In its most recent cybersecurity enforcement decision, the U.S. Federal Trade Commission announced a draft settlement agreement with the current and former operators of the customized merchandise website CafePress.com. Although the unanimous consent order focuses primarily on the company’s lax security practices, which allegedly led to multiple data breaches, there are also a few data privacy claims that are worthy of attention, not least because they could signal how the FTC will approach privacy actions in the coming months and years.

On the security side, the lessons from CafePress are directly in line with accepted best practices. Breaches happen. To mitigate this risk, companies are expected to implement reasonable baseline standards and continuously monitor for vulnerabilities. According to the FTC complaint, CafePress failed to meet standard expected security practices in multiple ways:

• Procedures were not in place to detect and prevent network intrusions.
• Patches were not made to well-known vulnerabilities (e.g., SQL injection attacks).
• Personal data, including sensitive data like Social Security numbers and security questions, was stored in clear text.
• When data was encrypted (e.g., passwords), out-of-date and deprecated encryption standards were used (SHA-1) and the data was not salted.
• Password complexity rules were not put into place.
• No process was in place for receiving and addressing security vulnerability reports from outside parties.
• When vulnerabilities were found, processes were not in place to quickly respond and mitigate further harm (e.g., forcing password resets on breached accounts).

In its most glaring alleged misstep, CafePress also failed to properly notify consumers of data breaches when they occurred. Not only is timely breach notification a reasonable baseline practice, but it is of course required under delineated circumstances by breach laws in every U.S. state. For this reason, the FTC includes an unfairness claim in its complaint against CafePress. Failing to properly notify consumers can be an unfair practice under Section 5 of the FTC Act, in addition to directly violating state laws.

The FTC staff blog covering the CafePress case analyzes these alleged failures further, with particular attention to the timelines involved in the company’s response to breach incidents. The blog also offers a few general “compliance nuggets” for consideration:

• Don’t make it easy for data thieves to steal customer information. 
• Take security warnings seriously.
• Respond to security episodes honestly, transparently — and quickly. 

For privacy professionals and other FTC watchers, the compliance nuggets don’t stop there.

Purpose limitations matter

In its complaint, the FTC provides examples of CafePress’s up-front notices related to how it would use customer email addresses at the time that they were collected during the online order process. A mandatory email address field appeared with a notice that email addresses submitted would only be used for “order notification and receipt.” Nevertheless, the FTC alleges that emails submitted through this form were also used for marketing purposes. In some markets, CafePress even added an additional opt-in check box for customers to sign up for marketing communications. The FTC alleges that users presented with this option received marketing emails whether they checked the box or not.

This is a good reminder that explicit disclosures of purpose limitations at the time of collection will be seen by regulators as superseding general privacy policy language. If you tell your customers that you will only use a data field for a certain purpose, it’s important to verify that this statement is true. If you create an opt-in option, whether to comply with legal requirements or just to provide consumers with more control, make sure it functions as expected.

Data stored indefinitely 'without a business need'

The FTC frames a data minimization best practice—deleting personal data when it is no longer needed for the purpose for which it was collected—as an important part of a company’s security posture. As the FTC explains it, the former owner of CafePress “created unnecessary risks to Personal Information by storing it indefinitely on its network without a business need.” Specifically, the FTC refers here to the sensitive data points that CafePress kept about its business users, including social security numbers, which were allegedly not subject to a data retention policy in keeping with the business need.

This harkens to another privacy truism: if you don’t have the data, it can’t be taken from you. Whether this means timely deletion of data, or not collecting it in the first place, data minimization is core component of a robust privacy program.

The FTC’s framing of this issue signals its continued emphasis on data minimization. Commissioner Slaughter previewed this emphasis in her speech at IAPP’s PSR conference last fall: “Fundamentally, data minimization should mean that companies collect only the information necessary to provide consumers with the service or product they actually request and use the data they collect only to provide that service or product.”

Expect more FTC actions to focus on this core privacy principle.

Deletion means deletion

In this complaint, the Privacy Shield Frameworks again shows their lasting significance as a means of spreading certain data protection standards to U.S. businesses. The FTC faults CafePress’ alleged failure to properly delete personal data when it received requests from EU and Swiss customers, despite making a commitment to uphold the Privacy Shield deletion principle in its privacy policy. Instead of deleting user account information, the company allegedly “only deactivated user accounts when it received such requests.”

Although deletion can often be difficult to implement, it is a common data subject right in many jurisdictions. Any commitment to “delete” user data, whether flowing from a compliance requirement or a best practice, should be backed up with internal processes that will verify the full removal of the information. The FTC complaint notes that this matters for security too, alleging that European customers of CafePress who had requested account deletions nevertheless had their information exposed in a breach, as it had not actually been deleted.

The CafePress enforcement action adds to a growing pile of data breach cases with implications for privacy professionals, highlighting yet again the interrelated nature of data governance practices across any organization. It is likely not the last such case we will see out of the FTC in 2022.

Photo by ipse dixit on Unsplash