Hidden privacy lessons in the FTC’s CafePress security enforcement

Cobun Zweifel-Keegan writes:

In its most recent cybersecurity enforcement decision, the U.S. Federal Trade Commission announced a draft settlement agreement with the current and former operators of the customized merchandise website CafePress.com. Although the unanimous consent order focuses primarily on the company’s lax security practices, which allegedly led to multiple data breaches, there are also a few data privacy claims that are worthy of attention, not least because they could signal how the FTC will approach privacy actions in the coming months and years.

Cobun then lists some of the salient security take-homes from the FTC action and what they might signal going forward.

Read his column on IAPP.

And may I take this opportunity to point out that one of the things FTC faulted CafePress for was that no process was in place for receiving and addressing security vulnerability reports from outside parties.

How many times have I and others lamented the failure of entities to post contact info for those wishing to report a vulnerability or a breach?  And even with this enforcement action, I bet we still won’t see the majority of entities posting such information on their websites.  Maybe if FTC does another 20 or so of these, this will begin to have an impact?


About the author: Dissent

Comments are closed.