Federal Trade Commission enters into Consent Agreement with CafePress requiring it to implement detailed security protections for 20 years and pay a $500,000 fine for covering up a data breach and having lax security.

June 27, 2022 |

The difference between the attitude and the actions of the Federal Trade Commission (the “FTC”) for privacy breaches and failing to implement proper data security and that of Australia is illustrated in the Consent Agreement between the FTC and CafePress regarding the latter’s data breach, its attempted cover up and its dreadful data security. The FTC imposes robust, stringent and long lasting proscriptions while enforceable undertakings in Australia are infrequent, last a short time and impose quite mild constraints on malefactors.  They are worlds apart. 

CafePress was hacked on 20 February 2019 and the data breach compromised more than 23 million accounts.  More than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates was accessed with some of that information available for sale on the Dark Web. 

CafePress carefully did everything wrong after discovering the data breach including:

  • while it patched the vulnerability, a month after the breach, it failed to properly investigate the breach for several months despite additional warnings including a warning in April 2019 from a foreign government
  • instead of telling customers that  a hacker had illegally obtained CafePress customer account information it instead only told customers to reset their passwords as part of an update to its password policy.
  • CafePress did not inform affected customers until September 2019—one month after the breach was reported widely.
  • CafePresses lax security practices still left many consumers at risk. It continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses, which had previously been stolen by hackers.

CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress discovered that certain accounts of shopkeepers had been hacked. It also experienced several malware infections to its network prior to the 2019 hack but failed to investigate the source of such attacks.

The FTC took action in March 2022 for the data breach and cover up.

Last week the FTC announced a Consent Agreement with Cafe Press.  The obligations under the Agreement will last 20 years and CafePress has to pay a fine of $500,000. 

The FTC Press Release provides:

The Federal Trade Commission finalized an order against CafePress over allegations that it failed to secure consumers’ sensitive personal data including Social Security numbers and covered up a major data breach. The Commission’s order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.

In a complaint, first announced in March 2022, filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that the online customized merchandise platform failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network and failed to adequately respond to several security breaches. The FTC alleged CafePress:

    • Stored Social Security numbers and password reset answers in clear, readable text;
    • Retained the data longer than was necessary;
    • Failed to apply readily available protections against well-known threats and adequately respond to security incidents; and
    • Covered up a major data breach resulting from its shoddy security practices.

Under the order finalized by the Commission, Residual Pumpkin and PlanetArt must implement comprehensive information security programs that require them, among other things, to:

    • Replace inadequate authentication measures with multifactor authentication methods;
    • Minimize the amount of data they collect and retain:
    • Encrypt Social Security numbers; and
    • Have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

In addition, Residual Pumpkin must pay $500,000, which will be used to provide redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of the data breaches and provide specific information about how consumers can protect themselves.

After receiving three comments, the Commission voted 5-0 to finalize the orders with Residual Pumpkin and PlanetArt and send responses to the commenters.

The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.

Obligations of Cafe Press under the Consent Agreement include:

  • within 60 days establish an information Security Program which involves:
    • providing the written program and any evaluations  its board of directors at least once every twelve months and promptly
    • designating a qualified employee or employees to coordinate and be responsible for the Information Security Program;
    • assessing and documenting, at least once every twelve months internal and external risks to the privacy, security, confidentiality, or integrity of Personal Information that could result in the:
      • unauthorised collection, maintenance, use, or disclosure of, or provision of access to, Personal Information; or 
      • misuse, loss, theft, alteration, destruction, or other compromise of such information;
    • design, implement, maintain, and document safeguards that control for the internal and external risks Respondent identifies to the privacy, security, confidentiality, or integrity of Personal Information identified in response to sub-Provision II.
    • each safeguard must be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the:
      • unauthorized collection, maintenance, use, or disclosure of, or provision of access to, Personal Information; or e
      • the misuse, loss, theft, alteration, destruction, or other compromise of such information.
    • Safeguards will include:
      • technical measures to monitor all networks and all systems and assets within those networks to identify data security events, including unauthorized attempts to exfiltrate Personal Information;
      • policies and procedures to ensure that all code for web applications is reviewed for the existence of common vulnerabilities;
      • policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures;
      • encryption of all Social Security numbers on Respondent’s computer networks;
      • data access controls for all databases storing Personal Information, including by restricting inbound connections to approved IP addresses,requiring authentication to access them, and limiting employee access ;
      • policies and procedures to ensure that all devices with access to Personal Information are securely installed and inventoried at least once every twelve months, including policies and procedures to timely remediate critical and high-risk security vulnerabilities and apply up-to-date security patches;
      • replacing authentication measures based on the use of security questions and answers to access accounts with multi-factor authentication methods that use a secure authentication protocol, such as cryptographic software or devices, mobile authenticator applications, or allowing the use of security keys;
      • training of all of employees, at least once every twelve months,on how to safeguard Personal Information;
    • assess, at least once every twelve months the sufficiency of any safeguards in place to address the internal and external risks to the privacy, security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results
    • test and monitor the effectiveness of the safeguards at least once every twelve months and modify the Information Security Program based on the results. The testing and monitoring includes vulnerability testing and penetration testing of the network once every four months
    • retain service providers capable of safeguarding Personal Information to implement and maintain safeguards sufficient to address the internal and external risks to the privacy, security, confidentiality, or integrity of Personal Information;
    • obtain appropriate guidance from, independent, third-party experts on data protection and privacy in the course of establishing, implementing, maintaining, and updating the Information Security Program; and
    • evaluate and adjust the Information Security Program in light of any changes to operations or business arrangements at least once every twelve (12) months and modify the Information Security Program based on the results.
  • there will be initial then biennial assessments :
    • from one or more qualified, objective, independent third-party professionals who:
      • use procedures and standards generally accepted in the profession;
      • conduct an independent review of the Information Security Program;
      • retain all documents relevant to each Assessment for five (5) years after completion of  Assessment, and
      • ill provide such documents to the FTC within ten (10) days of receipt of a written request from it.
    • the reporting period for the Assessments covers:
      • the first 180 days after the Order for the initial Assessment; and
      • each 2-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.
    • each Assessment must
      • determine whether there has been implementation and maintenance of the Information Security Program 
      • assess the effectiveness of the implementation and maintenance of the Program
      • identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program;
      • address the status of gaps or weaknesses in, or instances of material non-compliance with, the Information Security Program
      • identify specific evidence examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is appropriate and sufficient to justify the Assessor’s findings.
  • one year after the issuance date of this Order, and each year thereafter, provide the FTC with a certification from a senior corporate manager that CafePress:
    • has established, implemented, and maintained the requirements of this Order;
    • is not aware of any material noncompliance that has not been corrected or disclosed
  • pay $500,000 to the FTC
  • must create and retain the following records:
    • accounting records showing the revenues from all goods or services sold;
    • personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses;telephone numbers; job title or position; dates of service; and (if applicable) the reasonfor termination;
    • copies or records of all consumer complaints and refund requests, whether received directly or indirectly, such as through a third party, and any response;
    • a copy of each unique advertisement or other marketing material making a representation subject to this Order;
    • for 5 years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment including all plans, reports, studies, reviews, audits, audit trails, policies,training materials, and assessments, and any other materials for the compliance period covered by the Assessment.
    • for 5 years from the date received, copies of all subpoenas and other communications with law enforcement, if such subpoena or other communication relate to compliance with this Order.
    • for 5 years from the date created or received, all records that demonstrate non-compliance or tend to show any lack of compliance
    • all records necessary to demonstrate full compliance with each provision of this Order,including all submissions to the Commission.

Swingeing 20 year compliance obligations are foreign to the Australian regulators.  Unfortunately.  Enforceable undertakings in Australia are much more constrained. 

The inevitable side effect of the orders is the media coverage with associated reputational damage such as CafePress fined $500,000 for breach affecting 23 million users, CafePress Fined $500,000 After Massive Data Breach and FTC finalizes order over CafePress security issues, to name but a few stories. 


Leave a Reply