Tag Archives: Focus Article

Hacker

Ransomware: Lessons Learned from One Food Company’s Experience

By Food Safety Tech Staff
No Comments
Hacker

In fall 2021, G&J Pepsi-Cola Bottlers Inc, came face-to-face with a potential ransomware attack and was able to avert it. We spoke with G&J’s enterprise infrastructure director, Eric McKinney, and cybersecurity engineer, Rory Crabbe, to learn more about how they detected and responded to the attack, the steps they have taken to strengthen their cybersecurity, and what advice they have for other food companies in the wake of the near catastrophe.

What happened to G&J back in 2021, and when did you realize something was wrong?

McKinney: Around Labor Day of 2021, we received a really weird call. The callers were acting as if they were friends looking out for our best interest, and they alerted us to the fact that there may be compromises to our system. They showed us a spreadsheet of usernames in our active directory to verify that they were in our systems, and they said we could pay them to prevent an attack. We did not engage with them further—and we think they may have been part of it—but we believed that something was happening.

Eric McKinney
Eric McKinney

We went through all of our servers—we don’t have a large footprint, because we are a cloud first organization—but we did detect some software that should not have been installed on a couple of our servers. We removed that immediately, but we were unable to find the beacons that they leave behind that act as triggers to start encrypting your files.

We made the decisions that if anything happened, we were not going to negotiate, we were not going to try to get our systems back, we were going to shut everything down and roll back. I put myself on call and sure enough I got a call two days later at 3:00 a.m. from one of our people. He was logging in remotely to a server and he said, “Something don’t look right.” I go to his screen and I immediately see the locked files and realize this is really happening.

The thing that saved us ultimately is we use native platform backups. We use Microsoft Azure. So we immediately shut everything down and started rolling back our systems as far back as we could go. Those backup files were not compromised because we don’t leverage backups that tie to a file system within a server. The only way you can touch them is if you have our Cloud credentials, which are all multi-factored.

How did this affect operations?

McKinney: The net impact was our critical systems were down for about seven to eight hours, and we were recovering PCs for almost a week—there were 100 to 150 PCs that were impacted as it continued to move laterally through our organization, and we had to get them all flushed out. We had to roll the system back two weeks, so we lost two weeks of data. That impacted the accounting team the most.

We did experience an event—it was not an almost event. But we never lost a single case of sales and we never paid a single dollar. We took everyone’s computers and blew them away, handed them right back to them and said you’re starting fresh. Fortunately, this only affected employees’ files. They could still get their emails and the things that were in OneDrive.

The things that really worked in our favor were our Cloud-first strategy and getting away from a legacy client architecture. We were still able to communicate. We could send emails, we could set up Teams and we had all the tools to coordinate and get out of this and recover as quickly as we did. The second thing was having those native platform-based backups.

How did this change your digital and cybersecurity strategies?

McKinney: We were doing weekly backups, now we back up every day. And these are full system backups, which means that if you hit restore, the whole system lights back up not just the data but also your operating system that it runs on.

Crabbe: We also reached out to a lot of companies, including Arctic Wolf, who we ultimately began working with to help us figure out what we didn’t know. We worked with them to go through our environment and come up with ideas on how to improve. We are a big Microsoft shop, and we started utilizing a lot of the native tools that we already had such as Defender for Endpoint and the security portal. This addressed a lot of the low hanging fruit, such as automatic updates and not allowing outside vendors to contact us without going through a vetting process.

Rory Crabbe
Rory Crabbe

Arctic Wolf went through our system and sent us a list of recommendations, and a lot of what we did involved utilizing the native tools that we already had, shoring up our defenses, making sure the backups work and creating a disaster recovery plan.

McKinney:  We quickly went from being a business of convenience, where we said, “let’s allow USB drives,” to changing all of our technical policies by turning on all of our attack surface reduction rules. We blocked all logins from outside the U.S. and brought in new team members dedicated to cybersecurity.

I have some self-confidence issues due to this attack because your failures are put on display, and there is a feeling that if you were doing a better job this would have been prevented. But we were a very small team and we were responsible for cybersecurity, ERP (enterprise resource planning) initiatives, development initiatives, support and infrastructure initiatives and data initiatives. When you’re wearing all of these hats things do get missed, and in the end it ended up being one application update. One application patch was exposed, which set all of this off. in terms of where we’ve gotten better, we signed up with an MSP (managed service provider) to monitor our environment 24 hours a day seven days a week. In addition, these companies assist your team by keeping them up to date with the latest techniques and providing proactive communication on things that we should be doing to secure and protect our environment.

We’ve taken a lot of steps over the past two years and we still have a long way to go. We will never stop or become complacent.

There is a concern among some people that the Cloud is less secure, and it’s better to control your own servers. Is that a misconception?

Crabbe: When it’s on premise it is your responsibility. If something happens to your infrastructure, you’ve got to be on call and wake up to deal with that. So not only is the Cloud a reduction in personnel work; it’s also peace of mind. Microsoft has its own team of engineers, and they have physical security in place as well. The Azure building is protected by armed guards to protect the data from physical hackers. It’s a lot easier to apply security policies to something that’s in the Cloud because Microsoft can give you options for all kinds of things that you didn’t even know you needed. This makes it easier to visualize where you are and where you need to go.

McKinney: These are also publicly traded companies that have to follow all of the controls that come with being publicly traded. They’re going to do a better job than the one or two individuals that you have at your company who cannot work 24/7 365 days a year.

I appreciate you guys talking openly about this, because one of the issues that comes up in food defense and cybersecurity is people aren’t necessarily sharing information that could help others recognize vulnerabilities. Is it difficult to share this information?

McKinney: We didn’t want to talk about it for a long time. It’s hard to put your failures—or at least what is perceived as a failure—out there. But when you look around, you realize this can happen to anyone. It happened to MGM with all their resources. And one issue that isn’t discussed very often is, behind the business implications is an incredibly stressed out IT team that really is traumatized by an event like this.

In talking with others who have been through this, it’s often the most stressful thing that’s ever happened in their lives. It certainly is the most stressed out I’ve ever been. You’re thinking, I just cost my company millions of dollars. I shut down my business. We may not be able to get product to our people. So many things flash through your mind, and you really don’t want to talk about it or advertise it. Luckily for us, we had the right systems but most importantly we had really great executive support and great team members to help us recover.

When it comes to access management, companies have to balance convenience for their employees with the need for stringent security. Were employees understanding of the changes you had to make, and how did you communicate these changes in processes?

Crabbe: There was a lot of frustration with people saying this worked before, why can’t we do it now? One of the benefits of being a family-owned company is that we are a fairly small group, so we were able to deal with it on almost a case-by-case basis. We have an internal system that people can submit their issues or requests through, and we review them. For example, if somebody needs to move a device to a USB stick to take to an external vendor, we can look at that and say what alternatives do we have? Can we use OneDrive or another native tool to share that information? Does it have to be a USB stick? Or, if someone is going on vacation in Mexico, they can submit a ticket and we can allow them remote access from a specific country for a specific amount of time so they can log-in. We can tell them yes or no on a case-by-case basis and explain why we made the decision.

McKinney: This event also made us ask questions like, do we even need USB sticks? There are so many other tools we can use. A lot of the changes involved looking at more modern ways to collaborate. And a lot of that revolves around retraining and catching your workforce up with the new tools that we have available.

Based on your experience, what advice would you offer other companies?

McKinney: The IT spend in the food and beverage industry is typically small compared to industries like insurance or banking or health care. You need to capture all the signals from all your systems—emails being sent, open, received, etc.—and you must monitor those. Then you need the right algorithms and the right people to make sense of that data. If you are not able to maintain a large enough in-house team, investigate an MSP. They can ingest all the signals, funnel them and turn all that data into actionable items. Also, store your backups off site and limit access. Don’t store them with your production data.

Crabbe: Shore up your defenses using your native tools and create a disaster recovery plan. Those would be my two biggest recommendations for any company going forward. Dig deep and utilize what you’ve got. There’s probably a lot more available to you than you realize you have, and don’t be afraid to reach out to third-party vendors for help.

 

Jennifer Allen
Food Safety Attorney

Organic-Labeling Regulations

By Jennifer Allen
No Comments
Jennifer Allen

I have a tattoo on my arm of a stamp that proudly, if not entirely accurately, declares that I am “100% organic.” As a food lawyer and general foodie, it is very much on brand. I cover it with my sleeve whenever I go to court or otherwise feel that it is professionally appropriate to do so. But otherwise, my tattoo isn’t much of a liability, even if I display it to the world while proudly eating chemical-laden foods; to the contrary, it’s a fun conversation starter.

Unfortunately, the same cannot be said for food packaging. Food manufacturers who make that same claim, or others like it, without following the USDA’s stringent organic-labeling regulations, will face a lot more than a raised eyebrow, particularly since the USDA recently strengthened its enforcement ability with a new final rule that became effective earlier this year. So how can you let your more health-conscious customers know about the purity of your food without getting in trouble?

The safest and easiest way to do this is simply to identify any organic ingredients on the information panel of your packaging. If less than 70% of your ingredients are organic (by weight, excluding water and salt), then this is your only option. The ingredients listed as organic must in fact have been produced in compliance with the organic regulations and must not have come into contact with any prohibited substances. And you must keep records that allow the USDA to confirm this. Limiting your organic labeling to the information panel means that you don’t have to certify as an organic handler.

If more than 70% of the ingredients in your product are organic, then you probably want your customers to know that without having to read the ingredient list. Depending on the composition of your product, you want your principal display panel to declare that your food is “100% Organic,” “Organic,” or “Made with Organic” ingredients. The trade-off for making any of these claims is that you must certify as an organic handler, unless an exclusion or exemption applies to you. The ins-and-outs of certification are outside the scope of this article, but you can find them by referencing the regulations in 7 CFR 205. Although obtaining and maintaining certification is a rigorous standard, it allows you to use the USDA seal on your packaging.

Breaking Down the Three Types of Organic Claims

Let’s look at the broad requirements for these three types of claims. To make a claim that your product is “100% Organic,” all of your ingredients, and any processing aids, must have been produced in accordance with the organic regulations. Pretty simple, and common-sense.

To make an “Organic” claim, at least 95% of your ingredients, by weight, must have been produced in accordance with the organic regulations. Any nonorganic agricultural ingredients must meet a list of criteria, including that they are not commercially available in organic form and are not produced using certain prohibited processes. In addition, any nonagricultural ingredients including processing aids must be on the regulations’ list of approved substances.

To make a claim that your product is “Made with organic” ingredients, the product must contain at least 70% organic ingredients, by weight. In addition, all agricultural products must be produced without the use of sewage sludge, and cannot be irradiated or genetically engineered, and any nonagricultural ingredients including processing aids must be on the regulations’ list of approved substances. You are also limited to three ingredients or types of ingredients, and those ingredients must be included on the list of ingredients set forth in the regulations. The list currently consists of fish, fruits, grains, herbs, meats, nuts, oils, poultry, seeds, spices, sweeteners, vegetables and processed milk products. And all types of the ingredient (for example, tomatoes and tomato paste), must be organic, unless the non-organic type is identified separately as non-organic.

A major exemption for food manufacturers applies to producers of organic products whose agricultural income from organic sales is less than $5,000 a year. If this describes you, then you needn’t go through the rigorous certification process, but you must still follow the regulations for producing and handling organic products and all the applicable labeling requirements. The trade-off for avoiding the rigors of certification is that you may not use the USDA stamp on your products, and anyone who purchases your products cannot label them organic. And you must keep records sufficient to prove that any ingredients labeled as organic were in fact organically produced and handled and to verify the quantities that were produced from these ingredients.

To recap, absent an exemption or other exclusion, if you want to make a bold declaration about the organic nature of your ingredients, you will need to certify as an organic handler and follow all the relevant labeling regulations. For your efforts, you get to display the USDA seal on your products. If an exemption applies to you, you may make that bold declaration without certifying, but you do not get the added legitimacy of the USDA seal. If certification doesn’t make sense for you and no exemption or exclusion applies, then you may not make any bold declaration, and you are limited to listing the ingredients on the information panel.

Follow the regulations carefully. After all, what holds true for tattoos also holds true for organic labeling. Always think before you ink!

 

 

James Jones

Jim Jones to Serve as First FDA Deputy Commissioner for Human Foods

By Food Safety Tech Staff
No Comments
James Jones

James “Jim” Jones will serve as the FDA’s first Deputy Commissioner for Human Foods. Per the FDA’s announcement, Jones, in this new executive position will lead the charge in setting and advancing priorities for a proposed unified Human Foods Program (HFP). Program areas would include food safety, chemical safety and innovative food products, including those from new agricultural technologies, that will bolster the resilience of the U.S. food supply in the face of climate change and globalization, as well as nutrition to help reduce diet-related diseases and improve health equity. Jones is scheduled to begin at the FDA on September 24, 2023.

For more than 30 years, Jones has held various positions in the U.S. Environmental Protection Agency (EPA), stakeholder community and private industry where he has managed teams and provided strategic planning and thought leadership around issues related to chemical safety and sustainability in the environment. His work has focused on lessening the impact that chemicals and pollution have on the U.S. food supply. At the EPA, he was a principal architect of the 2016 overhaul of the Toxic Substances Control Act, the first update of that statute in more than 40 years. He was also responsible for decision-making related to the regulation of pesticides and commercial chemicals. He also led several national sustainability programs, including the EPA’s Environmental Preferable Purchasing Program and the Presidential Green Chemistry Awards Challenge. He is a seasoned leader whose experience managing change initiatives within the federal government will be invaluable as we continue to build a unified HFP.

“I’m delighted to welcome Jim to the FDA. His impressive career, extensive leadership experience, and passionate vision for the future of the Human Foods Program make him an ideal selection for this pivotal position,” said FDA Commissioner Robert M. Califf, M.D. “Our proposed reorganization is the largest undertaking of its kind in recent history for our agency. I’m confident that under Jim’s leadership, we will build a stronger organization that will be integrated with other components of the FDA and focused on keeping the foods we regulate safe and nutritious, while ensuring the agency remains on the cutting edge of the latest advancements in food science and nutrition. I’m looking forward to working with him when he joins us next month.”

Jones was an integral member of the Reagan-Udall Foundation’s Independent Expert Panel for Foods, which submitted a report in December 2022 on the operational evaluation of the FDA’s Human Foods Program. He holds a master’s degree in economics from the University of California at Santa Barbara and a bachelor’s degree in economics from the University of Maryland.

“Jim is among the most public-spirited and able government leaders I know.  I cannot think of a better choice for this crucial role.  In his 20 years in leadership positions at EPA, Jim demonstrated know-how to lead complex, science-based regulatory programs in a visionary and inclusive way. Jim knows food safety and the food system from his leadership of EPA’s pesticide program, and he knows the food safety and nutrition challenges FDA faces through his service on the Reagan-Udall Foundation Expert Panel,” said Mike Taylor, board member emeritus of STOP Foodborne Illness and former FDA Deputy Commissioner for Foods and Veterinary Medicine.

In the role of Deputy Commissioner for Human Foods, Jones will report directly to the FDA Commissioner. He will exercise decision-making authority over all HFP entities when the reorganization is in effect, including related Office of Regulatory Affairs (ORA) activities. He will provide executive leadership over the entire program as well as over resource allocation, risk-prioritization strategy, policy, and major response activities involving human foods. The leadership for Center for Food Safety and Applied Nutrition and Office of Food Policy and Response will report to Jones until the proposed HFP reorganization is implemented.

“I am very excited about the opportunity to serve as the first Deputy Commissioner for Human Foods at the FDA. I had the pleasure of serving on the expert panel that provided operational recommendations for the FDA’s foods-related activities, and I now look forward to helping the agency realize its vision for the proposed Human Foods Program, including carrying out important nutrition initiatives to improve the health of our country,” said Jones. “As a former pesticide regulator, I have a deep understanding of the unique needs of government programs involved in upholding safety of the U.S. food supply, as well as the important role that the agriculture community and state partners play in this paradigm. I am honored to serve the FDA and the country in this new capacity.”

 

 

 

Sonia Acuña-Rubio
Allergen Alley

Reducing the Risk of Undeclared Food Allergens

By Sonia Acuña-Rubio
No Comments
Sonia Acuña-Rubio

Each year, 200,000 people in the U.S. require emergency medical care due to allergic reactions to food. Common foods that trigger allergic reactions include certain types of seafood, dairy, nuts, wheat, soy and sesame. For some, food allergy reactions can be serious and even life-threatening, requiring immediate treatment via the drug epinephrine.

Allergens are also one of the leading causes of food recalls globally. As food allergies continue to impact individuals and families across the nation, food manufacturers and distributors must be vigilant when manufacturing, packaging and selling foods to consumers.

Understanding Allergen Regulations

Many countries aim to protect individuals with food allergies by enforcing government regulations. Such regulations can require product manufacturers to disclose ingredients in packaged food and beverages.

In the U.S., the FDA recognizes nine major food allergens: crustacean shellfish, eggs, fish, milk, peanuts, tree nuts, sesame, soybeans and wheat. Sesame is the newest recognized allergen and was added in 2022 as part of the Food Allergy Safety, Treatment, Education and Research (FASTER) Act. These allergens must be identified on labels for American food products.

Similarly, in Canada, the Canadian Food Inspection Agency (CFIA) has a list of 11 priority allergens, which includes eggs, milk, mustard, peanuts, crustaceans and mollusks, fish, sesame, soy, sulfites, tree nuts, wheat and triticale, which must be disclosed on pre-packaged foods sold in the country.

In both countries, products may be recalled due to improper labeling and announced via public notice. (A comprehensive list of recognized food allergens by country can be found on the Food Allergy Research and Resource Program (FARRP)’s website.)

Activating Your Allergen Management Program

A comprehensive and effective allergen management program protects your consumers and your company and is necessary to meet regulatory and GFSI (Global Food Safety Initiative)–benchmarked standard requirements. Creating an allergen management program involves developing processes and protocols and training employees to follow them.

Allergen cross-contact can occur when an allergenic food or ingredient is unintentionally incorporated into a food product. Food manufacturers and distributors should have a program that includes an allergen risk assessment, which helps to identify and manage any unintentional allergen contamination throughout the supply chain while tracing them throughout the facility. Good Manufacturing Protocols (GMP) should be followed for personal hygiene, handwashing, sanitation programs and more.

Managing Your Suppliers

Supplier communication is key to identifying allergens in raw materials. Use current supplier specifications and ingredient statements to identify allergens coming into the facility. Be alert for “may contain” statements and review your supplier’s allergen control policies and procedures.

In today’s food production environment, there are more supply chain disruptions than ever before. If there is a change in your raw materials or supplier, make sure that all documentation and finished product labels are updated.

Additional best practices when working with suppliers include:

  • Have a policy in place for label changes, noting that if a label from a product you purchase from a supplier changes, you must be notified of the change prior to the change being made and put into effect.
  • Ask for updated specifications/allergen information from suppliers on an annual basis. This could help to quickly identify issues if the supplier neglected to inform you of a change.

By identifying and listing sources in the facility, you can detect any ingredients and processing aids that contain or may contain allergens due to cross-contact or carry-over products. It is also important to prepare a master list of all ingredients in the facility and consider both primary and secondary ingredients, such as spices, colors and flavors.

Ask questions along the production process, identifying potential risks in recipes/formulas, traffic flow (of people, materials, and waste), potential crossovers of conveyors or pipe systems, shared equipment, storage practices, material segregation and airflow.

Avoiding Allergen Cross-Contact

Ensure that raw materials are labeled and segregated with incoming ingredient specification checks by weighing powders containing unique allergens in a separate and labeled area, covering totes or containers containing allergenic ingredients during transfer, and controlling the ventilation over lines where protein powders are dumped. Use product scheduling to maintain proper segregation.

Designate dedicated equipment, including utensils, if possible, as well as production sequencing or cleaning between allergen changeovers. Refrain from using original ingredient containers that previously held allergens. At the end of an allergen production run, conduct a complete and validated allergen clean.

Use documented visual inspection on each piece of equipment and environment between allergen changeovers and conduct regular labeling checks against the approved label/package design for each item produced. A third-party partner can be used to help develop and maintain supplier specifications, audit formulations, and review current packaging.

Protecting Consumers and Business Reputation

While ensuring products are free of any undeclared allergens may seem more challenging than ever before, establishing the right programs and practices can keep both your business and consumers healthy and safe. Implementing an allergen management plan, supplier checks, and allergen controls is key to avoiding cross-contact in the production process and throughout the supply chain, ensuing fewer disruptions in the manufacturing process, and ultimately, building trust with consumers.

Darin Detwiler

Bringing Food Safety to the Masses

By Food Safety Tech Staff
No Comments
Darin Detwiler

Food safety is set to gain national prominence with the release of “Poisoned: The Dirty Truth About Your Food.” The documentary from director Stephanie Soechtig was inspired by the book, Poisoned: The True Story of the Deadly E. Coli Outbreak That Changed the Way Americans Eat, by Jeff Benedict, which tells the story of the landmark 1993 Jack in the Box E. Coli outbreak.

The film premiered on June 9 at the Tribeca film festival and will launch on Netflix in Fall 2023. We spoke with Dr. Darin Detwiler, author, founder and CEO of Detwiler Consulting Group, and professor at Northeastern University, whose son Riley died as a result of the outbreak at just 16 months old, about his involvement in the documentary, who the film aims to reach, and changes that could be implemented to strengthen America’s food safety system.

How did the documentary come together and how did you get involved?

Tribeca Poisoned Premiere
Sarah Sorcher, Marion Nestle, Christine Haughney Dare-Bryan, Julie Marler, Bill Marler, Darin Detwiler

Dr. Detwiler: The film makers bought the rights to the book Poisoned by Jeff Benedict, But where Benedict’s book really looks at 1993 and the immediate aftermath of the Jack-in-the-Box E. coli outbreak, the filmmakers also wanted to look at the 30 years since the outbreak. We connected because I had written Food Safety: Past, Present and Predictions, and in that book I talk about 1993 and the immediate aftermath, but I also talk about the Peanut Corporation of America, the romaine lettuce outbreak and other landmark cases over the past three decades. I was a good resource for them in terms of my experience in 1993 with the death of my son, who was one of those four who died as a result of the E. Coli outbreak, and also in terms of my work with USDA and the FDA and my role as an academic who speaks on food safety and food safety policy.

Who is the intended audience in terms of who the filmmakers were hoping to speak to and in terms of who you hope to reach?

Dr. Detwiler: I love the fact that there are different audiences for the documentary. This is an opportunity for food safety professionals to understand the legacy of the E. Coli outbreak and the why behind the protocols, procedures, and expectations in regulatory compliance.

But what excites me is that this documentary was made for the general public, and it can hit the hearts and the stomachs of everyone. Everyone eats, and for more than 50% of people, their first job is somehow connected to food. Could this help someone who is working on a food production line better understand the history behind food handling and food safety requirements?

At the premiere there were so many questions from the audience and people were saying, “I had no idea you could get it E. coli without even eating a contaminated product. I had no idea this is still an issue.” This documentary could impact the decision making of several different categories of stakeholders who all have a role to play in terms of the bigger picture of food safety.

It must be painful to keep revisiting and telling the story of your son’s death.

Detwiler an Riley
Dr. Detwiler and son Riley.

Dr. Detwiler: It’s a way from me to pay respect to my son, and this might sound Pollyannaish, but it also helps to memorialize his story and extend the legacy of his life to new audiences.

If my son was alive, he’d be older than I am now—I was 24 in 1993 and Riley would be 31 today. For 30 years I have been sharing his story, and it has served two purposes. One is to help improve food safety at the core level and two is to keep my promise to myself. Right after my son died, I spoke with President Bill Clinton on the phone, and I said, “I feel like I need to help and be a part of this.” My thinking was, whatever I can do in terms of science or technology or laws and policy, we’re going to make it such that families in the future will not be dealing with these problems, but clearly they still are.

There was also a sense of, while I’m faced with losing my son, I don’t want to be faced with this notion that my son lost his father. When I do this work, in my mind it’s like I’m still spending time with him. I’m still there for him. And I do this not only for myself and my son but also for other people who have been affected by foodborne illness. To say “the CDC estimates that 48 million Americans become sick every year, that some 128,000 are hospitalized and 3,000 die every year,” that’s usually the most lip service anyone gives to the idea of foodborne illness. When I tell the story of my son’s illness and other family’s experiences, that puts a face and an emotion to those numbers. My goal is to not only impact those with the ability to change the industry, but also serve those 3,000 families every year—that’s 90,000 families since my son died—that live with that chair forever empty at their family table. I saw this documentary as being very important because the true burden of foodborne illness is represented, and representation is an important part of the healing and recovery from such an event.

I was surprised to learn that back in 1993 E. coli in beef wasn’t a significant concern on the federal level, but was more stringently regulated among a small number of states. Are there food safety risks today where you feel we’re lacking in oversight or regulation?

Dr. Detwiler: There were very few states that were reporting E. coli at that time, but within a year that had quadrupled. Today, we have Pulsenet and Foodnet, which are federal collections of data related to foodborne illness incidents, and we have much better—when you’re looking at multi-state outbreaks—data being collected.

One area that’s of interest is the FDA Food Code in that it is updated regularly, but there are some states that use very old versions of it. When I was doing my doctorate research just a few years ago in 2015-2016, there were some states that were using versions of the Food Code there were over 20 years old, and clearly the science has changed.

On the federal level, there are 15 different federal agencies that play a role in food safety as well as many different state agencies, but you don’t just have 50 states. Within those 50 states you have either the State Department of Agriculture or the State Department of Health overseeing food safety—each of which have two different missions and two different sources of funding. On top of that there are more than 3,000 different jurisdictions for food safety in the U.S. when you start looking at military bases, tribal reservations, universities and colleges, etc. In some places it’s regulated by the state and in others it’s by county or even by city. So there are a lot of moving pieces and a lot of different players, resulting in this patchwork of regulatory agency oversight.

Shortly after the 1993 outbreak, the USDA declared that E. coli was an illegal adulterant in meat, and today we rarely see cases of food safety failure related to E. coli and meat. However, there were no significant changes in FDA policy until FSMA was passed in 2010, and the rules didn’t start to be implemented until 2016.

Imagine if we had a single food safety agency. Imagine if there had been a single agency 30 years ago and if the change in policy hadn’t just impact food regulated by the USDA but instead impacted all foods.

Does this mean you support the potential move to create a single Human Foods program at the federal level?

Dr. Detwiler: I do support it and believe it would solve some of these gaps. When you look at other nations you don’t have the division among the states like we have here. Just the sheer number of agencies at the federal level, economically it doesn’t make sense. Look at what happened after 9/11. Suddenly you have the Department of Homeland Security that says we can cut through some of these problems by creating a federal agency that brings together all the different agencies involved in national security. Imagine if something like that was done in terms of food safety.

There are a lot of factors to consider, and this is a complicated issue. I don’t think this documentary will answer all the questions, but I hope that it will compel consumers to start asking these questions. That is where we can potentially see the greatest change and improvement in food safety.

You mentioned that in the documentary the film makers wanted to focus on the legacy of 1993, what in your words is the legacy of 1993?

Dr. Detwiler: In terms of the positive, it gained the media’s attention. We have a food safety culture and industry today that has radically grown when you look at magazines and websites and conferences and things like that. What I do find unfortunate is that it is focused on industry. Imagine if all the messaging about driver safety was kept within the automobile industry and not actually getting to drivers. This documentary fills a big gap by focusing on the consumer. We also have seen the positive impact of the USDA declaring E. Coli an illegal adulterant in meat.

Poisoned Film Screen

Some of the things the documentary highlights, however, is the issue of antibiotic resistance and salmonella still being legal in poultry. When you look at some of the things that haven’t changed—for example, we see cattle feed lots that are next to where romaine lettuce is grown, the idea that Hepatitis A could be prevented in the food industry and in restaurants if employees simply got the vaccine to prevent it, and the lack of consequences for food safety failures—there are still areas that are lacking.

Most people don’t realize that with Jack in the Box back in 1993, there were no state or federal charges filed even though the CEO acknowledged—in front of news cameras—that they violated state law on the minimum cooking temperature, resulting in hundreds of illnesses and hospitalizations and the death of four people.

For families who’ve lost a child or their child has been left disabled, these cases have all been settled out of court and out of the public eye. This documentary bypasses all of that and puts this information in a very public package.

Ana Allende
Food Genomics

Listeria Contamination Patterns in Produce Processors

By Food Safety Tech Staff
No Comments
Ana Allende

A study published in Frontiers in Sustainable Food Systems (May 2023) looked at Listeria monocytogenes (Lm) contamination patterns in three produce processing facilities—one with a cut iceberg lettuce line, one with a cut fruit line and one with a salad bowl line. Lead author Ana Allende, Ph.D., and her team from the CEBAS-CSIC research institute in Spain also tested biocides against resident Lm populations to gauge efficacy and potential loss of sensitivity.

The two-year project was designed to yield practical data about produce facilities’ environmental monitoring plans as well as the efficacy of sanitation programs.

Their first objective was to understand how different factors such as zoning, sanitary design and connectivity affected the probability of contamination in different fresh produce processing facilities. In the case of salad bowls, the ingredients included not only leafy greens and other vegetables but also proteins from meat, fish and cheese, or pastas from different sources.

The researchers divided the processing areas into three zones based on their proximity to contact with the produce. Zone 1 involved areas with direct contact, such as knives and conveyor belts. Zone 2 included surfaces that did not contact food but were in close proximity. Zone 3 included more remote noncontact surfaces, such as drains, floors and ceilings, that could potentially lead to contaminating zones 1 and 2.

The researchers conducted systematic sampling of the facilities at the end of the day before cleaning and sanitizing. They also resampled the three processing lines after the cleaning and disinfection activities. In addition to the more than 600 total samples from the three zones, the researchers collected 45 samples from raw ingredients and end products.

Findings

Regardless of the facility, the highest number of positive Lm samples came from Zone 3. Whole genome sequencing revealed that the same two serotypes of Lm were found on the three processing lines after the two samplings, before and after cleaning.

“This makes us understand that these serotypes are inherent and are moving from zone 3 to zone 1,” said Allende.

When evaluating the efficacy of biocides against resident Lm isolates, “we found, indeed, all of the isolates obtained from the environment after cleaning were sensitive to the biocides,” she said.

While the research aimed to provide relevant results for the three cooperating produce processors, it also has broader implications for the produce industry about how they should conduct environmental monitoring including sampling after processing just before cleaning, Allende said. In addition, it should help processors better understand the main contamination points in zone 1 and how they relate to identical or similar Lm sequence types in zones 2 and 3.

“One of the hypotheses we had was the raw material was introducing much of the Listeria,” she said. “This was before we did sampling and the whole genome sequencing to understand the isolates and that they were not all coming from the raw material. Some of the contamination was probably coming from zone 3 in the different processing facilities.”

Image: Ana Allende, Ph.D.

Apple Juice

FDA Sets 10 ppb Action Level for Inorganic Arsenic in Apple Juice

By Food Safety Tech Staff
No Comments
Apple Juice

The FDA has issued a final guidance “Action Level for Inorganic Arsenic in Apple Juice,” which identifies for industry the action level of 10 parts per billion (ppb) for inorganic arsenic in apple juice. The guidance supports the FDA’s goal to reduce exposure to environmental contaminants from foods commonly consumed by babies and young children.

The FDA noted that its testing results reflect a trend in reductions in the amount of inorganic arsenic in apple juice on the market, with an increasing percentage of samples testing below 3 ppb and 5 ppb. However, since the release of the draft guidance in 2013, the agency has identified some apple juice samples with inorganic arsenic levels above 10 ppb—the level the agency considers achievable with the use of good manufacturing practices.

Though non-binding, the FDA expects that the 10 ppb action level will help to encourage manufacturers to reduce levels of inorganic arsenic in apple juice. The agency said that it will continue its current practice of monitoring arsenic in apple juice samples and if testing identifies inorganic arsenic in apple juice above 10 ppb, the FDA will consider this action level, in addition to other factors, to determine whether to take enforcement action.

 

2019 FSC Audience
From the Editor’s Desk

Earn Up to 26 CE credits at the 2023 Food Safety Consortium

By Food Safety Tech Staff
No Comments
2019 FSC Audience

Food safety and quality professionals attending the 2023 Food Safety Consortium can gain up to 20 NEHA-recognized continuing education (CE) credits, while taking advantage of two days of high-level panel discussions and professional networking, “boots on the ground” education on the mitigation, regulation and control of key Food Safety Hazards, and their choice from four pre-conference workshops.

The Consortium will take place October 16-18 at the Hilton Parsippany in Parsippany, New Jersey, and feature leading industry professionals as well as high-level members of the FDA and USDA. Session highlights include:

  • Anti-Food Fraud Tactics for the Entire Supply Chain
  • Regulatory Audits
  • Food Safety Culture: Creating a “Speak Up” Culture
  • The Rise of Previously Unforeseen Hazards
  • FSMA 204: The Final Rule – Looking Ahead
  • Audited and Validated Allergen Control Plans
  • Recall Trends and Predictions
  • And more

View the full agenda and speakers

This year’s Food Safety Consortium is co-located with the Food Defense Consortium and Cannabis Quality Conference. The Consortium’s two-day program is recognized by NEHA (National Environmental Health Association) for 12.0 Continuing Education (CE) Hours. If you participate in one of the Pre-Conference Workshops or Trainings and attend the conference (a total of three days), you can gain 20 NEHA CE Hours (or up to 26 with the auditor training program).

Pre-Conference Workshops (held on Monday, October 16) include:

Food Safety Culture Design Workshop, presented by the Center for Foodborne Illness Research and Prevention in collaboration with Sage Media, will guide food industry professionals through the necessary steps to create an actionable food safety culture strategy.

CP-FS Credential Review Course. The Certified Professional – Food Safety (CP-FS) credential is the gold standard for those working in retail food safety, including cannabis edibles. Earning your CP-FS demonstrates your commitment to the health and well-being of your customers and shows the public you take their safety seriously.

Interested in becoming a food safety auditor or building your auditing skills? View the complimentary webinar, “What Does it Take to Become a Food Safety Auditor?” to learn more about this program.

Food Safety Auditor Training. This four-part series is designed to provide the knowledge, behaviors and technical skills attributed to a competent food safety auditor. The series includes three virtual 2-hour presentations conducted by a live instructor. These sessions are recorded and available for additional self-paced study for less experienced participants, while experienced auditors can refresh their understanding of auditing fundamentals before advancing to the more complex skills and critical thinking behaviors needed to audit high risk products. The course culminates with a full day of in-person instruction (Monday, Oct. 16) on advanced topics such as potential conflicts of interest, enhanced conflict resolution techniques and providing tips in advanced written communication skills to support the delivery of comprehensive audit reports.

The Seed to Sale Safety Workshop. Led by four veterans of cannabis quality and safety, this pre-conference workshop offers participants an interactive and engaging opportunity to learn about the novel seed-to-sale safety considerations associated with cannabis edibles. Participants will achieve an understanding of cannabis hazard analysis, learn the principles of cannabis edible GMPs, apply food safety best practices, identify risks in marketing and labeling and apply the fundamentals of state and federal regulatory compliance.

Register now for the 2023 Food Safety Consortium

Jennifer Allen
Food Safety Attorney

Protecting the Nation’s Tiniest Consumers

By Jennifer Allen
No Comments
Jennifer Allen

Does your company need to worry about regulations relating to foods designed for infants (considered to be anyone aged 0-12 months)? If you manufacture infant formula, then of course the answer is yes. But what if you manufacture baby food—those cute little jars of liquified goodness? Traditionally, those types of food haven’t been subject to any special FDA regulations. Manufacturers simply need to follow the regulations that govern all foods designed for consumption by humans of any age. That, however, is changing.

There is a growing push to limit, and ultimately eliminate, heavy metals, such as inorganic arsenic, lead, cadmium, and mercury, present in baby food. These elements are present in our food chain in amounts that are concerning to members of the U.S. Congress and other stakeholders because of modern manufacturing techniques, and they have an outsized effect on infant health.

Pending Legislation

On March 25, 2021, the Baby Food Safety Act was introduced in Congress. As of the time this article was written, it had not yet passed. If it passes, it will require manufacturers, within one year of its enactment, to reduce levels of inorganic arsenic in non-cereal foods to 10 ppb and in cereals to 15 ppb, levels of cadmium and lead to 5 ppb in non-cereals and 10 ppb in cereals, and levels of mercury to 2 ppb in non-cereals and cereals. Within three years of enactment, the Act requires that final regulatory levels be set that reduce these levels to an even lower amount. It also requires reevaluation of the current regulatory levels every five years thereafter.

But the Act would do much more than simply setting limits for heavy metals in baby food. It would also:

  • Add regulations to the Food Drug and Cosmetics Act requiring FDA to specifically regulate foods for consumers up to 36 months old
  • Require manufacturers to report levels of heavy metals biannually on their websites
  • Give FDA mandatory recall authority
  • Mandate creation of public awareness campaigns
  • Offer grants for farming research

Current FDA Actions

The FDA is already working to reduce heavy metals in baby foods. In August 2020, the FDA finalized guidance setting the limit for inorganic arsenic in baby rice cereals to 100 micrograms per kilogram. Fortunately, most manufacturers had already achieved those limits; sampling from 2018 showed that 76% of manufacturers were in compliance, up from 47% in 2014 and from just 36% between 2011 and 2013.

In early 2021, FDA launched an action plan to address heavy metals in foods consumed by infants and young children, called Closer to Zero. The overarching purpose of the plan is to gather data about heavy metal levels and then set tolerances for those substances, with the input from all stakeholders. Thus, the FDA has signaled its intent to act regardless of what Congress has in store.

More recently, the FDA issued draft guidance, titled “Action Levels for Lead in Food Intended for Babies and Young Children,” recommending that levels of lead be limited to 10 ppb in fruits, some vegetables, and yogurt, and to 20 ppb in root vegetables and dry cereal. The guidance is focused on processed foods, including foods served in jars, pouches, tubs, and boxes intended for children under two.

Whatever the ultimate outcome of these initial steps taken by Congress and FDA, one thing is clear: Concerns about heavy metals in the foods consumed by our tiniest citizens isn’t going away. So, if the product you manufacture or grow may be destined for a jar of baby food—even if you don’t think you manufacture baby food—it’s time to begin working to address the issue in your facilities and your fields.

Paul Damaren

Technology and ISO Compliance: Work Smarter, Not Harder

By Paul Damaren
No Comments
Paul Damaren

 ISO compliance is essential to maintaining high levels of food safety and quality. Trying to manage the ISO compliance process manually—with paper files or Excel spreadsheets—is an expensive, time-consuming, error-prone process. Manual systems make it difficult to spot noncompliance issues, track certification paperwork, and get real-time visibility across an enterprise. Technology can be a game-changer when it comes to achieving and maintaining ISO compliance.

SaaS-based quality and audit software can automate ISO compliance-related tasks, making it easier as well as more efficient and accurate to track quality metrics, document corrective actions, and generate reports. Additionally, this software can save time and costs, while reducing the risk of errors. It also provides real-time visibility into the compliance process, allowing organizations to quickly identify and address any issues that may arise, ensuring that they stay compliant.

Tech Trends to Watch

While technology has already elevated ISO compliance dramatically, there are some exciting trends we are watching that have the potential to significantly improve the process:

  • The rise of automation and the Internet of Things (IoT) are driving increased adoption of technology solutions for ISO compliance and quality management.
  • The use of data analytics and artificial intelligence (AI) are becoming more prevalent in ISO compliance, as companies look for ways to improve the accuracy and efficiency of their compliance efforts.
  • Consumer demand for transparency and sustainability is driving increased attention to ISO compliance and quality management. This will continue to intensify in the coming months and years.

Recently, we have seen large companies adopting technology to improve their quality and safety initiatives. Some notable examples include consumer goods giant Procter & Gamble, who implemented a comprehensive quality management system that incorporates ISO standards. P&G has worked hard to achieve ISO certification across many of its global operations, vowing to operate responsibly, build and maintain public trust in their products, and meet (or exceed) all legislative and regulatory safety requirements.

Similarly, Swiss fragrance and flavor manufacturer Givaudan has implemented a digital quality management system to automate quality data collection and analysis, helping the organization achieve compliance with ISO standards and improve product quality. They have developed a structured system to identify, assess, respond to, and mitigate risks to protect the company’s products and assets. They also vow to improve compliance with proper corporate governance guidelines and to follow all applicable laws and regulations. Hopefully, we’ll see more organizations following their lead.

The Benefits of Adopting Tech Solutions

There are many benefits to adopting new technologies to achieve ISO compliance. These include:

  • Automating essential tasks. Tech tools make it much easier to track metrics, document corrective actions, and generate reports, compared to manual methods. They also improve accuracy, allowing you to save time, money, and hassle. The more efficient, streamlined process lets you work smarter, not harder.
  • Reducing risk. Tech tools can help organizations increase their safety processes and protocols, achieve ISO compliance, and reduce the risk of food safety breaches that could cause major legal, financial, and reputational damage. Maximizing safety—and minimizing risks—can help boost key performance indicators (KPIs), including sales and profits, as well as customer loyalty, retention, and referrals.
  • Centralizing data. Many food businesses have overflowing file cabinets in their back offices, and they’d be hard-pressed to find a specific document quickly for an auditor. It’s far more effective and efficient to organize these documents through a tech solution that provides centralized, organized data and reports. This way, you’ll always have quick, easy access to information at your fingertips, allowing you to instantly track, manage, and find the various components of ISO standards—including certification documents, audit information, and operational records. This can save significant time (and frustration) over paper file systems.
  • Boosting visibility and transparency. Tech tools provide real-time visibility as well as a wider, deeper, more comprehensive view of your whole enterprise—or drill down by location. With access to real-time data, your organization can quickly identify (and fix) any noncompliance issues that may arise, allowing you to stay compliant. It also answers customers’ and investors’ calls for more transparent information about your business practices.
  • Boosting ROI. Companies may worry about the cost of purchasing tech tools—especially during our current economic uncertainty—but this is one of the smartest investments that your organization can make. Investing in modern technology solutions will save you money in the long run. Tech tools provide a huge ROI, by helping companies cut costs through energy efficiency, prevention of food safety breaches, and elevation of customer confidence, loyalty, and sales. Becoming ISP certified can also result in other lucrative benefits, such as attracting new investors, and helping to recruit and retain employees.
  • Reinforcing key messages to priority populations. Since ISO is widely considered the global gold standard, when you become ISO certified, you’re demonstrating that you prioritize safety, quality, consistency, and compliance, and that you’ve followed guidelines to provide consistently high-quality products and services. Being ISO certified demonstrates to key audiences, including your customers, investors, employees, and other stakeholders, that you’re investing the time, money, and energy into running as safely, effectively, and ethically as possible, and that protecting them remains your top priority.

Technology can make a dramatic difference in achieving ISO compliance, transforming the process from the manual methods that organizations have used for years. By automating the necessary tasks, you’ll save time, identify (and fix) areas of noncompliance, reduce errors and headaches, boost efficiency, increase visibility, and centralize data. Now is the time to ditch your paper certifications and overflowing file cabinets and embrace a smarter, easier, more efficient way of working.