FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security
CafePress Must Bolster Data Security Protections, Pay Half a Million Dollars
The Federal Trade Commission finalized an order against CafePress over allegations that it failed to secure consumers’ sensitive personal data including Social Security numbers and covered up a major data breach. The Commission’s order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.
In a complaint, first announced in March 2022, filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that the online customized merchandise platform failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network and failed to adequately respond to several security breaches. The FTC alleged CafePress:
- Stored Social Security numbers and password reset answers in clear, readable text;
- Retained the data longer than was necessary;
- Failed to apply readily available protections against well-known threats and adequately respond to security incidents; and
- Covered up a major data breach resulting from its shoddy security practices.
Under the order finalized by the Commission, Residual Pumpkin and PlanetArt must implement comprehensive information security programs that require them, among other things, to:
- Replace inadequate authentication measures with multifactor authentication methods;
- Minimize the amount of data they collect and retain:
- Encrypt Social Security numbers; and
- Have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.
In addition, Residual Pumpkin must pay $500,000, which will be used to provide redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of the data breaches and provide specific information about how consumers can protect themselves.
After receiving three comments, the Commission voted 5-0 to finalize the orders with Residual Pumpkin and PlanetArt and send responses to the commenters.