In the latest of a flurry of FTC actions, the agency recently announced that it had entered into a consent order with CafePress, an online customized merchandise platform, over allegations that it failed to secure consumers’ sensitive personal data, covered up a data breach, and failed to abide by its own representations related to how it uses and discloses consumer data.¹ Both the current owner of CafePress and the company that sold CafePress in 2020 faced ramifications as a result of these allegations, including being required to develop written information security plans that addressed the underlying issues related to the security vulnerabilities identified by the FTC in its complaint. 

This decision highlights a number of key issues businesses should be paying attention to for FTC enforcement. First and foremost, data security continues to remain an area of priority for the agency. Businesses should implement appropriate safeguards to protect the information they process and should pay particular attention to any representations they have made. This settlement also emphasizes the need for businesses to conduct proper due diligence on privacy and security matters in relation to any merger or acquisition they may engage in. Finally, even though Privacy Shield has been deemed an improper transfer mechanism by EU courts, the FTC will continue to pay attention to representations that companies have made in the past regarding their Privacy Shield compliance.

Background of CafePress Settlement

According to the FTC’s Administrative Complaint, a hacker gained access to millions of email addresses and passwords as well as unencrypted names, physical addresses, and security questions and answers in February 2019.  The complaint alleged that the hacker gained accessed to more than 180,000 unencrypted Social Security numbers and tens of thousands of partial payment card numbers and expiration dates. The complaint alleged that CafePress failed to properly investigate the breach for several months, despite being notified that it had a security vulnerability and that hackers had obtained consumer data.  The complaint also alleged that CafePress did not inform impacted customers until September 2019—one month after the breach was reported widely.

Specific Allegations Against CafePress

The FTC claimed that CafePress violated both the unfair and deceptive prongs of the FTC Act. 

• Deceptive Misrepresentations: On deception, the Complaint alleged that the company deceived consumers by misrepresented that it had reasonable security controls to protect personal information against unauthorized access when this was not true. For example, the Company stated on its checkout pages, “Safe and Secure shopping. Guaranteed,” and stated on its privacy policy that “Your privacy and trust are important to us.” The Complaint alleged this was untrue because the company, among others, stored personal information such as Social Security numbers and security questions and answers in clear, readable text, and failed to implement reasonable measures to protect passwords such as using SHA-1 hashing algorithms. The Complaint also alleged that the company created unnecessary risks to personal information by storing it indefinitely on its network without a business need.
• Unfair Data Security Practices: On unfairness, the complaint alleged that the company’s failure to employ reasonable security measures to protect personal information caused, or is likely to cause, substantial injury to consumers, not outweighed by the countervailing benefits to consumers and not reasonably avoidable by consumers themselves. Notably, the FTC pointed to the fact that the company failed to implement standard security protocols such as regular penetration testing, data logging, and patch management policies and procedures, among others. In the FTC’s press release, Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, specifically pointed to the company’s failure to institute specific controls, like multi-factor authentication.

In addition, the FTC also alleged that the Company engaged in deceptive conduct related to its privacy practices.  

• Misrepresentation Relating to Privacy Shield Frameworks: The FTC alleged that CafePress represented that they honored requests of the EEA and Swiss privacy shields to erase data and restrict use of personal data for direct marketing but failed to honor those requests.
• Data Collection and Use Misrepresentation: The FTC also alleged that the company misrepresented its data collection and use practices. The complaint specifically cited the company’s use of a checkbox to obtain consumer consent to receive marketing emails.

According to the complaint, the company would send users marketing emails when they provided their email addresses even if they left the checkbox unchecked.

CafePress Penalties

Per the consent order, Residual Pumpkin Entity, LLC, the former owner of CafePress, will pay $500,000 in redress to victims of the data breaches. PlanetArt, the current owner of CafePress, will be required to notify impacted consumers and provide specific information about how consumers can protect themselves. Residual Pumpkin and PlanetArt will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure. Additionally, both companies will be required to implement comprehensive information security programs that address the underlying issues leading to the data breach. This includes data minimization efforts and encrypting Social Security numbers.

Ramifications for Future FTC Decisions

The FTC’s action here is just the latest in a string of recent actions by the Commission in the data privacy and security space.  For example, the FTC brought action against MoviePass over an alleged deceptive failure to maintain reasonable measure to protect consumer data, in June 2021, as we wrote about here.  More recently, in December 2021, the FTC brought an action against Ascension Data & Analytics, LLC to resolve the FTC’ allegations that Ascension failed to ensure one of its vendors was adequately securing personal data about tens of thousands of mortgage holders.

Companies that collect and store personal information of consumers should be sure to check their information security policies and procedures to ensure that it maintains best practices to protect personal information.  For example, the FTC’s complaint in CafePress cited the use of the safeguards set forth by National Institute of Standards and Technology, known as NIST, as a best practice tool to protect consumer personal information. Companies should compare their security practices to these standards, as well as past FTC decisions, to ensure that they are up to date on what the agency requires.