by Scott McClallen
A seven-state coalition announced a $2 million settlement with online retailer CafePress.
The settlement resolves a 2019 data breach that compromised 22 million consumers, Attorney General Dana Nessel announced Monday.
Nearly 500,000 Michiganders’ data was breached, for which the state will receive $91,000.
The breach compromised consumer names, email addresses, passwords, physical addresses, phone numbers and, in some cases, Social Security or tax identification numbers, and the last four digits of credit card numbers and expiration dates.
The settlement includes an immediate payment of $750,000 divided among the states. The remainder of the $2 million amount is suspended because the company can’t pay it.
Of the compromised Michigan consumers, 5,234 potentially had their Social Security numbers or tax identification numbers compromised.
Upon disclosing the breach in September 2019, CafePress offered two years of credit monitoring and theft resolution services for free to those whose Social Security numbers and tax identification numbers were affected by the incident.
“As a growing number of services and customer-driven amenities become available online, a consumer’s personal information is more at risk now than ever before,” Nessel said in a statement.
“While there are steps we as consumers can take to protect our own personal information from falling into the wrong hands, companies must also take appropriate measures to safeguard that data to ensure their customers are protected from predatory attempts to capitalize on that information.”
Under the settlement, CafePress has agreed to protect consumer personal information from cyberattacks, including providing:
- A comprehensive information security program with regular updates to keep pace with changes in technology and security threats as well as regular reporting to the CEO concerning security risks;
- An incident response and data breach notification plan that is required to encompass preparation; detection and analysis; and containment, eradication, and recovery;
- Personal information safeguards and controls, including encryption, segmentation, penetration testing, logging and monitoring, a risk assessment program, password management, and data minimization;
- Clear notice to consumers concerning account closure and data deletion; and
- Third-party security assessments for five years.
Nessel’s office joined the investigation with the attorneys general of Connecticut, Indiana, Kentucky, New Jersey, New York, and Oregon.
– – –
Scott McClallen is a staff writer covering Michigan and Minnesota for The Center Square. A graduate of Hillsdale College, his work has appeared on Forbes.com and FEE.org. Previously, he worked as a financial analyst at Pepsi.