Law360 (March 6, 2020, 4:27 PM EST) -- In Law360's latest installment of FDA Focus, King & Spalding's longtime U.S. Food and Drug Administration practice leader discusses how plaintiffs lawyers are capitalizing on warning letters, how regulators may strike an enforcement balance on CBD, the agency's scrutiny of medical device cybersecurity and a key change he would like to see in how inspection reports are handled.

Mark S. Brown, a Washington, D.C.-based partner, has spent the past quarter-century at King & Spalding LLP. He joined the firm in 1994 after nearly five years as associate chief counsel at the FDA and has led the firm's FDA practice since 2005. 

Prior to his stint at the FDA, Brown was a consumer protection lawyer at the Federal Trade Commission. He earned his bachelor's degree in political science at the University of Michigan and his law degree at Saint Louis University School of Law.

This interview has been edited for length and clarity.

What do you find rewarding about leading an FDA practice?

This is not just any FDA practice — it's the reason King & Spalding opened its second office in D.C. in 1979. The practice was built by some of the greatest FDA lawyers in the country, and it's the reason I joined the firm 25 years ago. Because the firm has entrusted me with the leadership of the practice, I have a great responsibility to build on its strong reputation, continue to grow the practice, compete for and win the best work, and navigate the practice through new challenges.

For me, what's especially rewarding is helping clients achieve great results, solving difficult problems and protecting the public health through the work that we do, the advice that we give and the decisions that we help clients make.

And beyond that, it's really developing the best FDA life sciences lawyers in the country, helping them achieve their personal goals, working together as a team and instilling the great culture of the firm in them so that they may carry it on and pay it forward.

What's a key skill for an FDA lawyer, aside from scientific prowess, that isn't taught in law school?

I'll give you two. First, I would say you need to tell clients what they need to hear, not what they want to hear. In a regulatory practice like this, where decisions have short- and long-term implications, the risks — and by that I mean risks to patients, to the public, to companies, to individuals — are often very significant. And the skill and the advice is: Don't be afraid to provide the client with advice that may be unwelcome. Be honest and straightforward.

Beyond that, I would say don't just identify issues. Develop solutions to problems. Early in my career, one of my mentors and supervisors taught me this: He basically said, "Don't come into my office merely having identified a problem without also bringing ideas about how to solve the problem." And clients come to us with difficult and complicated scenarios and problems, and they want your best thinking to help solve those problems.

FDA Commissioner Stephen Hahn has been in office since December. What's been his most notable move so far?

Arguably, the most important issue he has confronted is preparing for a potential coronavirus pandemic. This is a serious and complicated public health issue that poses numerous challenges associated with medical and consumer products offered for sale in the U.S.

The most recent reports show that the virus is spreading across the globe. The FDA has announced a list of specific actions Commissioner Hahn is spearheading to respond to the outbreak of the virus. Those actions reflect thoughtful analyses of the public health tools, resource allocation, surveillance activities and other measures to help ensure the safety and quality of FDA-regulated products for the American public.

What's one of the more important policy issues we're waiting for Hahn to address?

We are spending a lot of time talking with clients about medical device cybersecurity risks. We are helping with the development of proactive programs to assess risks and develop strategies and plans. Protecting against ransomware and other cyberattacks that could interrupt or impair treatment is a very real public health protection challenge.  

The FDA is very interested in the level of cybersecurity exposure for both legacy and new medical devices, and the agency is asking questions about strategies for preventing cybersecurity breaches and conducting risk assessments to understand vulnerabilities.

Currently, there is no statutory requirement — premarket or postmarket — that expressly compels medical device manufacturers to address cybersecurity. In the FDA's most recent budget, the agency identified a legislative proposal focused on cybersecurity of devices. This is an extremely important issue for all medical device companies.

On a related note, what pending FDA policymaking are you keeping an eye on? What are the potential implications?

There has been an enormous push — fueled by strong consumer demand — to formally legalize food and dietary supplements containing hemp-derived CBD. Our FDA and life sciences team has fielded a growing number of CBD-related questions from clients looking to expand their product offerings, clients with novel products and private equity firms looking to invest in CBD companies.

The FDA is in a box regarding its regulation of CBD. On the one hand, the agency has stated that it is committed to leveraging all the tools available to bring forward a pathway for CBD. On the other hand, the agency has said that it cannot conclude that CBD is generally recognized as safe, or GRAS, for use in human or animal food, because of a lack of scientific information.

Congress has specifically directed the FDA to develop and implement an enforcement discretion policy for products containing CBD. In response, the FDA agreed to submit a report to Congress regarding its progress in developing that policy. Even so, we don't expect the FDA to take immediate action to "legalize" CBD. It will be interesting to see how the FDA and Congress sort this out and develop a regulatory framework for CBD-containing products.

What's an FDA issue — new or old — that hasn't received as much attention as it deserves?

Consistent with the FDA's own statements in its Regulatory Procedures Manual, warning letters are deemed "informal and advisory," and the FDA does not consider them to be final agency action. In products liability and other business litigation, warning letters are used by plaintiffs lawyers as a weapon to establish violations of the Federal Food, Drug, and Cosmetic Act and to portray companies in a negative light, often influencing judges and juries. I don't think that tactic is as well known as it should be.

I would like to see the FDA add a box at the top of the first page of a warning letter — like the box on its guidance documents — that contains the following disclaimer in bold type: "Warning letters are informal and advisory and communicate to an FDA-regulated company or individual the issuing office's current, nonbinding position on a matter." That would clear up confusion and the misuse of warning letters in litigation or to influence stock prices.

If you could wave a magic wand and change or clarify one FDA policy, what would it be?

I would change the FDA policy that governs the release of establishment inspection reports. EIRs are narrative and comprehensive reports prepared by FDA investigators to reflect all aspects of an inspection, including its scope, findings and discussions with company personnel and executives.

Under the policy, the FDA's Office of Regulatory Affairs will not release the EIR related to an inspection classified as "official action indicated" — [which means that regulatory and/or administrative actions will be recommended] — until it receives confirmation that no further agency action is planned from the appropriate compliance branch or center.

We have seen several recent instances where the Office of Compliance in the FDA's Center for Drug Evaluation and Research classified an inspection as OAI and then placed a company on import alert or issued a warning letter based on information in the EIR that was not in the 483 [inspection summary] that was issued to the company at the close of the inspection.

In some cases, the owner of a facility classified as OAI, and then placed on import alert or given a warning letter, had no chance to respond to the issue following the inspection. In another recent case, the information in an EIR that prompted the OAI classification and the issuance of a warning letter was simply unsupported and incorrect.

The policy should be changed to require the FDA to immediately share the EIR and the basis for the enforcement action to give the company a chance to address and remedy the concern.

--Editing by Kelly Duncan and Jill Coffey.

This is part of a series of interviews with FDA practice leaders.

For a reprint of this article, please contact reprints@law360.com.