In the wake of 9/11, in response to concerns about a terrorist attack involving bioterrorism President Bush signed the Public Health Security and Bioterrorism Preparedness and Response Act of 2002.
The Bioterrorism Act, as it is known, is divided into five sections and deals with many different facets of the threat of bioterrorism. This article is focused on Section 306 of the Act, “Protecting Safety and Security of Food and Drug Supply.”
This section of The Bioterrorism Act, completed in December 2004, is comprised of new security guidelines for the entire food and beverage production industry, including agribusiness and animal feed supply. Philip Jan Rothstein, a business continuity expert, recently commented on the guidelines: “Like pharmaceuticals, health care and other industries which directly affect public health and safety, the food and beverage industry is governed by legal and regulatory requirements, as well as moral and ethical obligations. In the event of a public health crisis, access to business and operational records could become critical.”
The following organizations are required to comply with the Bioterrorism Act recordkeeping rule; food manufacturers, importers, processors, packers, trucking firms/transporters, distributors, wholesalers, and retailers. In all, according to the FDA, approximately 707,672 total facilities are covered under the recordkeeping rule. “Of course, protection and preservation of essential business records should be considered a due diligence priority even when no crisis is looming,” counsels Rothstein.
The new rules are designed to help the government track the source of contamination in the event of a terrorist event which targets the nation’s food supply. Since the Food and Drug Administration (FDA) is the government agency in charge of safeguarding the food supply from inadvertent contamination, it has taken on a large role in efforts to prevent, prepare for, and respond to incidents of food sabotage.
Records Protection Requirement
One of the most important elements of The Bioterrorism Act is the new FDA record protection requirements outlined in “Section 306: Establishment and Maintenance of Records for Foods.” The recordkeeping rule propels covered organizations (see below) in the food supply chain to establish and maintain easily accessible paper or digital records that “identify the immediate previous source of all food received, as well as, the immediate subsequent recipient of all food released.”
All businesses covered by this rule need to be in compliance within 12 months from December 9, 2004, and The Bioterrorism Act allows FDA to pursue civil action (as well as criminal action) to prosecute persons who fail to establish and maintain records as required by the final rule.
In a press release issued by the FDA in December of 2004, Dr. Lester M. Crawford, Acting FDA Commissioner, explained the reason for the recordkeeping rule: “The ability to trace back will enable us to get to the source of contamination. The records also enable FDA to trace forward to remove adulterated food that poses a significant health threat in the food supply.” In other words, if terrorists tried to sabotage the food supply, the records provided by the covered organizations will enable officials to identify first wherein the supply chain the contamination occurred and then, if necessary, immediately remove the product from stores, warehouses or distribution centers before too many casualties occur. Additionally, officials investigating a food contamination incident would most likely not even be able to determine whether the contamination was accidental or intentional until they pinpointed the source of the outbreak using the traceable records in the food supply chain.
What records need to be protected and made accessible?
Generally, FDA is concerned only with traceability, so any records that contain information regarding where the food came from and where it is destined are at issue. Excluded from coverage are the following types of records common among the food industry:
• Recipes for food (as defined in the rule)
• Financial data
• Pricing data
• Personnel data
• Research data
• Sales data (other than shipment data regarding sales)
Companies can maintain the required information in any format, paper or electronic. According to the requirements outlined in the recordkeeping rule, the requirements apply in varying degrees to certain categories of businesses. For human food, records must be maintained in ranges from six months to two years – depending on the shelf life of the food. The maximum record retention requirement for transporters of all types of food is one year.
One of the key aspects of Section 306 rule is that records must be retained at the establishment where the activities covered in the records occurred or at a reasonably accessible location. This is to ensure that when FDA has a “reasonable belief that an article of food is adulterated and presents a threat of serious adverse health consequences or death to humans or animals, any records or other information to which FDA has access must be available for inspection and copying as soon as possible, not to exceed 24 hours from time of receipt of the official request.”
What covered organizations need to do now:
The safeguarding of vital and irreplaceable paper and digitally stored documents is absolutely crucial for compliance.
Some potential approaches for Section 306 rule compliance include: onsite fireproof vault, onsite fireproof safes and/or file cabinets, and onsite data safes and media vaults that are specially designed to secure digitally stored information, i.e. discs and tapes.
Unfortunately, standard filing equipment is believed to offer fire protection by a large majority of consumers. This thinking, attractive in today's cost-conscious environment because it "seems" cheaper, is erroneous and potentially dangerous.
The stakes are high in this environment. Were terrorists to successfully attack the nation’s food supply, the cost in human life and the potential economic damage could be astronomical. It is imperative for covered businesses to put forth the best effort possible to comply with The Bioterrorism Act.
Most risk management experts cannot agree more. According to Tom Weems, a consultant specializing in Business Continuity Planning, “a few years ago, we defined vital records as those records critical to the operation of a business. That has changed. In today’s world, there is an ever-broadening set of records that businesses must protect for compliance purposes.”
Weems continues: “For some businesses involved in the food chain, protecting certain records is no longer just good business practice it is a federal requirement. Fair or not, like it or not, the requirements are real and the means of protecting those records must be real as well.”
Since covered businesses are now required to store these vital records onsite, the records are accessible and secured against risks such as fire or flooding. Therefore, experts advise seeking records storage products that are tested by Underwriters’ Laboratory (UL) or other nationally known independent testing labs – absolutely steer clear of equipment with manufacturers’ or non-independent ratings. UL is the best, as no other testing and standards organization matches their reputation.
One “trick” to be wary of is a product that claims to be “built to” a certain UL class specification claim. This is marketing-driven wordplay, pure and simple – and it leads the customer to falsely believe they are getting a UL rating. In reality, it’s just the manufacturer’s dubious claim – UL has never tested it, and how it will stand up to a real fire is anyone’s guess.
You won’t have to sacrifice aesthetics for safety, either. The top vendors in the industry offer well-designed and attractive media-rated safes, fire-resistant file cabinets, and fire safes for onsite records protection. You can readily find this equipment at your local office products dealer (in most office products catalogs) or increasingly on the Internet.
About the Author:
Van Carlisle became President/CEO of Fire King, one of the premier security and loss prevention companies in the nation, at age 24 in 1975 and acquired controlling interest in the company a year later. Having studied criminal justice at the University of Louisville and serving 6 years in the Air National Guard Security Police Force, Van brings a unique level of security expertise to the company.
For Further Information:
• Final Section 306 Rule: www.fda.gov/oc/bioterrorism/bioact.html
• Underwriters Laboratories Inc.
Underwriters Laboratories Inc. (UL) is an independent, not-for-profit product
safety testing and certification organization that tests products for public safety.
• Tom Weems is with Texas-based PreEmpt; www.PreEmptInc.com
• Philip Jan Rothstein, FBCI, is president of Rothstein Associates Inc. (Brookfield, Connecticut USA; www.rothstein.com)