Senate investigation pins CPSC breaches on 'incompetence'


A Senate Commerce Committee investigation released Oct. 17 attributed nearly two years' worth of data breaches at the Consumer Product Safety Commission to "incompetence and mismanagement."

Between December 2017 and March 2019, the commission released data on more than 10,000 manufacturing businesses as well as personal information on approximately 30,000 consumers, without redactions, including their street addresses, ages and genders. Most of the information was sent to researchers at Texas A&M University and to the publication Consumer Reports, but the commission ultimately sent unredacted information to at least 29 organizations.

The report cites lack of training and poor software design as the chief culprits, and not "deliberate, bad-faith efforts" by senior managers.

A patchwork collection of three software applications used by employees to access CPSC data was found to be "convoluted and ineffective." One, a legacy application designed in 1997, was supposed to have been retired and replaced years ago by a second application, but employees told the committee that the replacement was "of limited effectiveness," forcing them to continue using the legacy app. The third was a custom application developed by a since-retired employee, and users said it was not always clear which of the three they were to use for a given project. Two of the three programs had no written instructions for employees to consult.

Additionally, congressional interviews with CPSC staff found that none of the employees reported instances in which supervisors knowingly or intentionally directed them to break the law. What the interviews did reveal is that the employees responsible "had little to no knowledge" of their legal obligations under the Consumer Product Safety Act to redact personally identifiable information. In fact, there was apparently no formal training program of any kind for employees, beyond informal conversations with managers.

Former acting CPSC Chair Ann Marie Buerkle told the committee in June that staff were "routinely" trained on requirements to protect personal information and given specific instructions on how to comply with the law.

The investigation was initially opened after a senior CPSC official contacted the committee to express concern that Buerkle was not providing staff with information about the breaches. Buerkle, who is also a commissioner, is scheduled to leave the CPSC when her term expires this month.

The disclosure error was discovered by CPSC officials in April, who quickly moved to notify victims and to contact the 29 organizations, asking them to return or destroy the information. The committee recommended that the commission conduct substantive formal training for new hires, review and simplify its technology systems, and implement clear and consistent review processes for sensitive disclosures.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.
