FTC Reminds CafePress That There Are Consequences for Data Breach (In)actions

The Federal Trade Commission (FTC) accepted a proposed consent agreement earlier this week that includes payment of $500,000 for consumer redress from CafePress, an online platform allowing consumers to purchase customized merchandise from other consumers or “shopkeepers”, arising from CafePress’s alleged failures to prevent, report, investigate, and remedy multiple data breaches.

The Allegations in the Complaint

The FTC’s complaint asserts that the former owner of CafePress, Residual Pumpkin Entity, LLC, and its current owner, PlanetArt, LLC, maintained substandard security practices and failed to adequately protect consumer data, despite deceptively representing that its websites incorporated adequate safeguards to keep consumer’s confidential information “safe and secure.” Those failures were exploited by a hacker in February 2019, who ultimately accessed more than twenty million unencrypted email addresses and encrypted passwords, millions of unencrypted Social Security numbers, and the unencrypted last four digits and expiration dates for tens of thousands of credit cards.

According to the FTC, upon learning of the data breach the following month Residual Pumpkin confirmed the vulnerability, issued a patch to remediate it, and even investigated a spike in suspected fraudulent orders and concluded the orders were related to stolen credit cards, but did not otherwise report the breach or further safeguard its systems. Residual Pumpkin also did not send out breach notifications to government agencies and affected consumers, nor did it post a notice of the breach on the CafePress website until September 2019. Instead, it simply sent out a notice to users in April 2019 to reset their passwords as part of an update to its privacy policy. The FTC further alleges that Residual Pumpkin falsely told consumers, law enforcement, and regulators that the April 2019 password reset effectively blocked the passwords from subsequent unauthorized use, when in reality Residual Pumpkin continued to allow passwords to be reset by answering a security question associated with an email address – information that was stolen in the breach – such that consumer information still remained vulnerable through November 2019.

Importantly, the February 2019 data breach was not the only security incident experienced by CafePress. Residual Pumpkin was allegedly aware of prior incidents where shopkeeper accounts were hacked, discovered a number of malware infections in May 2018, and in August 2018 learned that a slew of successful phishing attempts on an employee resulted in multiple security breaches. Despite knowledge of these incidents, Residual Pumpkin failed to take reasonable steps to detect, remediate, and prevent similar incidents from occurring.

The Proposed Consent Agreement

As part of the proposed settlement, Residual Pumpkin agreed to pay $500,000 in redress to victims. CafePress will also be required to implement comprehensive information security programs, have a third party assess those programs, and provide the FTC with a redacted copy of that assessment that is suitable for public disclosure. PlanetArt, LLC, the current owner of CafePress, will also be required to notify consumers whose personal information was accessed during the data breaches and provide those consumers with specific information about how they can protect themselves.

Lessons Learned from the Consequences of CafePress’s (In)actions

The FTC’s investigation, complaint, and proposed consent agreement with CafePress serve as an important reminder how one – or worse, a series – of inactions within a cybersecurity program can put the sensitive personal data of millions of consumers at risk. More importantly, the FTC takes the consequences of those inactions seriously, especially where those consequences could have and should have been avoided.

Having a comprehensive information security program in place – and tested – is an important first step in preventing data breaches and other cybersecurity incidents from occurring. Such a program should include an incident response plan in the event that a data breach occurs so that the appropriate regulators, government agencies, and affected individuals are timely and properly notified. All 50 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have data breach notification laws, and organizations must follow the law in each state where affected individuals are located, regardless of the location of the organization. Foley maintains a summary of applicable laws here.

Setting aside that the FTC’s proposed consent agreement with CafePress underscores the potential consequences of covering up a data breach, organizations should be proactive in investigating, responding to, and reporting such incidents in accordance with state, federal, and international laws, as well as timely disclosing breaches to affected consumers. A failure to do so may not only result in penalties with the FTC, but also expose an organization to litigation. For example, a failure to provide proper notification to affected consumers may be deemed an unfair or deceptive trade practice in violation of Section 5(a) of the FTCA. Although there is no private right on action under Section 5(a), many states have enacted their own “Little FTCAs” or other unfair and deceptive trade practices acts that do allow private individuals to sue, thus opening an organization up to potential civil litigation.

Having a comprehensive information security program in place may help shield an organization who falls victim to a breach from costly litigation. Several states have enacted or are examining safe harbor laws or affirmative defenses that help protect organizations with comprehensive information security programs from data breach litigation. Safe harbor laws provide organizations that are in compliance with certain established cybersecurity frameworks a legal defense to tort claims regarding the adequacy of the organization’s security protocols arising out of a security incident. It is also important to keep in mind that when an entity acquires a company that either a) does not have a cybersecurity program or b) fails to implement one, those failures can serve as a basis to establish a failure to meet industry standards, including claims against the acquiring company. Whether or not there is a safe harbor law in effect, an organization will be best served to handle and potentially defend itself from any resulting data breach litigation by maintaining and monitoring the effectiveness of its security program, and diligently investigating, reporting, and responding to any potential breach.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.