December 1, 2022

Volume XII, Number 335



BREAKING: FTC Discloses Enforcement Action Against Online Platform for Data Breach Cover-Up

The Federal Trade Commission (“FTC”) announced this afternoon an enforcement action against the former and current owners of the online platform CafePress for failing to implement adequate cybersecurity and for covering up a 2019 data breach.  This development underscores that data security remains an FTC priority and that all companies are obligated to take cybersecurity seriously and to respond promptly to a cyberattack.

As CPW previously covered, in February 2019, CafePress’ online databases were hacked, exposing the data associated with a total of 23,205,290 user accounts (the “2019 Data Event”).  The compromised data purportedly included users’ email addresses, passwords, names, addresses, phone numbers, the last four digits of customers’ credit card numbers, credit card expiration dates, and Social Security numbers.

Today the FTC announced that it had reached a proposed resolution with the former and current owners of CafePress concerning allegations that the company failed to secure consumers’ sensitive personal data and covered up the 2019 Data Event.  The FTC’s Complaint in the case “allege[d] that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions.”

Specifically, the FTC’s investigation revealed that prior to the 2019 Data Event, CafePress determined that certain accounts of shopkeepers on its online platform had been hacked and closed those accounts—charging the hack victims a $25 account closure fee.  The FTC also determined that prior to the 2019 Data Event, CafePress “experienced several malware infections to its network . . . but failed to investigate the source of such attacks.”

Compounding these missteps, the FTC press release accompanying the Complaint stated that:

[A] hacker exploited the company’s security failures in February 2019 to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates . . .[a month later after learning of the 2019 Data Event] CafePress patched the vulnerability but failed to properly investigate the breach for several months and . . . only told customers to reset their passwords as part of an update to its password policy.

According to the FTC’s Complaint, this was notwithstanding that in April 2019 a foreign government notified CafePress that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers.  In fact, CafePress did not publicly disclose the 2019 Data Event until September 2019 (and only after it had been reported in the news).

In addition to faulting CafePress’ cybersecurity, the FTC Complaint takes issue with CafePress’ handling of customer information.  Specifically, the FTC alleged that CafePress “misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed”—an unfair and deceptive practice under Section 5 of the FTC Act.

As part of its resolution of these issues with the FTC, the current and former owners of CafePress agreed to pay $500,000 to those impacted by the 2019 Data Event.  CafePress also committed itself to an enhanced information security program designed to address the deficiencies that led to the 2019 Data Event and earlier incidents.  This would include, but not be limited to, replacing security questions with multi-factor authentication methods; minimizing the amount of data CafePress collects and retains; and encrypting Social Security numbers.

This case is the latest cautionary note underscoring that the federal government will closely examine a company’s response to a data breach or data event and hold it (and potentially its officers and directors) accountable for failing to act appropriately.  For more on this, stay tuned.  CPW will be there to keep you in the loop.

© Copyright 2022 Squire Patton Boggs (US) LLP. National Law Review, Volume XII, Number 74

About this Author

Kristin L. Bryan Litigation Attorney Squire Patton Boggs Cleveland, OH & New York, NY
Senior Associate

Kristin Bryan is a litigator experienced in the efficient resolution of contract, commercial and complex business disputes, including multidistrict litigation and putative class actions, in courts nationwide.

She has successfully represented Fortune 15 clients in high-stakes cases involving a wide range of subject matters.

As a natural extension of her experience litigating data privacy disputes, Kristin is also experienced in providing business-oriented privacy advice to a wide range of clients, with a particular focus on companies handling customers’ personal data. In this...

Kyle Dull Data Privacy & Cybersecurity Lawyer Squire Patton Boggs Miami Florida

A former assistant attorney general, Kyle has extensive experience investigating and litigating privacy and advertising law violations. He now draws on that experience to advise clients on their own data privacy, cybersecurity and advertising risks, and is regularly retained by corporations to defend and resolve enforcement actions.

Kyle has a solid understanding of domestic and international privacy laws and counsels digital media companies looking to protect their digital property and avoid potential legal issues by negotiating and drafting licensing, joint venture and data...

+1 305 577 2840