Indiana Attorney General Curtis Hill announced on Friday that Indiana and six other states have reached a $2 million settlement with CafePress, an online retailer of stock and user-customized products.
The settlement resolves a 2019 data breach that compromised the personal information of approximately 22 million consumers, including 312,000 Indiana residents. The breach compromised consumer names, email addresses, passwords, physical addresses, phone numbers, credit card numbers and expiration dates, and full, unencrypted Social Security and tax identification numbers.
Under the settlement, CafePress agreed to pay $2 million to Indiana and the six other states. This includes an immediate payment of $72,712.15 to Indiana and $677,287.85 divided amongst the other states. The remainder of the $2 million payment is suspended based on the company’s financial condition.
“Although it would be more beneficial for consumers if companies like CafePress took cybersecurity precautions before they were hit by data breaches, we are pleased that CafePress will now take necessary actions to protect their customers’ information,” Hill said. “Cyberattacks are the fastest-growing type of crime in our nation, and we will continue to hold accountable companies that don’t take basic, proactive measures to prevent them.”
In addition to the $2 million payment, CafePress has agreed to a series of provisions designed to protect consumers’ personal information from cyberattacks. Those include:
- A comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats, as well as regular reporting to the CEO concerning security risks;
- An incident response and data breach notification plan that must address preparation, detection, analysis, containment, eradication and recovery;
- Personal information safeguards and controls, including encryption, segmentation, penetration testing, logging and monitoring, a risk assessment program, password management and data minimization;
- Clear notice to consumers concerning account closure and data deletion; and
- Third-party security assessments for five years.
PlanetArt LLC, which purchased substantially all the assets of CafePress during the investigation into the data breach, agreed to the provisions of the settlement designed to protect consumer data.
Upon disclosing the breach in September 2019, CafePress offered two years of credit monitoring and theft resolution services at no charge to those whose Social Security or tax identification numbers were affected by the incident.
In addition to Hill, the attorneys general of New York, Connecticut, Kentucky, Michigan, New Jersey and Oregon participated in the settlement. New York Attorney General Letitia James led the multistate investigation into the data breach.