C-AIR TIMES ISSUE #412 - Monday, February 29, 2016 08:02

New CPSC Requirements for Self-Balancing Scooters (Hover Boards)
Grunfeld, Desiderio, Lebowitz, Silverman & Klestadt LLP / Heather C. Litman, Esq.

In a recently published letter to “Manufacturers, Importers, and Retailers of Self-Balancing Scooters,” the Consumer Product Safety Commission (“CPSC”) urged the trade to make certain that self-balancing scooters (hover boards) comply with currently applicable voluntary safety standards, including all referenced standards and requirements contained in UL 2272 – Outline on Investigation for Electrical Systems for Self-Balancing Scooters. In addition, the CPSC indicated that all lithium ion battery products must comply with test requirements under UN/DOT 38.3 Transport of Dangerous Goods for Lithium Metal and Lithium Ion Batteries.

Importantly, the letter reflects that the CPSC Office of Compliance and Field Operations staff considers hover boards that do not meet the new standards to be defective, and possibly a substantial product hazard or imminent hazard. As a result, the CPSC will begin detaining and seizing hover boards that do not comply with these requirements. Similarly, the CPSC states that if its staff encounters such hover boards domestically, it may seek a recall of the products.

Link to CPSC Letter

CPSC Will No Longer Require Flammability Certifications for Most Adult Wearing Apparel
Grunfeld, Desiderio, Lebowitz, Silverman & Klestadt LLP

On February 24, 2016, the Consumer Product Safety Commission (“CPSC”) announced changes to the certification requirements for adult wearing apparel that is exempt from flammability testing.

Pursuant to the Consumer Product Safety Improvement Act, manufacturers of consumer products subject to a rule, standard or ban enforced by the CPSC are required to issue a general conformity certification (“GCC”). The GCC must certify that the product is compliant based on a test of each product or a reasonable testing program. However, certain products are exempt from testing pursuant to 16 C.F.R. §1610.1(d) based on fabric weight and fiber content.

The CPSC has announced in a statement of policy that it will no longer pursue compliance or enforcement actions against manufacturers, importers, or private labelers for failure to certify or to issue, provide, or make available a GCC with respect to adult wearing apparel that is exempt from flammability testing pursuant to 16 C.F.R. §1610.1(d). These changes are set to take effect on March 25, 2016.

Adult wearing apparel that is made entirely from one more of the following fabrics is exempt from flammability testing pursuant to 16 C.F.R. §1610.1(d):

(1) Plain surface fabrics, regardless of fiber content, weighing 2.6 ounces per square yard or more; and

(2) All fabrics, both plain surface and raised-fiber surface textiles, regardless of weight, made entirely from any of the following fibers or entirely from combination of the following fibers: acrylic, modacrylic, nylon, olefin, polyester, wool.

This change only applies to adult wearing apparel that is exempt from testing pursuant to 16 C.F.R. §1610.1(d), above. Although these products are now exempt from both flammability testing and certification, the CPSC can still bring an enforcement action if a product is ultimately found to be non-compliant with the flammability standard. Certification will continue to be required for adult wearing apparel that is not exempt from testing pursuant to §1610.1(d), as well as adult apparel items that may be subject to other CPSC regulations. These changes also do not apply to children’s apparel.

President’s FY 2017 Budget Request: Key Investments for Implementing the FDA Food Safety Modernization Act (FSMA)
U.S. Food & Drug Administration

Summary

In the past year, great strides have been made to implement the FDA Food Safety Modernization Act (FSMA), with five of seven rules becoming final in September and November 2015 to provide science-based protections for domestic and imported foods—for both people and animals.

FDA’s broad objective has been to provide needed food safety protections for the American public while also making the rules as flexible as possible and workable across the great diversity of the nation’s food system. The substance of these rules has been informed by current industry practices and by extensive outreach across the country and overseas to farmers, manufacturers, commercial food handlers, consumers, and government partners.

FDA requested, and received, a significant increase in FY 2016—$104.5 million in new budget authority—in anticipation of implementing the final rules. A further increase is essential in FY 2017, primarily in the key areas of state funding for produce safety and ensuring the safety of imported food, to fully realize the public health and public confidence benefits promised by FSMA. In his FY 2017 Budget Request, the President has proposed additional resources that include an increase of $25.3 million of new budget authority to implement FSMA.

Full implementation of FSMA helps address the significant burden of foodborne illness in the United States each year, which the Centers for Disease Control and Prevention estimate at 48 million illnesses, 128,000 hospitalizations, and 3,000 deaths. The economic losses to industry, including farmers, are enormous, estimated at over $75 billion per year. FSMA reflects the need for a modern, global food safety system that prevents problems rather than primarily reacting to them after they have occurred.

Status of Rulemaking

FDA issued four key proposed rules in 2013—produce safety, preventive controls for human food, preventive controls for animal food, and Foreign Supplier Verification Programs (FSVP) —and conducted extensive outreach to have in-person dialogue with farmers and other stakeholders and to see farms and other food operations first-hand.
Based on what was learned through these visits and from many of the comments received in response to the proposed rules, FDA took the unusual step of issuing supplemental proposals in 2014 that proposed significant revisions to the original 2013 proposals.
In addition, FDA issued three more key proposed FSMA rules in 2013-2014, covering accreditation of third party auditors, focused mitigation strategies to protect food from intentional adulteration, and sanitary transportation of human and animal food.
Five of the seven rules are now final. The final rules for preventive controls for human and animal foods were published in the Federal Register on Sept. 17, 2015; the final rules on produce safety, FSVP, and accreditation of third party auditors were published on Nov. 27, 2015.
The final rules for sanitary transportation and intentional adulteration are due to be sent to the Federal Register on March 31, 2016, and May 31, 2016, respectively.

Implementation

To ensure successful implementation of FSMA, FDA has begun crucial planning and taken initial steps in the following areas:

inspection modernization and associated FDA and state staff training;
guidance development, education and technical assistance for industry;
building state capacity to partner with FDA on FSMA implementation; and
establishing an import safety system that addresses problems before food from other countries reaches the U.S. border.

FSMA funding received through FY 2016 is enabling FDA to lay a strong foundation for the success of FSMA, but additional funding is needed to meet congressional and public expectations, primarily in the areas of produce safety and oversight of imported food.

FY 2017 Plans for Requested Budget Authority

With the increase of $25.3 million requested in the President’s Budget for FY 2017, FDA will build on work that began with FY 2016 funds in two key areas.

1.National Integrated Food Safety System - $11.3 million
Collaborating with state, local and tribal governments through the National Integrated Food Safety System is a central element of FDA’s strategy to achieve full, effective, and efficient implementation of FSMA. The requested funding will be used primarily to support state capacity to implement the produce safety rule by delivering education and technical assistance to farmers and providing on-going compliance support and oversight. The states have been clear that they cannot perform these essential functions in furtherance of national food safety objectives without federal resources.

2.New Import Safety Systems - $14.0 million
The priority will be implementing the FSVP rule, which makes importers responsible for ensuring that the foods they bring in from other countries are produced in a manner that is consistent with U.S. food safety standards. FDA will use its FY 2017 funding to hire staff to perform FSVP inspections and provide training, technical assistance and outreach. The agency will also expand its overseas presence, increasing and better targeting FDA inspections of foreign food facilities, as well as working with and assisting foreign governments to ensure the safety of food before it is exported to the United States.

Conclusion
Developing reasonable, effective, and flexible rules to create a modern, prevention-based food safety system is a formidable job, but it is just the first step in FSMA implementation. Much more needs to be done to lay the groundwork for smooth and effective implementation of FSMA in FY 2017.

Trade Facilitation and Enforcement Bill Signed Into Law
Library of Congress

President Obama signed into law Feb. 24 a broad customs reauthorization bill that includes provisions on trade facilitation and enforcement, import safety, intellectual property rights protection, trade remedies, duty-free entry, customs brokers, drawback, trade partnership programs and other topics.

To read Bill Summary & Status

To read entire Bill [pdf]

CBP Targets, Intercepts Illegally Imported HID Headlamps
U.S. Customs & Border Protection

SAN JUAN, Puerto Rico - U.S. Customs and Border Protection (CBP), working closely with the U.S. Department of Transportation (DOT), seized last Wednesday, a shipment of 380 imported High Intensity Discharge (HID) conversion kits. The domestic value of the shipment was approximately $7,227.

"Ensuring the safety of imported products is a top priority for CBP," said Edward Ryan, Assistant Director of Trade for Puerto Rico and the U.S. Virgin Islands. "The concerted targeting efforts and vigilance of CBP officers and import specialists at our ports of entry will help ensure that unsafe products from overseas markets do not reach our roadways."

CBP officers seized the shipment following the determination that the equipment failed to meet DOT requirements that headlamp replaceable light sources be marked with the light source type, the light source manufacturer's name or trademark, and the DOT symbol indicating certification of compliance with governing regulations.

ASUS Settles FTC Charges That Insecure Home Routers and “Cloud” Services Put Consumers’ Privacy At Risk
Federal Trade Commission

Taiwan-based computer hardware maker ASUSTeK Computer, Inc. has agreed to settle Federal Trade Commission charges that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. The administrative complaint also charges that the routers’ insecure “cloud” services led to the compromise of thousands of consumers’ connected storage devices, exposing their sensitive personal information on the internet.

The proposed consent order will require ASUS to establish and maintain a comprehensive security program subject to independent audits for the next 20 years.

“The Internet of Things is growing by leaps and bounds, with millions of consumers connecting smart devices to their home networks,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “Routers play a key role in securing those home networks, so it’s critical that companies like ASUS put reasonable security in place to protect consumers and their personal information.”

ASUS marketed its routers as including numerous security features that the company claimed could “protect computers from any unauthorized access, hacking, and virus attacks” and “protect [the] local network against attacks from hackers.” Despite these claims, the FTC’s complaint alleges that ASUS didn’t take reasonable steps to secure the software on its routers.

For instance, according to the complaint, hackers could exploit pervasive security bugs in the router’s web-based control panel to change any of the router’s security settings without the consumer’s knowledge. A malware researcher discovered an exploit campaign in April 2015 that abused these vulnerabilities to reconfigure vulnerable routers and commandeer consumers’ web traffic. The complaint also highlights a number of other design flaws that exacerbated these vulnerabilities, including the fact that the company set – and allowed consumers to retain – the same default login credentials on every router: username “admin” and password “admin”.

According to the complaint, ASUS’s routers also featured services called AiCloud and AiDisk that allowed consumers to plug a USB hard drive into the router to create their own “cloud” storage accessible from any of their devices. While ASUS advertised these services as a “private personal cloud for selective file sharing” and a way to “safely secure and access your treasured data through your router,” the FTC’s complaint alleges that the services had serious security flaws.

For example, the complaint alleges that hackers could exploit a vulnerability in the AiCloud service to bypass its login screen and gain complete access to a consumer’s connected storage device without any credentials, simply by accessing a specific URL from a Web browser. Similarly, the complaint alleges that the AiDisk service did not encrypt the consumer’s files in transit, and its default privacy settings provided – without explanation – public access to the consumer’s storage device to anyone on the Internet.

In February 2014, hackers used readily available tools to locate vulnerable ASUS routers and exploited these security flaws to gain unauthorized access to over 12,900 consumers’ connected storage devices.

The Commission alleges that, in many instances, ASUS did not address security flaws in a timely manner and did not notify consumers about the risks posed by the vulnerable routers. In addition, the complaint alleges that ASUS did not notify consumers about the availability of security updates. For example, according to the complaint, the router’s software update tool – which allowed consumers to check for new router software – often told consumers that their router was on the most current software when, in fact, newer software with critical security updates was available.

In addition to establishing a comprehensive security program, the consent order will require ASUS to notify consumers about software updates or other steps they can take to protect themselves from security flaws, including through an option to register for direct security notices (e.g., through email, text message, or push notification). The consent order will also prohibit the company from misleading consumers about the security of the company’s products, including whether a product is using up-to-date software.

This matter is part of the FTC’s ongoing effort to ensure that companies secure the software and devices that they provide to consumers.

The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 24, 2016, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit comments electronically.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $16,000.