The sensitive personal data of CafePress consumers, including Social Security numbers, was exposed. The Federal Trade Commission filed a claim against Residual Pumpkin Entity, the former owner of CafePress, and PlanetArt, the current owner of CafePress. The main issue of the claim is that the organization failed to ensure the safety of clients' personal data (including Social Security numbers) and covered up the data breach.
In the FTC experts' opinion, sufficient measures required to protect the sensitive data of buyers and sellers weren't implemented, and there wasn't an adequate response to some security breaches.
The FTC claims include the following:
“Stored Social Security numbers and password reset answers in clear, readable text;
Retained the data longer than was necessary;
Failed to apply readily available protections against well-known threats and adequately respond to security incidents;
Covered up a major data breach resulting from its shoddy security practices”.
According to the FTC's statement, Residual Pumpkin must pay $500,000, which will be used to provide redress to victims of the data breaches, and comprehensive information security programs must be implemented in response to the incident.
This case illustrates a trend in regulation: more and more information security acts will come into force, and regulators will monitor the activities of all types of personal data operators more strictly and impose significant fines when security rules are violated. One of the most crucial recommendations by the FTC in this case is the need for “comprehensive information security programs”. This is a reasonable measure: if such programs aren't implemented, we will witness plenty of other data-related incidents. Our experts also argue for the necessity of implementing a new comprehensive approach to an organization's security, which you can find in our blog post.