What is FDA’s role in policing food e-commerce? Will your operations be a new focus of FDA? Do these transactions occur in “the cyberspace,” “the internet,” or the “virtual world”? This post continues our review of the upcoming US FDA New Era in Smarter Food Safety public meeting on food e-commerce.
This is the third blog post in our multi-post series that focuses on the FDA “New Era of Smarter Food Safety” (SFS) blueprint. Other posts will include a review of the FDA public meeting, an e-commerce and food fraud overview, a country-level vulnerability assessment, an explanation of supply chain mapping and the use of criminology hot spot analysis, and possibly others.
A literature search was conducted to review e-commerce, cybersecurity, and related terms. This helps create a foundation built upon common definitions and usage of related terms in standards and certifications. Reviewing the many definitions of the term helps to avoid future misunderstanding.
ISO 27034 Guidelines for Cybersecurity
The International Standards Organization 27000 Information Security Management (ISO 27000) is a Management System Standard. Under the ISO 27000 series are sub-standards such as ISO 27001 for basic information technology requirements and ISO 27034 for cybersecurity. These standards include definitions that form the foundation of the requirements.
- Cybersecurity or Cyberspace security: preservation of confidentiality, integrity, and availability of information in the Cyberspace.
- the Cyberspace: complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form
- Internet or internetwork: a collection of interconnected networks
- the Internet: a global system of interconnected networks in the public domain
- Internet security: preservation of confidentiality, integrity, and availability of information in the Internet
- Virtual world: simulated environment accessed by multiple users through an online interface
E-Commerce Definitions from ISO
It is surprising that “e-commerce” was not defined in the ISO 27000 series. There were two ISO definitions, including ISO 9564 Financial services — Requirements for PIN handling in eCommerce for Payment Transactions, and ISO 15944 Information technology — Business Operational View. The definitions are simple, and the full scope is understood based on how they are used in the full text.
- eCommerce (ISO 9564): the buying and selling of products or services over open networks.
- Electronic Commerce (ISO 15944): category of business transactions involving two or more Persons, enacted through electronic data interchange, based on a monetary and for-profit basis.
E-Commerce and Related Definitions from the U.S. Government
Before reviewing the unmet regulatory needs, an important starting point is to review the definitions of E-Commerce. U.S. National Institute of Standards and Technology (NIST) is usually considered the primary source for definitions like this, but the U.S. Department of Commerce (DOC) is also critical since this is a classification of commercial trade.
- E-commerce or Electronic Commerce (NIST SP 800-32): the use of network technology (especially the internet) to buy or sell goods and services.
- Electronic commerce (U.S. Dept of Commerce – DOC): includes all forms of business transactions, such as the purchase of goods or services, undertaken through electronic means, such as telephones, televisions, computers, and the Internet.
- Electronic Commerce (41 USC 2301): electronic techniques for accomplishing business transactions, including electronic mail or messaging, World Wide Web technology, electronic bulletin boards, purchase cards, electronic funds transfers, and electronic data interchange.
The general E-commerce definitions include sales that are business-to-business (B2B) or business-to-consumer (B2C). The NIST and DOC definitions narrow the scope to sales, while the USC (U.S. Code) definition expands to all business-related transactions conducted in any electronic format. The USC definition developed from the older Electronic Data Interchange (EDI) concept. Early EDI included computers joined over telephone or fax-type connections.
- Electronic Data Interchange (EDI) (ISO 14662): automated exchange of any predefined and structured data for business purposes among information systems of two or more Persons. Note: This definition includes all categories of electronic business transactions.
The original application of EDI was only business-to-business (B2B) and not business-to-consumer (B2C). The early use of EDI covered a wide range of everyday business transactions, which is now referred to as E-business. E-commerce is usually narrowed to only the purchase transaction. Here, “E-business” is B2B.
- E-business versus E-commerce (GAO-02-404): In a transaction-based definition, electronic commerce is restricted to buying and selling, as distinct from conducting E-business (purchasing, selling, tracking inventory, managing production, handling logistics, and supplying communications and support services).
This literature review helps to understand the general terms and scope of E-commerce and cybersecurity. This is a solid foundation for reviewing the FDA food e-commerce focus.
FDA Food E-Commerce Focus
To continue the review of the FDA New Era in Smarter Food Safety public meeting on e-commerce, we will review the working definitions and scope that FDA published in the U.S. Federal Register.
- B2C e-commerce (FDA SFS E-Commerce): the manufacturing, packaging, labeling, storage, and delivery of human and animal foods sold directly to consumers through commercial transactions conducted electronically on the internet.
The subtitle of the event provides more detail on the scope and focus of the event: “Ensuring the Safety of Foods Ordered Online and Delivered Directly to Consumers.” This expands the FDA focus from only the electronic purchase transaction to all related operations (e.g., sourcing and production) and logistics (e.g., storage, handling, distribution, and delivery). The public meeting announcement further clarified the scope by providing examples of the types of problems.
- “The Summit will address a variety of topics related to human and animal foods sold through B2C e-commerce, including:
  - Types of B2C e-commerce models (e.g., produce and meal kit subscription services, ghost kitchens, dark stores);
  - Safety risks associated with foods sold through B2C e-commerce;
  - Standards of care used by industry to control these safety risks;
  - Types of delivery models (e.g., third-party delivery, autonomous delivery models);
  - Regulatory approaches to food sold through B2C e-commerce, including challenges and gaps that need to be addressed; and
  - Labeling of foods sold through B2C e-commerce.”
While the FDA meeting title identifies “e-commerce” as the subject, a deeper review of the public meeting invitation notice helps narrow the focus to concerns about food safety hazards from entities that have not previously handled foods. The FDA has asked for public comments that will provide information to conduct food supply chain mapping in order to identify where there are new, unaccounted-for food safety hazards. Remember, the requirements for this type of assessment are part of the Food Safety Modernization Act requirement that “The hazard analysis must be written regardless of its outcome” (21 CFR 507.33(a)(2) & 21 CFR 117.130).
Call to Action
This review of terms helps to identify two calls to action. The first is registering for the FDA food e-commerce meeting to hear the scope and then provide your comments. A second call to action is to map your food supply chain to identify where there is – or is not – a food safety hazard that falls within the scope of this FDA meeting.