I was curious about what legal theory they were using to enforce this. It appears that 5/7 of the counts are just false or misleading statements - CafePress claimed to have good security but didn't. Another is just tangentially related to security. The interesting one is Count III:
> As described in Paragraph 11, Respondents’ failure to employ reasonable data security measures to protect Personal Information caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. This practice is an unfair act or practice.
...
> in violation of Section 5(a) of the Federal Trade Commission Act.
If I'm reading this correctly, it is saying that the FTC interprets poor security of user's data to be in violation the FTC act even outside of any promises given to the customer. That seems like a big stretch IMO.
It's the legal theory of "agree to these things or we're going to publicly try to nail your assets to the wall" - even if they actually can't do it, do you want to pay the costs of fighting it, or give the FTC their little PR moment.
> As described in Paragraph 11, Respondents’ failure to employ reasonable data security measures to protect Personal Information caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. This practice is an unfair act or practice. ...
> in violation of Section 5(a) of the Federal Trade Commission Act.
If I'm reading this correctly, it is saying that the FTC interprets poor security of user's data to be in violation the FTC act even outside of any promises given to the customer. That seems like a big stretch IMO.