New York and Others Settle with CafePress Over 2019 Data Breach

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP

The operator of CafePress, an online retailer that sells customizable mugs and other products, has reached an agreement with New York State Attorney General Letitia James and six other State Attorneys Generals to settle claims related to a 2019 data breach. The breach stemmed from a cyberattack that the company suffered in early 2019. Upon learning of the attack, the company engaged a third-party investigation firm that identified a vulnerability in the company’s Structured Language Query (SQL) protocols. As a result, CafePress looked at its database and two weeks of logs but did not find evidence of any data breach. Regardless, CafePress released a security patch to fix the vulnerability and automatically reset the passwords of all customer accounts, requiring all users to reset their passwords upon logging in.

Several months later the website “Have I Been Pwned,” a site that lets people see if their personal information has been compromised online, added the email addresses associated with the CafePress customers compromised by the breach to its website. At that point, according to the settlement, CafePress launched a full-scale investigation into the matter. It found that customer information was available for sale on the dark web. In the end, the company determined that as many as 22 million customer accounts, including consumer names, email addresses, passwords, physical addresses and phone numbers as well as 186,179 social security and/or tax identification numbers had been impacted. Although CafePress notified those impacted and offered two years of credit monitoring and theft resolution services to customers whose social security numbers were compromised by the breach, Attorney General James was concerned both that CafePress failed to provide sufficient protection for its customers’ personal information and also that CafePress failed to notify their customers of the data breach promptly. The other states in the coalition led by Attorney General James were Connecticut, Indiana, Kentucky, Michigan, New Jersey, and Oregon.

The multi-state settlement agreement announced on December 18, 2020 requires CafePress to make a $2 million payment to the multi-state coalition, $750,000 of which will be divided among the states affected, and the remainder of which will be held in a suspended account. PlanetArt, LLC, the company who purchased substantially all of CafePress’s assets, has agreed to all provisions of the settlement. As part of the settlement, the company has also agreed to several specific data security steps it will take moving forward. Namely, that it will:

  • create and update a comprehensive information security program to keep pace with technological improvements and security threats, and report security risks to the company’s CEO;
  • design and implement an incident response and data breach notification plan to address threat preparation, detection and anaFlysis, eradication, and recovery, which plan requires investigation of incidents that are suspected to be security events;
  • ensure that personal information safeguards and controls are in place, including encryption, segmentation, penetration testing, logging and monitoring, and risk assessment, password management and data minimization plans;
  • Provide clear notice to consumers regarding account closure and data deletion; and
  • Ensure that third-party security assessments occur for the next five years.

Putting it Into Practice: This settlement serves as a reminder that state regulators expect companies not only to provide appropriate protection to data they hold, but also to appropriately investigate cyber-attacks and other suspected security incidents.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising

Written by:

Sheppard Mullin Richter & Hampton LLP

Sheppard Mullin Richter & Hampton LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.