A number of retailers and manufacturers have recently received notices from the U.S. Consumer Product Safety Commission concerning a possible data breach. The CPSC’s letter advises recipients of an unauthorized release of confidential information that did not go through the procedures of 15 U.S.C. § 2055, also known as “Section 6(b)” of the Consumer Product Safety Act (CPSA).
Section 6(b) is intended to encourage candor between the CPSC and regulated companies, by assuring that sensitive information will be handled under procedures intended to ensure the accuracy and fairness of any disclosure. Section 6(b) restricts the CPSC’s public disclosure of manufacturer and product specific information, and applies to information from which the public can readily determine the identity of a manufacturer.
The breach appears to concern a mass inadvertent disclosure of nonpublic manufacturer and product specific information. It appears the information could have been released months ago, but the CPSC only recently discovered the issue. Based on the type of information retained by the CPSC, the disclosed information likely involves safety incidents specific to manufacturers and private labelers of consumer products.
The letter from the CPSC’s Office of General Counsel states: “[W]e recently discovered that nonpublic information identifying your company by name along with product model name and/or model number was released in error to the public without following the procedures in 15 U.S.C. § 2055.”
The CPSC also has sent a letter to recipients of the disclosed information, demanding that they return the information, or destroy it and certify destruction. The letter advises that the information “cannot be published or further disseminated.”
Although there is no real redress available to companies beyond possible retraction of any inaccurate disclosures, Section 6(b) and the CPSC’s implementing rules allow companies to know what information was disclosed. Companies who received such a notice should therefore consult with counsel and request information from the CPSC about the nature and extent of any documents and information disclosed, and the identity of the recipients.
Coincidentally, a CPSC oversight hearing held recently by the U.S. House Subcommittee on Consumer Protection and Commerce focused a significant amount of time and attention on the Section 6(b) procedures and their role.