FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security | Federal Trade Commission
FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security
CafePress Must Bolster Data Security Protections, Pay Half a Million Dollars
June 24, 2022
Tags: Consumer Protection Regional Offices Southwest Region Bureau of Consumer Protection Privacy and Security Consumer Privacy Data Security Privacy Shield
The Federal Trade Commission finalized an order against CafePress over allegations that it failed to secure consumers’ sensitive personal data including Social Security numbers and covered up a major data breach. The Commission’s order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.
In a complaint, first announced in March 2022, filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that the online customized merchandise platform failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network and failed to adequately respond to several security breaches. The FTC alleged CafePress:
Stored Social Security numbers and password reset answers in clear, readable text;
Retained the data longer than was necessary;
Failed to apply readily available protections against well-known threats and adequately respond to security incidents; and
Covered up a major data breach resulting from its shoddy security practices.
Under the order finalized by the Commission, Residual Pumpkin and PlanetArt must implement comprehensive information security programs that require them, among other things, to:
Replace inadequate authentication measures with multifactor authentication methods;
Minimize the amount of data they collect and retain:
Encrypt Social Security numbers; and
Have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.
In addition, Residual Pumpkin must pay $500,000, which will be used to provide redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of the data breaches and provide specific information about how consumers can protect themselves.
After receiving three comments, the Commission voted 5-0 to finalize the orders with Residual Pumpkin and PlanetArt and send responses to the commenters.
The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.
CafePress Must Bolster Data Security Protections, Pay Half a Million Dollars
June 24, 2022
Tags: Consumer Protection Regional Offices Southwest Region Bureau of Consumer Protection Privacy and Security Consumer Privacy Data Security Privacy Shield
The Federal Trade Commission finalized an order against CafePress over allegations that it failed to secure consumers’ sensitive personal data including Social Security numbers and covered up a major data breach. The Commission’s order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.
In a complaint, first announced in March 2022, filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that the online customized merchandise platform failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network and failed to adequately respond to several security breaches. The FTC alleged CafePress:
Stored Social Security numbers and password reset answers in clear, readable text;
Retained the data longer than was necessary;
Failed to apply readily available protections against well-known threats and adequately respond to security incidents; and
Covered up a major data breach resulting from its shoddy security practices.
Under the order finalized by the Commission, Residual Pumpkin and PlanetArt must implement comprehensive information security programs that require them, among other things, to:
Replace inadequate authentication measures with multifactor authentication methods;
Minimize the amount of data they collect and retain:
Encrypt Social Security numbers; and
Have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.
In addition, Residual Pumpkin must pay $500,000, which will be used to provide redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of the data breaches and provide specific information about how consumers can protect themselves.
After receiving three comments, the Commission voted 5-0 to finalize the orders with Residual Pumpkin and PlanetArt and send responses to the commenters.
The Federal Trade Commission works to promote competition and protect and educate consumers. Learn more about consumer topics at consumer.ftc.gov, or report fraud, scams, and bad business practices at ReportFraud.ftc.gov. Follow the FTC on social media, read consumer alerts and the business blog, and sign up to get the latest FTC news and alerts.
