May 6, 2021

Volume XI, Number 126

CPSC Inspector General Concludes 2019 Data Breach Was Much More Significant Than Reported and Caused by Mismanagement and Incompetence

On September 25th, the CPSC Office of Inspector General (“OIG”) released its long-awaited report summarizing its investigation of the 2019 CPSC data breach. Most notably, the report finds that the data breach was larger and went on for longer than originally disclosed by the agency. The report further concludes that the primary causes of the data breach were mismanagement and incompetence, but rejects any speculation that the data breach was the result of outside hackers or a deliberate leak by a CPSC employee. The CPSC management response to the report does not fundamentally contest its findings. At a public hearing in 2019, Commissioner Dana Baiocco recommended an FBI referral, but it was decided to rely solely on the OIG for an independent review.

The CPSC data breach originally came to light in April 2019. Manufacturers affected by the breach received letters that month from the CPSC notifying them of the inadvertent disclosure of nonpublic manufacturer- and product-specific information. Such disclosures were in violation of Section 6(b) of the Consumer Product Safety Act, which provides procedures for and restrictions on the CPSC’s public disclosure of manufacturer- and product-specific information. The purpose of Section 6(b) is to protect manufacturers and others, including consumers, from the CPSC’s disclosure of inaccurate or misleading information regarding products.

In the spring of 2019, the CPSC reported that its “Clearinghouse” (the function, though apparently not a formal office, of the agency that processes information requests) had released sensitive information to approximately 29 to 36 recipients. In reality, early in the course of its investigation, the OIG determined that the breach greatly exceeded the agency’s estimates. Because of the apparent scope of the breach, the OIG contracted with forensic auditors to conduct an independent review of Clearinghouse employees’ communications from 2010 through 2019. The independent auditors determined that CPSC employees inappropriately released sensitive information in 1,725 emails to approximately 556 recipients. These emails contained either Section 6(b) information or personally identifiable information. The OIG also determined that hundreds of unauthorized CPSC employees had access to an unsecured shared drive containing Section 6(b) information and personally identifiable information.

So, why was the CPSC’s initial estimate so wrong? The OIG report states that the CPSC’s initial assessment of the scope of the data breach was incorrect because CPSC senior management inappropriately relied on Clearinghouse staff to assess the scope of the data breach. Clearinghouse staff likely used a poor methodology and the individuals performing the assessment lacked training or experience in handling data breaches. “This resulted in a minimization of the scope of the data breach and compromised the CPSC’s efforts to effectively respond to the data breach,” the report finds. 

Ultimately, the OIG report concludes that the incompetence that caused the data breach was the result of a lack of “supervision, document policies and procedures, and training for non-supervisory and first level supervisory Clearinghouse employees.” Moreover, it is explicitly critical of CPSC management: “For years, agency management signed statements of assurance affirming that there were effective internal controls in place over the Clearinghouse, despite knowing this was not true.” 

The report concludes with 40 recommendations to remedy the problems that caused the data breach and the agency’s ineffective response to it. For example, the OIG recommends that the CPSC scrap the multiple data extraction tools it currently uses and implement a single data extraction tool, which should allow for improved searching while adequately blocking protected data from release. It also recommends extensive training for all Clearinghouse staff on the data extraction tool, the procedures for responding to requests for information, and Section 6(b).

It’s worth noting that the OIG also investigated the allegation that the data breach was caused in whole or in part by collusion between CPSC employees and Consumer Reports, a nonprofit consumer organization. The OIG found this allegation to be baseless—there was no evidence of Consumer Reports colluding with or having undue influence over CPSC employees. 

The findings in the OIG report are troubling. Important laws must be complied with in carrying out this function, and serious privacy and reputational concerns are at stake. Of course, this kind of situation also occurs in the private sector, but it is particularly egregious for a law enforcement agency.

For practitioners, the data breach undermines our ability to assure clients that their data will be treated with appropriate confidentiality, feeding into their worst fears about reporting to the government. One hopes that the CPSC has learned a tough lesson and will implement the OIG’s recommendations in order to better protect both Section 6(b) information and personally identifiable information. This is a critical base function for any future CPSC Chair.

©1994-2021 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume X, Number 281

About this Author

Charles Samuels Antitrust Attorney Mintz Levin Law Firm
Member

Chuck is an antitrust and regulatory lawyer who devotes a significant portion of his practice to assisting clients with consumer product safety and environmental regulations. He serves as general counsel to numerous trade associations. For the Association of Home Appliance Manufacturers, Chuck negotiated and drafted amendments to federal laws, including the Consumer Product Safety Act. Corporations in many industries, local governments, and state agencies are also on his client roster. He represents clients before a wide array of federal agencies, including the Consumer Product Safety...

202-434-7311
Shawn Skolky, Mintz Levin Law Firm, Washington DC, Corporate and Litigation Law Attorney
Associate

Shawn advises on many aspects of antitrust and competition law, including antitrust counseling, merger review, and private antitrust litigation, including class actions. His consumer product safety practice focuses on helping companies seeking representation on product safety reporting obligations, recalls, regulatory compliance, product safety investigations, and enforcement matters involving the Consumer Product Safety Act (CPSA) and other federal and state product safety laws.

202-434-7345
Evelyn French Compliance Attorney Mintz Law Firm
Associate

Evelyn focuses her practice on regulatory and compliance matters involving the Consumer Product Safety Act (CPSA) and other federal and state product safety laws. She helps companies seeking representation on product safety reporting obligations, product safety investigations, recalls, and other regulatory and enforcement matters. Evelyn also engages in trade association representation and has an antitrust practice in which she advises on many aspects of antitrust law, including merger review and private antitrust litigation.

Prior to joining...

1.202.434.7369