In April, the U.S. Consumer Product Safety Commission warned more than 10,000 manufacturers that it had accidentally disclosed detailed information about injuries involving their products.
But the commission declined to inform the nearly 30,000 consumers whose personal details had also been disclosed, according to internal commission documents HuffPost has obtained.
The incident highlighted a long-controversial provision of the 1972 Consumer Product Safety Act that gives companies almost total control over what the commission tells the public about their products and when. Consumer advocates say the provision has potentially deadly implications, preventing the agency from getting dangerous products off the market.
The commission blamed itself for releasing the private information. For two years, the agency had been mistakenly sharing unredacted spreadsheets with 36 different companies, journalists and researchers that had requested data from the commission’s National Injury Information Clearinghouse. Product and personal information is usually redacted in documents provided in response to such requests.
As a result of the disclosure ― which the government describes as a “breach” ― Consumer Reports obtained unredacted product injury spreadsheets that it used to expose a pattern of several dozen infant deaths in Rock ’n Play sleepers sold by Fisher-Price, which subsequently recalled the product. The commission had that data but hadn’t forced the company to stop selling the sleepers.
It was the second high-profile revelation this year that the five-member commission had failed to protect consumers. The Washington Post reported in April that acting chair Ann Marie Buerkle, a former Republican congresswoman President Donald Trump originally appointed to chair the commission in 2017, stifled enforcement efforts against a dangerous jogging stroller.
Buerkle announced last week that she had withdrawn her name from consideration to be the commission’s chair instead of just the acting one. Once her term ends this fall, if the Senate doesn’t confirm a new nomination, the commission could be left with an even partisan split, two Democrats and two Republicans.
The breach has roiled the commission, resulting in an intra-party fight as two Republicans call for an outside investigation and the panel’s Democrats side with Buerkle. Republican commissioner Dana Baiocco, who in her previous career advised corporate clients on product recalls, suggested last week the breach might not have happened the way Buerkle has claimed.
“I’ve not been able to link information that went out the door with requests for this information,” Baiocco told a Senate subcommittee during a routine oversight hearing last Thursday ― seemingly implying that the data may have been leaked. Baiocco’s office declined to elaborate.
The consumer information disclosed had not included names, credit card or Social Security numbers, a commission spokesman said. And almost all of the people who received the documents agreed to delete them.
As soon as Consumer Reports gave the agency a heads-up about what it had obtained in April, the agency swung into action, sending emails and letters to the companies with products named in the documents. Officials also demanded that everyone who received the information delete it immediately.
What to do about the consumers themselves, on the other hand, presented a trickier question.
The commission set up a task force to evaluate just how badly they’d screwed up in releasing “personally identifiable information” ― in this case, a mix of varying details such as age, gender, race, address and incident summaries describing sometimes gruesome injuries. But the agency said the documents did not include Social Security numbers or credit card information ― the sort of material that digital thieves typically use to steal a person’s credit.
Nevertheless, bad actors still “could use the information to re-identify consumers, then run a very credible spear-phishing scam based on knowing your street address, your age and race and the day your kid was hospitalized,” said Ed Mierzwinski, senior director of the U.S. Public Interest Research Group’s federal consumer program.
“The CPSC should have notified the victims,” Mierzwinski said. “Full stop.”
But there were some mitigating factors. One was that the commission knew exactly to whom it had sent the documents, and most recipients had agreed to delete them. Information relating to 28,000 of the 29,700 potentially identifiable people had been “successfully clawed back with confirmation of destruction from the recipient,” according to commission documents.
Only Consumer Reports and a handful of others refused, as the agency seems to have no power to force them to hit the delete button.
The commission said in an internal memo that another reason not to notify consumers was that there was nothing it could do for those affected. If Social Security or credit card numbers had been divulged, for example, the commission could offer to pay for credit monitoring. Guidance from the Office of Management and Budget warns agencies that “mental pain and emotional distress” are legitimate concerns, but also that “over-notifying” people can be just as bad if there’s nothing to be done.
“Notification of potentially affected individuals in this case may result in creating embarrassment or emotional distress without providing other benefit,” the commission’s chief information officer said in a May 7 memo.
Still, commissioners continued to wrestle with what happened. At a testy May 22 commission meeting, Baiocco, a Republican appointed last year, formally introduced a resolution asking the Department of Justice to investigate the breach.
“I am not satisfied with where we are and, to this point, what we’ve done,” Baiocco told her fellow commissioners. “I’m concerned that a lot of the evidence as to what really happened here is gone.”
Buerkle said bringing in another agency would interfere with the investigation that the agency’s own inspector general had already begun. And she got backup from the panel’s two Democrats, who joined her in voting down Baiocco’s proposal, despite some concerns about how the breach affected consumers.
Democrat Elliot Kaye said at the hearing he was “particularly concerned about the people whose [personally identifiable information] has been put out there and put at risk.”
The commission’s other Democrat, Robert Adler, said it wasn’t the “crime of the century,” and that the continued focus on the breach had distracted from the agency’s mission to protect consumers.
“This was an innocent mistake made by some well-intentioned staff who have owned up to what they’ve done,” he said.