U.S. vapor product manufacturers must register all their products with the FDA by the new date of October 12, using an online system that has been plagued with problems. The most troubling bug, as previously reported, is data security: companies have been finding other companies’ proprietary information in their files. While the information leaked so far is not terribly sensitive, e-liquid manufacturers will be required to submit their trade-secret lists of ingredients for all their products next year.
Following the previous story, the FDA contacted The Daily Vaper to offer assurances about the situation. An FDA spokesman reported that the agency was aware of 18 cases in which one company received another’s information, noting that this was out of thousands of companies registered in the database and that “FDA has been in contact with both the companies whose information was shared as well as the companies who viewed or received the inadvertent disclosures.” In addition, the spokesman reports that the “technical issue was resolved soon after it was identified, and since then, no new issues have occurred.”
The problem was described only as “system anomalies” which were attributed to the high volume of system users simultaneously trying to meet the (since delayed) September 30 deadline. No comment was offered on why the FDA did not design a system that would be robust when faced with this inevitable crunch.
It is not clear that the FDA is aware of all the cases. Subsequent to that statement, one manufacturer told The Daily Vaper he received another company’s information but had not been contacted by the FDA. It seems unlikely this is the only such case. It is possible that the FDA has only tallied cases in which the company receiving the information proactively contacted them, though perhaps not even all of them. Another manufacturer says he contacted the FDA about having another company’s information in his files and got no response.
Whether there are 18 or 100 cases of this data leak, vapor product manufacturers remain unsatisfied. Skip Murray created the Facebook group that is functioning as the unofficial technical support system for FDA registrations, as well as a clearinghouse of problem reports. When presented with the FDA’s statement, she responded that “one disclosure of a competitor’s information is one too many. How are we supposed to feel safe when we submit our ingredient listings?”
One manufacturer who was contacted by the FDA after receiving another company’s information noted that it felt like the FDA mostly just wanted an assurance that the leaked information would not be disclosed. Taking advantage of the contact, the manufacturer asked for help with various other immediate problems, including being locked out of the system for a week, unable to make a final submission despite numerous unanswered inquiries. The FDA responded only with their boilerplate information which had already proved unhelpful.
Other manufacturers report that the FDA began the process of resolving their data leak issues, only for the agency to go silent without ever finishing. One company reports that the FDA acted only after intervention by their congressman’s office. Another manufacturer who says he never received another company’s information was told by the FDA that he did, and was then pressured to state on a recorded phone call that he would not divulge or use any of the (nonexistent) information. The FDA is apparently very worried about the implications for their data security problems, perhaps because of how it will affect their reputation among pharmaceutical companies.
Users of the FDA submission system remain frustrated with a litany of problems. Commenters on the Facebook group report problems logging in, lockouts, session timeouts, products missing from previous submission entries and a collection of more subtle and complex problems. These are in addition to the ongoing frustrations with the complicated instructions and unfriendly system that other group members were able to help with.
All of these problems were reported within the last day, eight days before the final deadline, ahead of the upcoming deadline crunch. Many companies’ repeated attempts to contact the FDA for help with these problems, via email and phone calls, have gone unanswered.
Thus it appears that the FDA’s technical team responded quickly, and perhaps even successfully, to the data leak problem. But they are not responding to the collected bug reports and ongoing confusion that the FDA has been asked about, let alone the information they could glean from the Facebook group in which volunteers are trying to help clean up the mess.
The Facebook group is also filled with triumphant posts from manufacturers who have completed their submissions successfully. These includes words like “miracle” and “fingers crossed.” It seems unfortunate, to say the least, that companies are describing successful navigation of a mere registration requirement as a miracle.
Regulation is a fact of life for businesses, a perfectly reasonable part of the social contract. But regulations usually exist before a business enters the marketplace and change only incrementally, with the regulator taking care to make sure compliance is a smooth process. An entrepreneur can normally survey the field and observe whether the regulatory requirements are too daunting to attempt. Companies already in the market can adjust to reasonable changes in requirements, and incremental changes allow regulators to make sure they really work. The imposition of the FDA’s registration requirement on existing small vapor businesses, forcing companies to desperately deal with broken infrastructure and opaque instructions, is straight out of Kafka.