The U.S. FDA recently issued its final rule implementing the landmark Food Safety Modernization Act of 2011, a law making the most comprehensive revision to the U.S. food safety system in 70 years. The new rule focuses on insuring food security and preventing intentional adulteration, rather than responding to contamination, illness, or a crisis after the fact. Although the timing was coincidental, the terrorist attack in Nice, France during the summer shows how the failure to focus on seemingly mundane activities like the movement of a delivery van can have tragic consequences, and why this food security rule is essential.
In the rule published May 27, 2016 entitled “Mitigation Strategies to Protect Food Against Intentional Adulteration,” FDA states that the purpose of the “rule is to protect food from intentional acts of adulteration where there is an intent to cause wide scale public health harm.” It builds on existing requirements for all registered foreign and domestic food production facilities, applying food security protocols in a regulatory climate that is increasingly concerned about safety.
The approach is modeled on the preventive controls approach used for food safety. It includes the familiar Hazard Analysis and Critical Control Point (HACCP) approach used for seafood and juice processors, and the general hazard analysis and risk-based preventive controls approach underlying the rules governing Good Manufacturing Practices for food facilities. As FDA explains, food safety and food defense “are more similar than they are different.” Thus, the framework of the new rule requires an analysis be performed similar to the HACCP approach. This includes identification of significant vulnerabilities, development and implementation of mitigation strategies, and implementation of systematic management components to insure that measures are functioning.
The rule is flexible and rejects a “one-size-fits-all” approach. All facilities are required to conduct a vulnerability assessment and identify actionable mitigation strategies, while acknowledging “the mitigation strategies that [each] facility would establish and implement would depend on the facility, the food, and the outcome of the facility’s vulnerability assessment.” Because preventive control measures are process-oriented and can be scientifically validated, they are appropriately imposed more broadly. By contrast, security measures typically reduce physical access to prevent intentional contamination by an attacker, but cannot be scientifically validated.
What’s in the Rule?
The new rule requires development and implementation of “a written food defense plan that includes actionable process steps, focused mitigation strategies, and procedures for monitoring, corrective actions, and verification.” The Food Defense Plan sets forth steps each facility will follow to address risks and implement mitigation strategies, but the plan itself is obviously insufficient to avoid intentional adulteration. Thus, it requires implementation of the plan, and development and maintenance of records to document implementation, insuring qualified individuals are performing assigned functions and regular reassessments at least every three years or as needed (such as when there is a process change).
Actionable process steps. Key to any Food Defense Plan is identification of “actionable process steps” for “significant vulnerabilities” at the facility “for each type of food manufactured, processed, packed, or held.” It must evaluate potential public health impacts, the degree of physical access, and ability of an attacker (including an insider) to contaminate a product. FDA identifies four key activity types that indicate a significant vulnerability, although others may be identified in individual facility assessments. Those key activities are: bulk liquid receiving and loading; liquid storage and handling; secondary ingredient handling; and mixing and similar activities.
FDA also requires the Food Defense Plan include an explanation why each point, step, or procedure in a manufacturing process was or was not identified as an “actionable process step” where there was a “significant vulnerability” requiring a mitigation strategy.
Focused mitigation strategies. For each actionable step, facilities are required to identify and implement strategies to insure the vulnerability will be significantly minimized or prevented and the food will not be adulterated. The Food Defense Plan must not only identify these strategies, but also explain how they sufficiently minimize or prevent the vulnerability and will be monitored. In the event of a breakdown, corrective procedures must be identified in the Food Defense Plan.
FDA also requires companies to verify and document what has been done and verify that corrective actions are made by qualified individuals. The agency specifically requires a regular review of the monitoring and corrective action records to insure that they are complete, the activities reflected in the records occurred in accordance with the Food Defense Plan, that mitigation strategies are being properly implemented, and that appropriate decisions were made. FDA also requires that the Food Defense Plan include a description of these verification activities, and that records be created documenting the verification procedures.
Are There Exemptions?
Yes, based on size of the business and type of food being processed. Larger businesses covered by the rule may develop a Food Defense Plan that covers only a portion of a facility or certain product lines. Those that average less than $10 million annually qualify as “very small businesses” and are generally exempt.
The rule does not apply to farms covered by FDA’s Produce Safety Rule. It also does not apply to 1) the packing, re-packing, labeling, or re-labeling of food where the existing container of the food remains intact; 2) the holding of food (except the holding of food in liquid storage tanks); 3) most alcoholic beverage manufacturing; 4) on-farm manufacturing, processing, packing, or holding of eggs or game meats by small or very small businesses that conduct only those activities; or 5) animal foods.
When Are the Deadlines?
The Food Defense Rule is currently in effect, however, FDA is deferring enforcement in order to give businesses time to adjust to the rule and implement the necessary changes. Large businesses must be in compliance within three years, small businesses (those with less than 500 employees) have four years, and very small businesses have five years.
What About Public Relations and Legal Liability?
Before a crisis. There is a truism in Crisis & Reputation Management: “The best time to do damage control is before damage happens.” By addressing matters up front, you limit or eliminate any legal liability. Do not do the bare minimum. When safety and security are at stake, err on the side of caution. Your actions will demonstrate that the public’s well-being is your top priority, and this earns you invaluable goodwill.
It is best to be proactive. Putting controls in place in advance is a relatively modest expense with a high return on investment. They are invaluable to limit liability, or avoid it altogether.
Too often, people and companies think bad things will not happen to them, make half-hearted attempts to be prepared, or procrastinate until the proverbial eleventh hour. These companies end up on the wrong side of the media and the law, playing defense while scrambling to clean up a mess they were not ready for.
With the Food Defense Rule, your legal risks are greatest if someone gets hurt and you’ve failed to take appropriate action. FDA discussed just such a case—a 2013 incident in Japan involving an employee who poisoned seafood, resulting in at least 2,843 people getting sick and the recall of 6.4 million packages of frozen seafood.
In addition to possible fines, criminal penalties, and the FDA’s ability to suspend your food registration and put you out of business, you could face class action or individual lawsuits where the plaintiffs’ lawyers will argue that you intentionally failed to follow the law to save money in support of higher damage awards.
During a crisis. Unsure whether or not to disclose a problem or an investigation? Talk to your lawyer, then your public relations team. For public companies, the Security and Exchange Commission requires you to “disclose major events that shareholders should know about.” Whether the event in question rises to that level depends on the severity and size of the public company. For private companies, there are no clear rules beyond a requirement to disclose an imminent and substantial endangerment to the public.
From a brand and reputation perspective, it is best to disclose early and often. Consumers need and want to be reassured. When there is a threat to food safety, they care about one thing: How does it affect them. Failure to inform the public could lead to lawsuits being filed by plaintiffs’ lawyers looking to make a buck before the facts are known. Once a suit is filed, you have been damaged regardless of the merit of the allegations. As the bad publicity increases, the risk of additional lawsuits rises and you have to pay your own lawyers to defend the claims.
What do you need to tell the public? Before you say anything, you first must know what you want to achieve. Then you can reverse-engineer your strategy and figure out how to get there.
The basics: How did it happen? What are you doing to fix it? What does this mean for them? Each audience has different concerns—consumers, vendors, investors, and the media. But your messaging must be consistent. If there has been illness or loss of life, show empathy. If you are unsure of an answer, the best thing you can say is, “Let me check on that, and I’ll get back to you.” That gives you time to craft a well-thought-out response and make sure you have your facts straight. As a rule of thumb, you only need to share the most necessary information. Anything extra (or unplanned or inaccurate) leaves you vulnerable to follow-up questions that you may not want (or be prepared) to answer. This may increase your legal risk.
After the immediate crisis. The hardest part is behind you. The immediate threat is over, and you have figured out what happened. Now, how do you move forward?
You control the story, by either stopping the story or making sure that the audiences who are most important to you quickly hear what happened, what you have done to correct the problem, and the steps you are taking to make sure it never happens again.
Make sure you learn from what happened. Even if years go by without another mistake being made, people will remember what happened and wonder whether you really learned. They will view you more harshly if you did not learn anything. Indeed, the law allows subsequent violations to be treated by FDA more severely.
Gillott Bowe is a crisis public relations fixer and president of Gillott Communications LLC. She resolves issues both in and outside the media’s glare. She has been featured in The Wall Street Journal, The Washington Post, NPR, Forbes, and Eater. Reach her at firstname.lastname@example.org. Kaplan is a partner with Tucker Ellis LLP and co-chair of the firm’s Food, Cosmetics, and Nutritional Supplements practice. He advises business on FDA and FTC advertising and labeling compliance and environmental regulatory matters, and defends class action false advertising and unfair competition cases. Reach him at email@example.com.