Attorney General Tong Announces $2 Million Multistate Settlement with CafePress Over 2019 Data Breach
(Hartford, CT) – Attorney General William Tong today announced that a coalition of seven states has reached a $2 million settlement with CafePress, Inc. stemming from a 2019 data breach of its user database that compromised the personal information of approximately 22 million consumers, including more than 236,000 Connecticut residents. CafePress is an online retailer of personalized items and apparel. The breach compromised consumer names, email addresses, passwords, physical addresses, phone numbers, and, in some cases, credit card information as well as full, unencrypted Social Security or tax identification numbers.
Pursuant to the settlement, CafePress has agreed to pay $2,000,000 to the states. The settlement includes an immediate payment of $750,000 to be divided amongst the states, of which Connecticut will receive $64,168.71. The remainder of the $2 million payment is suspended based on the company’s financial condition.
“CafePress retained highly sensitive personal information from their customers, including in some cases full Social Security Numbers and credit card information. They failed to protect that information, and as a result compromised the security of millions of consumers, including many in Connecticut. This settlement requires CafePress to pay a substantial penalty to the states, and to commit to strong protections going forward to ensure the security of consumer information,” said Attorney General Tong.
Under the settlement, CafePress has agreed to a series of provisions designed to protect consumer personal information. Those include:
• a comprehensive information security program that includes regular reporting to the CEO concerning security risks;
• an incident response and data breach notification plan that encompasses preparation, detection and analysis, containment, eradication, and recovery;
• personal information safeguards and controls, including encryption, segmentation, penetration testing, logging and monitoring, a risk assessment program, password management, and data minimization;
• clear notice to consumers regarding CafePress’ account closure and data deletion practices; and
• third-party security assessments for five (5) years.
PlanetArt, LLC, which purchased substantially all of CafePress’ assets during the pendency of the states’ investigation and currently owns and operates www.cafepress.com, has agreed to comply with the provisions of the settlement designed to protect consumer data.
Upon disclosing the breach in September 2019, CafePress offered two years of credit monitoring and identity theft protection services at no charge to those whose Social Security and/or tax identification numbers were compromised by the breach.
The New York Office of the Attorney General led the multistate investigation, assisted by the Attorneys General of Connecticut, Indiana, Kentucky, Michigan, New Jersey, and Oregon.
Assistant attorneys general Áine DeMeo, Michele Lucan, John Neumon, and Jeremy Pearlman, Head of the Privacy and Data Security Department, assisted the Attorney General in this matter.