Seven state attorneys general, led by New York Attorney General Letitia James, reached a settlement with Residual Pumpkin Entity LLC (formerly known as CafePress LLC) (“CafePress”), related to a 2019 data security incident, exposing 22 million customer accounts and as many as 186,000 social security and tax identification numbers.
Based on the state attorneys general’s Assurance of Voluntary Compliance, CafePress — an online retailer of customizable apparel, mugs, and other consumer products —– was the victim of a cyberattack on or before February 19, 2019. A third-party security researcher notified CafePress of a potential Structured Query Language (SQL) vulnerability.
SQL comes in many different versions and denotes a language that accesses databases, which website administrators often depend on to execute queries, retrieve data, and update records in online databases. When a website’s web application or plug-in is improperly coded, malicious actors can use SQL to inject their own malicious SQL statements to access information stored in databases.
The third-party security researcher, who notified CafePress of the vulnerability, later demonstrated “in real time using a custom script and listed information he had extracted for 19 accounts in CafePress’ customer databases, which included email addresses, passwords, and, for eight accounts, [s]ocial [s]ecurity or tax identification numbers.”
Initially believing the vulnerability did not result in a breach after checking its logs, patching an update to remediate the vulnerability, and resetting customer passwords, CafePress’ full investigation proved otherwise. CafePress later learned that its users’ personal information was exposed to bad actors when it found personal information for sale on the dark web, including social security and tax identification numbers. By September 2019, CafePress began notifying customers of the incident, starting with those at most risk.
The Assurance Follows Common Security Trends Helpful to All Businesses
The Assurance of Voluntary Compliance, entered into by the seven state attorneys general, spanned seven (7) pages and required CafePress to make the following changes to its business practices:
- create an information security program with distinct protocols, a timeline for review, the qualifications for the lead employee, and related training requirements for management-level employees;
- establish an incident response and data breach notification plan with distinct phases for (1) preparation, (2) detection and analysis, (3) containment, (4) eradication, and (5) recovery;
- prepare a security event report even if the security event does not require data breach notification;
- establish the following personal information safeguards and controls: (1) encryption, (2) segmentation, (3) penetration testing, (4) risk assessment, (5) password management, (6) logging and monitoring, (7) personal information deletion, and (8) account closure notification; and
- require biennial security program assessments.
As businesses are unique, all businesses should implement and maintain their own programs to protect personal information collection and storage. Businesses should view the terms above as a guidepost in their own comprehensive information security program. For business leaders unsure if their practices comply with these benchmarks and unsure where to start, read our post discussing ways business leaders could reduce their organizations’ cyber risks.
The Assurance of Voluntary Compliance Demonstrates the Enforcement Capacity of State Attorneys General Data Security Enforcement Divisions
Pulling back the onion demonstrated that the consent judgment has minimal enforceability. Based on the company’s present financial condition, $1,250,000 of the $2,000,000 settlement was suspended. Moreover, PlanetArt LLC, the recent purchaser of CafePress’ assets, was not required to comply with any of the injunctive terms because it does not collect, maintain, or use personal information.
While these decreased monetary penalties and enforcement terms likely reduced the number of participating states to the initial lead states investigating CafePress, the fact that the state attorneys general pushed this matter to settlement, despite thousands of data breaches occurring annually, demonstrated that they will take a case to the finish line in a way previously limited by resource constraints.
Over the past year, states — including Connecticut, New Jersey, and California — have invested in dedicated consumer privacy and data security enforcement divisions. With this bolstered enforcement capacity, states previously limited in resources may now have the ability to participate in nationwide investigations concerning privacy and security incidents. New York Attorney General Letitia James emphasized this commitment in her CafePress press release when stating, “My office is committed to protecting consumers, which is why we will continue to use every available tool to hold companies accountable when they fail to safeguard personal information.”
In 2021, state attorneys general will continue to bolster their current data security enforcement capacities, with the CafePress resolution demonstrating that companies must take steps to adequately protect personal information. Companies also should implement incident response plans, tested regularly through tabletop exercises, to prepare themselves if a data incident occurs.