The operator of CafePress, an online retailer that sells customizable mugs and other products, has reached an agreement with New York State Attorney General Letitia James and six other State Attorneys Generals to settle claims related to a 2019 data breach.  The breach stemmed from a cyberattack that the company suffered in early 2019. Upon learning of the attack, the company engaged a third-party investigation firm that identified a vulnerability in the company’s Structured Language Query (SQL) protocols. As a result, CafePress looked at its database and two weeks of logs but did not find evidence of any data breach.  Regardless, CafePress released a security patch to fix the vulnerability and automatically reset the passwords of all customer accounts, requiring all users to reset their passwords upon logging in.

Several months later the website “Have I Been Pwned,” a site that lets people see if their personal information has been compromised online, added the email addresses associated with the CafePress customers compromised by the breach to its website.  At that point, according to the settlement, CafePress launched a full-scale investigation into the matter. It found that customer information was available for sale on the dark web. In the end, the company determined that as many as 22 million customer accounts, including consumer names, email addresses, passwords, physical addresses and phone numbers as well as 186,179 social security and/or tax identification numbers had been impacted.  Although CafePress notified those impacted and offered two years of credit monitoring and theft resolution services to customers whose social security numbers were compromised by the breach, Attorney General James was concerned both that CafePress failed to provide sufficient protection for its customers’ personal information and also that CafePress failed to notify their customers of the data breach promptly.  The other states in the coalition led by Attorney General James were Connecticut, Indiana, Kentucky, Michigan, New Jersey, and Oregon.

The multi-state settlement agreement announced on December 18, 2020 requires CafePress to make a $2 million payment to the multi-state coalition, $750,000 of which will be divided among the states affected, and the remainder of which will be held in a suspended account. PlanetArt, LLC, the company who purchased substantially all of CafePress’s assets, has agreed to all provisions of the settlement. As part of the settlement, the company has also agreed to several specific data security steps it will take moving forward. Namely, that it will:

  • create and update a comprehensive information security program to keep pace with technological improvements and security threats, and report security risks to the company’s CEO;
  • design and implement an incident response and data breach notification plan to address threat preparation, detection and anaFlysis, eradication, and recovery, which plan requires investigation of incidents that are suspected to be security events;
  • ensure that personal information safeguards and controls are in place, including encryption, segmentation, penetration testing, logging and monitoring, and risk assessment, password management and data minimization plans;
  • Provide clear notice to consumers regarding account closure and data deletion; and
  • Ensure that third-party security assessments occur for the next five years.

Putting it Into Practice: This settlement serves as a reminder that state regulators expect companies not only to provide appropriate protection to data they hold, but also to appropriately investigate cyber-attacks and other suspected security incidents.