The Federal Trade Commission (FTC) has issued a proposed settlement with online retailing platform CafePress over the company’s lax data security. The FTC’s complaint alleges that CafePress misrepresented its security practices and unfairly failed to implement reasonable security. This is the first data security order issued by the FTC since Chair Khan took the helm of the agency last year. While relatively consistent with past FTC orders, there are several novel provisions that may give some clues to where the FTC is headed on cybersecurity issues.
CafePress’ Lax Security and Multiple Breaches
CafePress is a platform that allows consumer “shopkeepers” to sell customized merchandise like t-shirts and coffee mugs to other consumers.
The complaint recites a laundry list of alleged bad security practices that the FTC asserts contributed to multiple data breaches. Some of the more notable ones include:
- Storing sensitive personal information like Social Security numbers and security Q&As in clear, readable text;
- Failing to use readily-available protections against well-known vulnerabilities like Structured Query Language (SQL) injection attacks;
- Failing to take reasonable steps to protect passwords, such as by using outdated algorithms to “hash” passwords and failing to use a “salt” (random data mixed into each password before hashing, which makes the stored hashes much harder to crack);
- Failing to implement procedures for receiving and addressing third-party security vulnerability reports;
- Failing to implement patch management policies to ensure critical vulnerabilities are remediated quickly;
- Storing personal information indefinitely without a business need;
- Failing to implement basic, low-cost procedures to detect security incidents; and
- Failing to reasonably respond to security incidents by delaying disclosure of a breach, and failing to take appropriate steps to assess and remediate a breach.
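As an added illustration (not code from the complaint or from CafePress), the snippet below places the kind of fast, unsalted digest the complaint faults beside a salted, iterated scheme built from the Python standard library. The iteration count and record format are assumptions chosen for the example; the `needs_rehash` helper shows how a defender can flag legacy records for upgrade at next login.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed illustration of the kind of scheme the complaint faults: a fast,
# unsalted digest. Two users with the same password get the same hash, and a
# precomputed table of common passwords cracks it immediately.
def weak_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Hardened scheme: a per-user random salt plus a deliberately slow key
# derivation function (PBKDF2-HMAC-SHA256 from the standard library). The
# stored record carries algorithm, iteration count and salt so the cost can
# be raised later without breaking records written under the old setting.
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000  # assumed cost setting; tune so one hash takes ~100 ms

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        salt, expected, rounds = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex), int(iters)
    except ValueError:
        return False  # malformed or legacy record: never accept it as a match
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk, expected)

def needs_rehash(stored: str) -> bool:
    """True for legacy unsalted digests or records below the current cost."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    return int(parts[1]) < ITERATIONS

if __name__ == "__main__":
    print(weak_hash("pizza") == weak_hash("pizza"))           # True: no salt
    h1, h2 = hash_password("pizza"), hash_password("pizza")
    print(h1 != h2, verify_password("pizza", h1))             # True True
    print(needs_rehash(weak_hash("pizza")), needs_rehash(h1)) # True False
```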
According to the complaint, CafePress suffered multiple breaches because of these failures. In February 2019, a hacker stole more than 20 million unencrypted email addresses and encrypted passwords, along with millions of unencrypted names, physical addresses, and – importantly – security questions and answers that could be used to reset consumer accounts (e.g., “What’s your mother’s maiden name?” or “What’s your favorite pizza topping?”). Hackers also stole 180,000 unencrypted Social Security numbers and some unencrypted payment data (the last 4 digits of payment cards together with expiration dates).
CafePress didn’t disclose the breach to consumers – even after a foreign government notified them that stolen data was for sale on the dark web. When the company finally notified consumers, it claimed that a password reset had already secured consumer accounts. But the FTC argues this wasn’t true because CafePress continued to allow anyone to reset a password using the security questions that were stolen in the breach.
The complaint alleges actual injury to consumers who were extorted and scammed after attackers sold their personal information, and that CafePress’ unreasonable delay in notifying consumers of the breach increased the likelihood that those consumers would become victims of identity theft and fraud. These risks were further exacerbated by CafePress’ insecure password reset procedure, which left consumers vulnerable even after their passwords were changed.
The Proposed Order
Information Security Program
The FTC’s required information security programs have grown more complex over the years, and this order continues that trend. In addition to the usual bans on misrepresentations about privacy and security, reporting requirements, and third-party assessments, it includes some new provisions, such as:
- No more security questions – CafePress is required to replace any authentication measures based on the use of security questions and answers with multi-factor authentication. This is the first time the FTC has explicitly prohibited security questions and required multi-factor authentication instead.
- Multi-factor authentication – The order specifies that multi-factor authentication should be accomplished through a “secure authentication protocol, such as cryptographic software or devices, mobile authenticator applications, or allowing the use of security keys.” While not expressly prohibited, SMS text messages are notably absent from the list.
- Data minimization – The order requires CafePress to establish policies to “minimize data collection, storage, and retention.” Although this provision is relatively vague, this limitation on data collection appears to go further than the FTC’s usual requirements to establish data deletion or retention procedures.
Somewhat unusually for a data security case, the order requires CafePress to pay $500,000 in monetary relief, presumably to be used as redress to shopkeepers who did not receive payable commissions when their accounts were closed. Although last year’s Supreme Court decision in AMG Capital Management LLC v. FTC ended the FTC’s ability to get redress in federal court, that decision does not cover an administrative consent agreement like this one.
To mitigate risks of a data breach and FTC enforcement, companies should take steps to ensure their security fundamentals are sound. Here, there were numerous low-cost steps that could have been taken to mitigate the risks of a breach. It’s also important to take security warnings seriously when they are reported – and have a process in place to investigate and respond to reports of an incident. Unreasonable delay in disclosing a breach, or failing to thoroughly investigate the cause of a security incident, will invite an enforcement action from the FTC. Companies should also consider whether they are authenticating users appropriately, especially for business accounts or accounts that store sensitive personal information.
Baker Botts regularly helps companies navigate complex privacy and security issues and has broad experience with the FTC’s data security and privacy investigations. For more information, please contact Maureen Ohlhausen, Ben Rossen, or another member of the firm’s privacy and cybersecurity practice.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.