The Federal Trade Commission (“FTC”) announced this afternoon an enforcement action against the former and current owners of the online platform CafePress for failing to implement adequate cybersecurity and for covering up a data breach in 2019.  This development underscores that data privacy remains an FTC priority and that all companies are obligated to take cybersecurity seriously and to respond promptly to a cyberattack.

As CPW previously covered, in February 2019, CafePress’ online databases were hacked, exposing the data associated with a total of 23,205,290 user accounts (the “2019 Data Event”).  The compromised data purportedly included users’ email addresses, passwords, names, addresses, phone numbers, the last four digits of customers’ credit card numbers, credit card expiration dates, and Social Security numbers.

Today the FTC announced that it had reached a potential resolution with the former and current owners of CafePress concerning allegations that it failed to secure consumers’ sensitive personal data and covered up the 2019 Data Event.  The FTC’s Complaint in the case “allege[d] that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions.”

Specifically, the FTC’s investigation revealed that prior to the 2019 Data Event, CafePress determined that certain accounts of shopkeepers at its online platform had been hacked and closed these accounts—charging the hack victims a $25 account closure fee.  The FTC also determined that prior to the 2019 Data Event, CafePress “experienced several malware infections to its network . . . but failed to investigate the source of such attacks.”

Compounding these missteps, the FTC press release accompanying the Complaint disclosed that:

[A] hacker exploited the company’s security failures in February 2019 to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates . . .[a month later after learning of the 2019 Data Event] CafePress patched the vulnerability but failed to properly investigate the breach for several months and . . . only told customers to reset their passwords as part of an update to its password policy.

According to the FTC’s Complaint, this was notwithstanding that in April 2019 a foreign government notified CafePress that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers.  In fact, CafePress did not publicly disclose the 2019 Data Event until September 2019 (and only after it had been reported in the news).

In addition to faulting CafePress’ cybersecurity, the FTC Complaint takes issue with CafePress’ handling of customer information.  Specifically, the FTC alleged that CafePress “misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed”—an unfair and deceptive practice under Section 5 of the FTC Act.

As part of its resolution of these issues with the FTC, the current and former owners of CafePress agreed to pay $500,000 to those impacted by the 2019 Data Event.  CafePress also committed itself to an enhanced information security program designed to address the deficiencies that led to the 2019 Data Event and earlier incidents.  This would include, but not be limited to, replacing security questions with multi-factor authentication methods; minimizing the amount of data CafePress collects and retains; and encrypting Social Security numbers.

This case is the latest cautionary note underscoring that the federal government will closely examine a company’s response to a data breach or data event and hold it (and potentially its officers and directors) accountable for failing to act appropriately.  For more on this, stay tuned.  CPW will be there to keep you in the loop.