On March 15, 2022, the Federal Trade Commission (“FTC”) issued a proposed settlement with online custom merchandise platform CafePress in connection with the company’s alleged: (1) failure to implement reasonable security measures to secure consumers’ Personal Information; and (2) attempt to cover up a significant 2019 data breach. The proposed settlement would require CafePress to implement a comprehensive data security program and pay $500,000 in redress to victims of the data breaches. The FTC’s Complaint alleges that CafePress misrepresented its security practices and unfairly failed to implement reasonable security measures to protect the Personal Information of consumers and merchants stored on the company’s systems. Although similar in content to previous FTC orders, the current order addresses a myriad of unique provisions and provides a glimpse into the FTC’s future enforcement of cybersecurity issues.
Failure to Maintain Reasonable Security Practices and Prevent Security Breaches
According to the Complaint, in February 2019, a hacker exploited the company’s security failures, accessing millions of consumer email addresses and passwords as well as unencrypted names, physical addresses, security questions and answers, Social Security numbers, and payment data.
Although CafePress became aware of the data breach in March 2019, the company failed to properly investigate the breach and notify affected consumers. The FTC alleged that CafePress’ inaction continued for several months even after it received an April 2019 warning from a foreign government regarding the sale of the company’s consumers’ Personal Information on the dark web. CafePress notified consumers of the data breach in September 2019, instructing consumers to reset their passwords as part of an update to its password policy. The FTC further noted that this security precaution was ineffective because, during this time, passwords could be reset by answering the security questions associated with customers’ email addresses, and those security questions and answers had themselves been compromised in the data breach.
In its Complaint, the FTC provided a notably detailed account of the shortcomings in CafePress’ security practices which allegedly contributed to its failure to protect consumers’ Personal Information, including:
- Lack of established procedures to detect and prevent foreseeable network intrusions;
- Storing Personal Information, including sensitive data such as Social Security numbers and security questions and answers, in clear, readable text;
- Storing Personal Information indefinitely without a business need, including neglecting to delete consumers’ Personal Information when consumers requested account deletion;
- Failure to implement patch management policies and procedures to ensure the timely remediation of critical security vulnerabilities (e.g., Structured Query Language injection attacks), and use of obsolete versions of database and web server software that no longer received patches;
- Failure to take reasonable steps to protect passwords, such as using outdated algorithms to “hash” passwords (Secure Hash Algorithm 1) and failing to “salt” passwords;
- Absence of procedures for receiving and addressing security vulnerability reports from third parties;
- Lack of password complexity rules;
- Lack of action to mitigate further harm from security incidents (e.g., forced password resets on breached accounts);
- Failing to properly notify consumers of data breaches when they occurred.
The Proposed Settlement
As a part of the proposed settlement, former CafePress owner, Residual Pumpkin, is required to pay $500,000 in redress to the victims of the data breaches. CafePress’ new owner, PlanetArt, is required to notify victims of CafePress’ data breaches, as well as implement a robust information security program to address their security gaps and failures. In addition, both Residual Pumpkin and PlanetArt must undergo a third-party assessment of their information security programs.
Next Steps and Considerations
The FTC’s detailed Complaint provides businesses with valuable insight on what it may deem reasonable security measures to prevent and minimize data incidents, as well as what it considers appropriate steps in data breach response and mitigation.
As companies develop and review internal policies and procedures, they should evaluate the type of Personal Information that is handled and plan to implement sound privacy security measures such as: (1) protocols to limit access to Personal Information; (2) data minimization practices to delete Personal Information when requested by consumers and where there is no longer a legitimate business need for the data; (3) verifying third-party vendor compliance with privacy security policies; (4) regular employee security awareness trainings; (5) action-ready incident response plans; (6) secure access procedures such as password complexity, hashing, salting, peppering, and encrypting credentials; and (7) encrypting vulnerable Personal Information.
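The password-storage failure the Complaint describes (unsalted SHA-1 hashes) and the hashing, salting and peppering recommended above, illustrated with an added Python example that is not from the article or from CafePress’ systems; the pepper value, iteration count and record format are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed placeholder: a real pepper is a random secret kept outside the
# database (secrets manager or HSM) so a dumped user table alone does not expose it.
PEPPER = b"placeholder-pepper-not-for-production"
# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune to your own hardware).
ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """The scheme the Complaint faults: unsalted SHA-1 of the raw password.
    Equal passwords give equal digests, so precomputed tables crack them in bulk."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def _peppered(password: str) -> bytes:
    # Keyed HMAC binds the password to the server-side pepper before stretching.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened form: random per-user salt, pepper, and a slow key-derivation function.
    Returns a self-describing record 'pbkdf2_sha256$<iters>$<salt_hex>$<digest_hex>'."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count, compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_legacy(record: str) -> bool:
    """True for a bare 40-hex SHA-1 digest: such accounts need a forced reset and
    a rehash at next login, the mitigation step the Complaint says was missing."""
    return "$" not in record and len(record) == 40 and all(c in "0123456789abcdef" for c in record.lower())
```

Two users with the same password get identical `weak_hash` values but distinct `make_record` values, which is the property that defeats precomputed cracking tables.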