On March 15, 2022, the Federal Trade Commission (FTC) announced it had filed a complaint against Residual Pumpkin Entity, LLC, formerly doing business as CafePress, and PlanetArt LLC, which bought CafePress in 2020 (collectively, CafePress). The FTC alleged that CafePress, an online platform used by consumers who bought or sold customized t-shirts, mugs, and other merchandise, had, among other things, failed to implement reasonable security measures, and misrepresented that it would use email addresses for order notification and receipt, when in fact it used email addresses for marketing purposes. As part of the proposed settlements with Residual Pumpkin and PlanetArt, each is required, among other things, to implement, annually assess, test, and monitor a comprehensive written information security program. Residual Pumpkin also would be required to pay a $500,000 penalty.
The FTC’s Complaint
The complaint included both security and privacy allegations. With respect to security, according to the FTC’s complaint, CafePress violated Section 5 of the FTC Act by engaging in unfair and deceptive practices by misrepresenting its data security practices, misrepresenting its response to data security incidents, and failing to employ reasonable security measures.1
In describing its security practices, the FTC claimed that CafePress “represented … that [it] implemented reasonable measures to protect Personal Information against unauthorized access.”2 However, CafePress did not have reasonable security measures, as CafePress:
- failed to use readily available protections against well-known vulnerabilities, such as Structured Query Language (SQL) injection, Cascading Style Sheets (CSS) and HTML injection, cross-site scripting (XSS), and cross-site request forgery (CSRF) attacks;
- stored personal information, such as Social Security numbers and security questions and answers, in clear, readable text;
- used the deprecated SHA-1 hashing algorithm to protect passwords and failed to salt passwords;
- failed to implement a third-party vulnerability reporting procedure;
- failed to implement patch management policies and used outdated software versions that no longer received patches;
- did not establish strong password policies;
- stored personal information indefinitely without a business need;
- failed to maintain adequate logging, properly configure vulnerability and penetration testing, and comply with its own written security policies; and
- failed to timely provide notifications of security incidents, adequately assess and remediate malware infections, and adequately prevent account takeovers.3
The FTC’s complaint further alleged that, due to CafePress’s failure to implement reasonable security measures, in February 2019, hackers were able to access more than 20 million unencrypted email addresses and encrypted passwords; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of unencrypted partial payment card numbers and expiration dates.4 According to the complaint, CafePress did not properly investigate the breach for months, despite receiving notices from several third parties between March 2019 and August 2019, including from a foreign government that requested CafePress notify users of compromised accounts, that its systems had been compromised and its consumers’ personal information was posted for sale online.5 In April 2019, CafePress required all users who logged into CafePress to reset their passwords, but only advised that CafePress was updating its password policy, and did not inform customers of the breach until September 2019.6 Before this incident, CafePress also experienced several other security incidents, all of which the FTC attributed to CafePress’s failure to implement reasonable security measures.7 The FTC’s complaint also alleged that CafePress’s practice of withholding $25 in commissions owed to shopkeepers whose accounts were closed after the breach was an unfair practice.8
The complaint included three privacy-related counts as well. First, according to the complaint, CafePress told consumers it collected email addresses for order notifications and receipt, but in fact used the email addresses for marketing purposes.9 Second, CafePress represented that it honored requests from residents of the European Economic Area and Switzerland to delete their personal information, but only deactivated accounts and did not delete the associated account information. Third, CafePress told consumers it adhered to the EU-US and Swiss-US Privacy Frameworks, including the principles of choice, security, and access, when it in fact did not.
The Proposed Settlement
The proposed settlement orders include terms that have been standard in many recent FTC orders, including a requirement that the companies 1) implement comprehensive written information security programs with specific safeguards such as annual risk assessments, encryption of Social Security numbers, and data retention or deletion policies;10 2) obtain biennial third-party assessments of the companies’ security programs; and 3) report future breaches to the FTC.11
The orders in CafePress depart from recent orders in a few respects:
- As in other matters, the order requirements are tied to the companies’ collection and use of personal information. In contrast to other recent orders, personal information is defined explicitly to include the personal information of employees, as well as consumers, in keeping with FTC Chair Lina Khan’s emphasis on protecting workers.
- Respondents are required to consult with outside experts as they develop their security program. We have seen this requirement in the FTC’s consent order with Facebook, but not in typical data security orders.
- The orders require “multi-factor authentication methods that use a secure authentication protocol” as a requisite authentication method for CafePress users. This prescriptive requirement departs from the FTC’s recently revised Safeguards Rule applicable to financial institutions, which requires multi-factor authentication, but also allows chief information security officers (CISOs) to approve “reasonably equivalent controls.”
- The third-party assessments must state the number of hours that each member of the assessment team worked on the assessment. This requirement will presumably give the FTC some indication of how robust the assessments were.
- Respondents must submit redacted and unredacted copies of assessments, suggesting that the FTC will make the assessments public.
- The order against PlanetArt requires notice of the settlements to consumers whose data was breached, consistent with some similar requirements in recent FTC privacy-related orders.
- Finally, it is notable that the FTC obtained monetary redress of $500,000 against Residual Pumpkin in this matter, particularly after the U.S. Supreme Court curtailed the FTC’s ability to obtain such relief last year. Presumably, the FTC alleged that Residual Pumpkin’s conduct was dishonest or fraudulent, which would justify a follow-on federal court action for redress and damages.
To mitigate risk of an FTC enforcement action, companies should be aware of the following key points:
First, companies should look to the complaint and orders for guidance on what measures the FTC wants to see in an information security program. For example, the FTC faulted CafePress for failing to hash and salt passwords using current and secure hashing algorithms, encrypt Social Security numbers and credit card numbers, and implement patch management policies. Companies should implement encryption, access controls and proper authentication techniques, data minimization, vulnerability testing, and other administrative and technical safeguards to ensure the protection of personal information.
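To make the password-storage point concrete, the following added example (not code from the complaint, the orders, or the firm) places the scheme the FTC faulted, unsalted SHA-1, beside a salted, slow key-derivation scheme using only the Python standard library. The choice of PBKDF2-HMAC-SHA256 and the iteration count are assumptions for illustration; the orders themselves only require current and secure hashing with salt.

```python
import hashlib
import hmac
import os
from typing import Optional

# Weak scheme named in the FTC complaint: unsalted SHA-1. Every user with the
# same password gets the same digest, so one cracked digest (or one leaked
# hash-to-password table) exposes every account sharing that password.
def weak_sha1_digest(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme (illustrative choice, not anything the order prescribes):
# a random per-user salt plus a deliberately slow key-derivation function.
PBKDF2_ITERATIONS = 600_000  # raise over time as hardware gets faster
DKLEN = 32

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$key (hex)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              PBKDF2_ITERATIONS, dklen=DKLEN)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), key.hex())

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; reject malformed records."""
    try:
        algo, iters, salt_hex, key_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        iterations = int(iters)
    except ValueError:
        return False
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=len(expected))
    # Constant-time comparison so timing does not leak matching prefixes.
    return hmac.compare_digest(key, expected)

def digests_collide_for_same_password(scheme) -> bool:
    """True if two users choosing the same password get identical stored values."""
    return scheme("correct horse battery") == scheme("correct horse battery")
```

Storing the algorithm name and iteration count beside each record is what lets a site rotate to a stronger scheme later without a forced mass reset of the kind CafePress had to perform.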
Second, companies should implement processes to prevent, detect, investigate, and otherwise take appropriate action as soon as they become aware of a potential security incident. Companies should have an incident response plan that outlines the containment and remediation processes, as well as the escalation and investigation processes to ensure security incidents are timely and appropriately addressed. Third parties, such as outside counsel and third-party forensic vendors, can help with conducting an investigation.
Third, it is important to be honest and transparent with consumers. For example, individuals whose information is affected by a data breach should be informed of the data breach and how they can take remedial action to protect their personal information. If a notice indicates that email addresses are collected and used for notifications and receipts, then those emails should not also be used to send marketing emails. If a company commits to delete personal information upon request, then the company should delete personal information upon request, and not simply deactivate the account. Relatedly, companies should pay close attention to any representations that are made about their security practices and make sure that such representations can be supported.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues, including assisting numerous clients with developing information security programs, responding to security incidents and data breaches, and responding to FTC and other regulatory investigations. For more information, please contact Beth George, Maneesha Mithal, Tracy Shapiro, Megan Kayo, Roger Li, or another member of the firm’s privacy and cybersecurity practice.