Thursday, August 14, 2008

Who owns the liability? Scenario #1

Counterfeit drugs are currently a booming business. I am not going to go into detail about this, since a simple Google search will tell you all you want to know about the problem.

Pharmaceutical companies do not like counterfeit drugs making their way into the marketplace. Counterfeits cut into profits and make a drug company look bad. Pharmaceutical companies, however, are generally not liable for counterfeits making their way into the marketplace. If someone chooses to buy their heart medication over the Internet and gets sugar pills that look like the real thing, and then dies from using those pills, nobody can credibly claim that the maker of the genuine drug is liable. If someone buys a counterfeit from a legitimate source (such as a genuine brick-and-mortar pharmacy), then the liability chain starts there, and a good investigation can probably trace the problem to somewhere short of the company making the genuine drug. Once again, Big Pharma (my nickname for the pharmaceutical industry) is not liable.

Now we get to ePedigree, the huge initiative mandated by the Federal Government that requires drug companies to implement a system to track and trace all the drugs they produce. At least one of the goals of mandating ePedigree is to combat the enormous proliferation of counterfeit drugs. In essence, drug companies will have to put an identifier on each package they sell to ensure that it can be traced all the way back to the manufacturing plant. If someone buys a counterfeit drug, the identifier will (ostensibly) be missing or fail to match the records, and the drug is therefore identified as a counterfeit. This is definitely an oversimplification of the ePedigree initiative, but the essence of what I am describing is valid.

One can imagine the enormous cost that Big Pharma must absorb in making this happen, not to mention everyone else involved in the supply chain. In short, this is an enormous headache for the entire industry. Counterfeits are definitely a problem, but the industry remains quite profitable despite the counterfeits on the market. It is difficult to ascertain the losses a company suffers due to counterfeits, but it can determine the enormous cost of ePedigree, and the numbers simply do not look pretty. The bottom line is that Big Pharma is currently interested in implementing a system whose primary virtue is low cost. That is essentially the first reaction of any organization which is forced to comply.

So let me paint a scenario. Big Pharma is required to put unique identifiers on its drugs. A drug counterfeiter makes a copy of the identifier (such as an RFID tag) and attaches it to a bottle of counterfeit drugs. Someone buys the counterfeit drug over the Internet (the same counterfeit heart medicine I mentioned earlier) and dies from using it. When checked for authenticity, the RFID tag reads as legitimate, and the bottle is traced back to its apparent source. Further investigation reveals that the tag itself was counterfeited. When asked what security Big Pharma put in place to prevent this from happening, what will the answer be? Who owns the liability at this point?

Creating an insecure (i.e. clonable) ePedigree system gives a counterfeiter a way to put drugs into the system that are deemed COMPLETELY VALID. The reason is simple: if the identifier is a static value that any reader can read, then any reader can also copy it, and a verifier that merely looks the value up in a database cannot tell the copy from the original. Nokia, for example, is currently building RFID readers into mobile phones. This could eventually make its way into the home, and someone who buys drugs over the Internet could "validate" their Internet purchases. Pharmacies that receive counterfeit drugs with "valid" RFID tags would feel quite confident that the drugs are legitimate. After all, the ePedigree information says they are!
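The scenario above, as an added example that is not part of the original post and is not any vendor's or regulator's ePedigree design: a manufacturer's database first checks a tag by serial lookup alone, which accepts a clone that merely copied the serial, and then applies two checks that catch it. The first is a challenge-response in which the tag must prove possession of a per-tag secret; the second uses the pedigree records themselves, since one serial cannot be handed from the same holder to two different parties. The tag data model, the per-tag keys, the custody-chain format and the party names are all hypothetical and constructed for the example.

```python
"""Added example (not from the original post): a serial-only pedigree check
accepts a cloned tag; a challenge-response check and a custody-chain check reject it.

Assumptions (hypothetical): each genuine tag carries a serial plus a per-tag secret
held by the manufacturer; the pedigree database stores each serial's custody chain.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Tag:
    serial: str
    key: Optional[bytes] = None  # None models a clone that copied only the readable serial

    def respond(self, challenge: bytes) -> Optional[bytes]:
        # A genuine tag proves possession of its secret; a plain clone has nothing to prove with.
        if self.key is None:
            return None
        return hmac.new(self.key, challenge, hashlib.sha256).digest()


@dataclass
class Manufacturer:
    keys: Dict[str, bytes] = field(default_factory=dict)            # serial -> per-tag secret
    pedigree: Dict[str, List[str]] = field(default_factory=dict)    # serial -> custody chain

    def issue(self, serial: str) -> Tag:
        """Commission a genuine tag and start its pedigree at the plant."""
        key = secrets.token_bytes(16)
        self.keys[serial] = key
        self.pedigree[serial] = ["manufacturer"]
        return Tag(serial, key)

    def verify_serial_only(self, tag: Tag) -> bool:
        """The weak check: the serial exists in the database, so the drug is 'genuine'."""
        return tag.serial in self.keys

    def verify_challenge(self, tag: Tag) -> bool:
        """The stronger check: the tag must MAC a fresh challenge with its secret."""
        key = self.keys.get(tag.serial)
        if key is None:
            return False
        challenge = secrets.token_bytes(16)
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        response = tag.respond(challenge)
        return response is not None and hmac.compare_digest(expected, response)

    def record_transfer(self, serial: str, sender: str, receiver: str) -> bool:
        """Append a custody transfer. Returns False when the sender is not the
        current holder, which is what a second copy of one serial looks like
        once both copies move through the supply chain."""
        chain = self.pedigree.get(serial)
        if chain is None or chain[-1] != sender:
            return False
        chain.append(receiver)
        return True


def run_scenario() -> Dict[str, bool]:
    """Constructed scenario: a genuine bottle reaches a pharmacy; a counterfeiter
    reads its serial and ships a clone through an Internet pharmacy."""
    mfr = Manufacturer()
    genuine = mfr.issue("0123456789")                       # constructed serial
    mfr.record_transfer(genuine.serial, "manufacturer", "wholesaler")
    mfr.record_transfer(genuine.serial, "wholesaler", "pharmacy")

    clone = Tag(genuine.serial)   # the counterfeiter copied the serial, not the secret

    return {
        "serial_only_accepts_clone": mfr.verify_serial_only(clone),
        "challenge_accepts_genuine": mfr.verify_challenge(genuine),
        "challenge_rejects_clone": not mfr.verify_challenge(clone),
        # The wholesaler already handed this serial to the pharmacy, so a second
        # hand-off of the same serial from the wholesaler is a pedigree conflict.
        "pedigree_flags_second_copy": not mfr.record_transfer(
            clone.serial, "wholesaler", "internet pharmacy"
        ),
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

Two caveats a practitioner would want. The challenge-response check needs tags that can compute a MAC, which is exactly the cost the post says the industry is reluctant to pay; a read-only serial cannot do it. The custody-chain check is free, since the pedigree data already exists, but it only catches the clone after the two copies collide in the records, and it assumes the records themselves cannot be forged along with the tag.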

Several members of the RFID Security Alliance have met with Big Pharma and raised the issue of security in ePedigree, and the response has been less than promising. One company said it has absolutely no incentive to deal with security. Another said it will deal with security when it becomes a problem (this is ALWAYS a bad idea). Still others said they are not going to spend the money on security. These are all Fortune 10 companies. Big Pharma may deny this, but my sources are pretty darn good.

When faced with the question "Why didn't you make this more secure?", what is Big Pharma's answer going to be?

Will they claim ignorance?

Will they claim they are not liable?

Tough questions...