Settlement | High Risk | Multistate

Multistate $2M Settlement with CafePress Over 2019 Data Breach

CafePress | December 18, 2020 | New Jersey Attorney General

Penalty Amount

$2,000,000

Consumers Affected

22,000,000

Summary

New Jersey joined a multistate $2 million settlement with online retailer CafePress over a 2019 data breach that exposed personal information of approximately 22 million consumers nationwide, including over 540,000 in New Jersey. The settlement requires CafePress to implement a comprehensive cybersecurity program, incident response plan, and third-party assessments for five years, with payment suspended pending compliance.

Remedy

CafePress must pay $2 million (with $750,000 payable immediately, including $98,368 to New Jersey), implement a comprehensive information security program with regular updates and CEO reporting, develop an incident response and breach notification plan, enhance personal information safeguards (encryption, segmentation, penetration testing, password management, data minimization), provide clear consumer notice regarding account closure and data deletion, and undergo third-party security assessments for five years. The remaining balance is suspended contingent on compliance.

Monetary Penalty | Consent Decree | Audit Requirement | Compliance Program | Reporting Requirements | Data Deletion | Corrective Notice

Entity Details

Entity

CafePress

Industry

Retail

Related Enforcement Actions

FTC

CafePress

$500K

The FTC finalized an order against CafePress for failing to secure consumer data and covering up a data breach. The company must implement comprehensive security measures, and its former owner must pay $500,000 in redress to victims.

FTC

CafePress

$370K

The FTC settled with CafePress for failing to implement reasonable data security measures, leading to multiple breaches that exposed Social Security numbers and other sensitive data. As part of the settlement, over $370,000 in refunds are being distributed to 20,044 consumers who filed valid claims.

NJ

Susaida Nazario

A former employee of the New Jersey Department of Children and Families was indicted for allegedly leaking confidential child protection case information in exchange for bribes. The defendant, Susaida Nazario, misused her access to provide case details to an unauthorized individual, compromising sensitive children's data.

NJ

Uber Technologies, LLC, and Uber USA, LLC

New Jersey Attorney General Matthew Platkin announced that New Jersey is joining a coalition of 22 states in suing Uber for deceptive practices related to its Uber One subscription service. The lawsuit alleges that Uber enrolled consumers without their knowledge and made cancellation extremely difficult, seeking restitution, penalties, and an injunction under New Jersey's Consumer Fraud Act and the Restore Online Shoppers' Confidence Act.

NJ

Anthropic, Apple, Chai AI, Character Technologies, Google, Luka, Meta, Microsoft, Nomi AI, OpenAI, Perplexity AI, Replika, and xAI

New Jersey Attorney General Matthew Platkin is leading a bipartisan coalition of 42 attorneys general in sending a letter to 13 tech companies, demanding that they implement safeguards for their AI chatbots to prevent harmful interactions such as sexually explicit conversations with children, encouraging self-harm, and spurring violence, following reports of serious incidents including deaths and self-harm.

NJ

auto dealerships

The New Jersey Division of Consumer Affairs sent warning letters to over 3,000 auto dealerships reminding them of the state's data deletion law, which requires dealerships to offer to delete personal data from vehicles when accepting them for resale or lease. Failure to comply can result in fines of $500 for first offenses and $1,000 for subsequent offenses, aimed at preventing unauthorized access to sensitive consumer information stored in vehicle infotainment systems.