On November 16, 2023, the Federal Trade Commission released a proposed order in connection with a complaint filed in August of 2020 against Global Tel*Link Corp. (“GTL”) and its subsidiaries, Telmate and TouchPay, which offer communication and payment services for incarcerated individuals. The complaint centered on a security breach in which a technician for a vendor of GTL placed unencrypted, personally identifiable information in a test environment to test new search and storage software. The test environment allegedly was accessible on the internet without password protection, which permitted an unauthorized actor to access and exfiltrate the data between August 11-13, 2020. Though GTL restricted access to the test environment, GTL allegedly failed to notify its customers for roughly nine months, while also falsely representing to prospective customers that it had never experienced a security breach.

In a first for the FTC, the proposed Order requires GTL to submit a report to the FTC within ten days of notifying any U.S. federal, state, or local entity of an incident. The FTC report must specify the date an incident took place, the type of information involved, and the number of consumers impacted. When applicable, it must also include a statement and a copy of a law enforcement agency’s request to delay notice to affected consumers on the basis that notifying consumers would interfere with an ongoing investigation. This FTC notification obligation for GTL is in addition to a 30-day window to notify consumers of future breaches.

Update: On February 23, 2024, the FTC finalized the proposed order in a 3-0 Commission vote. GTL and its subsidiaries are “required to implement a comprehensive data security program” that includes several risk management requirements and “procedures to minimize the amount of data it collects and stores.” In addition, GTL must “notify users affected by the data breach who did not previously receive notice and provide them with credit monitoring and identity protection products.”