A data minimization requirement, a mandate to use multi-factor authentication, direct notice to consumers with an admission of wrongdoing, monetary relief. There’s a lot to pay attention to in the U.S. Federal Trade Commission’s proposed settlement with the current and former owners of CafePress, announced March 15. IAPP Managing Director, Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, has done an excellent job of teasing out the privacy lessons hidden in what is, on its surface, a data security case. Here I will focus on the data security aspects of the case while noting the important connection between the two.
By my reckoning, this is the FTC’s first data security settlement in over a year, the last being the November 2020 settlement with Zoom and the December 2020 agreements with SkyMed and Ascension Data. It is fascinating and instructive to see both the continuity and the ongoing evolution in the FTC’s cybersecurity enforcement.
On the continuity side, data security remains a bipartisan issue for the commission, with the two Democrats and two Republicans voting unanimously in favor of the complaint and settlement.
Also representing continuity are the long list of security failings identified in the complaint and the long list of technical security measures mandated in the settlement agreement. The latter contains the same broad requirements that have been in FTC data security settlements going back to Eli Lilly 20 years ago: identify internal and external risks; design and implement a comprehensive information security program with safeguards responsive to those risks; designate a qualified employee to be responsible for the program; train employees; test and monitor the program’s effectiveness and revise it as appropriate; and select and retain service providers capable of safeguarding personal information they access. But the proposed settlement, like all those after a court of appeals in the LabMd case castigated the commission for the broad generality of its “reasonable security” orders, also contains a list of very specific technical requirements, including encryption of all Social Security numbers; restricting inbound access to approved IP addresses; timely remediation of vulnerabilities and application of patches; and multi-factor authentication.
In terms of the ongoing evolution of the FTC’s approach, the requirement to adopt multi-factor authentication is notable. The proposed order for CafePress’ current owner states that it must replace authentication measures based on the use of security questions and answers with multi-factor authentication and not use security questions again. The Zoom settlement mentioned MFA, but it seemed to be optional: The Zoom order required technical measures designed to safeguard against unauthorized access “such as” firewalls, segmentation, and multi-factor authentication “or similar technology.” The CafePress order leaves no wiggle room and thus may signal a new impatience on the FTC’s part with anything other than MFA.
Also noteworthy — arguably revolutionary — is the consent order’s requirement that CafePress adopt policies and procedures to “minimize data collection, storage and retention.” Data minimization is, of course, a key element of fair information practices, but too often overlooked in a world obsessed with notice and consent. For some time now, Commissioner Rebecca Kelly Slaughter has been urging the commission to adopt and enforce a data minimization requirement. Going back at least as far as 2019, in the InfoTrax case, the commission required entities to delete information after it was no longer necessary. But CafePress may be the first settlement to mandate data minimization at the collection phase and may signal growing Commission support for bringing data minimization into the center of FTC enforcement. Almost certainly, one can expect it, as well, to be prominent in the potential FTC rulemakings on privacy and security.
CafePress also represents progress toward another of Commissioner Slaughter’s long-sought reforms: treating privacy and data security together rather than as distinct concerns. Indeed, Slaughter dissented in the Zoom case specifically because the commission had failed in that case to look at Zoom’s privacy practices.
In contrast, in the CafePress matter, which seems to have begun as a data breach case, the FTC did not confine its investigation or its complaint to security issues. Instead, in addition to calling out the company’s deceptive data security representations and its multiple security failings (just as it had in multiple other data security cases), the FTC also specifically focused on CafePress’ use of emails for marketing purposes, and alleged in its complaint that the company failed to honor deletion requests as it had said it would. The settlement order requires the company that now owns CafePress to adopt only a “comprehensive information security program,” but it does go on to say, as Commissioner Slaughter had urged, that that program must protect the privacy as well as the security, confidentiality and integrity of personal information. And the order specifically prohibits the company from further misrepresenting how it honors the privacy choices exercised by users.
The remedies ordered in the settlement reflect two other themes that the FTC has said are priorities: (1) providing notice to harmed consumers; and (2) obtaining monetary remedies for harmed consumers.
As to notice, building on its settlement over a year ago with Flo Health, the CafePress order will require the company to send a letter to consumers whose personal information was accessed as a result of the data breaches. The letter would include security advice to consumers, such as using different passwords for different accounts. Moreover, in the draft letter, CafePress would expressly tell consumers, “CafePress didn’t have reasonable practices to keep your information safe.” This is pretty remarkable, since settlements, including this one, always contain a statement that the respondent neither admits nor denies any wrongdoing. Commissioner Slaughter, along with former Commissioner Rohit Chopra (now head of the Consumer Financial Protection Bureau), has pushed for notice to consumers as part of FTC settlements. CafePress suggests this may become a standard feature of enforcement proceedings. It is also interesting that Commissioner Phillips, who opposed notice in the Flo Health case, voted for it here, probably because it met his criterion of providing advice to consumers on how they can “take action to protect themselves.”
Finally, the proposed settlement requires the former owner of CafePress to pay $500,000 into an FTC fund to be used for redress to victims of the data breaches. While that is a relatively small amount (from a relatively small company), it shows that the commission is still finding ways to obtain monetary recoveries despite the Supreme Court’s 2021 decision in the AMG Capital management case, which blocked the commission from further use of authority it had relied on to obtain restitution in cases alleging unfair or deceptive acts or practices.
All in all, the CafePress complaint and settlement orders deserve close attention by both privacy and data security practitioners and should prompt refresher sessions with product teams to go down the FTC’s lists of alleged failings and required corrective actions.
Photo by Dmitrij Paskevic on Unsplash
