On December 18, seven states have entered into a settlement agreement with e-retailer Cafe-Press for $2 million stemming from a 2019 data breach that exposed information of approximately 22 million consumers. The breach affected consumers’ personal information, including usernames and passwords, Social Security numbers and/or Taxpayer Identification numbers.

Of the $2 million, $750,000 will be an immediate payment divided among the states: New Jersey, New York, Connecticut, Indiana, Kentucky, Michigan and Oregon.

According to the settlement agreement, if CafePress improves its data privacy practices, the states have agreed to suspend the balance of the settlement. Those improvements include implementing a comprehensive cybersecurity program that is updated and assessed regularly, a data breach notification plan (including preparation, detection, analysis, containment, eradication and recovery), as well as other safeguards like encryption, segmentation and penetration testing. CafePress must also update its disclosures to consumers including information on account closure and data deletion. The company must also have a third-party risk assessment for the next five years.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.