New Jersey and six other states have entered into a $2 million settlement with internet retailer CafePress resolving the investigation of a 2019 data breach that compromised information of approximately 22 million consumers, Attorney General Gurbir Grewal announced Dec. 18.
In New Jersey, the breach affected the usernames and passwords of 535,022 New Jerseyans, and the Social Security numbers and/or Taxpayer Identification Numbers of another 5,034.
The $2 million includes an immediate payment of $750,000 divided among the states. New Jersey will receive $98,368.
Based on the company’s agreement to improve its data privacy practices, as well as its current financial condition, the coalition of states has agreed to suspend the balance of the settlement, provided CafePress complies with the terms of the agreement, Grewal’s office said.
“Today’s settlement is important because it requires this online retailer to do what it should have done well before the credit card and other personal information of more than a half-million New Jersey consumers was compromised – develop and maintain a comprehensive cybersecurity program that is updated and assessed on a regular basis,” said Director of Consumer Affairs Paul Rodríguez, who was confirmed by the Senate Dec. 17. “We are committed to protecting the sensitive financial and other information of consumers, and will take action against any business that fails to meet its responsibility to do so.”
CafePress also agreed to implement a series of provisions designed to protect consumer personal information from cyberattacks, including a comprehensive information security program with regular updates to keep pace with changes in technology; a data breach notification plan covering preparation, detection and analysis, containment, eradication, and recovery; safeguards such as encryption, segmentation, and penetration testing; clear notice to consumers concerning account closure and data deletion; and third-party security assessments for five years.
PlanetArt LLC, which purchased CafePress during the time of the states’ investigation, has agreed to the settlement provisions.
When it disclosed the breach in Sept. 2019, CafePress offered two years of credit monitoring and theft resolution services at no charge to those whose Social Security Numbers and/or Tax Identification Numbers were affected by the incident.
Deputy Attorney General Kashif Chand, chief of the data privacy & cybersecurity section in the Division of Law’s affirmative civil enforcement practice group, and Deputy Attorney General Cody Valdez of the data privacy & cybersecurity section, handled the CafePress matter on behalf of the state.
Attorneys general in New York, Connecticut, Indiana, Kentucky, Michigan and Oregon are also participating in the CafePress settlement.