FRANKFORT, Ky – Attorney General Daniel Cameron announced a $2 million multistate settlement with CafePress for a 2019 data security breach, which compromised the personal information of approximately 22 million consumers nationwide, including 186,187 Kentuckians.
The settlement, reached between seven attorneys general and CafePress, resolves the coalition’s investigation into a data security incident announced by the retailer. Under the settlement, the online retailer has agreed to pay $2 million to the states. The settlement includes an immediate payment of $750,000 to be divided among the states, and Kentucky will receive $58,484.65. Due to the company’s financial condition, the remaining $1,250,000 is suspended.
“CafePress violated Kentucky’s Consumer Protection Laws by failing to adequately secure the personal information of customers in Kentucky and several other states,” Cameron said. “This settlement provides $58,484.65 to the commonwealth and requires CafePress to protect customers from future cyberattacks by adequately securing personal data.”
Early in 2019, online retailer CafePress experienced a data security breach that jeopardized consumer names, email addresses, passwords, physical addresses, phone numbers, and, in some cases, the last four digits of credit card numbers, expiration dates, and full social security or tax identification numbers associated with customer accounts on www.cafepress.com.
CafePress notified customers impacted by the breach and posted a notice on its website’s homepage in September 2019. The company also provided two years of credit monitoring and theft resolution services, at no charge, to customers whose Social Security or tax identification numbers were compromised.
In addition to the payment, CafePress has agreed to protect the personal information of customers from future cyberattacks by:
- Implementing a comprehensive information security program and incorporating regular technology updates to provide up-to-date security safeguards.
- Reporting identified security risks to the chief executive officer.
- Creating an incident response and data breach notification plan, containing preparation, detection and analysis, containment, eradication, and recovery provisions.
- Developing encryption, segmentation, penetration testing, logging and monitoring, risk assessment, password management, and data minimization safeguards and controls for the personal information of consumers.
- Providing clear notice to consumers concerning account closure and data deletion.
- Undergoing third-party security assessments for five years.
PlanetArt, LLC, which purchased CafePress during the coalition’s investigation and now operates www.cafepress.com, has agreed to the settlement provisions.
Cameron was joined by attorneys general from Connecticut, Indiana, Michigan, New Jersey, New York, and Oregon in the settlement.