Report of Investigation Regarding the 2019 Clearinghouse Data Breach
Reconvene the BRT to assess the full extent of the breach, and base its response on the totality of the breach.
Establish blanket purchase agreements for identity monitoring, credit monitoring, and other related services for data breach victims.
Complete and publish a document describing lessons learned after the BRT completes its work related to this breach.
Complete and document annual tabletop exercises. The tabletop exercises test the breach response plan and help ensure that members of the team are familiar with the plan and understand their specific roles. Tabletop exercises should be used to practice a coordinated response to a breach, to further refine and validate the breach response plan, and to identify potential weaknesses in the agency's response capabilities.
Conduct an annual Breach Response Policy plan review.
Establish and complete an annual schedule to review blanket purchase agreements for adequacy, complete and document the tabletop exercise, and publish the updated annual Breach Response Policy plan review.
Develop and document a comprehensive crisis communication plan. This plan should include a process to ensure that there is an authoritative source for data related to any incident.
The crisis communication plan should include annual tabletop exercises and annual plan reviews.
The CPSC should document the results of each crisis communication plan annual tabletop exercise.
The CPSC should publish the resulting comprehensive crisis communication plan after any update.
Develop a process to ensure that all information reported to Congress and otherwise publicly reported is reviewed for accuracy and correctly contextualized and described.
Review all available data and establish an accurate identification of all data inadvertently released, internally and externally, from 2010 to 2019.
Obtain an independent review of a sample of Clearinghouse responses prior to 2010 to determine the need for an expanded scope of the review.
Establish policies and procedures to ensure that when the agency reports data related to a data breach or other violation of law or regulation, the reported data has been independently verified by a person outside of the responsible organization.
Establish a process for communicating and enforcing the implementation of recommendations previously agreed to by management, as required by law.
Implement a single data extraction tool to allow maximum functionality in searching multiple product codes while adequately blocking protected data from release. This tool should default to block ALL fields which may contain 6(b) information and PII data. This data tool must contain a standardized data dictionary to limit placement of restricted information to identified fields.
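As an added illustration (not code from the report or from the CPSC), the default-deny behaviour this recommendation describes, in Python: an extraction filter that releases a field only when the data dictionary explicitly classifies it as public, so any column the dictionary cannot account for, or that it marks as 6(b) or PII, is withheld even if a requester asks for it. The field names, classifications and records below are constructed assumptions, not Clearinghouse data.

```python
"""Added example: default-deny field filtering driven by a data dictionary."""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed data dictionary: every column in the extract is classified.
# Anything absent from it is treated as restricted (default deny).
DATA_DICTIONARY: Dict[str, str] = {
    "product_code": "public",
    "incident_date": "public",
    "hazard_description": "public",
    "manufacturer_name": "6b",   # identifies a firm: 6(b) information
    "consumer_name": "pii",
    "consumer_email": "pii",
    "narrative": "6b",           # free text may name firms
}
RELEASABLE = {"public"}

def releasable_fields(dictionary: Dict[str, str],
                      requested: Optional[Iterable[str]] = None) -> Set[str]:
    """Fields permitted in an extract: only those explicitly marked public.
    A requested field list can only narrow this set, never widen it."""
    allowed = {f for f, cls in dictionary.items() if cls in RELEASABLE}
    return allowed if requested is None else allowed & set(requested)

def extract(records: List[Dict[str, str]], product_codes: Iterable[str],
            dictionary: Dict[str, str] = DATA_DICTIONARY,
            requested: Optional[Iterable[str]] = None
            ) -> Tuple[List[Dict[str, str]], List[str]]:
    """Select records matching any requested product code and project each
    onto releasable fields only. Also returns the names of every field that
    was withheld, so the block list can be logged for supervisory review."""
    fields = releasable_fields(dictionary, requested)
    wanted = set(product_codes)
    rows = [{f: rec[f] for f in sorted(fields) if f in rec}
            for rec in records if rec.get("product_code") in wanted]
    seen = set().union(*(rec.keys() for rec in records))
    return rows, sorted(seen - fields)

# Constructed sample records; the third carries a column the dictionary
# does not know, which must be blocked rather than passed through.
SAMPLE_RECORDS = [
    {"product_code": "0501", "incident_date": "2019-03-04", "hazard_description": "Burn",
     "manufacturer_name": "Example Corp", "consumer_name": "J. Doe",
     "consumer_email": "jdoe@example.invalid", "narrative": "Heater made by Example Corp"},
    {"product_code": "9999", "incident_date": "2019-05-01", "hazard_description": "Cut",
     "manufacturer_name": "Other Co", "consumer_name": "A. Roe"},
    {"product_code": "1234", "incident_date": "2019-06-11", "hazard_description": "Fall",
     "consumer_email": "aroe@example.invalid", "undocumented_field": "internal note"},
]

if __name__ == "__main__":
    rows, blocked = extract(SAMPLE_RECORDS, ["0501", "1234"])
    print(rows, "\nblocked:", blocked)
```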
Once the new tool in Recommendation 17 is implemented, turn off and remove all other data extraction tools from the CPSC inventory of available IT tools.
Limit access to the underlying database and the data extraction tool to those with a bona fide need for access.
Require training for all Clearinghouse staff, up to and including the AED for EPHA, on the use and functionality of this new tool, procedures for responding to requests for information, and requirements to protect 6(b) information and PII data. Include this training as part of the onboarding for all Clearinghouse staff, up to and including the AED for EPHA.
Annually update and require refresher training for all Clearinghouse staff on the use of the data extraction tool and policies and procedures for accomplishing Clearinghouse work, up to and including the AED for EPHA.
Develop, disseminate, implement, and provide training on policies and procedures for using this new data extraction tool to all Clearinghouse staff, up to and including the AED for EPHA. These policies must include step-by-step instructions and checklists to aid staff in completing routine tasks, and guides and checklists for supervisory review of Clearinghouse staff work.
Require additional training for Clearinghouse supervisory staff, up to and including the AED for EPHA, on effective review of Clearinghouse staff output.
Annually update and require refresher training for Clearinghouse supervisory staff, up to and including the AED for EPHA, on the effective review of Clearinghouse staff output.
Develop, implement, and require training for all Clearinghouse staff, up to and including the AED for EPHA, on a tracking system to monitor Clearinghouse receipt and fulfillment of all Clearinghouse data requests.
Require supervisory review of all completed Clearinghouse data requests.
Use the data from the tracking system to develop and publish annual statistics related to the work of the Clearinghouse.
Require initial and annual refresher training for all staff on the importance of protecting 6(b) information and PII, including the rights of individuals and businesses, and how to recognize 6(b) information and PII in documents and how to securely handle this information.
Enforce Principle of Least Privilege and limit access to data on the P-drive to individuals with a bona fide “need to know.”
Determine, document, and implement a structure for the Clearinghouse.
Require the Office of Human Resources Management (Human Resources) to provide consultation to ensure that the organizational structure in EPDSI meets current operational needs and span-of-control best practices, and to perform a skills gap analysis. Human Resources will provide a written report of its findings.
Implement the recommendations from the Human Resources study.
Design, document, and implement control activities to respond to the results of the completed risk assessment process.
Develop and implement written guidance on the importance of the statements of assurance process and the related documentation requirements.
Consider disciplinary action for the supervisors who did not accurately report the status of internal controls in the statements of assurance they produced. Document the results of the disciplinary review, including the analysis supporting any decision not to take disciplinary action.