The Federal Trade Commission has reached a settlement in the matter of CafePress.

Here are some things you should know:

Data minimization:

• Storing information indefinitely on your network without a business need creates an unnecessary risk. (Hello, data minimization as an FTC Art 5 cause of action and a nice tie-in with data minimization as legal requirements under CPRA, CDPA and CPA.)

M&A:

• If you are acquiring a company, check its information security, privacy reps and how it has handled incidents in the past or you may be left with the liability.

Transparency:

• If you have a data breach, don't cover it up and don't lie about it by telling consumers to refresh their passwords only because you have updated your password policy.
• If you say that you are using information (like email addresses) for order notifications and receipts only, you cannot use them to send marketing emails.
• If you provide a check box to check for email marketing, you cannot send marketing emails if it is unchecked.
• Be wary of using the following expressions in your privacy disclosure, they may come back to haunt you: "We value the trust you place in us," "Your privacy and trust are important to us," "Safe and Secure Shopping. Guaranteed," "We pledge to use the best and most accepted methods and technologies to ensure your personal information is safe and secure," "Our servers are secure and your personal information is stored safely in our system."

Privacy Shield:

• Even though it no longer operates for cross border transfer, EU-US Privacy Shield certified companies must abide by its principles including: Choice (giving the opportunity to opt out); security (reasonable protection) and access (ability to access amend or delete data). Failure to do this is enforceable by the FTC.
• If you say that you will delete information pursuant to requests from EEA individuals, you have to do it (and if you don't, it will get found out if you have a data breach.)

Information Security Specifics:

• Don't store in cleartext personal information that includes answers to security questions, PayPal address, last four digits and expiration dates of credit cards and SSNs or Tax IDs of shopkeepers.
• Encrypt your data using secure algorithms (SHA-1 hashing is not enough) and salt them.
• You must have a process for receiving and addressing security vulnerability reports from third-party researchers, academics or other members of the public.
• You must implement patch management policies and procedures to ensure the timely remediation of critical security vulnerabilities.
• Only use updated and patched versions of database and web server software.
• Establish and enforce rules sufficient to make user credentials (such as username and password) hard to guess.
• Implement reasonable procedures to prevent, detect, or investigate an intrusion (e.g.: maintain logs; properly configure vulnerability testing and scope penetration testing; comply with your own written security policies).
• Implement a process to reasonably respond to security incidents.

The Company is required to:

• Refrain from misrepresentations.
• Implement a comprehensive information security program.
• Designate a person to be in charge of it.
• Institute sufficient safeguards. These specifically include:

(1) data minimization at collection, retention limitation and deletion.

(2) encryption of SSNs.

(3) Data access controls.

(4) not using security question and instead - using authentication, preferably through authentication services.

(5) employee training.

• Select only appropriate service providers.
• Reassess your measures periodically and after an incident.
• Acquire biennial reviews from a third-party assessor.
• Undergo checks by a third-party information security assessor.
• Undergo annual certification.
• Report data incidents to the FTC.
• $500,000 payment to the FTC.

[View source.]