LANSING, MI (WKZO AM/FM) — Monday, Attorney General Dana Nessel announced that a coalition of seven states reached a $2 million settlement with CafePress to resolve a 2019 data breach that compromised the personal information of about 22 million consumers, including more than 474,900 in Michigan.
CafePress is an online retailer of stock and user-customized products. The breach compromised consumer names, email addresses, passwords, physical addresses, phone numbers and, in some cases, Social Security or tax identification numbers, and the last four digits of credit card numbers and expiration dates.
The compromised information was taken from accounts associated with the company’s website.
Under the settlement, CafePress has agreed to pay $2 million to the states. The settlement includes an immediate payment of $750,000 divided among the states, of which Michigan will receive about $91,000. The remainder of the $2 million payment is suspended based on the company’s financial condition.
Of the compromised Michigan consumers, 5,234 potentially had their Social Security numbers or tax identification numbers compromised.
Upon disclosing the breach in September 2019, CafePress offered two years of credit monitoring and theft resolution services at no charge to those whose Social Security numbers and/or tax identification numbers were affected by the incident.
“As a growing number of services and customer-driven amenities become available online, a consumer’s personal information is more at-risk now than ever before,” Nessel said in a statement. “While there are steps we as consumers can take to protect our own personal information from falling into the wrong hands, companies must also take appropriate measures to safeguard that data to ensure their customers are protected from predatory attempts to capitalize on that information.”
Under the settlement, CafePress has
- A comprehensive information
security program with regular updates to keep pace with changes in technology and security threats as well as regular reporting to the CEO concerning security risks; - An incident response and data breach notification plan that is required to encompass preparation, detection and analysis, containment, eradication and recovery;
- Personal information safeguards and controls, including encryption, segmentation, penetration testing, logging and monitoring, a risk assessment program, password management and data minimization;
- Clear notice to consumers concerning account closure and data deletion; and
- Third-party security
assessments for five years.
PlanetArt LLC, which purchased substantially all the assets of CafePress during the states’ investigation into the breach, and now currently owns and operates the website, has agreed to these provisions of the settlement designed to protect consumer data.
Attorney General Nessel has made
Nessel’s office joined in the investigation with the attorneys general of New York, Connecticut, Indiana, Kentucky, New Jersey and Oregon.