CPSC Clearinghouse Data Breach Press Release
BETHESDA – Today the U.S. Consumer Product Safety Commission (CPSC) Office of Inspector General (OIG) issued a report examining the CPSC’s unauthorized release of sensitive information regarding thousands of people and businesses. The OIG ascertained, among other findings, that the scope of the data breach was greater than previously reported and that the data breach was the result of incompetence and mismanagement rather than outside hackers gaining access to the CPSC’s information technology systems.
The OIG agreed to investigate the CPSC’s Clearinghouse data breach after receiving numerous requests from Congress and CPSC Commissioners. The OIG initiated an administrative investigation to assess the scope, root causes, and the CPSC’s response to the data breach as well as several specific allegations of misconduct, including whether the data breach was deliberate.
The OIG quickly confirmed that the data breach was not the result of outside hackers gaining access to the CPSC’s information technology systems. In fact, CPSC employees caused the data breach by inappropriately releasing confidential information. However, early on, the OIG also determined that the scope of the breach greatly exceeded the agency’s estimate. The OIG found:
- The inappropriate release of information began earlier and was of greater volume than believed by the agency.
- The root causes of the data breach were mismanagement and incompetence.
- The CPSC attempted to respond quickly to the breach. However, the CPSC’s response to the breach was hindered by its lack of preparation for dealing with data breaches and the errors made in assessing the scope of the breach.
- There was no evidence that the data breach was deliberate.
The OIG had previously brought many of the issues that led to the data breach to management’s attention; these problems were neither new nor unknown to the agency. Specifically, the OIG had notified the agency about the lack of internal controls in the Clearinghouse, the lack of adequate encryption of PII, and the failure to restrict access to non-public data to those with a need for that access. The OIG is an independent office within the CPSC that performs audits and investigations of the CPSC and prevents and detects fraud, waste, and abuse.
CPSC Grants Audit Press Release
BETHESDA – Today the U.S. Consumer Product Safety Commission (CPSC) Office of Inspector General (OIG) issued a report questioning over $1.7 million in grant awards. The OIG found CPSC’s Pool Safely Grants Program (PSGP) does not fully comply with government-wide grant requirements and its own procedures and as a result, during the period under review, the program was not effective. Additionally, the report noted the program lacked adequate oversight and an effective control environment.
The Virginia Graeme Baker Pool and Spa Safety Act (VGB Act) was enacted on December 19, 2007, to:
...improve pool and spa safety through the use of anti-entrapment devices and to encourage State adoption of minimum mandatory swimming pool and spa safety laws.
The VGB Act charges the CPSC with administering a grants program, the PSGP, which assists jurisdictions in enforcing laws and regulations related to preventing drowning accidents and educating the public.
The OIG report found that, as a result of mismanagement, an ineligible recipient received a grant, taxpayer funds were inappropriately spent, and there were several possible violations of fiscal law. The OIG questioned $1,722,084 in grant awards due to inadequacies in the grant award and oversight processes.
Further, the CPSC was not able to identify all funds spent on grants administration. CPSC staff did not accurately report grant information in government-wide reporting systems as required by law, thus hindering oversight by Congress and the American people. The report made 22 recommendations to the agency to correct these issues.
CPSC OIG FISMA 2020 Press Release
BETHESDA – Today the U.S. Consumer Product Safety Commission (CPSC) Office of Inspector General (OIG) issued a report on the results of the Fiscal Year (FY) 2020 Federal Information Security Modernization Act (FISMA) review. The OIG retained the services of Williams, Adley, & Co.-DC LLP (Williams Adley), an independent accounting firm, to complete this review.
Overall, the OIG found that while the CPSC has made progress in implementing FISMA requirements, work remains to be done. This year Williams Adley took an approach that is new to the CPSC in categorizing its 47 recommendations, many of which had been reported previously and had not been implemented. Williams Adley identified two recommendations that address the root causes behind many of the unmet FISMA requirements. The OIG anticipates that this new approach will help the agency address the deficiencies in its systems more effectively and in a timely manner.
The first of these root cause recommendations is to develop and implement a formal strategy to address information security risk management requirements as prescribed by National Institute of Standards and Technology (NIST) guidance. Once this is complete, CPSC management will be able to implement the second root cause recommendation by assessing the relative importance of risks and prioritizing them according to their potential impact on the agency’s business processes. This strategy document will give the CPSC the basis of an effective, risk-based plan to address IT security issues and will provide agency management with a roadmap for prioritizing the completion of the other 45 recommendations.
CPSC OIG NEISS Report Press Release
BETHESDA – Today the U.S. Consumer Product Safety Commission (CPSC) Office of Inspector General (OIG) issued a report on the results of a review of the CPSC’s National Electronic Injury Surveillance System (NEISS) program. Historically, the NEISS program gathered data on consumer-related injuries from hospital emergency rooms to measure the number of injuries associated with the thousands of different consumer products regulated by the CPSC. In 2000, the CPSC expanded the program to cover injuries outside of the jurisdiction of the CPSC, such as those related to motor vehicles, the workplace, firearms, and tobacco. In addition to the CPSC, other government agencies, manufacturers, researchers, lawyers, and the general public also use data generated by the NEISS program. Federal agencies, such as the Centers for Disease Control and Prevention, reimburse the CPSC through Interagency Agreements for collecting and providing NEISS data for use in their programs.
The OIG retained the services of Kearney & Company (Kearney), an independent public accounting firm, to conduct this review. Kearney determined that the NEISS program did not have an adequate data governance program in place to ensure data quality. Additionally, the CPSC could not provide a legal opinion to support its decision to expand the NEISS program to include data on injuries outside of the CPSC’s jurisdiction. Finally, the CPSC could not sufficiently document estimated costs charged to other federal agencies as required by the Economy Act when using Interagency Agreements. The OIG made 12 recommendations to address these findings.