[BreachExchange] New York and Others Settle with CafePress Over 2019 Data Breach

Destry Winant destry at riskbasedsecurity.com
Tue Jan 19 10:46:32 EST 2021


https://www.natlawreview.com/article/new-york-and-others-settle-cafepress-over-2019-data-breach

The operator of CafePress, an online retailer that sells customizable
mugs and other products, has reached an agreement with New York State
Attorney General Letitia James and six other state Attorneys General
to settle claims related to a 2019 data breach. The breach stemmed
from a cyberattack that the company suffered in early 2019. Upon
learning of the attack, the company engaged a third-party
investigation firm that identified a vulnerability in the company's
Structured Query Language (SQL) protocols. As a result, CafePress
looked at its database and two weeks of logs but did not find evidence
of any data breach. Regardless, CafePress released a security patch
to fix the vulnerability and automatically reset the passwords of all
customer accounts, requiring all users to reset their passwords upon
logging in.

Several months later the website "Have I Been Pwned," a site that lets
people see if their personal information has been compromised online,
added the email addresses of the CafePress customers
compromised by the breach to its database. At that point, according to
the settlement, CafePress launched a full-scale investigation into the
matter. It found that customer information was available for sale on
the dark web. In the end, the company determined that as many as 22
million customer accounts, including consumer names, email addresses,
passwords, physical addresses and phone numbers, as well as 186,179
social security and/or tax identification numbers, had been impacted.
Although CafePress notified those impacted and offered two years of
credit monitoring and theft resolution services to customers whose
social security numbers were compromised by the breach, Attorney
General James was concerned both that CafePress failed to provide
sufficient protection for its customers' personal information and
that CafePress failed to notify its customers of the data breach
promptly. The other states in the coalition led by Attorney General
James were Connecticut, Indiana, Kentucky, Michigan, New Jersey, and
Oregon.

The multi-state settlement agreement announced on December 18, 2020
requires CafePress to make a $2 million payment to the multi-state
coalition, $750,000 of which will be divided among the states
affected, and the remainder of which will be held in a suspended
account. PlanetArt, LLC, the company that purchased substantially all
of CafePress's assets, has agreed to all provisions of the settlement.
As part of the settlement, the company has also agreed to several
specific data security steps it will take moving forward. Namely, it
will:

- create and update a comprehensive information security program to
keep pace with technological improvements and security threats, and
report security risks to the company's CEO;
- design and implement an incident response and data breach
notification plan to address threat preparation, detection and
analysis, eradication, and recovery, a plan that requires
investigation of incidents that are suspected to be security events;
- ensure that personal information safeguards and controls are in
place, including encryption, segmentation, penetration testing,
logging and monitoring, and risk assessment, password management and
data minimization plans;
- provide clear notice to consumers regarding account closure and data
deletion; and
- ensure that third-party security assessments occur for the next five years.

Putting it Into Practice: This settlement serves as a reminder that
state regulators expect companies not only to provide appropriate
protection to data they hold, but also to appropriately investigate
cyber-attacks and other suspected security incidents.
