On March 15, 2022, the Federal Trade Commission filed a complaint and proposed consent orders to resolve allegations of data security failings by Residual Pumpkin LLC and PlanetArt LLC, both formerly or currently doing business as CafePress (“respondents”), which host an e-commerce platform for the purchase of customized merchandise. Respondents’ business includes the routine collection of names, email addresses, telephone numbers, birthdates, passwords, social security numbers, employer identification numbers, and payment card information from both consumers and sellers of the hosted merchandise.
The complaint alleges that since 2018, the respondents failed to implement low-cost, standard protections against reasonably foreseeable vulnerabilities that could be used by bad actors to gain access to the personal information stored on the respondents’ network. The complaint further alleges that the respondents did not implement patch management policies and procedures to ensure timely correction of security vulnerabilities, and even used outdated software that was no longer supported by security patches. In addition, as alleged, the respondents stored personal information longer than business needs required, and failed to implement reasonable procedures to prevent, detect or investigate intrusions into their systems.
According to the FTC, these failures enabled a hacker to penetrate the respondents’ system in February 2019 and export over twenty million unencrypted email addresses and encrypted passwords, over 180,000 unencrypted social security numbers, and tens of thousands of unencrypted last-four digits of payment card numbers, along with the unencrypted expiration dates for those cards. And although the respondents were informed of the security incident on March 11, 2019, and even received an email from a foreign government on April 10, 2019 with detailed information demonstrating that a hacker had obtained access to user account information, the respondents merely asked users to reset their passwords, and waited until September 2019 to send breach notification letters to government agencies and affected consumers.
During the relevant period, the respondents represented to consumers that they were certified under both the EU-US Privacy Shield and the Swiss-US Privacy Shield frameworks, but, according to the complaint, did not comply with Privacy Shield principles, such as taking reasonable and appropriate measures to protect personal information from loss, misuse or unauthorized access, and offering individuals the opportunity to opt out of third-party disclosure of their personal information.
The complaint alleges, further, that the respondents caused marketing emails to be sent to consumers’ email addresses, despite having informed consumers that the email addresses would be used solely “for order notifications and receipt,” while disregarding consumers’ election not to opt into receipt of the marketing emails.
The respondents’ practices, which, as detailed in the complaint, include misrepresentations regarding data security and data security incident responses, Privacy Shield frameworks, and consumer data deletion, as well as unfair data security practices and the unfair withholding of payable commissions following a security breach, constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
The proposed settlement requires the respondents to implement information security programs reasonably designed to correct the problems that led to the data breach, including the use of multifactor authentication, minimization of data collection and retention, encryption of social security numbers, training of employees, and the implementation of policies and procedures to ensure that all devices in the respondents’ networks are securely installed and inventoried every year, and that vulnerabilities are remediated. The proposed orders also require the respondents to certify compliance annually, and to report security incidents within thirty days.
Residual Pumpkin will be required to pay $500,000 to be used for consumer redress and any attendant expenses for the administration of any redress fund, and PlanetArt must notify individuals whose personal information was compromised in the data breaches, in addition to providing consumers with information about how to protect themselves and their data. Both respondents will be required to engage an independent third party to assess the establishment and implementation of appropriate data security programs, and to publish a redacted version of the third-party assessment.
The proposed consent agreements will be made available for public comment for 30 days, after which the FTC will make findings of fact and issue a final order vis-à-vis each respondent.
FTC press release | FTC Complaint | Consent agreement and proposed order (Residual Pumpkin) | Consent agreement and proposed order (PlanetArt)