The Federal Trade Commission (FTC) accepted a proposed consent agreement earlier this week that includes payment of $500,000 for consumer redress from CafePress, an online platform allowing consumers to purchase customized merchandise from other consumers or “shopkeepers”, arising from CafePress’s alleged failures to prevent, report, investigate, and remedy multiple data breaches.   

The Allegations in the Complaint

The FTC’s complaint asserts that the former owner of CafePress, Residual Pumpkin Entity, LLC, and its current owner, PlanetArt, LLC, maintained substandard security practices and failed to adequately protect consumer data, despite deceptively representing that its websites incorporated adequate safeguards to keep consumer’s confidential information “safe and secure.” Those failures were exploited by a hacker in February 2019, who ultimately accessed more than twenty million unencrypted email addresses and encrypted passwords, millions of unencrypted Social Security numbers, and the unencrypted last four digits and expiration dates for tens of thousands of credit cards. 

According to the FTC, upon learning of the data breach the following month Residual Pumpkin confirmed the vulnerability, issued a patch to remediate it, and even investigated a spike in suspected fraudulent orders and concluded the orders were related to stolen credit cards, but did not otherwise report the breach or further safeguard its systems. Residual Pumpkin also did not send out breach notifications to government agencies and affected consumers, nor did it post a notice of the breach on the CafePress website until September 2019. Instead, it simply sent out a notice to users in April 2019 to reset their passwords as part of an update to its privacy policy. The FTC further alleges that Residual Pumpkin falsely told consumers, law enforcement, and regulators that the April 2019 password reset effectively blocked the passwords from subsequent unauthorized use, when in reality Residual Pumpkin continued to allow passwords to be reset by answering a security question associated with an email address – information that was stolen in the breach – such that consumer information still remained vulnerable through November 2019.

Importantly, the February 2019 data breach was not the only security incident experienced by CafePress. Residual Pumpkin was allegedly aware of prior incidents where shopkeeper accounts were hacked, discovered a number of malware infections in May 2018, and in August 2018 learned that a slew of successful phishing attempts on an employee resulted in multiple security breaches. Despite knowledge of these incidents, Residual Pumpkin failed to take reasonable steps to detect, remediate, and prevent similar incidents from occurring. 

The Proposed Consent Agreement

As part of the proposed settlement, Residual Pumpkin agreed to pay $500,000 in redress to victims. CafePress will also be required to implement comprehensive information security programs, have a third party assess those programs, and provide the FTC with a redacted copy of that assessment that is suitable for public disclosure. PlanetArt, LLC, the current owner of CafePress, will also be required to notify consumers whose personal information was accessed during the data breaches and provide those consumers with specific information about how they can protect themselves. 

Lessons Learned from the Consequences of CafePress’s (In)actions

The FTC’s investigation, complaint, and proposed consent agreement with CafePress serve as an important reminder how one – or worse, a series – of inactions within a cybersecurity program can put the sensitive personal data of millions of consumers at risk. More importantly, the FTC takes the consequences of those inactions seriously, especially where those consequences could have and should have been avoided. 

Having a comprehensive information security program in place – and tested – is an important first step in preventing data breaches and other cybersecurity incidents from occurring. Such a program should include an incident response plan in the event that a data breach occurs so that the appropriate regulators, government agencies, and affected individuals are timely and properly notified. All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have data breach notification laws, and organizations must follow the law in each state where affected individuals are located, regardless of the location of the organization. Foley maintains a summary of applicable laws here. 

Setting aside that the FTC’s proposed consent agreement with CafePress underscores the potential consequences of covering up a data breach, organizations should be proactive in investigating, responding to, and reporting such incidents in accordance with state, federal, and international laws, as well as timely disclosing breaches to affected consumers. A failure to do so may not only result in penalties with the FTC, but also expose an organization to litigation. For example, a failure to provide proper notification to affected consumers may be deemed an unfair or deceptive trade practice in violation of Section 5(a) of the FTCA. Although there is no private right on action under Section 5(a), many states have enacted their own “Little FTCAs” or other unfair and deceptive trade practices acts that do allow private individuals to sue, thus opening an organization up to potential civil litigation. 

Having a comprehensive information security program in place may help shield an organization who falls victim to a breach from costly litigation. Several states have enacted or are examining safe harbor laws or affirmative defenses that help protect organizations with comprehensive information security programs from data breach litigation. Safe harbor laws provide organizations that are in compliance with certain established cybersecurity frameworks a legal defense to tort claims regarding the adequacy of the organization’s security protocols arising out of a security incident. It is also important to keep in mind that when an entity acquires a company that either a) does not have a cybersecurity program or b) fails to implement one, those failures can serve as a basis to establish a failure to meet industry standards, including claims against the acquiring company. Whether or not there is a safe harbor law in effect, an organization will be best served to handle and potentially defend itself from any resulting data breach litigation by maintaining and monitoring the effectiveness of its security program, and diligently investigating, reporting, and responding to any potential breach.