FTC Hits CafePress for Covering Up Data Breach, Lax Security
June 27, 2022
CafePress Must Bolster Data Security Protections, Pay Half a Million Dollars
The FTC alleged CafePress:
Retained the data longer than was necessary;
Failed to apply readily available protections against well-known threats and adequately respond to security incidents; and
Covered up a major data breach resulting from its shoddy security practices.
Under the order finalized by the Commission, Residual Pumpkin and PlanetArt must implement comprehensive information security programs that require them, among other things, to:
Minimize the amount of data they collect and retain;
Encrypt Social Security numbers; and
Have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.
In addition, Residual Pumpkin must pay $500,000, which will be used to provide redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of the data breaches and provide specific information about how consumers can protect themselves.