Cybersecurity

Senate panel finds consumer agency accidentally disclosed personal data of thousands

The Senate Commerce Committee on Thursday issued a report that found the Consumer Product Safety Commission (CPSC) failed to properly handle the data of thousands of consumers, leading to an accidental data breach earlier this year. 

The report recommended that the CPSC, which is in charge of ensuring that consumer products do not harm Americans, take steps to improve its handling of personal data after the CPSC clearinghouse made "improper disclosures" between December 2017 and March 2019 to 29 entities. 

These disclosures contained the personal data of around 30,000 consumers, including street addresses, age and gender, along with information on 10,900 manufacturers. 

Most of the disclosed data was sent to Consumer Reports and to a researcher at Texas A&M University as part of a response to information requests from these entities. The personal information included was not redacted as required by Section 6(b) of the Consumer Product Safety Act. 

The committee, led by Chairman Roger Wicker (R-Miss.), was informed of the disclosures in April and subsequently sent letters to the agency and interviewed employees about the breach, concluding that "the series of improper disclosures is likely attributable to incompetence and mismanagement rather than deliberate, bad-faith efforts by senior managers or commissioners."

The committee recommended that the CPSC implement formal training for all new employees on how to handle personal consumer data, review information technology used to process data requests and implement policies to ensure that CPSC management reviews all sensitive data requests. 

Wicker wrote in a letter to acting CPSC Director Robert Adler on Wednesday that while the data disclosures were "concerning," the committee concluded they did not occur due to deliberate steps, but were entirely accidental. 

Wicker also noted that he intends to review the findings of the CPSC's inspector general on the disclosures and hopes steps taken as a result of the breach will "protect the consumers and manufacturers that entrust their sensitive information to the CPSC."

Joe Martyak, the director of communications at the CPSC, told The Hill on Thursday that "we take seriously the recommendations of this report and have already been taking action to improve staff training and security measures. We will continue to address these recommendations and look forward to the related report from our Inspector General."

The agency announced the data disclosures in April and detailed the steps it had taken in response, including immediately halting all disclosures through its clearinghouse to entities and immediately requesting the groups accidentally given this information to either return or destroy it. The CPSC also developed an "action plan" to inform all manufacturers that had data disclosed.

"CPSC considers unauthorized disclosure of information to be a serious issue," the agency wrote earlier this year.

-Updated at 5:35 pm to include a response from the CPSC. 

Outbrain