected:
- [List specific data types, e.g., "Name, address, date of birth"]
- [E.g., "Driver's license number"]
- [E.g., "Transaction history with our dispensary"]
WHAT WE ARE DOING:
We take the security of your information seriously. In response to this incident, we have:
- [Action, e.g., "Engaged leading cybersecurity experts to investigate"]
- [Action, e.g., "Implemented additional security measures"]
- [Action, e.g., "Notified law enforcement"]
- [Action, e.g., "Notified state regulators"]
WHAT YOU CAN DO:
We recommend you take the following steps to protect yourself:
1. Monitor your financial accounts for any unauthorized activity
2. Review your credit reports for any accounts you did not open
3. Consider placing a fraud alert or credit freeze on your credit file
4. Be cautious of unsolicited communications asking for personal information
FREE CREDIT MONITORING:
We are offering you [12/24] months of complimentary credit monitoring and identity protection services through [Vendor Name]. To enroll, please visit [Website] and use enrollment code [CODE] by [Deadline Date].
FOR MORE INFORMATION:
If you have questions, please contact us at:
- Phone: [Dedicated line]
- Email: [Dedicated email]
- Website: [FAQ page URL]
We sincerely apologize for any inconvenience or concern this incident may cause. We are committed to protecting your information and maintaining your trust.
Sincerely,
[Name]
[Title]
[Company Name]
6.5 Media Statement
[COMPANY NAME] STATEMENT REGARDING SECURITY INCIDENT
[City, State] - [Date]
[Company Name] recently became aware of a security incident that may have affected some customer information.
Upon discovering the incident, we immediately took steps to secure our systems and launched a comprehensive investigation with the assistance of leading cybersecurity experts. We have also notified law enforcement and are cooperating fully with their investigation.
We are in the process of notifying potentially affected customers directly and are offering complimentary credit monitoring services.
The security of our customers' information is a top priority. We are taking additional steps to enhance our security measures and prevent similar incidents in the future.
We apologize for any concern this may cause our customers.
For more information, customers may contact [phone number] or visit [website].
###
Media Contact:
[Name]
[Email]
[Phone]
6.6 Final Incident Report Template
INCIDENT REPORT
[CONFIDENTIAL]
Report Date: [Date]
Incident ID: [Unique ID]
Report Author: [Name]
Report Status: ☐ Draft ☐ Final
═══════════════════════════════════════════════════════════
EXECUTIVE SUMMARY
[2-3 paragraph summary of incident, impact, and resolution]
═══════════════════════════════════════════════════════════
INCIDENT DETAILS
Classification:
- Severity Level: [1-4]
- Incident Type: [Type]
- Status: [Detected/Contained/Eradicated/Recovered/Closed]
Timeline:
- First indication: [Date/Time]
- Incident discovered: [Date/Time]
- Incident commander notified: [Date/Time]
- Containment achieved: [Date/Time]
- Eradication completed: [Date/Time]
- Recovery completed: [Date/Time]
- Incident closed: [Date/Time]
Duration:
- Time from first indication to discovery: [Duration]
- Time from discovery to containment: [Duration]
- Total incident duration: [Duration]
═══════════════════════════════════════════════════════════
SYSTEMS AFFECTED
[List all affected systems]
DATA AFFECTED
[Describe data affected, if any]
- Customer data: [Yes/No, if yes, describe]
- Employee data: [Yes/No, if yes, describe]
- Business data: [Yes/No, if yes, describe]
- Records affected: [Number]
═══════════════════════════════════════════════════════════
ROOT CAUSE ANALYSIS
Attack Vector:
[How attacker gained access]
Vulnerabilities Exploited:
[What weaknesses were exploited]
Contributing Factors:
[What enabled the incident]
═══════════════════════════════════════════════════════════
RESPONSE SUMMARY
Detection:
[How incident was detected]
Containment Actions:
[What was done to contain]
Eradication Actions:
[What was done to remove threat]
Recovery Actions:
[What was done to restore operations]
═══════════════════════════════════════════════════════════
NOTIFICATIONS
| Entity | Date Notified | Method | Response |
|--------|---------------|--------|----------|
| | | | |
| | | | |
═══════════════════════════════════════════════════════════
BUSINESS IMPACT
Operational Impact:
[Describe operational disruption]
Financial Impact:
- Direct costs: $[Amount]
- Indirect costs: $[Amount]
- Estimated total: $[Amount]
Reputational Impact:
[Describe any reputational effects]
Regulatory Impact:
[Describe any regulatory consequences]
═══════════════════════════════════════════════════════════
LESSONS LEARNED
What Worked Well:
1. [Lesson]
2. [Lesson]
What Could Be Improved:
1. [Lesson]
2. [Lesson]
═══════════════════════════════════════════════════════════
REMEDIATION ACTIONS
| Action | Priority | Owner | Due Date | Status |
|--------|----------|-------|----------|--------|
| | | | | |
| | | | | |
═══════════════════════════════════════════════════════════
ATTACHMENTS
☐ Detailed timeline
☐ Forensic report
☐ Notification copies
☐ Evidence inventory
☐ Cost documentation
═══════════════════════════════════════════════════════════
APPROVALS
Prepared by: _________________ Date: _______
Reviewed by: _________________ Date: _______
Approved by: _________________ Date: _______
═══════════════════════════════════════════════════════════
SECTION 7: INCIDENT LOG
Use this log to document ALL actions during an incident. This is your legal record: enter actions in order as they happen, never erase or rewrite an entry, and strike through and initial any correction.
Incident Log Sheet
Incident ID: ______________________ Date Started: ______________________ Incident Commander: ______________________
| Date | Time | Action/Event | By Whom | Notes |
|------|------|--------------|---------|-------|
| | | | | |
| | | | | |
| | | | | |
Page ___ of ___
SECTION 8: QUICK REFERENCE CARDS
Print these on card stock and keep at each workstation.
Card 1: First Responder Quick Reference
╔═══════════════════════════════════════════════════╗
║ SECURITY INCIDENT? FOLLOW THESE STEPS:            ║
╠═══════════════════════════════════════════════════╣
║                                                   ║
║ 1. STOP - Don't panic, don't turn anything off    ║
║                                                   ║
║ 2. DOCUMENT - Note what you see                   ║
║    • What happened?                               ║
║    • What time?                                   ║
║    • What systems?                                ║
║                                                   ║
║ 3. CALL - Notify immediately                      ║
║    Incident Commander: _______________            ║
║    Backup: _______________                        ║
║                                                   ║
║ 4. ISOLATE - If instructed, unplug network        ║
║    (Leave power ON unless told otherwise)         ║
║                                                   ║
║ 5. PRESERVE - Don't delete anything               ║
║                                                   ║
║ DO NOT:                                           ║
║ ✗ Turn off computers                              ║
║ ✗ Delete files or emails                          ║
║ ✗ Try to "fix" it yourself                        ║
║ ✗ Tell customers details                          ║
║ ✗ Post on social media                            ║
║                                                   ║
╚═══════════════════════════════════════════════════╝
Card 2: Incident Commander Quick Reference
╔═══════════════════════════════════════════════════╗
║ INCIDENT COMMANDER CHECKLIST                      ║
╠═══════════════════════════════════════════════════╣
║                                                   ║
║ FIRST 15 MINUTES:                                 ║
║ ☐ Assess situation                                ║
║ ☐ Classify severity (1-4)                         ║
║ ☐ Activate response team                          ║
║ ☐ Start incident log                              ║
║                                                   ║
║ FIRST HOUR:                                       ║
║ ☐ Contain the incident                            ║
║ ☐ Preserve evidence                               ║
║ ☐ Notify cyber insurance                          ║
║ ☐ Implement manual operations if needed           ║
║                                                   ║
║ CRITICAL CONTACTS:                                ║
║ IT Lead: _______________                          ║
║ Legal: _______________                            ║
║ Insurance: _______________                        ║
║ Regulator: _______________                        ║
║                                                   ║
║ REMEMBER:                                         ║
║ • Document EVERYTHING                             ║
║ • Don't make hasty decisions                      ║
║ • Communicate clearly                             ║
║ • Ask for help when needed                        ║
║                                                   ║
╚═══════════════════════════════════════════════════╝
SECTION 9: APPENDICES
Appendix A: State Breach Notification Requirements
| State | Notification Deadline | Attorney General Notification | Cannabis Regulator Notification |
|-------|-----------------------|-------------------------------|---------------------------------|
| California | "Most expedient time possible" | Required if 500+ | DCC required |
| Colorado | 30 days | Required if 500+ | MED required |
| Michigan | "Without unreasonable delay" | Required if 1000+ | CRA required |
| Nevada | "As soon as possible" | Required | CCB required |
| Illinois | "Most expedient time possible" | Required if 500+ | IDFPR required |
| Massachusetts | "As soon as practicable" | Required | CCC required |
| Oregon | 45 days | Required if 250+ | OLCC required |
| Washington | 30 days | Required if 500+ | LCB required |
| [Your State] | | | |
Note: Requirements change, and the thresholds above count affected residents of that state, not total records. Verify current law with legal counsel at the time of the incident; the deadlines run from discovery of the breach, so record the discovery time in the Incident Log.
Appendix B: Evidence Handling Chain of Custody
| Item | Description | Source Location | Date/Time Collected | Collected By | SHA-256 Hash | Storage Location | Access Log |
|------|-------------|-----------------|---------------------|--------------|--------------|------------------|------------|
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
Record a hash of each item (file, log export, disk image) at the moment of collection so the stored copy can later be shown to match what was collected.
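The Incident Log in Section 7 and the chain-of-custody table above both depend on the record being trustworthy after the fact. The following is an added example, not part of this template: a small Python log in which every entry carries the SHA-256 hash of the previous entry, so an edited or removed entry breaks the chain and is reported by `verify_chain()`, and evidence items are fingerprinted with SHA-256 when they are logged. The class and function names, the incident ID and the sample evidence bytes are all constructed for the example.

```python
"""Tamper-evident incident log with evidence chain of custody.

Added example, not part of the template. Each entry includes the SHA-256
hash of the previous entry; editing or deleting an earlier entry breaks the
chain and verify_chain() reports the first bad index. Evidence items are
fingerprinted with SHA-256 at collection time and recorded in the same chain.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a collected file (log export, disk image) without loading it at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash every field except entry_hash itself, using canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return sha256_bytes(canon)


class CustodyLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def append(self, who: str, action: str, timestamp=None, **fields) -> dict:
        """Add one log line; extra keyword fields are stored alongside it."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {
            "incident_id": self.incident_id,
            "seq": len(self.entries) + 1,
            "time": (timestamp or datetime.now(timezone.utc)).isoformat(),
            "by": who,
            "action": action,
            "prev_hash": prev,
            **fields,
        }
        entry["entry_hash"] = entry_hash(entry)
        self.entries.append(entry)
        return entry

    def record_evidence(self, who, item, source, storage, data: bytes, timestamp=None) -> dict:
        """Log collection of an evidence item together with its fingerprint."""
        return self.append(who, "collect_evidence", timestamp, item=item,
                           source=source, storage=storage,
                           evidence_sha256=sha256_bytes(data))

    def verify_chain(self):
        """Return (True, None) if intact, else (False, index of first bad entry)."""
        prev = GENESIS_HASH
        for i, e in enumerate(self.entries):
            if (e.get("seq") != i + 1 or e.get("prev_hash") != prev
                    or entry_hash(e) != e.get("entry_hash")):
                return False, i
            prev = e["entry_hash"]
        return True, None

    def head_hash(self) -> str:
        """Hash of the latest entry; write it on the paper log to detect truncation."""
        return self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH


def demo():
    """Constructed walk-through with a fictional incident ID and sample evidence."""
    log = CustodyLog("IR-0001")  # constructed incident ID
    t0 = datetime(2024, 3, 1, 9, 15, tzinfo=timezone.utc)  # constructed time
    log.append("IT Lead", "Isolated POS-01 from network (power left on)", t0, system="POS-01")
    sample = b"constructed sample: exported POS-01 auth log, 3 lines\n"
    log.record_evidence("IT Lead", "POS-01 auth log export", "POS-01",
                        "Evidence safe, bag #1", sample, t0)
    return log.verify_chain(), log.head_hash()


if __name__ == "__main__":
    print(demo())
```

Two caveats. The chain detects edits and deletions in the middle, but not removal of the newest entries; copy `head_hash()` onto the printed log sheet or send it to counsel at the end of each shift so truncation is also detectable. A hash also says nothing about who wrote the entry, which is why the Collected By and Access Log columns, and signatures on the paper log, still matter.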
Appendix C: Insurance Policy Quick Reference
| Policy Type | Carrier | Policy # | Coverage Limit | Deductible | Claims Phone |
|-------------|---------|----------|----------------|------------|--------------|
| Cyber Liability | | | | | |
| General Liability | | | | | |
| Property | | | | | |
| Business Interruption | | | | | |
Notification Requirements:
- Deadline: ______________________
- Method: ______________________
- Required documentation: ______________________
Appendix D: System Recovery Priority
| Priority | System | RTO | RPO | Recovery Method | Owner |
|----------|--------|-----|-----|-----------------|-------|
| 1 | POS | | | | |
| 2 | Metrc Integration | | | | |
| 3 | Security Cameras | | | | |
| 4 | Employee Workstations | | | | |
| 5 | | | | | |
RTO = Recovery Time Objective (how quickly must it be restored?)
RPO = Recovery Point Objective (how much data loss is acceptable?)
ANNUAL MAINTENANCE CHECKLIST
Review and update this template at least annually:
☐ Update all contact information
☐ Verify insurance policy details
☐ Confirm regulatory contacts are current
☐ Review state notification requirements
☐ Test backup restoration procedures
☐ Conduct tabletop exercise with team
☐ Update based on lessons learned
☐ Distribute updated copies to all locations
Last Review Date: ______________________ Next Review Date: ______________________ Reviewed By: ______________________
CONCLUSION
When an incident happens, you won’t have time to figure out what to do.
This template gives you:
- Clear roles so everyone knows their job
- Step-by-step procedures so nothing is missed
- Pre-written communications so you don’t scramble for words
- Documentation tools so you have legal records
- Quick references so responders can act fast
Print it. Customize it. Practice it.
The difference between a minor incident and a catastrophic breach is often just preparation.
Questions about incident response?
Ask in the #incident-response channel in our private Discord.
Related Resources:
- The Complete Dispensary Cybersecurity Hardening Guide
- POS Vendor Security Assessment Checklist
- Metrc Security Configuration Guide
- Employee Security Training Materials