Report of Investigation Regarding the 2019 Clearinghouse Data Breach

Reconvene the BRT to assess the full extent of the breach, and base its response on the totality of the breach.

Establish blanket purchase agreements for identity monitoring, credit monitoring, and other related services for data breach victims.

Complete and publish a document describing lessons learned after the BRT completes its work related to this breach.

Complete and document annual tabletop exercises. The tabletop exercises test the breach response plan and help ensure that members of the team are familiar with the plan and understand their specific roles. Tabletop exercises should be used to practice a coordinated response to a breach, to further refine and validate the breach response plan, and to identify potential weaknesses in the agency's response capabilities.

Conduct an annual Breach Response Policy plan review.

Establish and complete an annual schedule to review blanket purchase agreements for adequacy, complete and document the tabletop exercise, and publish the updated annual Breach Response Policy plan review.

Review all available data and establish an accurate identification of all data inadvertently released, internally and externally, from 2010 to 2019.

Obtain an independent review of a sample of Clearinghouse responses prior to 2010 to determine the need for an expanded scope of the review.

Establish a process for communicating and enforcing the implementation of recommendations previously agreed to by management, as required by law.

Implement a single data extraction tool to allow maximum functionality in searching multiple product codes while adequately blocking protected data from release. This tool should default to block ALL fields which may contain 6(b) information and PII data. This data tool must contain a standardized data dictionary to limit placement of restricted information to identified fields.

Once the new tool in Recommendation 17 is implemented, turn off and remove all other data extraction tools from the CPSC inventory of available IT tools.

Limit access to the underlying database and the data extraction tool to those with a bona fide need for access.

Annually update and require refresher training for all Clearinghouse staff on the use of the data extraction tool and policies and procedures for accomplishing Clearinghouse work, up to and including the AED for EPHA.

Develop, disseminate, provide training, and implement policies and procedures on how to use this new data extraction tool to all Clearinghouse staff, up to and including the AED for EPHA. These policies must include step-by-step instructions and checklists to aid staff in completing routine tasks. These policies must include guides and checklists for supervisory review of Clearinghouse staff work.

Require initial and annual refresher training for all staff on the importance of protecting 6(b) information and PII, including the rights of individuals and businesses, and how to recognize 6(b) information and PII in documents and how to securely handle this information.

Enforce Principle of Least Privilege and limit access to data on the P-drive to individuals with a bona fide “need to know.”

Determine, document, and implement a structure for the Clearinghouse.

Require the Office of Human Resources Management (Human Resources) to provide consultation to ensure that the organizational structure in EPDSI meets the current operational needs, meets span of control best practices, and perform a skills gap analysis. Human Resources will provide a written report of its findings.

Implement the recommendations from the Human Resources study.

Design, document, and implement control activities to respond to the results of the completed risk assessment process.

Develop and implement written guidance on the importance of the statements of assurance process and the related documentation requirements.