FRANKFORT, Ky. (WYMT) - On Monday, Attorney General Daniel Cameron announced a $2 million multi-state settlement with CafePress, LLC.

The settlement follows litigation over a 2019 data security breach that compromised the personal information of more than 22 million consumers, with approximately 186,187 Kentuckians among them.

The breach could have given access to consumer names, email addresses, passwords, physical addresses, phone numbers, and, in some cases, the last four digits of credit card numbers, expiration dates, and full Social Security or tax identification numbers associated with customer accounts.

In addition to the payment, CafePress agreed to a number of changes to protect consumers from potential future cyberattacks, including:

Implementing a comprehensive information security program and incorporating regular technology updates to provide up-to-date security safeguards.

Reporting identified security risks to the chief executive officer.

Creating an incident response and data breach notification plan, containing preparation, detection and analysis, containment, eradication, and recovery provisions.

Developing encryption, segmentation, penetration testing, logging and monitoring, risk assessment, password management, and data minimization safeguards and controls for the personal information of consumers.

Providing clear notice to consumers concerning account closure and data deletion.

Undergoing third-party security assessments for five years.

The settlement involves Attorney General Cameron as well as the Attorneys General from Connecticut, Indiana, Michigan, New Jersey, New York and Oregon.

