October 5, 2022

Volume XII, Number 278


October 04, 2022

Subscribe to Latest Legal News and Analysis

October 03, 2022

Subscribe to Latest Legal News and Analysis

New York and Others Settle with CafePress Over 2019 Data Breach

The operator of CafePress, an online retailer that sells customizable mugs and other products, has reached an agreement with New York State Attorney General Letitia James and six other State Attorneys Generals to settle claims related to a 2019 data breach.  The breach stemmed from a cyberattack that the company suffered in early 2019. Upon learning of the attack, the company engaged a third-party investigation firm that identified a vulnerability in the company’s Structured Language Query (SQL) protocols. As a result, CafePress looked at its database and two weeks of logs but did not find evidence of any data breach.  Regardless, CafePress released a security patch to fix the vulnerability and automatically reset the passwords of all customer accounts, requiring all users to reset their passwords upon logging in.

Several months later the website “Have I Been Pwned,” a site that lets people see if their personal information has been compromised online, added the email addresses associated with the CafePress customers compromised by the breach to its website.  At that point, according to the settlement, CafePress launched a full-scale investigation into the matter. It found that customer information was available for sale on the dark web. In the end, the company determined that as many as 22 million customer accounts, including consumer names, email addresses, passwords, physical addresses and phone numbers as well as 186,179 social security and/or tax identification numbers had been impacted.  Although CafePress notified those impacted and offered two years of credit monitoring and theft resolution services to customers whose social security numbers were compromised by the breach, Attorney General James was concerned both that CafePress failed to provide sufficient protection for its customers’ personal information and also that CafePress failed to notify their customers of the data breach promptly.  The other states in the coalition led by Attorney General James were ConnecticutIndianaKentuckyMichiganNew Jersey, and Oregon.

The multi-state settlement agreement announced on December 18, 2020 requires CafePress to make a $2 million payment to the multi-state coalition, $750,000 of which will be divided among the states affected, and the remainder of which will be held in a suspended account. PlanetArt, LLC, the company who purchased substantially all of CafePress’s assets, has agreed to all provisions of the settlement. As part of the settlement, the company has also agreed to several specific data security steps it will take moving forward. Namely, that it will:

  • create and update a comprehensive information security program to keep pace with technological improvements and security threats, and report security risks to the company’s CEO;
  • design and implement an incident response and data breach notification plan to address threat preparation, detection and anaFlysis, eradication, and recovery, which plan requires investigation of incidents that are suspected to be security events;
  • ensure that personal information safeguards and controls are in place, including encryption, segmentation, penetration testing, logging and monitoring, and risk assessment, password management and data minimization plans;
  • Provide clear notice to consumers regarding account closure and data deletion; and
  • Ensure that third-party security assessments occur for the next five years.

Putting it Into Practice: This settlement serves as a reminder that state regulators expect companies not only to provide appropriate protection to data they hold, but also to appropriately investigate cyber-attacks and other suspected security incidents.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume XI, Number 12

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

James Fazio Intellectual Property Attorney Sheppard Mullin Law Firm
Special Counsel

James Fazio is special counsel in the Intellectual Property Practice Group in the firm's San Diego (Del Mar) office.

Areas of Practice

James focuses on intellectual property and business litigation. He represents public and private companies in disputes such as those involving patent and trademark infringement, theft of trade secrets, fraud, breach of contract, unfair competition, false advertising and various business tort claims. James has more than 24 years of litigation experience and was selected by his peers among the top ten intellectual property...