The FTC/CafePress Settlement as Guidance for Businesses
The framework provided in the CafePress settlement emphasizes that accuracy and honesty are the best policy when it comes to data security and privacy.
May 06, 2022 at 02:10 PM
On March 15, 2022, the Federal Trade Commission (FTC) announced a proposed settlement with online sales platform, CafePress, concerning its handling and "cover-up" of a 2019 data breach incident. As part of the process, the FTC evaluated CafePress' data security and privacy policies and practices, which the FTC criticized as inadequate and misleading. FTC Takes Action Against CafePress for Data Breach Cover Up (March 15, 2022) (Settlement). The Settlement, which imposes a litany of security and privacy requirements on CafePress, provides guidance to all businesses about data security and privacy best practices and how to respond when, despite those efforts, a data breach incident occurs. See, e.g., Lesley Fair, Data breach prevention and response: Lessons from the CafePress case (March 15, 2022). It serves as an important reminder that any business that overstates or inaccurately describes its security and privacy practices, fails to update its technology, or does not provide prompt notice when a data breach occurs may be charged with an "unfair or deceptive" act in violation of §5(a) of the Federal Trade Commission Act (15 U.S.C. 45).
The FTC Complaint and Settlement
It is alleged that in February 2019 hackers exploited multiple security failures by CafePress to obtain sensitive consumer information, including millions of names, physical and email addresses, and security questions, 180,000 unencrypted Social Security numbers, and tens of thousands of unencrypted payment cards' last four digits and expiration dates. The stolen information was later found for sale on the dark web. The Complaint alleged that a month after receiving notice about the hack, CafePress patched the vulnerability the hackers exploited, but did not notify affected consumers. Instead, CafePress recommended that its customers reset their passwords as part of an alleged update to its password policy. It was not until September 2019 that CafePress notified the affected consumers. Even then, CafePress' security practices did not reduce consumers' risks, such as by allowing its customers to reset their passwords by answering security questions associated with the customer's email address—the same information that the hackers stole.
It is alleged that CafePress was aware of issues concerning its security practices since January 2018, when it learned that shopkeeper accounts had been hacked. CafePress also allegedly knew of several malware infections on its network, but never investigated those attacks prior to the February 2019 data breach. The Complaint alleged that CafePress violated §5(a) in its handling of the breach and in its misleading policy statements regarding its data security and privacy practices.