FTC Announces Proposed Settlement with CafePress for Multiple Data Security Failures | Practical Law

The FTC has announced a proposed settlement with the owners of CafePress.com over allegations that they concealed data breaches and failed to implement reasonable security measures to protect buyers' and sellers' sensitive personal information.

Practical Law Legal Update w-034-8421 (Approx. 3 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 16 Mar 2022, USA (National/Federal)
On March 15, 2022, the FTC issued a press release announcing a proposed settlement with Residual Pumpkin Entity, LLC and PlanetArt, LLC, the former and current owners of CafePress.com, respectively, over allegations that they failed to secure buyers' and sellers' sensitive personal data and covered up multiple data breaches. CafePress is an online marketplace through which national and international consumers can purchase customized merchandise from individual shopkeepers.
Despite the privacy and security assurances in CafePress's website privacy policy and emails to consumers, the FTC alleges that CafePress:
  • Failed to adequately protect against reasonably foreseeable vulnerabilities that hackers could exploit to access personal information on its network.
  • Stored personal information, including Social Security numbers and security questions and answers, in clear, readable text.
  • Stored personal information indefinitely on its network without a business need.
  • Failed to implement:
    • reasonable measures to protect passwords;
    • rules sufficient to make user credentials difficult to guess;
    • reasonable procedures to prevent, detect, or investigate intrusions; and
    • a process to receive and address third-party security vulnerability reports, which delayed its ability to identify vulnerabilities and properly respond to incidents.
  • Failed to reasonably respond to security incidents.
As a result of these inadequate security practices, the FTC further alleges:
  • CafePress did not address a February 2019 consumer data breach for months despite notifications from multiple parties.
  • Hackers used employees' personal information to attempt to change their payroll direct deposit information.
  • Employees' computers contained multiple malware infections.
The FTC entered consent orders requiring Residual Pumpkin Entity and PlanetArt to take certain actions, including:
  • Implementing a comprehensive information security program addressing the issues that led to the CafePress data breaches.
  • Implementing independent, third-party security program assessments.
  • Certifying their compliance with the consent order annually.
  • Notifying affected consumers of the data breaches with specific information about how they can protect themselves.
The FTC also required Residual Pumpkin to pay $500,000 in redress to the CafePress data breach victims.
The FTC will publish a description of the consent agreement package in the Federal Register, which will be subject to public comment for 30 days. The FTC will then decide whether to make the proposed consent orders final.
Counsel seeking additional information on data breach prevention tips should review the FTC's blog post published in connection with this proposed settlement.