BREAKING: FTC Discloses Enforcement Action Against Online Platform For Covering Up Data Breach

The Federal Trade Commission (“FTC”) announced this afternoon a lawsuit against the former and current owners of the online platform CafePress for failing to implement adequate cybersecurity and for covering up a 2019 data breach. This development underscores that data privacy remains an FTC priority and that all businesses are required to take cybersecurity seriously and respond quickly to a cyberattack.

As CPW previously covered, in February 2019, CafePress’ online databases were breached, exposing data associated with a total of 23,205,290 user accounts (the “2019 Data Event”). The compromised data allegedly included users’ email addresses, passwords, names, addresses, phone numbers, the last four digits of customers’ credit card numbers, credit card expiration dates, and Social Security numbers.

Today, the FTC announced that it has reached a potential resolution with the former and current owners of CafePress regarding allegations that it failed to secure consumers’ sensitive personal data and covered up the 2019 Data Event. The FTC’s complaint “alleged[d] that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions.”

Specifically, the FTC investigation found that prior to the 2019 Data Event, CafePress determined that certain merchant accounts on its online platform had been hacked and shut down those accounts, charging the victims of the hack a $25 account closure fee. The FTC also determined that prior to the 2019 Data Event, CafePress “experienced multiple malware infections on its network . . . but did not investigate the source of these attacks.”

To compound these missteps, the FTC press release accompanying the complaint revealed that:

[A] hacker exploited the company’s security vulnerabilities in February 2019 to gain access to millions of email addresses and passwords with weak encryption; millions of names, physical addresses and unencrypted security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates . . . [a month later, after learning of the 2019 Data Event,] CafePress patched the vulnerability but failed to properly investigate the breach for several months . . . [and] only told customers to reset their passwords as part of an update to its password policy.

According to the FTC complaint, in April 2019 a foreign government notified CafePress that a hacker had illegally obtained CafePress customer account information and urged the company to inform affected customers. Even so, CafePress did not publicly disclose the 2019 Data Event until September 2019 (and only after it was reported in the news).

In addition to challenging CafePress’ cybersecurity, the FTC’s complaint also challenges CafePress’ handling of customer information. Specifically, the FTC alleged that CafePress “misled users into using consumers’ email addresses for marketing purposes despite its promises that this information would only be used to fulfill orders consumers placed,” an unfair and deceptive practice under Section 5 of the FTC Act.

As part of resolving these issues with the FTC, the current and former owners of CafePress have agreed to pay $500,000 to those affected by the 2019 Data Event. CafePress has also committed to an information security program designed to address the deficiencies that led to the 2019 Data Event and prior incidents. This would include, but not be limited to, replacing security questions with multi-factor authentication methods; minimizing the amount of data CafePress collects and retains; and encrypting Social Security numbers.

This case is the latest warning that the federal government will closely examine a company’s response to a data breach or data event and hold it (and potentially its officers and management) accountable for failing to act appropriately. For more, stay tuned. CPW will be there to keep you informed.

Data privacy will continue to be a priority issue in the second quarter of 2022, as this week’s developments show. Specifically, President Biden’s State of the Union address made explicit reference to concerns about children’s privacy. Also, today the Senate Commerce Committee voted 14 to 14, along party lines, to advance Federal Trade Commission nominee Alvaro Bedoya.

According to the White House press release ahead of President Biden’s State of the Union address, President Biden’s administrative agenda for the year will focus on mental health, particularly that of children and disadvantaged populations. The press release explained that President Biden intended to call for a ban on the excessive collection of data about children and a ban on discriminatory algorithmic decision-making that “limits opportunities for young Americans.” In line with these broader themes, President Biden’s State of the Union address on Tuesday made explicit reference to children’s privacy. President Biden commented that “[i]t’s time to strengthen privacy protections, ban advertising targeted at children, [and] demand that tech companies stop collecting personal data about our children.” He further said that social media platforms must be held accountable for “the nationwide experiment they conduct on our children for profit.”

President Biden previously nominated Alvaro Bedoya, a privacy expert with an interest in surveillance and data security, to fill Commissioner Chopra’s seat. As commissioner, Bedoya’s likely priorities include the FTC’s enforcement of various privacy laws, including the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act, which could have a further impact on disputes brought under these laws. The 14-14 tied vote on Bedoya sets up a complicated path to confirmation in the Senate, which will play out in the coming weeks.