Senate investigation pins CPSC breaches on 'incompetence'
Poor software design and lack of trainings were found to be responsible for a series of data breaches that touched 10,000 manufactures and 30,000 consumers.
A Senate Commerce Committee investigation released Oct. 17 attributed nearly two years' worth of data breaches at the Consumer Product Safety Commission to "incompetence and mismanagement."
Between December 2017 and March 2019, the commission released data on more than 10,000 manufacturing businesses as well as personal information on approximately 30,000 consumers, without redactions, including their street addresses, ages and genders. Most of the information was sent to researchers at Texas A&M University and a publication, Consumer Reports, but the commission ultimately sent unredacted information to at least 29 organizations.
The report cites lack of training and poor software design as the chief culprits, and not "deliberate, bad-faith efforts" by senior managers.
A patchwork collection of three software applications used by employees to access CPSC data were found to be "convoluted and ineffective." One, a legacy application designed in 1997, was supposed to have been retired and replaced years ago, but employees told the committee its replacement was "of limited effectiveness," forcing them to continue using the legacy app. The third was a custom application developed by a since-retired employee, and users said it was not always clear which one they were to use for different projects. Two of the three programs had no written instructions for employees to consult.
Additionally, congressional interviews with CPSC staff found none of the employees reported instances where supervisors knowingly or intentionally directed them to break the law. What they did reveal is that the employees responsible "had little to no knowledge" of their legal obligations under the Consumer Product Safety Act to redact personally identifiable information. In fact, there was apparently no formal training program for employees of any kind beyond informal conversations with managers.
Former acting CPSC Chair Ann Marie Buerkle told the committee in June that staff were "routinely" trained on requirements to protect personal information and given specific instructions on how to comply with the law.
The investigation was initially opened after a senior CPSC official contacted the committee to express concern that Buerkle was not providing staff with information about the breaches. Buerkle, who is also a commissioner, is scheduled to leave the CPSC when her term expires this month.
The disclosure error was discovered by CPSC officials in April, who quickly moved to notify victims and contact the 29 organizations asking them to return or destroy the information. The committee recommended the commission conduct substantive formal trainings for new hires, review and simplify its technology systems and implement clear and consistent review processes for sensitive disclosures.