Consumer safety agency accidentally disclosed personal data

The Senate Commerce Committee on Thursday issued a report that found the Consumer Product Safety Commission (CPSC) failed to properly handle the data of thousands of consumers, leading to an accidental data breach earlier this year.

The report recommended that the CPSC, which is in charge of ensuring that consumer products do not harm Americans, take steps to improve its handling of personal data after the CPSC clearinghouse made “improper disclosures” between December 2017 and March 2019 to 29 entities.

These disclosures contained the personal data of around 30,000 consumers, including street addresses, age and gender, along with information on 10,900 manufacturers.

Most of the disclosed data was sent to Consumer Reports and to a researcher at Texas A&M University as part of a response to information requests from these entities. The personal information included was not redacted as required by Section 6(b) of the Consumer Product Safety Act.

The committee, led by Chairman Roger Wicker (R-Miss.), was informed of the disclosures in April and subsequently sent letters to the agency and interviewed employees about the breach, concluding that “the series of improper disclosures is likely attributable to incompetence and mismanagement rather than deliberate, bad-faith efforts by senior managers or commissioners.”

The committee recommended that the CPSC implement formal training for all new employees on how to handle personal consumer data, review information technology used to process data requests and implement policies to ensure that CPSC management reviews all sensitive data requests.

Wicker wrote in a letter to acting CPSC Director Robert Adler on Wednesday that while the data disclosures were “concerning,” the committee concluded they did not occur due to deliberate steps, but were entirely accidental.