$500,000 Fine Paid for Not Incorporating Reasonable Security
DESCRIPTION
On February 19, 2019, an attacker breached the network of CafePress, a well-known online t-shirt company. It was the first of several intrusions that week. In the end, the attacker made off with the personal data of more than 22 million customers, including email addresses, names, mailing addresses, phone numbers, and passwords. More than 180,000 Social Security numbers (SSNs), along with thousands of partial payment card numbers and expiration dates, were compromised as well. What makes an attack from over three years ago relevant today is that the FTC recently announced its ruling on an investigation that stemmed from a complaint filed against the company. The complaint named both the original owner of CafePress, Residual Pumpkin, and PlanetArt, which purchased CafePress from Residual Pumpkin in 2020. Based on the findings of its investigation, the FTC said that Residual Pumpkin failed to provide reasonable security for the personal information stored on its network. Some of the reasonable security measures found lacking included the following:
IDENTIFY INDICATORS OF COMPROMISE (IOC)
Residual Pumpkin, which owned CafePress at the time, was unaware of the attack. It wasn't until March 11 that a third-party security researcher contacted the company with what they believed was evidence of an attack, carried out three weeks earlier, that exploited a SQL injection vulnerability in its system. The researcher then demonstrated how the attack had probably been carried out. Residual Pumpkin confirmed the vulnerability but concluded that no breach had taken place. That conclusion was reached after reviewing only two weeks of log files, a window that could not have contained an intrusion that began three weeks earlier. Days later, the company began investigating a spike in orders it suspected were fraudulent. A month later, CafePress reset the passwords on all of its accounts but did not tell customers why. Over the following months, evidence trickled in from multiple sources that the compromised data of CafePress customers was for sale on the dark web. Finally, on September 4, 2019, CafePress notified its customers of the data breach and offered victims two years of prepaid identity theft protection and credit monitoring.
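A concrete illustration of the log-review point above, as an added example that is not part of the original briefing and is not CafePress's code or logs: the Python below scans web-server access logs for SQL-injection indicators, but only looks back a fixed number of days from the date of review. The log lines are constructed for the example (hostnames and paths are invented) and placed on the page's own timeline, with injection attempts on February 19, 2019 and the researcher's report on March 11. A 14-day window ending on the report date finds nothing; a 28-day window finds both attempts.

```python
"""Scan web-server access logs for SQL-injection indicators over a
chosen lookback window.

Added example, not from the original briefing: the log lines below are
constructed to mirror the timeline the page describes (injection on
19 Feb 2019, researcher report on 11 Mar 2019). They are not real
CafePress logs; hosts and paths are invented.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicators that a query string carries SQL rather than a product ID or search term.
SQLI_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"union\s+(all\s+)?select",            # exfiltration via UNION
        r"'\s*or\s+'?\d+'?\s*=\s*'?\d+",       # tautology: ' OR '1'='1 / ' OR 1=1
        r"'\s*(--|#|/\*)",                     # quote followed by a comment marker
        r"information_schema",                 # enumerating tables and columns
        r"\b(sleep|benchmark|pg_sleep)\s*\(",  # time-based blind injection
    )
]


def looks_like_sqli(url: str) -> bool:
    """True if the URL-decoded query string matches any SQLi indicator."""
    _, _, query = url.partition("?")
    decoded = unquote_plus(query)
    return any(p.search(decoded) for p in SQLI_PATTERNS)


def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
    return {"host": m["host"], "time": ts, "url": m["url"], "status": int(m["status"])}


def find_sqli_hits(lines, now, lookback_days):
    """Return (time, host, url) for SQLi-looking requests inside the window.

    Anything older than `now - lookback_days` is skipped, which is exactly
    how a too-short review window hides an older intrusion.
    """
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["time"] < cutoff:
            continue
        if looks_like_sqli(rec["url"]):
            hits.append((rec["time"], rec["host"], rec["url"]))
    return hits


# Constructed sample log: two injection attempts on 19 Feb, then normal traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [19/Feb/2019:03:14:07 +0000] "GET /shop/search?q=mug%27%20UNION%20ALL%20SELECT%20email%2Cpassword%20FROM%20users-- HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Feb/2019:03:15:42 +0000] "GET /shop/search?q=mug%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 91022 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Feb/2019:11:02:10 +0000] "GET /shop/search?q=funny+cat+mug HTTP/1.1" 200 12044 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2019:16:40:01 +0000] "POST /checkout HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [08/Mar/2019:09:12:33 +0000] "GET /shop/item?id=42 HTTP/1.1" 200 7710 "-" "Mozilla/5.0"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# The date the third-party researcher reported the attack (from the briefing).
REPORT_DATE = datetime(2019, 3, 11, tzinfo=timezone.utc)


def hits_for_window(lookback_days: int):
    """Run the scan over the sample log with a window ending on REPORT_DATE."""
    return find_sqli_hits(SAMPLE_LINES, REPORT_DATE, lookback_days)


if __name__ == "__main__":
    for days in (14, 28):
        hits = hits_for_window(days)
        print(f"{days}-day review window: {len(hits)} SQLi indicator(s)")
        for ts, host, url in hits:
            print(f"  {ts:%Y-%m-%d %H:%M} {host} {unquote_plus(url)}")
```

The pattern list is a starting point, not a WAF: search terms that legitimately contain SQL keywords will produce false positives, and encoded or fragmented payloads will produce misses. The point the example makes is that detection logic is only as good as the log window it is run over, so the lookback should be driven by how long an intrusion could plausibly have gone unnoticed, not by whatever logs happen to be at hand.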
CONTAINMENT (If IoCs are identified)
In addition to the lackluster security measures, the FTC found that Residual Pumpkin attempted to hide the data breach from the public and its customers. Its password reset proved insufficient, as the attackers were still able to take over the affected user accounts. Its failure to respond adequately to multiple reports of the breach also resulted in an unreasonable delay in notifying the affected parties, and that inaction increased the likelihood that the compromised information would be misused. The FTC ruled that Residual Pumpkin must pay $500,000 to the victims. This is on top of the $750,000 already paid under an earlier agreement with the New York Attorney General.
PREVENTION
In addition to the settlement, Residual Pumpkin and PlanetArt are required to implement comprehensive data security programs to address the problems that led to the breach. These include deploying a multifactor authentication (MFA) solution, reducing the retention period for stored data, and using modern encryption standards for all personal information. PlanetArt is also required to notify those whose information was compromised and provide additional information on how to protect themselves. In the end, the CafePress incident is not only a classic case of failing to enact reasonable security measures; it also stresses the importance of cybersecurity due diligence for anyone purchasing or acquiring another company.
Define reasonable security for your working environment. Establish a defensible risk and security program with a Duty of Care Risk Analysis (DoCRA).
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, duty of care, key acts and laws, and more that impact your risk management program.
Frequently Asked Questions (FAQ) on Reasonable Security
Why is “Reasonable” Security Important?
“Reasonable security” language is found in most state and federal privacy laws, and regulators have ruled that you must show you took “reasonable” steps to protect sensitive information.
Reasonable security does not mean perfect security, but rather security that makes sense based on your risks and resources.
Organizations with reasonable security:
- Have a better chance of avoiding regulatory action after a breach
- Are better positioned during litigation and investigations
- Have more support from cyber insurance carriers and adjusters
- Instill more confidence with clients, partners, and stakeholders
What Laws Reference “Reasonable Security”?
In the United States, a variety of state and federal laws require organizations to have "reasonable security practices and procedures," and the EU's GDPR imposes a comparable obligation. These include, but are not limited to:
- California Consumer Privacy Act (CCPA / CPRA)
- New York SHIELD Act
- Illinois Personal Information Protection Act (PIPA)
- Massachusetts 201 CMR 17.00
- Connecticut Data Privacy Act
- Gramm-Leach-Bliley Act (GLBA)
- Federal Trade Commission (FTC) Safeguards Rule
- General Data Protection Regulation (GDPR) – references “appropriate technical and organizational measures”
The laws do not specify exactly what controls you should use, but they do typically require some defensible evidence that you assessed and mitigated risk appropriately.
How Do You Demonstrate Reasonable Security?
The most effective way is through a documented, risk-based assessment process that allows you to show how your organization identifies, prioritizes, and mitigates risks.
A legally defensible risk assessment provides a fact-based argument that your actions were prudent, informed, and proportionate.
Key elements include:
- Risk identification: What data, systems, and processes are impacted?
- Threat and vulnerability analysis: What risks are credible and foreseeable?
- Impact assessment: What could cause harm to customers, partners, or operations?
- Control evaluation: What safeguards are reasonable under current conditions?
- Documentation: Written records of your findings, decisions, and mitigations.
Security and legal frameworks such as NIST SP 800-30, ISO 27005, CIS Controls, and DoCRA (Duty of Care Risk Analysis) can help define and prove what “reasonable” looks like in practice.
Is Reasonable Security the Same as Compliance?
No. Compliance means meeting the minimum requirements of a specific standard; reasonable security shows you exercised due care in assessing and mitigating your own risks, which may require more than the checklist.
What Is the Duty of Care Risk Analysis (DoCRA)?
The Duty of Care Risk Analysis (DoCRA) standard is an approach to establish and document reasonable security for an organization. It states that reasonable security is:
“Security that balances the interests of the organization with the interests of others who may be harmed if security fails.”
DoCRA helps organizations to review and justify risk decisions, not only from a compliance point of view but also with respect to fairness, proportionality, and legal defensibility. In essence, it considers an organization’s mission, objectives, and obligations. It effectively bridges security, business, and legal aspects in one defensible framework.
How Does HALOCK Help Organizations Demonstrate Reasonable Security?
HALOCK offers cybersecurity assessments that are risk-based, legally defensible, and aligned with the Duty of Care Risk Analysis (DoCRA) standard.
A HALOCK assessment helps you to:
- Identify, quantify, and prioritize cyber risks
- Select and balance controls with business impact
- Document a reasonable security posture for regulators, courts, and clients
- Establish an accountability and continuous improvement process

