The Federal Trade Commission (“FTC”) announced this afternoon a lawsuit against the former and current owners of the online platform CafePress for failing to implement adequate cybersecurity and for covering up a 2019 data breach. This development underscores that data privacy remains an FTC priority and that all businesses are required to take cybersecurity seriously and respond quickly to a cyberattack.
As CPW previously covered, in February 2019, CafePress’ online databases were breached, exposing data associated with a total of 23,205,290 user accounts (the “2019 Data Event”). The compromised data allegedly included users’ email addresses, passwords, names, addresses, phone numbers, the last four digits of customers’ credit card numbers, credit card expiration dates, and Social Security numbers.
Today, the FTC announced that it has reached a potential resolution with the former and current owners of CafePress regarding allegations that the company failed to secure consumers’ sensitive personal data and covered up the 2019 Data Event. The FTC’s complaint alleged that CafePress had not implemented reasonable security measures to protect sensitive information stored on its network, including plaintext Social Security numbers, insufficiently encrypted passwords, and answers to password reset questions.
Specifically, the FTC investigation found that prior to the 2019 Data Event, CafePress determined that certain merchant accounts on its online platform had been hacked and shut down those accounts, charging the victims of the hack a $25 account closure fee. The FTC also determined that prior to the 2019 Data Event, CafePress “experienced multiple malware infections on its network . . . but did not investigate the source of these attacks.”
To compound these missteps, the FTC press release accompanying the complaint revealed that:
[A] hacker exploited the company’s security vulnerabilities in February 2019 to gain access to millions of email addresses and passwords with weak encryption; millions of names, physical addresses and unencrypted security questions and answers; more than 180,000 unencrypted social security numbers; and tens of thousands of partial payment card numbers and expiration dates. . . . [A month after learning of the 2019 Data Event] CafePress patched the vulnerability but failed to properly investigate the breach for several months . . . [and] only told customers to reset their passwords as part of an update to its password policy.
According to the FTC complaint, in April 2019 a foreign government notified CafePress that a hacker had illegally obtained CafePress customer account information and urged the company to inform affected customers. Even so, CafePress did not publicly disclose the 2019 Data Event until September 2019 (and only after it was reported in the news).
In addition to challenging CafePress’ cybersecurity, the FTC’s complaint also challenges CafePress’ handling of customer information. Specifically, the FTC alleged that CafePress “misled users by using consumers’ email addresses for marketing purposes despite its promises that this information would only be used to fulfill orders consumers placed” – an unfair and deceptive practice under Section 5 of the FTC Act.
As part of resolving these issues with the FTC, the current and former owners of CafePress have agreed to pay $500,000 to those affected by the 2019 Data Event. CafePress has also committed to an information security program designed to address the deficiencies that led to the 2019 Data Event and prior incidents. This would include, but not be limited to, replacing security questions with multi-factor authentication methods; minimizing the amount of data CafePress collects and retains; and encrypting Social Security numbers.
This case is the latest warning that the federal government will closely examine a company’s response to a data breach or data event and hold it (and potentially its officers and management) accountable for not acting appropriately. For more, stay tuned. CPW will be there to keep you informed.
© Copyright 2022 Squire Patton Boggs (USA) LLP. National Law Review, Volume XII, Number 74