CafePress must enhance its data security practices, and its former owner, Residual Pumpkin, must pay $500,000 to provide redress to data breach victims, to resolve allegations the online retailer failed to secure consumers’ sensitive personal data and covered up a major data breach, the Federal Trade Commission announced on June 24.
The finalized FTC order resolves a complaint the agency first filed in March. In its complaint against Residual Pumpkin and PlanetArt, which bought CafePress in 2020, the FTC alleged CafePress “failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network and failed to adequately respond to several security breaches.”
CafePress’s information-security failures provide lessons for all companies. Specifically, according to the FTC, CafePress “stored Social Security numbers and password reset answers in clear, readable text; retained the data longer than was necessary; and failed to apply readily available protections against well-known threats and adequately respond to security incidents. CafePress also covered up a major data breach “resulting from its shoddy security practices,” the FTC stated.
Data Security Mandates
Under the FTC’s order, Residual Pumpkin and PlanetArt each must implement comprehensive information-security programs that require them, among other things, to:
- Replace inadequate authentication measures with multifactor authentication methods;
- Minimize the amount of data they collect and retain:
- Encrypt Social Security numbers; and
- Have a third party assess their information-security programs and provide the FTC with a redacted copy of that assessment suitable for public disclosure.
In addition, PlanetArt must notify consumers whose personal information was accessed as a result of the data breaches and provide specific information about how consumers can protect themselves.
The FTC voted 5-0 to finalize the orders with Residual Pumpkin and PlanetArt. 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.