
EP 109: FTC’s Strange Action Against Cafe Press


About this episode

July 5, 2022

The Federal Trade Commission unusually took action against the current AND former owners of CafePress over the February 2019 customer data breach. Why and what does it mean? Also, an update on the False Claims Act from Episode 96. Let’s find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

EP 96: “Normalizing Greater Accountability For Cybersecurity Fraud”


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at and

Kip Boyle: Hey Jake, what are we gonna talk about today on Episode 109 of the Cyber Risk Management Podcast?

Jake Bernstein: Hey Kip. Today we're gonna talk about two things actually. We're gonna first talk about the Federal Trade Commission's action against the current and former owners of CafePress, and then we're also going to have a, well, I guess we'll see how quick it is, but an update on the False Claims Act, which we last discussed in Episode 96. So yes, this is one of those legal episodes, but hey, I think that's okay, the last few have been less legal, so let's go ahead and dive in.

Kip Boyle: Yeah, we gotta keep the show balanced, but I gotta tell you, the legal episodes that we make that I love the most are when we apply the law to business situations, because that really helps cyber risk managers know the boundaries that, you know, exist so that they can provide the best advice possible to their senior decision makers. So I just think these are great topics, but let's get going. CafePress, alright, isn't that the company that lets you create and purchase in great volume, like, you know, logoed coffee cups, t-shirts, you know, the swag that you get at conferences?

Jake Bernstein: Yeah, no, it is, it is indeed. But the case really doesn't have a lot to do with the company's actual business, at least not directly. Instead, this relates to a fairly massive February 2019 data breach that the original owners of CafePress basically concealed. Now, shockingly, I know we're both shocked, the breach didn't stay secret. It was actually publicized in September of 2019, and when regulators found out, eventually CafePress was investigated by the Federal Trade Commission, where we had a complaint and settlement filed in March of 2022.

Kip Boyle: So that just happened.

Jake Bernstein: Relatively yes.

Kip Boyle: Now the wheels of justice grind a little slowly sometimes, okay, but what makes this worthy of a podcast episode? I mean, gosh, there's so many actions that are taken all the time. Why this one?

Jake Bernstein: It's a fair question. And the answer is that what makes this CafePress case interesting is that it also involves an "asset transaction" which occurred about 18 months after the data breach actually was reported to have happened. And what's really interesting, and why this is a podcast-worthy case, is that the FTC sued both the former and current owners of CafePress. Now this made a pretty big splash in the mergers and acquisition, or M&A, community because normally new owners aren't held liable for actions of the purchased company, particularly those actions that predate the acquisition by quite a fair margin, as in this case, at least that's what it looks like. That's why.

Kip Boyle: That's kind of why you buy assets right? Is because you're hoping to leave behind anything toxic. Right?

Jake Bernstein: That's exactly right. I mean, that's why you would do an asset purchase instead of a kind of equity purchase, right? That's the difference. An asset purchase is just where you buy all the guts of the business.

Kip Boyle: It's like an estate sale, right? When somebody sells everything, right? So you buy pieces and parts of their life, but you don't assume their debts, you don't assume their liabilities. Okay. So this is fascinating, and now I can see why we're talking about it, because this is highly unusual. So what exactly happened?

Jake Bernstein: So there were two things really. First is that the FTC fined the original owners of CafePress, you know, this part is less exciting, the ones that owned it during the time of the data breach, for frankly what was just an utter failure to secure personal data and the subsequent failure to report that breach to the victims and authorities. And we will go into some detail on the breach itself, but setting it aside for just a moment.

Kip Boyle: Okay so that's the vanilla part, what's the chocolate syrup part?

Jake Bernstein: The chocolate syrup part is that the FTC also demanded that the new owners sign one of those, one of the FTC's, you know, now-common 20-year cybersecurity consent decrees. You know, we've talked a lot about those in several episodes, but, you know, as people do, you're probably wondering, hey, you know, the new CafePress owners bought the assets, why did they get in trouble for this?

Kip Boyle: Right. Yeah, exactly. That's what I'm wondering. This is very uncommon in my experience, although I have to cop to the fact that I'm not an M&A expert, but this doesn't sound normal, is it?

Jake Bernstein: Well, it's not normal and just to be clear, I would not consider myself to be an M&A expert either. I've only really been into a lot of M&A work in the last year. Speaking of which, it's now been a year since I joined my new firm.

Kip Boyle: Oh, Happy Anniversary.

Jake Bernstein: Yeah, thank you. But it's not normal, and it's also not quite an accurate picture of what the FTC did. And so in order to kind of understand the seemingly odd FTC action, we do need to go back to talk about the data breach itself and what led to the data breach.

Kip Boyle: I love this part of what we do here on the Cyber Risk Management Podcast, because if you just looked at the headlines, which is sort of what we did, just reviewed the headlines, you wouldn't really understand the full story, right? So...

Jake Bernstein: Not at all. This is one of those ones that the headline is just a teaser really.

Kip Boyle: Yeah. Yeah. Yeah. Yeah. So now, in good Paul Harvey fashion, for anybody who remembers Paul Harvey the radio broadcaster, now we're gonna tell you the rest of the story. And really the breach itself is kind of what caught my eye when I first saw this headline and shared it with you. Just the data breach itself was pretty interesting.

It's a decent-sized one too: over 23 million records stolen and uploaded to the dark web, and there were all kinds of things in there: email addresses, very weakly encrypted passwords, millions of unencrypted names and physical addresses, and even the security questions and answers for password recovery. Which is awful, because even if you don't know how to decrypt a weakly encrypted password, you can run amok with the Q&As. 180,000 unencrypted social security numbers and even tens of thousands of partial payment card numbers and expiration dates. Now, you know, it's obviously not the first time anything like this has happened.

And so it's easy for something like this maybe to get lost in the noise, but CafePress ignored incidents and attacks going back quite some time, a year or more before this large breach happened. And I think that's part of the story here, just the willful ignorance and just the refusal, right, by senior decision makers to, you know, take these things seriously. And I love the example that came up as we were doing the research for this episode, where CafePress discovered that some of the shopkeepers' accounts had been breached as far back as January of 2018. They didn't investigate the attacks. What they did instead is they closed the accounts and then they charged the shopkeepers $25 as an account closure fee? I just, like, oh my Lord, that's so brazen and awful.

Jake Bernstein: If you're gonna not bother to investigate, might as well charge the $25 fee on top of it. Just to be annoying. I don't know. But so, I mean, look, we have this obvious lack of encryption and, you know, what must have been some decent vulnerabilities that led to the breach, but we also have this incredibly willful ignorance.

Just a clear failure to investigate attacks and incidents. And, you know, to make matters worse, CafePress didn't tell anyone about that huge February 2019 breach. They just quietly reset user passwords at the time, and they only reported it a month after it was first reported in the media. So, you know, let's just say, not the greatest cyber risk management here.

Kip Boyle: Well, and I really think that this puts a light on something that I've been thinking about a lot lately, which is externalities. And in economics, an externality is when something happens, and forgive me, I'm not an economist either, but when something happens and the person who did it isn't the one that gets hurt, other people get hurt. You know, so think about, in the olden days, right, a factory that discharged dirty wastewater into a nearby stream.

Jake Bernstein: The classic externality.

Kip Boyle: Yeah. Right. And so, like, it's great for the factory to just dump this waste and to pay no money to get rid of it, but everybody downstream suffers for that. And I think that we've got a similar thing going on here with CafePress just going, you know, it doesn't bother us, we'll just do a password reset and keep going, and I just can't help but smell the sludge going into the stream when I read about things like this. Anyway, so yeah, and it turns out that the FTC found that the CafePress network had been hit by even other things, other malware attacks, before 2019. Again, none of that stuff investigated by CafePress or taken seriously in the least. Anyway. There's a really interesting turn of phrase that I love to use in a situation like this: egregious. This is egregious.

Jake Bernstein: You might say it's outrageous and egregious. Both, like the old Seinfeld lawyer. Yeah, so yeah, it is egregious and it is outrageous, particularly in 2022.

Kip Boyle: So glad I never did business with them.

Jake Bernstein: Yeah, well, many did, clearly, given the numbers. Okay, so now we can start to make sense of the FTC's action against the new owners. So in September 2020, which was about a year after the breach was reported, about 18 months after it occurred.

This new owner, and we're not gonna bother going into, you know, figuring out the names of the different companies, it doesn't really matter, but just know that the new owner purchased CafePress in an asset deal. Like, as I mentioned, that means they bought the guts of the business rather than buying the legal entity. It's a fairly common, somewhat boring event in the M&A world. So you might be wondering what happened, and Kip, what did happen? Tell us, kind of, what you understand occurred here.

Kip Boyle: Yeah, yeah, absolutely. So the new owners come in and they do nothing, they make no changes. So what the FTC is saying in effect is that, okay, well, you said you bought the assets and you became the new owners when you did that, but really, for all practical purposes, you just ran the business in the same building with the same servers and the same employees, and you didn't change anything at all. And so the whole idea, if I'm getting this right, the FTC is saying, well, yeah, you bought the assets, so on paper it looks good, but in fact you really kind of made, in effect, an equity purchase. I mean, would that be a fair way of characterizing what the FTC said?

Jake Bernstein: Sort of. I mean, I think they did the asset purchase, but then they kept everything exactly the same, and the FTC, I mean, as you said, the FTC made a big deal out of the fact that it was the same building with the same servers and the same employees, the same practices. So even though it was an asset purchase, it was the same company, right, from the operating level, it was the same company. And really, the way I look at it is that the new owners simply let the old practices continue. And we can all agree that those practices were textbook examples of unreasonable cybersecurity.

Kip Boyle: Yeah, that's great. I love how we got the reasonable, unreasonable aspects.

Jake Bernstein: Exactly. So this is really important to understand about the FTC's actions, because even though it may have looked like the FTC was holding new owners accountable for actions of the previous owners, I think, you know, as we know, appearances can be deceiving, and I think that once you dig into the facts, it's clear that what the FTC settlement really does is hold the new owners accountable for what they didn't do after purchasing the assets. In other words, it's holding them accountable for their own failure to act, right? And there's an important lesson here.

Kip Boyle: Yeah. Now, okay, failure to act, and because they just kept doing things the way that they had always been done, which we know was shoddy, unreasonable cybersecurity, they could be held accountable without any reference at all to the purchase then, couldn't they? I mean, in a way, they could just be, like, how do you say it? I want to get the legal term right. I don't know if I'm saying it right, but, de facto, you know, in trouble just because...

Jake Bernstein: "Per se unreasonable", yes.

Kip Boyle: All on their own, right, without any reference to the prior, you know, things. So, okay, but if you buy a company that has unreasonable cybersecurity practices and you don't change them, well, here come the regulators, right. And that's what happened here. So it's interesting. So the FTC's investigation really was triggered because of a data breach that happened before the acquisition, but then once they started looking, they kept looking, even though there was that asset exchange. You know, they just kept watching. So here we are. This is really interesting. I'm sure the new owners, at least in the beginning, thought that, you know, the FTC wasn't gonna follow them around.

Jake Bernstein: That would have been the assumption that I would have made, I think, you know, had I been in their position, and not necessarily me personally, but sure, a typical owner in that position. And the interesting thing is, like, I don't know, actually, that the new owners would have been held liable like this if they would have been investigated without the past conduct, but only because the past conduct was, as we said, the trigger for the FTC to look.

And, you know, this is not an uncommon thing, right? You know, if the FTC comes in for something like this, they're not at all bound to only look at that one thing, right? They are free to investigate any potential unfair or deceptive acts and practices for...

Kip Boyle: Is that for any regulator or does it need a special power?

Jake Bernstein: No, I wouldn't say it's a special power. It's more of a scoping question, right? The FTC's powers are very, very broad. Much like state AGs operating under a Consumer Protection Act.

And, you know, you compare that to, like, an environmental regulator, right? An environmental regulator has a relatively narrow kind of purview of what they can look at. And so, you know, if I come in because you're discharging, you know, that sludge into the river, literally this time, not metaphorically, and I also happen to notice that your cybersecurity is bad, well, that's not really within my enforcement capability, right? That's just not how the scope works, exactly, but for the FTC, there's just a lot fewer things that are out of scope.

One of those might be, ironically, discharging sludge into a river. The FTC doesn't really have authority over that kind of thing, and, you know, do these federal agencies talk to one another? They definitely can cooperate, but we don't need to get too deep into the question. And the lesson here that I think is pretty stark, though, is that if you're going to buy a company, which, you know, happened a lot in 2021, and yeah, there's maybe a slowdown in 2022, but, you know, that's to be expected.

First, make sure that you conduct, you know, at least adequate cybersecurity and privacy due diligence. Then, after the transaction closes, you must take action to correct any deficiencies that you identified during the due diligence phase of the deal. If you think about what happens in due diligence, the whole point of that phase is to understand what has happened. So it's not like the new owners of CafePress, I guess, I guess I shouldn't say that. If they didn't know, then they utterly failed their due diligence, right?

If they did know, then what were they thinking? You know, they utterly failed to correct. There was just no way out of this, right. You know, and I think if you don't, you run the risk of having this lurking time bomb that could go off and could become your problem pretty rapidly. So...

Kip Boyle: Yeah, yeah, yeah. I can't help but think about it. Go ahead. I'm sorry.

Jake Bernstein: No, I just think that I don't think this will be the last time this happens.

Kip Boyle: Yeah, probably not. But I can't help but think about the Verizon acquisition of Yahoo a few years ago, and, you know, that was a huge deal, right? Hundreds of millions of dollars. And when Verizon did their due diligence, they figured out that Yahoo had a similar data breach that they had covered up and so forth. And, but yeah, I'm sorry, but Verizon detected it in due diligence, and because of that they actually were able to decrease the acquisition price by something like $200 million, if I remember correctly.

Jake Bernstein: It was a fair amount of money.

Kip Boyle: Yeah. Right. But I think that's a good example of due diligence around cyber risk that actually, you know, was done well on behalf of the acquirer, and hurt Yahoo because they concealed some stuff and ultimately analyze their investors who also didn't know that there was this defect around unreported data breaches. And, but anyway, so Verizon actually went ahead with the acquisition, which kind of surprised me. So, but you know, hopefully they made the necessary corrections, but, you know, I think the story there that I just summarized about Yahoo and Verizon, I think maybe explains why somebody who is selling isn't that interested in disclosing, or even if they're not selling.

Jake Bernstein: No, I mean, why exactly? There's some level of, you know, let's just get the deal closed and run away. It's possible, who knows exactly what was going on there.

Kip Boyle: Well, yeah, in this case who knows? But I can tell you, I have seen over the course of my career plenty of management teams seriously consider, and sometimes take, the option of not reporting data breaches because they felt that it would diminish their reputation and the value of their firm. And so yeah, I've seen it in action. So that's why I wonder about it. But okay, so this is great. I love this story.

I'm so glad we brought this FTC action with respect to CafePress to our listeners. But there's one other thing we want to talk about before we wrap up the episode, and it's not an update to the False Claims Act itself. But it's a new action that uses the False Claims Act in a modern situation. And I say modern because I remember when we did that episode, there was a lot of talk about the fact that this is a law that Abraham Lincoln signed back in the day, and it now has new life in it. So Jake, would you remind our listeners what the False Claims Act is for? Like, why did Abraham Lincoln sign that?

Jake Bernstein: Yeah. And just to clarify, I would say that it's never really gone away. It's a very, very important tool, and I think the best way to just think of it is it's kind of like the FTC Act, but where the government is the consumer. It's a way to protect the government from, you know, deceptive and fraudulent practices.

Kip Boyle: Okay, so, but now what we're seeing is it's being applied in the cybersecurity realm.

Jake Bernstein: Right. Yeah. Yeah, that's what's different about it: the False Claims Act has been used continuously since it was signed. And really what's going on is its use is being expanded. And if you recall, in Episode 96, one of the reasons we did that episode was that the DOJ, the Department of Justice, had announced this big intention to use the False Claims Act to go after, you know, basically fraudulent companies that were defrauding the government with respect to cybersecurity. So that's kind of the background here, and now.

One of the key features of the False Claims Act is the concept of "relators," and basically how a whistleblower can use the False Claims Act to both help the government and be rewarded in the process. The way it works is that if an individual brings a successful action under the False Claims Act, that individual receives some percentage of the recovery. We're not going to go into detail as to how that percentage is decided, et cetera, et cetera, but suffice to say it could be a lot of money.

Kip Boyle: Okay, so when I was in the military, there was a kind of a similar program, and the term that I remember is Fraud, Waste and Abuse. And if you saw any of that as a member of the military or somebody working in a military facility, you know, you could report that and you could be rewarded for reporting that. And by the way, everybody, we were not numbering our episodes before we got to about 100. So this is Episode 96 we're talking about, but that was recorded about six months ago as we record this episode. So that was January 4, 2022, if you want to go into your podcast, you know, readers and go back and check out that episode. Okay, so, but the bottom line here is the False Claims Act encourages people to step forward and make sure that the government knows that, hey, it's being defrauded. So what's the update? What's new?

Jake Bernstein: So okay, so now the bad news is that we didn't get, there's not as much detail available as I think everyone would like, and we'll learn why. It's kind of funny, but the case is United States ex rel. Markus versus Aerojet Rocketdyne Holdings, Inc., and it is a quite fascinating example.

Kip Boyle: What's ex rel? Is that more Latin?

Jake Bernstein: It is some Latin, and that just means that there is a "relator," in this case Brian Markus, who is bringing the case on behalf of the United States government.

Kip Boyle: Oh, so he's the whistleblower.

Jake Bernstein: He's the whistleblower. And sometimes the government itself will intervene in one of these cases, but it doesn't have to do that. And here we have, so like I said, Brian Markus. He was an employee at Aerojet Rocketdyne, a company that designed and built rocket engines in the missile defense industry. So, you know, I don't know about you, Kip, but I don't see a lot of missile defense industry purchases being made by the private sector. So we can rest assured that this is truly a government contractor situation.

Kip Boyle: Yeah, yeah, for sure. By the way, a question about Mr. Markus appearing in the complaint: don't whistleblowers typically want some kind of protection from this kind of notoriety? I mean, he could become unemployable, right?

Jake Bernstein: Well, I mean, yes and no, and I think the term whistleblower, you know, there's all kinds of whistleblower statutes and whistleblower protections. In this case, Mr. Markus may not care about his employability, as we will find out shortly.

Kip Boyle: Okay, okay. All right. I was just wondering if there was, you know, like, some reason why his name would be so well known.

Jake Bernstein: You have to. If you want to bring this case, you must do it publicly, via a lawsuit.

Kip Boyle: So there's no whistleblower protection program. Okay, I guess I assumed there would be. But Mr. Markus wasn't just an employee, right? According to what we've looked at, he was a senior director of cybersecurity and compliance at Aerojet. And so his tip-off came from direct knowledge of noncompliance at the company. Did I read that right?

Jake Bernstein: You did. And it's pretty remarkable. Mr. Markus blew the whistle on his employer by bringing a case that alleged that Aerojet failed to adequately secure itself against cyber attack, in violation of government requirements for government contractors. And, you know, the detail that we do have, it is quite fascinating. It seems like Aerojet repeatedly assured the government that all was well, but it wasn't. And, you know, there's so much that we could talk about here, but one of the things that I think is most important is the numbers. Okay, so let's talk about that. There's a whole bunch of kind of legal, what I would call motions practice, that we could talk about. You know, the case typically has to survive what's called a motion to dismiss. Then the case oftentimes may have to survive a motion for summary judgment, and only after you survive these two things do you potentially get to go to trial.

Well, Mr. Markus's case did survive both a motion to dismiss and a summary judgment hearing on the issue of causation. This one's pretty interesting. The court ruled against the defendants. Basically, this company said, hey, government, you received what you bargained for, functional rocket engines, and there was no evidence of any kind of causation to connect Aerojet's representations as to cybersecurity and the government's decision to enter into a contract with it. In other words, and this is the defendant.

What they were saying was, hey, you got your functional rocket engines, what's the problem? But the "relator," Markus, successfully persuaded the court that the government's contract wasn't just for rocket engines but also for a company to satisfactorily store the government's sensitive data on a system that met its cybersecurity requirements. Isn't this fascinating to think about? There was nothing at all wrong with the rocket engines. The False Claim was completely about the failure to adequately secure government data.

Kip Boyle: Wow. Yeah. Oh geez, this is cool. So when we did our episode on the False Claims Act, this is exactly what we talked about, what they want.

Jake Bernstein: This is what they wanted to see. This is exactly what the DOJ wants to see now. Okay, let's talk about numbers. So Kip, you know.

Kip Boyle: It's a big number.

Jake Bernstein: It's a big number, isn't it?

Kip Boyle: Really big. So Uncle Sam wanted his $2.6 billion back, right?

Jake Bernstein: Well, so the government never actually intervened. So what happened here is that Markus, the plaintiff, he just said, you know, you should pay back the $2.6 billion in government contracts. Now here is the fascinating part: the False Claims Act, you know, we talked about this, it's very, very powerful. It allows for enhanced damages, treble damages, which for some reason lawyers like to say trouble instead of triple, penalties and attorney's fees. But that $2.6 billion figure doesn't include any of that. That was just the demand on the way to trial, and I believe it was something like April 26, 2020, this case went to trial, and it settled on April 27th, 2022. Sorry, did I say 2020? April 26, 2022. You know, less than a month ago from when we're recording this.

And so we don't know the settlement, though. And that's kind of the sad part. We don't know the settlement, but you can guess, right? If $2.6 billion was the value of the government contracts, you know, let's see, the False Claims Act would have allowed, you know, in excess of, you know, probably not a few billion in penalties, enhanced damages, attorney's fees. It's an enormous amount of money, right?

Kip Boyle: So if they can get out of it, if they figure that they're gonna lose at trial, then anything less than the worst case is desirable, right?

Jake Bernstein: It is desirable. And so we don't know. We will, and we'll probably never know exactly how much money the government recovered, or how, well, maybe we will know that at some point. I don't know that. I haven't looked into it.

Kip Boyle: I don't figure would be a public record of some kind of disclosure.

Jake Bernstein: I'd have to think about it. I think the disappointment of some people was that it would have been nice to see a quote, fully litigated case like this.

Kip Boyle: Or just what the details of the resolution right?

Jake Bernstein: Yeah, and maybe it's out there. Trust me, if there is further news on the subject, like I said, it was not that long ago as of the date of recording.

Kip Boyle: We'll bring it, right? We'll come back on another update. If anybody's listening, if anyone listening knows what the additional details are, please send them to us.

Jake Bernstein: Yeah, well, we'll search around and we'll find it if it exists, but anyway, this is just a prime example of how the False Claims Act can work in terms of cybersecurity, you know, requirements, and that is...

Kip Boyle: I gotta tell you I'm just fascinated by Brian Markus.

Jake Bernstein: Well, you see why I said he may not care about his future employability.

Kip Boyle: He may not. Right? But follow me on this. So Brian Markus might have had the kind of payday that, you know, removed him from the need to worry about employability. I hope so, right, for his sake? I hope so, but let's think about this for a second. Doesn't this cast a bit of a shadow on other people who have jobs similar to Mr. Markus? Right? So, like, if I'm the owner of another defense contractor similar to Aerojet and I'm looking at this right now, aren't I starting to give some side eye to other people who have responsibilities like Mr. Markus, and I'm wondering, oh crap, you know, like, I could have an insider, you know, whistle-blow me under the False Claims Act. Maybe I shouldn't have those people around, or maybe I should be really careful about what I let them see. I don't know, I'm just wondering what the practical sort of, you know, impact is going to be.

Jake Bernstein: So it's a fair question. And I think what happened here, and again, we'd have to go and try to find the additional facts, and maybe we'll do that, but my understanding from what I've read is that Mr. Markus and his team tried real hard to get this company to stay in compliance, right? I mean, this is not a situation where, you know, he comes in and he's like, oh, this place sucks, you know, I'm gonna go see if I can get a huge payday. No, no, I think the situation here was more that he wanted, you know, there were a lot of...

Kip Boyle: He was trying to get senior decision makers to do right is what you're saying.

Jake Bernstein: That's, I guess, what I'm saying, that's what I'm trying to say, and I think that, you know, to your point, to me what this is, is, you know, if you're a senior decision maker and your senior cybersecurity and compliance officers are coming to you saying we need to do more, we have to, you know, I need the budget to fix this, you know, you should understand that the False Claims Act is lurking, right. If you are just completely uninterested in complying with these government requirements, you know, not only could your employees decide to blow the whistle, but you could lose everything.

Kip Boyle: Right. Yes, fascinating. Yeah. And reputation and so forth. So, well, this is great. So this is almost like a twofer episode, isn't it? Two podcast episodes in one. I don't think we've ever done anything quite like this, but it's pretty cool. And it actually brings us to the end of the episode. Any last words?

Jake Bernstein: Don't make a False Claim to the government.

Kip Boyle: Yeah, for sure. Right. And when you do your due diligence on an acquisition, make sure that you know what you're acquiring and make some changes for crying out loud.

Jake Bernstein: Yeah, that's a good point.

Kip Boyle: Okay, well, that wraps up this episode of the Cyber Risk Management Podcast. Today we discussed both the CafePress FTC case and we looked briefly at a False Claims Act case involving a missile defense contractor. So I hope that was useful to you all. Thanks for being here. We'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at Thanks for tuning in. See you next time.

YOUR HOSTS:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.