Privacy Plus+

Privacy, Technology and Perspective

FTC Announces Latest Data Security Settlement – CafePress. This week, let’s consider the Federal Trade Commission (FTC) data security settlements with both the current and former owners of CafePress, a U.S. clothing and merchandise retail platform.

The Complaint:  The FTC filed its complaint against both Residual Pumpkin Entity, LLC (the former owner of CafePress), and PlanetArt, LLC (which bought CafePress in 2020), alleging generally that CafePress failed to implement reasonable security measures to protect the personal information of buyers and sellers stored on its network.  A link to the Complaint follows:

https://www.ftc.gov/system/files/ftc_gov/pdf/CafePress-Complaint_0.pdf

In the Complaint, the FTC faulted CafePress specifically for:

·       storing personal information in clear text (even though passwords were encrypted, albeit weakly);

·       making deceptive data security representations in its privacy policy, in emails, and on other portions of its website, which stated, ““Safe and Secure Shopping. Guaranteed;”

·       having deficient data security practices, including:

o    failing to implement readily-available protections against “Structured Query Language” (“SQL”) injections, Cascading Style Sheets (“CSS”) and HTML injections, and cross-site scripting (“XSS”) and cross-site request forgery (“CSRF”) attacks;

o   storing passwords with a hashing algorithm but with no “salt” or other advanced security measures in place;

o   failing to implement a process for receiving and addressing security vulnerability reports from third parties, like security researchers;

o   failing to implement patch management policies;

o   failing to require strong passwords or otherwise establish or enforce rules sufficient to make user credentials (such as username and password) hard to guess; and

o   failing to implement reasonable procedures to prevent, detect, investigate, and respond to security incidents; and

·       Delaying notification to consumers after a hacker accessed millions of unencrypted email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates.

The Settlement:  In announcing the settlement, the FTC highlighted what it called the “shoddy security practices” described in the Complaint, as well as CafePress’s awareness of the “problems with its data security prior to the 2019 data breach.”  In addition to these security failures, the FTC focused on how CafePress “misled users.” To read the announcement about the FTC taking action against Cafepress for its “Data Breach Cover Up”, click on the following link:

https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover.

Links to settlement agreements, which, among other things, contain helpful information about what constitutes a sufficient information security program, at least in the FTC’s view, follow:

https://www.ftc.gov/system/files/ftc_gov/pdf/Residual%20Pumpkin%20Agreement%20Containing%20Consent%20Order.pdf

https://www.ftc.gov/system/files/ftc_gov/pdf/PlanetArt%20Agreement%20to%20Containing%20Consent%20Order_0.pdf

Under the terms of the settlement, both the former and current owners of CafePress are generally prohibited from making further misrepresentations about privacy and security, and are required to implement a comprehensive information security program, subject to independent third-party assessments, annual certifications of compliance, and mandatory reporting of security incidents.  In addition, the FTC has fined the CafePress owners $500,000.

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.