AG Nessel announces $2M multistate settlement with CafePress over 2019 data breach

Posted at 4:30 PM, Dec 21, 2020
and last updated 2020-12-21 16:30:36-05

LANSING, Mich. (WSYM) — Attorney General Dana Nessel today announced that a coalition of seven states reached a $2 million settlement with CafePress to resolve a 2019 data breach. The data breach compromised the information of about 22 million people, including almost 475,000 in Michigan according to Nessel.

CafePress is an online retailer of stock and user-customized products.

The breach compromised consumer names, email addresses, passwords, physical addresses, phone numbers and, in some cases, Social Security or tax identification numbers, and the last four digits of credit card numbers and expiration dates. The compromised information was taken from accounts associated with the company’s website.

Under the settlement, CafePress has agreed to pay $2 million to the states, Nessel says. The settlement includes an immediate payment of $750,000 divided among the states, of which Michigan will receive about $91,000. The remainder of the $2 million payment is suspended based on the company’s financial condition.

Of the compromised Michigan consumers, 5,234 potentially had their Social Security numbers or tax identification numbers compromised, according to the Attorney General’s office. Upon disclosing the breach in September 2019, CafePress offered two years of credit monitoring and theft resolution services at no charge to those whose Social Security numbers and/or tax identification numbers were affected by the incident.

“As a growing number of services and customer-driven amenities become available online, a consumer’s personal information is more at-risk now than ever before,” Nessel said. “While there are steps we as consumers can take to protect our own personal information from falling into the wrong hands, companies must also take appropriate measures to safeguard that data to ensure their customers are protected from predatory attempts to capitalize on that information.”

Under the settlement, CafePress has agreed to a series of provisions designed to protect consumer personal information from cyberattacks. Those include:

  • A comprehensive information security program with regular updates to keep pace with changes in technology and security threats as well as regular reporting to the CEO concerning security risks;
  • An incident response and data breach notification plan that is required to encompass preparation, detection and analysis, containment, eradication and recovery;
  • Personal information safeguards and controls, including encryption, segmentation, penetration testing, logging and monitoring, a risk assessment program, password management and data minimization;
  • Clear notice to consumers concerning account closure and data deletion; and
  • Third-party security assessments for five years.

Attorney General Nessel has made consumer protection a top priority for her administration, and has previously issued consumer alerts to help people take the proper precautions to protect themselves and respond to various incidents, including data breaches.

Nessel’s office joined in the investigation with the attorneys general of New York, Connecticut, Indiana, Kentucky, New Jersey and Oregon.