CPSC Inspector General Concludes 2019 Data Breach Was Much More Significant Than Reported and Caused by Mismanagement and Incompetence
On September 25th, the CPSC Office of Inspector General (“OIG”) released its long-awaited report summarizing its investigation of the 2019 CPSC data breach. Most notably, the report finds that the data breach was larger and went on for longer than originally disclosed by the agency. The report further concludes that the primary causes of the data breach were mismanagement and incompetence, but rejects any speculation that the data breach was the result of outside hackers or a deliberate leak by a CPSC employee. The CPSC management response to the report does not fundamentally contest its findings. At a public hearing in 2019, Commissioner Dana Baiocco recommended an FBI referral, but it was decided to rely solely on the OIG for an independent review.
The CPSC data breach originally came to light in April 2019. Manufacturers affected by the breach received letters that month from the CPSC notifying them of the inadvertent disclosure of nonpublic manufacturer- and product-specific information. Such disclosures were in violation of Section 6(b), which provides procedures for, and restrictions on, CPSC’s public disclosure of manufacturer- and product-specific information. The purpose of 6(b) is to protect manufacturers and others, including consumers, from CPSC’s disclosure of inaccurate or misleading information regarding products.
In the spring of 2019, CPSC reported that its “Clearinghouse”—the function but apparently not a formal office of the agency that processes information requests—released sensitive information to approximately 29 to 36 recipients. In reality, early on in the course of its investigation, the OIG determined that the breach greatly exceeded the agency’s estimates. In fact, due to the apparent scope of the breach, the OIG contracted with forensic auditors to conduct an independent review of the CPSC Clearinghouse employees’ communications from 2010 through 2019. The independent auditors determined that the CPSC employees inappropriately released sensitive information in 1,725 emails to approximately 556 recipients. These emails contained either Section 6(b) information or personally identifiable information. OIG also determined that hundreds of unauthorized CPSC employees had access to an unsecured shared drive containing Section 6(b) information and personally identifiable information.
So, why was the CPSC’s initial estimate so wrong? The OIG report states that the CPSC’s initial assessment of the scope of the data breach was incorrect because CPSC senior management inappropriately relied on Clearinghouse staff to assess the scope of the data breach. Clearinghouse staff likely used a poor methodology and the individuals performing the assessment lacked training or experience in handling data breaches. “This resulted in a minimization of the scope of the data breach and compromised the CPSC’s efforts to effectively respond to the data breach,” the report finds.
Ultimately, the OIG report concludes that the incompetence that caused the data breach was the result of a lack of “supervision, document policies and procedures, and training for non-supervisory and first level supervisory Clearinghouse employees.” Moreover, it is explicitly critical of CPSC management: “For years, agency management signed statements of assurance affirming that there were effective internal controls in place over the Clearinghouse, despite knowing this was not true.”
The report concludes with 40 recommendations to remedy the problems that caused the data breach and the agency’s ineffective response to it. For example, the OIG recommends that the CPSC scrap the multiple data extraction tools it currently uses and implement a single data extraction tool, one that provides improved search capabilities while adequately blocking protected data from release. It also recommends extensive training for all Clearinghouse staff on the data extraction tool, the procedures for responding to requests for information, and Section 6(b).
It’s worth noting that the OIG also investigated the allegation that the data breach was caused in whole or in part by collusion between CPSC employees and Consumer Reports, a nonprofit consumer organization. The OIG found this allegation to be baseless—there was no evidence of Consumer Reports colluding with or having undue influence over CPSC employees.
The findings in the OIG report are troubling. There are important laws that must be complied with in carrying out this function, and serious privacy and reputational concerns are at stake. Of course, this kind of situation occurs in the private sector as well, but it is particularly egregious for a law enforcement agency.
For practitioners, the data breach undermines our ability to assure clients that their data will be treated with appropriate confidentiality, feeding into their worst fears about reporting to the government. One hopes that the CPSC has learned a tough lesson and will implement the OIG’s recommendations in order to better protect both Section 6(b) information and personally identifiable information. This is a critical base function for any CPSC Chair in the future.