On November 16, the Federal Trade Commission (FTC) announced an enforcement action against Global Tel*Link Corporation and two of its subsidiaries (collectively, “GTL”), which provide communications and payment services to prisons, jails, and detention facilities, as well as to incarcerated individuals and their families, friends, and other associates. The FTC alleges that GTL implemented inadequate data security practices that resulted in the compromise of personal information, then failed to deliver adequate notifications regarding this incident to affected individuals. The FTC’s proposed order would require GTL to bolster its data security protections, notify all individuals affected by the data breach, and engage in prompt notifications for any future data breaches that it experiences.

Though the FTC’s allegations of GTL’s weak data security are consistent with recent enforcement actions that the Commission has undertaken, its focus on GTL’s data breach notifications is more unique, and suggests that the FTC may be applying closer scrutiny to companies’ incident response procedures moving forward. Specifically, the Commission’s approach in this complaint suggests that companies that experience data breaches must ensure that their data breach notifications are prompt and comprehensive in order to avoid FTC scrutiny. For example, in this enforcement action, the FTC penalized GTL for allegedly failing to notify additional users that were impacted by the incident and significantly delaying when it provided notice. Companies should be aware of this enforcement action when evaluating their legal obligations in the event of a security incident.

In this post, we summarize key elements of the FTC’s complaint against GTL, identify notable elements of the proposed order, and highlight key takeaways for companies to consider as they develop their own cybersecurity and privacy compliance programs. 

The Complaint

Global Tel*Link Corporation, together with its subsidiaries Telmate and TouchPay (collectively, “GTL”) provides communications and payment services to jails, prisons, and other detention facilities, as well as incarcerated individuals and their families, friends, and other contacts. Through these services, GTL collects a wide range of sensitive personal information from incarcerated individuals and their associates, including “names, addresses, passport numbers, driver’s license numbers, Social Security numbers, and financial account information.”

The FTC’s complaint centers on a data breach that GTL experienced in August 2020. As part of a process to implement a new version of a search software that it uses to deliver its products and services, GTL copied a large amount of user data to a cloud storage environment in order to test the new software. According to the complaint, this body of user data contained a vast array of sensitive information, including:

individuals’ full names; dates of birth; phone numbers; usernames or email addresses in combination with passwords; home addresses; driver’s license numbers; passport numbers; location information; information about individuals’ race, religion, and whether they are transgender; approximately 80,000 grievances submitted by incarcerated consumers to Facilities; and the content, dates and times, senders, and recipients of approximately 75,000 written messages that incarcerated and non-incarcerated users had exchanged using Respondents’ services. In numerous instances, the written messages contained payment card numbers, financial account information, and Social Security numbers.

On August 11, 2020, a third-party vendor technician changed the security settings of the test environment, which resulted in the environment being left Internet-accessible, with no password protection or other access controls in place, from approximately August 11–13. As a result, the personal information of roughly 649,500 individuals was left exposed. The test environment was subsequently accessed by unidentified individuals, and at least some of the data was exfiltrated from the environment and made available on the dark web.

The complaint alleges that GTL violated Section 5 of the FTC Act by engaging in unfair or deceptive acts or practices, including the following:

1. Unfair Data Security Practices. The complaint takes GTL to task for its data security practices, focusing specifically on an alleged lack of adequate safeguards in the company’s cloud-based test environment. For example, the complaint highlights how GTL stored the personal information in unencrypted clear text, and notes that GTL did not implement such measures as automated monitoring software, a perimeter firewall, or an intrusion prevention system in relation to its test environment.
2. Inadequate Data Breach Notifications. The complaint also critiques GTL for its response to the incident. The only data breach notifications that GTL delivered in relation to this incident were sent to approximately 45,000 individuals around May 2021. The FTC contends that this notification was both incomplete (failing to notify “hundreds of thousands of additional users whose information was contained in the Test Environment at the time of the Incident and therefore may have been exposed”) and unnecessarily delayed (taking place roughly nine months after the incident and thus depriving affected individuals of the “opportunity to take actions to protect themselves from identity theft”).
3. Misrepresentations Regarding Incident, Data Breach Notifications, and Data Security Practices. Finally, the complaint catalogues the numerous alleged misrepresentations that GTL has made about its data security practices, the August 2020 incident, and its response to that incident. Prior to the incident, the complaint observes, GTL routinely held itself out in promotional materials, contract bids, and public-facing privacy policies as a security-focused organization — a presentation sharply at odds with the inadequate data security practices it later displayed in the context of its test environment. And after the incident, GTL allegedly continued to engage in misrepresentations, such as by downplaying the scope of the incident in a statement to a data security blog and continuing to maintain in contract bids that it had never experienced a data breach.

The Proposed Order

The proposed order imposes several key requirements on GTL, including:

1. Information Security Program. As in many FTC enforcement actions that allege inadequate data security practices, this order requires GTL to implement an information security program and subject that program to third-party assessments. The information security program mandated by the order must include such practices as periodic risk assessments; cybersecurity safeguards (e.g., encryption, multi-factor authentication, data mapping, access controls, firewalls, and intrusion detection and prevention systems); an incident response plan; and employee training.
   • Change Management Procedures: Notably, as part of its information security program, GTL will also be required to implement change management procedures for systems containing personal information. For example, when implementing changes subject to these procedures, GTL will have to ensure that any relevant source code or configuration files are adequately reviewed by someone other than the person proposing or implementing the change, and that the code and files are implemented through programmatic or automated mechanisms (rather than manually). 
2. Notification and Credit Monitoring for Affected Individuals. The order will require GTL to deliver data breach notices to all individuals affected by the breach who have not previously been notified, as well as to post notices on the home screens of its websites and mobile apps. Additionally, the order requires GTL to provide affected individuals with a credit monitoring and identity protection service for at least two years.
3. Future Incident Notifications. The order provides that, if GTL experiences any future data breaches, it must provide notice to affected individuals and detention facilities within 30 days of providing notice to any federal, state, or local government entity. GTL will also be required to provide an incident report to the FTC within 10 days of providing notice to another government entity.
4. Prohibition on Future Misrepresentations. Finally, the order prohibits GTL from making misrepresentations about various elements of its data privacy and security practices, including any facts related to potential data breaches, the measures that GTL employs to protect personal information, and the extent to which GTL has notified or will notify individuals affected by a data breach.

Key Takeaways

1. Prompt and Comprehensive Incident Notification. As noted above, the FTC’s critique of GTL’s data breach notifications in this enforcement action centered on those notifications allegedly being both incomplete (failing to reach the vast majority of affected individuals) and delayed (taking place roughly nine months after the incident). Thus, companies seeking to avoid FTC scrutiny in the wake of a data breach should move quickly to identify and notify the full population of affected individuals.
2. Change Management. The proposed order’s special emphasis on change management procedures is likely a response to the factual context of this data breach, which was triggered in large part because of a change in security settings in a test environment that GTL was using to evaluate an updated software. Thus, companies looking to implement organizational changes with potential information security impacts would be well-advised to adopt some of the change management practices that the FTC required GTL to take in the proposed order, such as adequate review of source code and configuration files and the programmatic/automatic (rather than manual) implementation of such code and files.
3. Avoid Post-Incident Misrepresentations. Though perhaps an obvious observation, the GTL enforcement action also highlights the importance of companies avoiding misrepresentations in the aftermath of a data breach. As this case illustrates, that mandate should apply across all facets of a company’s external communications, including statements to the press, communications with affected individuals, and business development-related communications. To reduce the risk of such misrepresentations being made, companies that experience data breaches should consider developing internally vetted talking points about the incident for use by all company personnel to ensure that the company is presenting a consistent and accurate description of the incident across all of its external communications.