On March 15, 2022, the Federal Trade Commission (FTC) announced that it had filed a complaint against Residual Pumpkin Entity, LLC, formerly doing business as CafePress, and PlanetArt LLC, which purchased CafePress in 2020 (collectively, CafePress). The FTC alleged that CafePress, an online platform used by consumers who buy or sell personalized t-shirts, mugs and other merchandise, had, among other things, failed to implement reasonable security measures and had misrepresented that it would use email addresses only for order notifications and receipts, when it was actually using those email addresses for marketing purposes. As part of the proposed settlements with Residual Pumpkin and PlanetArt, each is required to, among other things, implement, evaluate, test and monitor a comprehensive written information security program on an annual basis. Residual Pumpkin would also be required to pay a $500,000 fine.
The FTC Complaint
The complaint included both security and privacy claims. With respect to security, according to the FTC complaint, CafePress violated Section 5 of the FTC Act by engaging in unfair and deceptive practices: misrepresenting its data security practices, misrepresenting its response to data security incidents, and failing to employ reasonable security measures.1
In describing its security practices, the FTC claimed that CafePress “represents…that [it] implemented reasonable measures to protect personal information from unauthorized access.”2 However, according to the complaint, CafePress did not in fact have reasonable security measures, because CafePress:
- did not use readily available protections against well-known vulnerabilities, such as Structured Query Language (SQL) injection, Cascading Style Sheets (CSS) and HTML injection, Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks;
- stored personal information, such as social security numbers and security questions and answers, in clear, readable text;
- used the outdated SHA-1 hashing algorithm to protect passwords and failed to salt passwords;
- did not implement a process for receiving vulnerability reports from third parties;
- failed to implement patch management policies and used outdated software versions that were no longer receiving patches;
- did not establish strong password policies;
- stored personal information indefinitely without business necessity;
- failed to maintain adequate logging, properly configure vulnerability and penetration testing, and comply with its own written security policies; and
- failed to provide timely notifications of security incidents, adequately assess and remediate malware infections, and adequately prevent account takeovers.3
The FTC complaint further alleged that, due to CafePress’ failure to implement reasonable security measures, as of February 2019 hackers were able to access more than 20 million unencrypted email addresses and encrypted passwords; millions of names, physical addresses, and unencrypted security questions and answers; more than 180,000 unencrypted social security numbers; and tens of thousands of unencrypted partial payment card numbers and expiration dates.4 According to the complaint, CafePress failed to properly investigate the breach for months, despite receiving notices from several third parties between March 2019 and August 2019 that its systems had been compromised and that its consumers’ personal information had been offered for sale online, including a notice from a foreign government that asked CafePress to notify users of compromised accounts.5 In April 2019, CafePress asked all users who logged into CafePress to reset their passwords, but said only that CafePress was updating its password policy; it did not inform customers of the breach until September 2019.6 Prior to this incident, CafePress also experienced several other security incidents, all attributed by the FTC to CafePress’ failure to implement reasonable security measures.7 The FTC’s complaint also alleged that CafePress’ practice of withholding $25 in commissions owed to merchants whose accounts were closed after the breach was an unfair practice.8
The complaint also included three privacy-related charges. First, according to the complaint, CafePress told consumers that it collected email addresses for order notifications and receipts, but actually used the email addresses for marketing purposes.9 Second, CafePress said it honored requests from residents of the European Economic Area and Switzerland to delete their personal information, but only deactivated accounts and did not delete the associated account information. Third, CafePress told consumers that it adhered to the EU-U.S. and Swiss-U.S. Privacy Shield frameworks, including the principles of choice, security and access, when in fact this was not the case.
The proposed settlement
The proposed settlement orders include terms that have become standard in many recent FTC orders, including requirements that the companies 1) implement comprehensive written information security programs with specific safeguards such as annual risk assessments, encryption of Social Security numbers, and data retention or deletion policies;10 2) obtain biennial third-party assessments of their security programs; and 3) report future violations to the FTC.11
The CafePress orders deviate from recent orders in several respects:
- As in other orders, the requirements of the orders are tied to the companies’ collection and use of personal information. Unlike other recent orders, personal information is defined explicitly to include the personal information of employees as well as consumers, consistent with FTC Chair Lina Khan’s emphasis on protecting workers.
- Respondents are required to consult external experts when developing their security program. We’ve seen this requirement in the FTC’s consent order with Facebook, but not in typical data security orders.
- The orders require “multi-factor authentication methods using a secure authentication protocol” as the required authentication method for CafePress users. This prescriptive requirement deviates from the FTC’s recently revised Safeguards Rule for financial institutions, which requires multi-factor authentication but also allows chief information security officers (CISOs) to approve “reasonably equivalent controls.”
- Third-party assessments must indicate the number of hours each member of the assessment team worked on the assessment. This requirement will likely give the FTC an indication of the rigor of the assessments.
- Respondents must submit redacted and unredacted copies of the assessments, suggesting that the FTC will make the assessments public.
- The order against PlanetArt requires notice of the settlement to consumers whose data was breached, consistent with similar requirements in some recent FTC privacy orders.
- Finally, it should be noted that the FTC obtained monetary relief of $500,000 against Residual Pumpkin in this case, notably after the United States Supreme Court curtailed the FTC’s ability to obtain such relief last year. Presumably, the FTC alleged that Residual Pumpkin’s conduct was dishonest or fraudulent, which would support a follow-on action in federal court for relief and damages.
Key Takeaways
To mitigate the risk of FTC enforcement action, businesses should be aware of the following key points:
First, companies should consult the Complaint and the Orders for guidance on what measures the FTC wants to see in an information security program. For example, the FTC faulted CafePress for not hashing and salting passwords with current, secure hashing algorithms, for not encrypting social security numbers and credit card numbers, and for not implementing patch management policies. Companies should implement encryption, appropriate access controls and authentication techniques, data minimization, vulnerability testing, and other administrative and technical safeguards to protect personal information.
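To make the password-hashing point concrete (unsalted SHA-1, as alleged in the complaint, versus a salted, memory-hard key derivation function), here is an added illustration that is not part of the FTC filings or this alert. The sample password is constructed; the weak and strengthened functions are assumptions chosen for contrast, using only the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credential for the demonstration (not from the complaint).
SAMPLE_PASSWORD = "Summer2019!"


def legacy_sha1_hash(password: str) -> str:
    """Weak scheme described in the complaint: unsalted SHA-1 over the raw password.
    Every user with the same password gets the same digest, so one precomputed
    lookup table cracks the whole leaked column."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Strengthened scheme: a random 16-byte per-user salt plus scrypt, a
    memory-hard KDF, stored as 'scrypt$<salt hex>$<key hex>'."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=2 ** 14, r=8, p=1, dklen=32)
    return "scrypt$" + salt.hex() + "$" + key.hex()


def verify_modern(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, _key_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = modern_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def same_password_same_record(scheme) -> bool:
    """True when two accounts with identical passwords produce identical stored
    records; this is what makes unsalted hashes vulnerable to bulk cracking."""
    return scheme(SAMPLE_PASSWORD) == scheme(SAMPLE_PASSWORD)
```

The legacy function returns the same 40-hex-character digest every time, while the salted scheme yields a different record per account and still verifies the correct password.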
Second, companies must implement processes to prevent, detect, investigate, and otherwise take appropriate action upon becoming aware of a potential security incident. Companies should have an incident response plan that outlines containment and remediation processes, as well as escalation and investigation processes to ensure security incidents are handled in a timely and appropriate manner. Third parties, such as outside attorneys and third-party forensic providers, may assist in an investigation.
Third, it is important to be honest and transparent with consumers. For example, individuals whose information is affected by a data breach should be informed of the data breach and how they can take corrective action to protect their personal information. If a notice states that email addresses are collected and used for notifications and receipts, those emails should not also be used to send marketing emails. If a business agrees to delete personal information upon request, it must delete the personal information upon request, not simply deactivate the account. Similarly, companies should pay close attention to any representations that are made about their security practices and ensure that these statements can be supported.
Wilson Sonsini Goodrich & Rosati regularly helps companies address complex privacy and data security issues, including helping many clients develop information security programs, respond to security incidents and data breaches, and respond to FTC and other regulatory inquiries. For more information, please contact Beth George, Maneesha Mithal, Tracy Shapiro, Megan Kayo, Roger Li, or another member of the firm’s privacy and cybersecurity practice.
Complaint, Residual Pumpkin Entity, LLC, FTC 12-14 (2022).
Id. at 12.
Id. at 3-5.
Id. at 5.
Id. at 5-6.
Id. at 7.
Id. at 11.
Agreement Containing Consent Order, Residual Pumpkin Entity, LLC, FTC 3-5 (2022); Agreement Containing Consent Order, PlanetArt, LLC, FTC 3-5 (2022).
Id. at 7-8; Id. at 7-8.