CafePress Settles Multistate Probe over 2019 Data Breach

  • A bipartisan group of seven AGs, including Connecticut AG William Tong and New York AG Letitia James, reached a settlement with CafePress, Inc. (“CafePress”), an online retailer of personalized apparel and other items, to resolve allegations that it failed to protect the personal information of 22 million consumers in a 2019 data breach in violation of the states’ respective consumer protection laws.
  • According to the New York AG’s office, in February 2019, a hacker accessed CafePress’s network and obtained customer and seller information, including names, email addresses, passwords, physical addresses, and phone numbers, and in some instances, Social Security or tax identification numbers. CafePress became aware of a security flaw in its network after the hack and applied a patch to fix it, but it did not investigate the possibility of an intrusion and did not notify customers of the breach until six months after the hack took place.
  • Under the terms of the assurance of voluntary compliance, CafePress agreed to pay a total of $2 million to the states, of which $750,000 will be paid immediately and the remainder will be suspended pending CafePress’s compliance with the other provisions of the agreement. Those provisions include taking steps to better protect consumer information, including creating a comprehensive security program and an incident response and data breach notification plan; adding safeguards and controls, including encryption, segmentation, logging and monitoring, and data minimization; and third-party security assessments. Since the agreement was reached, substantially all of CafePress’s assets were bought by PlanetArt, LLC, which agreed to abide by the provisions of the agreement.