CPSC Unauthorized Disclosure Notifications: What to Do
Reportedly, the U.S. Consumer Product Safety Commission (CPSC) is notifying companies of what could be considered a data breach: an unauthorized release of confidential information that “did not go through the procedures of 15 U.S.C. § 2055” – known colloquially as “6(b),” because those procedures are found in Section 6(b) of the Consumer Product Safety Act (CPSA).
We do not know the nature or scope of the information that was released nor to whom or when. At least one publication seems to be releasing company-specific information about reported incidents that appears to have come from this unauthorized disclosure.
As discussed below, there is no real redress for the unauthorized disclosure, but, at a minimum, companies have a right to know what information was disclosed. Both Section 6(b) and the CPSC’s implementing rules provide for this. Additionally, in the FOIA context, the CPSC typically informs companies of the nature and source of the FOIA request. This is even more valuable in this case, since anyone who received this unauthorized disclosure is now in control of that information, and companies may wish to engage with them.
Coincidentally, the Section 6(b) procedures were a significant focus of a CPSC oversight hearing held by the U.S. House Subcommittee on Consumer Protection and Commerce earlier this week. Two key points from that hearing:
6(b) encourages candor between the CPSC and regulated companies. With the assurance that sensitive information – including information no other health and safety agency has any expectation of receiving – will be handled under procedures intended to ensure the accuracy and fairness of any disclosure, companies are more willing to share information with the agency.
Unfortunately, beyond seeking a retraction of any inaccurate disclosures, there is no post-release enforcement mechanism available to companies. The CPSC may face political repercussions for such an error, but, as the apparent notification demonstrates, manufacturers are not entitled to so much as an apology.
Perhaps not coincidentally, the CPSC’s Office of the Inspector General (OIG) seems to have foreseen the possibility of such an unauthorized release. In 2015, the OIG conducted an audit of the CPSC’s Freedom of Information Act (FOIA) systems and processes. The audit devoted much of its report to the CPSC’s implementation of “FOIAXpress,” the software system the agency uses to manage responses to FOIA requests. The audit found a lack of rigor in the process for creating user accounts and granting access:
This results in the possibility of critical agency documents being viewed and/or altered without a business need to do so, thus increasing the risk of compromising the integrity and confidentiality of these documents. If the integrity and/or confidentiality of these documents is compromised, there is a serious reputational risk to the agency and a serious potential risk to the individual or business to which the documents pertain.
The audit also found the CPSC had not adhered to the “Principle of Least Access,” giving too many users administrator access to the system. Startlingly, the OIG even found it “was able to log in to FOIAXpress using the default username and password, as the default password had not changed since the implementation of FOIAXpress in 2008.” Management noted that it had changed the password by the time the report was released and had implemented a 90-day change policy.
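The three account-management weaknesses the OIG audit describes (accounts created without a documented business need, too many administrators, and a default password left unchanged for years) are the kind of thing an agency can check mechanically on a recurring basis. The script below is an added illustration, not part of this post or of the OIG report, and it runs over a constructed account inventory rather than any real FOIAXpress data. The 90-day rotation period comes from the report; the 10% administrator ceiling and the assumed default account names (“admin”, “administrator”) are assumptions chosen for the example.

```python
from datetime import date

# Audit thresholds. The 90-day figure is the rotation policy the OIG report
# mentions; the other two values are assumptions made for this example.
MAX_PASSWORD_AGE_DAYS = 90
MAX_ADMIN_SHARE = 0.10                       # assumption: at most 10% of enabled accounts are admins
DEFAULT_USERNAMES = {"admin", "administrator"}  # assumption: vendor-default account names

# Constructed account inventory (hypothetical; not CPSC or FOIAXpress data).
AS_OF = date(2016, 1, 15)  # the audit date used for password-age calculations
ACCOUNTS = [
    {"user": "admin",       "role": "admin", "enabled": True,
     "password_set": date(2008, 3, 1),  "justification": "vendor default"},
    {"user": "jdoe",        "role": "admin", "enabled": True,
     "password_set": date(2015, 12, 1), "justification": ""},
    {"user": "asmith",      "role": "user",  "enabled": True,
     "password_set": date(2015, 9, 1),  "justification": "FOIA analyst"},
    {"user": "bjones",      "role": "user",  "enabled": True,
     "password_set": date(2015, 11, 20), "justification": "FOIA analyst"},
    {"user": "contractor1", "role": "admin", "enabled": False,
     "password_set": date(2014, 1, 1),  "justification": ""},
]


def audit_accounts(accounts, as_of=AS_OF):
    """Return a list of (username, category, detail) findings.

    Disabled accounts are skipped: they cannot be used to view or alter
    documents, which is the risk the audit is concerned with.
    """
    findings = []
    enabled = [a for a in accounts if a["enabled"]]
    for a in enabled:
        age_days = (as_of - a["password_set"]).days
        if age_days > MAX_PASSWORD_AGE_DAYS:
            findings.append((a["user"], "password_age",
                             f"{age_days} days since last password change"))
        if a["user"].lower() in DEFAULT_USERNAMES:
            findings.append((a["user"], "default_account_enabled",
                             "vendor default account is still active"))
        if a["role"] == "admin" and not a["justification"].strip():
            findings.append((a["user"], "admin_without_justification",
                             "administrator access with no recorded business need"))
    # Least-access check across the whole inventory, not per account.
    admins = [a for a in enabled if a["role"] == "admin"]
    if enabled and len(admins) / len(enabled) > MAX_ADMIN_SHARE:
        findings.append(("*", "excess_admins",
                         f"{len(admins)} of {len(enabled)} enabled accounts are administrators"))
    return findings


def findings_by_category(findings):
    """Summarise findings as {category: count} for a quick dashboard view."""
    counts = {}
    for _, category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for user, category, detail in audit_accounts(ACCOUNTS):
        print(f"{category:28} {user:12} {detail}")
    print(findings_by_category(audit_accounts(ACCOUNTS)))
```

On the constructed inventory the script flags the never-rotated default account twice (stale password and default name still enabled), one administrator with no recorded justification, one ordinary user past the rotation window, and an overall administrator share above the ceiling. Run against a real export it would give an agency the same signals the OIG found by hand, on a schedule rather than once every several years.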
Presumably, to the extent that the Senate takes up CPSC oversight this session, this dramatic realization of the OIG audit’s forewarning will be a topic of discussion. Regardless, we hope that this unauthorized disclosure will spur the CPSC to re-commit itself to the security of its information-handling systems and the trust that Section 6(b) seeks to create between industry and the agency.