Breaking: CPSC Notifies Numerous Companies of Unprecedented, Unauthorized Disclosure of Information
Late this afternoon, the U.S. Consumer Product Safety Commission (CPSC) informed what could turn out to be a very large number of consumer product companies that it recently discovered what appears to be a mass inadvertent disclosure of nonpublic manufacturer and product specific information. Given the type of data CPSC retains in its databases, the information released almost certainly involves safety incidents that are specific to manufacturers and their products. Based on the letter sent to manufacturers from the CPSC’s Office of General Counsel, it also appears that CPSC sent this information to multiple recipients.
In CPSC’s letter, the agency stated: “[W]e recently discovered that nonpublic information identifying your company by name along with product model name and/or model number was released in error to the public without following the procedures in 15 U.S.C. § 2055.”
For those readers unfamiliar with this provision of the law, often referred to as “Section 6(b)," it provides procedures for and restrictions on CPSC’s public disclosure of manufacturer and product specific information. It applies to any information from which the public can readily ascertain the identity of a manufacturer or private labeler of a consumer product. The purpose of 6(b), as originally enacted, was to protect manufacturers from CPSC’s disclosure of potentially inaccurate or misleading information regarding their products.
CPSC’s letter notifying the manufacturers also states that CPSC staff has contacted the recipients of the information and has “requested” that they return the information to the agency or destroy the information and certify the destruction. Furthermore, CPSC informed the recipients that this information cannot be published or further disseminated. Based on the agency’s letter, it does not appear that those who received the data would be breaking the law if they held onto or used the data. The letter is phrased as a “request” for the recipients of the data to return or destroy it and it appears that the agency is not able to compel the recipients to do so.
We obtained a copy of what appears to be CPSC’s correspondence to the recipients of the unauthorized data release. It states:
“The U.S. Consumer Product Safety Commission (CPSC) staff writes to inform you that we recently discovered that on October 24, 2018 and November 7, 2018 nonpublic information identifying manufacturers by name along with product model name and/or model number was released in error to you without following the procedures in 15 U.S.C. § 2055. We seek immediate action from you by returning the documents containing nonpublic manufacturer specific information to the CPSC or destroying the nonpublic manufacturer specific information you received in error from CPSC staff and certifying destruction of that information. This information cannot be published or further disseminated by you."
Based on this it appears the information could have been released months ago but the agency only just recently discovered the issue and requested that the recipients certify that they returned or destroyed the information. While we do not know the full extent of the disclosure, it appears to be very large, and we believe it is unprecedented in scale. Consumer product manufacturers that have received this notice should start taking steps to determine the extent of the information CPSC released about their products and how it affects their company
Coincidentally, this incident follows Tuesday’s House hearing on oversight of CPSC, at which Section 6(b) and its role in the consumer product regulatory arena was discussed and debated at length. Suffice it to say, today’s notice of this significant unauthorized disclosure of information will only further put Section 6(b) in the spotlight.