On December 18, 2020, state Attorneys General from Connecticut, Indiana, Kentucky, Michigan, New Jersey, New York, and Oregon announced a $2 million settlement with CafePress over allegations that the online retailer failed to sufficiently respond to a 2019 data breach that impacted nearly 22 million customers.
CafePress allegedly failed to promptly detect a breach of its SQL database, which allowed an unauthorized individual to obtain customers’ personal information, and failed to initiate a full investigation until nearly 6 months after the breach. The settlement requires CafePress to implement comprehensive data security and data breach notification plans, and to perform third-party security assessments biennially for the next five years.