The FTC’s Full-Court (Cafe)Press

Written by: Brock Wolf, Esq.

Last month, the Federal Trade Commission (“FTC”) announced a proposed settlement with the online retailer of customized merchandise, CafePress. This settlement follows allegations that the company failed to implement reasonable security measures and attempted to cover up a 2019 data breach. The proposed settlement would call for CafePress to pay $500,000 in redress to affected individuals and implement a comprehensive data security program.

The Allegations

The FTC’s complaint was filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020. The FTC alleged that CafePress had numerous security shortcomings. Namely, CafePress:

    • stored Social Security numbers and security questions and answers in clear, readable text;
    • failed to implement protections against known security threats;
    • stored personal information indefinitely on its network without a business need;
    • failed to implement procedures to prevent, detect or investigate network intrusions; and
    • failed to reasonably respond to security incidents.

The FTC’s complaint alleges that a hacker exploited the company’s security failures in February 2019 and accessed millions of email addresses and passwords with weak encryption. The hacker also had access to millions of unencrypted names, physical addresses and security questions and answers. Over 180,000 Social Security numbers were accessed, as well as tens of thousands of partial payment card numbers and expiration dates. Some of the compromised information was found for sale on the Dark Web.

Upon being notified that hackers obtained consumer data, CafePress patched the security vulnerability, but did not further investigate the breach for several months. According to the complaint, CafePress did not inform affected consumers until September 2019. At that point, the breach had already been widely reported for one month. CafePress allegedly continued to engage in its lax security practices, leaving consumers at risk.

The Settlement

The proposed settlement calls for Residual Pumpkin and PlanetArt to implement comprehensive security programs that will address the shortcomings that led to the data breaches at CafePress. Both companies will be subject to third-party assessments of their security programs, and must provide the FTC with a redacted copy of the assessment for public disclosure.

Residual Pumpkin will be required to pay $500,000 in redress to victims of the breach. PlanetArt will be required to notify consumers whose personal information was accessed as a result of the breach, as well as provide information about how consumers can protect themselves.

What the CafePress Settlement Means for Businesses

The FTC’s complaint and proposed settlement with CafePress should serve as a reminder of the need to be proactive with cybersecurity programs. The FTC takes situations like this, where the consequences are avoidable, seriously.

Companies should have a comprehensive security program in place. Organizations need to be prepared to investigate and respond to breaches immediately upon discovery. Organizations also need to be prepared to timely notify affected individuals and government agencies.

In today’s world, it is not a matter of “if” a breach will happen, but “when.” By having a robust security program in place, organizations can shield themselves from costly litigation or government action. If a company instead chooses to cover a breach up, it can expect to face the consequences.
