The Federal Trade Commission (FTC) announced that prison communications provider Global Tel*Link Corp will now be required to disclose any future data breaches. The announcement follows FTC charges that the company failed to secure sensitive data of hundreds of thousands of users stored in a cloud environment and failed to alert all those affected by the incident.

In a complaint, the FTC says that Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of their services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing.

Global Tel*Link, which also does business as GTL and ViaPath Technologies, contracts with federal, state and local jails, prisons and similar institutions to provide communications services such as phone and video calls and payment services for incarcerated individuals. In the course of providing their services, Global Tel*Link and its subsidiaries collect personal information from consumers including their names, addresses, government identification numbers such as passport numbers or driver’s license numbers, Social Security numbers and financial account information.

As a result of changes made by the company’s third-party vendor to the security settings for the data stored in the cloud, the personal data of many Global Tel*Link customers was left accessible via the internet, without any safeguards to prevent unauthorized people from accessing and removing data from the test site. The data remained exposed until a security researcher alerted the company about the security holes. A forensic analysis showed that a handful of hackers accessed billions of bytes of the exposed data. In early September, Global Tel*Link was notified again by an identity monitoring company that personal data belonging to Global Tel*Link users was available on the dark web, which is a collection of websites that are used to buy and sell illegally obtained personal data for fraud, identity theft and other nefarious purposes.

As part of the proposed order with the FTC, Global Tel*Link and two of its subsidiaries are prohibited from misrepresenting their data security practices and will be required, among other things, to:

  • Implement a comprehensive data security program that includes several requirements such as the deployment of “change management” measures to all of its systems to help reduce the risk of human error, use of multifactor authentication and procedures to minimize the amount of data it collects and stores.
  • Notify users of its products affected by the data breach who did not previously receive notice and provide them with credit monitoring and identity protection products.
  • Notify consumers and facilities within 30 days about future data breaches or security incidents that trigger any federal, state, or local breach reporting requirements and provide information about what data was impacted and how many consumers were affected.
  • Notify the FTC within 10 days of reporting a security incident to any local, state or federal authorities.