CPSC Data Breach: Requirements for Handling Sensitive Information
Many manufacturers were affected by the CPSC’s improper disclosure of a mountain of sensitive information, including both company data and consumers’ personally identifying information. While the full repercussions are not yet clear, the disclosure creates the risk that third parties will misunderstand and mischaracterize the information.
This incident also presents an opportunity for companies and CPSC observers to reexamine the processes that are intended to prevent unfair disclosures. The CPSC is often asked to disclose sensitive information, and typically companies can weigh in when the CPSC responds to these requests. But are companies really afforded meaningful opportunity to comment?
In this first of a two-part series following the recent major data breach at the U.S. Consumer Product Safety Commission (CPSC), we examine the procedures that the CPSC must follow in handling and disclosing sensitive information. Part two of our data breach series will cover why procedures matter and why efforts to abandon them are misguided.
A Statutory Obligation to Pursue Accuracy and Fairness
The Consumer Product Safety Act (CPSA) has information-disclosure provisions known as “6(b).” The rules establish a process by which companies can let the agency know if it has its facts wrong, and they require the CPSC to “take reasonable steps” to ensure fairness and accuracy.
Ultimately, 6(b) offers injunctive relief where the CPSC insists on making a disclosure that a company believes is inaccurate or unfair. But to obtain an injunction, the company must sue the CPSC in courts that frequently defer to agencies, and the litigation unfolds in public, which reduces its value in protecting information. Unsurprisingly, only a few companies have pursued 6(b) injunctions in the CPSC’s nearly half-century history.
Still, while injunctive relief may not be reasonably available in most circumstances, 6(b) requires the CPSC to take certain steps before it discloses information. What are those steps, and are they meaningful?
The CPSC must provide companies with notice and an opportunity to comment, but 6(b) does not require that the agency withhold a disclosure that it believes is fair and accurate. The CPSC can also require companies to respond quickly, with proposed disclosures going from notice to public statement in 20 days. In three weeks, a company may have to review the information, correct any issues, and decide whether to file suit.
Those 20 days can shrink if the CPSC determines “that the public health and safety requires a lesser period.” Occasionally, the CPSC has shrunk notice to as little as 24 hours.
Further, where the CPSC believes a situation is urgent, even the limited procedural guardrails come off. If the agency files an action to force a recall or reasonably believes that a product violates a rule, there is no pre-disclosure process required.
Finally, when mistakes happen, companies can ask the CPSC only to “take reasonable steps” to retract its errors, but it is unclear what that means. Is retraction available if the agency accurately relays inaccurate allegations? Moreover, a retraction may simply amplify the inaccurate information.
A Balance and a Trust
Companies face serious consequences when the CPSC discloses information about their products, and these consequences underscore the importance of 6(b)’s accuracy and fairness goal. The court in Relco  noted that, even when a disclosure is made in error, “[the CPSC’s] denouncement may well be tantamount to an economic death knell. Where a product is once shrouded with suspicion, especially suspicion cast upon it by the government, the harm is irretractable.”
Similarly, in GTE Sylvania, Chief Justice Rehnquist wrote for a unanimous Court that, because of its unique information-gathering powers, the CPSC is bound by “safeguards specifically designed to protect manufacturers’ reputations from damage arising from improper disclosure of information gathered and received by the Commission.”
Congress has recognized that there is a potential for unfair harm if the CPSC discloses inaccurate information. The statute reflects the timeless aphorism that modern pop culture most closely associates with Spider-Man: “With great power, there must also come – great responsibility!”
Stay tuned for part two of this series, where we will discuss the CPSC’s significant powers and why the CPSA should continue to direct that they be used responsibly.
 Pub. L. No. 92-573, 86 Stat. 1207 (1972) (codified as amended at 15 U.S.C. §§ 2051-2089).
 CPSA § 6(b), 86 Stat. at 1212 (codified as amended at 15 U.S.C. § 2055(b)).
 15 U.S.C. § 2055(b)(1)-(3).
 See Commission Finding That Shortens Periods For Issuing Information On Mesh Playpens, 63 Fed. Reg. 65,755 (Nov. 30, 1998).
 15 U.S.C. § 2055(b)(4).
 15 U.S.C. § 2055(b)(7).
 Relco, Inc. v. Consumer Prod. Safety Comm’n, 391 F.Supp. 841 (1975 S. D. Tex.) (holding plaintiff not entitled to injunction against CPSC’s administrative recall process.
 Id. at 846.
 Consumer Prod. Safety Comm’n v. GTE Sylvania, Inc., 447 U.S. 102, 111-12 (1980) (holding that 6(b) applies to responses to FOIA requests as well as to disclosures made at the Commission’s own initiative).
 Stan Lee, Steve Ditko, Artie Simek, Spider-Man!, Amazing Fantasy 15, at 11 (Marvel Comics June 5, 1962).