Michigan Attorney General Dana Nessel on Monday announced that a coalition of seven states reached a $2 million settlement with CafePress to resolve a 2019 data breach that compromised the personal information of about 22 million consumers, including more than 474,900 in Michigan.
CafePress is an online retailer of stock and user-customized products. The breach compromised consumer names, email addresses, passwords, physical addresses, phone numbers and, in some cases, Social Security or tax identification numbers, and the last four digits of credit card numbers and expiration dates. The compromised information was taken from accounts associated with the company’s website.
Under the settlement, CafePress has agreed to pay $2 million to the states. The settlement includes an immediate payment of $750,000 divided among the states, of which Michigan will receive about $91,000. The remainder of the $2 million payment is suspended based on the company’s financial condition.
Of the compromised Michigan consumers, 5,234 potentially had their Social Security numbers or tax identification numbers compromised. Upon disclosing the breach in September 2019, CafePress offered two years of credit monitoring and theft resolution services at no charge to those whose Social Security numbers and/or tax identification numbers were affected by the incident.
“As a growing number of services and customer-driven amenities become available online, a consumer’s personal information is more at-risk now than ever before,” Nessel said. “While there are steps we as consumers can take to protect our own personal information from falling into the wrong hands, companies must also take appropriate measures to safeguard that data to ensure their customers are protected from predatory attempts to capitalize on that information.”
Under the settlement, CafePress has agreed to a series of provisions designed to protect consumer personal information from cyberattacks. Those include:
• A comprehensive information security program with regular updates to keep pace with changes in technology and security threats as well as regular reporting to the CEO concerning security risks.
• An incident response and data breach notification plan that is required to encompass preparation, detection and analysis, containment, eradication and recovery.
• Personal information safeguards and controls, including encryption, segmentation, penetration testing, logging and monitoring, a risk assessment program, password management and data minimization.
• Clear notice to consumers concerning account closure and data deletion.
• Third-party security assessments for five years.
PlanetArt LLC, which purchased substantially all the assets of CafePress during the states’ investigation into the breach and now owns and operates the website, has agreed to these provisions of the settlement designed to protect consumer data.
Nessel has made consumer protection a top priority for her administration, and has previously issued consumer alerts to help people take the proper precautions to protect themselves and respond to various incidents, including data breaches.
Nessel’s office joined in the investigation with the attorneys general of New York, Connecticut, Indiana, Kentucky, New Jersey, and Oregon.
- Posted December 23, 2020
Nessel announces $2M multistate settlement with CafePress over 2019 data breach




