The Federal Trade Commission has finalized an order with prison communications provider Global Tel*Link Corp. and two of its subsidiaries settling charges they failed to secure sensitive data of hundreds of thousands of users and failed to alert all those affected by the incident.
In a complaint first announced in November 2023, the FTC says that Virginia-based Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect sensitive personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing. Global Tel*Link waited approximately nine months to notify affected customers and only contacted 45,000 users—even though the breach may have affected hundreds of thousands of additional customers—that their personal data may have been compromised as a result of the data breach.
Under the FTC’s order, Global Tel*Link and its two subsidiaries are prohibited from misrepresenting their data security practices and will be required to implement a comprehensive data security program that includes several requirements such as the deployment of “change management” measures to all of its systems to help reduce the risk of human error, use of multifactor authentication, and procedures to minimize the amount of data it collects and stores. Other provisions of the order include a requirement that Global Tel*Link notify users affected by the data breach who did not previously receive notice and provide them with credit monitoring and identity protection products. The order also requires Global Tel*Link and its two subsidiaries to notify users of future security incidents that trigger any federal, state, or local breach reporting requirements.
After receiving one comment on the proposed order, the Commission voted 3-0 to finalize the complaint and order and to approve a response to the commenter.
Official news published at https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-finalizes-order-global-tellink-over-security-failures-led-breach-sensitive-data