NEW JERSEY — New Jersey is part of a seven-state coalition that has entered into a $2 million overall settlement with internet retailer CafePress resolving the states’ investigation of a 2019 data breach. The data breach compromised the personal information of approximately 22 million consumers nationally, including more than 540,000 consumers in New Jersey, Attorney General Gurbir S. Grewal said Friday.
CafePress is an online retailer of personalized gifts and user-customized products. The breach compromised consumer names, email addresses, passwords, physical addresses and phone numbers for accounts associated with the CafePress website. In some cases, the last four digits of credit card numbers, expiration dates, and full, unencrypted Social Security or tax identification numbers were compromised.
The total payment to the states of $2 million includes an immediate payment of $750,000 divided amongst the states, of which New Jersey will receive $98,368. Based on the company’s agreement to improve its data privacy practices, as well as its current financial condition, the states have agreed to suspend the balance of the settlement, provided CafePress complies with the terms of the agreement.
“All businesses – but particularly companies that do all or most of their retail business online — have a duty to maintain security systems and practices that protect the sensitive personal information they collect from their customers,” said Attorney General Grewal. “When companies fail to create and maintain such protections, they put their customers at risk. We hold businesses accountable when their cyber security lapses end up harming consumers, and ensure that they take appropriate steps to prevent another breach.”
“Today’s settlement is important because it requires this online retailer to do what it should have done well before the credit card and other personal information of more than a half-million New Jersey consumers was compromised – develop and maintain a comprehensive cyber security program that is updated and assessed on a regular basis,” said Acting Director of Consumer Affairs Paul Rodríguez. “We are committed to protecting the sensitive financial and other information of consumers, and will take action against any business that fails to meet its responsibility to do so.”
In addition to the monetary terms, CafePress has agreed under today’s settlement to implement a series of provisions designed to protect consumer personal information from cyberattacks. Those include:
- a comprehensive information security program that includes regular updates to keep pace with changes in technology and security threats as well as regular reporting to the CEO concerning security risks;
- an incident response and data breach notification plan encompassing preparation, detection and analysis, containment, eradication, and recovery;
- personal information safeguards and controls, including encryption, segmentation, penetration testing, logging and monitoring, a risk assessment program, password management, and data minimization;
- clear notice to consumers concerning account closure and data deletion; and
- third-party security assessments for five (5) years.
PlanetArt, LLC, which purchased substantially all the assets of CafePress during the pendency of the states’ investigation, and now currently owns and operates cafepress.com, has agreed to the settlement provisions designed to protect consumer data.
The data breach that struck CafePress affected the usernames and passwords of 535,022 New Jersey consumers. Another 5,034 New Jerseyans’ Social Security Number and/or Taxpayer Identification Number were compromised.
Upon disclosing the breach in September 2019, CafePress offered two years of credit monitoring and theft resolution services at no charge to those whose Social Security Numbers and/or Tax Identification Numbers were affected by the incident.
In addition to New Jersey, the following states’ Attorneys General are participating in the Café Press settlement: New York, Connecticut, Indiana, Kentucky, Michigan and Oregon.