FTC on CafePress: Important Takeaways

The FTC has issued a settlement in the matter of CafePress. Here are the important things to take from it:

Data minimization:

Storing information indefinitely on your network without a business need creates an unnecessary risk. (hello, data minimization as an FTC Art 5 cause of action and a nice tie-in with data minimization as legal requirements under #CPRA #CDPA #CPA)

M&A:

If you are acquiring a company - check its information security, its privacy reps and how it has handled incidents in the past or you may be left with the liability.

Transparency:

  • If you have a data breach, don't cover it up and don't lie about it, e.g. by telling consumers to reset their passwords on the pretext that you have updated your password policy.
  • If you say that you are using information (e.g. email addresses) for order notifications and receipts only, you cannot use it to send marketing emails.
  • If you provide a check box for email marketing, you cannot send marketing emails while it is left unchecked.
  • Be wary of using the following expressions in your privacy disclosure; they may come back to haunt you: "we value the trust you place in us"; "your privacy and trust are important to us"; "Safe and Secure Shopping. Guaranteed"; "we pledge to use the best and most accepted methods and technologies to ensure your personal information is safe and secure"; "our servers are secure and your personal information is stored safely in our system".

Privacy Shield:

  • Even though the EU-US Privacy Shield no longer operates as a cross-border transfer mechanism, certified companies must still abide by its principles, including: Choice (giving the opportunity to opt out); Security (reasonable protection); and Access (the ability to access, amend or delete data). Failure to do so is enforceable by the FTC.
  • If you say that you will delete information pursuant to requests from EEA individuals, you have to do it (and if you don't, it will get found out if you have a data breach).

Information Security Specifics:

  • Don't store in cleartext personal information that includes answers to security questions, PayPal addresses, the last four digits and expiration dates of credit cards, and the SSNs or Tax IDs of shopkeepers.
  • Hash your passwords with a secure algorithm (SHA-1 hashing is not enough) and salt them.
  • You must have a process for receiving and addressing security vulnerability reports from third-party researchers, academics, or other members of the public.
  • You must implement patch management policies and procedures to ensure the timely remediation of critical security vulnerabilities.
  • Only use updated and patched versions of database and web server software.
  • Establish or enforce rules sufficient to make user credentials (such as user name and password) hard to guess.
  • Implement reasonable procedures to prevent, detect, or investigate an intrusion e.g.: maintain logs; properly configure vulnerability testing and scope penetration testing; comply with your own written security policies.
  • Implement a process to reasonably respond to security incidents.
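The password-storage point above (salted hashing with a secure algorithm rather than bare SHA-1) is easy to state and easy to get subtly wrong, so here is an added illustration in Python. It is not code from the original post or from CafePress: it places the weak pattern (one unsalted SHA-1 digest per password) beside a hardened form built only from the standard library (a random per-user salt plus PBKDF2-HMAC-SHA256, with the iteration count stored alongside the hash so it can be raised later). The user names, passwords and iteration count are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample accounts for the demo (not real data). Two users share a
# password on purpose, to show how each storage scheme treats that case.
SAMPLE_USERS: Dict[str, str] = {"alice": "Summer2021!", "bob": "Summer2021!"}

# Assumed work factor; tune to your hardware and keep it inside each record so
# old records can be detected and re-hashed when the target is raised.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password: str) -> str:
    """The weak 'before' pattern: a single unsalted SHA-1 digest per password.

    Equal passwords produce equal digests, so one cracked digest exposes every
    account sharing that password, and precomputed tables work against the
    whole user table at once.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened form: 16 random salt bytes per user + PBKDF2-HMAC-SHA256.

    Returns a self-describing record 'pbkdf2_sha256$<iterations>$<salt>$<digest>'
    (hex fields), so verification never needs out-of-band parameters.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: fail closed
    _, iterations, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


def needs_rehash(record: str, target_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record is still legacy-format or below the current work factor,
    i.e. it should be re-hashed at the user's next successful login."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return True
    return int(parts[1]) < target_iterations


def demo() -> Dict[str, bool]:
    """Contrast the two schemes on the constructed accounts."""
    legacy = {u: legacy_sha1(p) for u, p in SAMPLE_USERS.items()}
    hardened = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    return {
        "legacy_collide": legacy["alice"] == legacy["bob"],        # True: same password, same digest
        "hardened_collide": hardened["alice"] == hardened["bob"],  # False: distinct salts
        "alice_ok": verify_password("Summer2021!", hardened["alice"]),
        "alice_wrong": verify_password("summer2021!", hardened["alice"]),
        "legacy_needs_rehash": needs_rehash(legacy["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record format is the design point worth noting: because the algorithm name, iteration count and salt travel with the digest, a table containing a mix of old and new records can be verified uniformly, and `needs_rehash` lets you migrate weak records opportunistically at login rather than forcing a mass reset.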

The Company is required to:

  • Refrain from misrepresentations
  • Implement a comprehensive information security program
  • Designate a person to be in charge of it
  • Institute sufficient safeguards. These specifically include:
      (1) data minimization at collection, retention limitation and deletion;
      (2) encryption of SSNs;
      (3) data access controls;
      (4) replacing security questions with another form of authentication, preferably through an authentication service;
      (5) employee training.

  • Select only appropriate service providers
  • Reassess your measures periodically, and after an incident
  • Acquire biennial reviews from a third party assessor
  • Undergo checks by a third party information security assessor
  • Undergo annual certification
  • Report data incidents to the FTC
  • Pay $500,000 to the FTC


Kathleen Glass

Helping Launch Innovative Products and Services in AgTech, GovTech, IoT, AI, Privacy and CyberSecurity

2 years

I hope that sales and marketing are listening! This is rampant! "Storing information indefinitely on your network without a business need creates an unnecessary risk. (hello, data minimization as an FTC Art 5 cause of action and a nice tie-in with data minimization as legal requirements under #CPRA #CDPA #CPA)"

Andrea Amico

@Privacy4Cars founder. Driving Privacy through transparency, data protection, and real consent. Multiple patents and creator of first app-driven process to delete PI from cars and of VehiclePrivacyReport.com

2 years

Will be interesting to see how this shapes the #automotiveindustry, given that 1. significant #personalinformation can be collected from vehicles without a clear consent mechanism (e.g. from the #connected phones or because certain categories of info are not declared in the #privacypolicy but are nevertheless collected). 2. data is often stored #unencrypted, and the only (poor) factor of #authentication is having a key 3. most companies still lack a #datadisposal policy, even when the vehicles exchange hands (sale, lease return, rental, total loss, etc.) #nobueno

Ruthie Cohen, Esq., CIPP/US

Data Privacy and Protection

2 years

Well said Odia!!
