FTC finalizes order over CafePress security issues
The Federal Trade Commission on Friday finalized settlement orders that require online custom merchandise platform CafePress to beef up its security and require the company’s former owner to pay half a million dollars to small business owners, over allegations that it left sensitive information vulnerable and then tried to cover up a major breach.
The FTC announced an action in March against former CafePress owner Residual Pumpkin Entity LLC and PlanetArt LLC, which purchased the platform in 2020. The agency’s complaint alleged that the company had poor information security practices, including storing personal information such as Social Security numbers in plaintext, and that it suffered a series of cybersecurity incidents.
CafePress also tried to cover up a major data breach in 2019, the FTC alleged, failing to notify affected customers until a month after the breach was widely reported. The agency’s commissioners voted 5-0 to finalize the orders.
Representatives for Residual Pumpkin Entity and PlanetArt did not immediately respond to requests for comment.
Per the FTC’s announcement, the comprehensive security programs both companies must now deploy will require them to:
Implement adequate authentication measures, including multifactor authentication methods;
Minimize the amount of data they collect and retain;
Encrypt Social Security numbers; and
Have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.