Yes, if a tree falls in the forest and no one is there to hear it, the tree does make a sound. And, yes, if a data breach happens and you fail to timely notify affected customers, that’s an unfair practice. That’s just one of the lessons businesses can learn from the FTC's proposed settlement with Global Tel*Link (GTL) and its subsidiaries, Telmate and TouchPay.
Another lesson? When it comes to safeguarding consumers’ personal information, the duty extends regardless of where the business stores the data and what it uses the data for—even testing. Read on to learn more.

GTL is one of the country’s largest providers of communications and technology services for jails, prisons, and similar institutions, providing both communications and payment services for incarcerated consumers and their non-incarcerated contacts, including loved ones. According to the FTC’s complaint, in August 2020, unknown attackers accessed the personally identifiable information (“PII”) of hundreds of thousands of people who used GTL’s products when the data was left unprotected and accessible via the internet. This included: names, contact information, driver’s license numbers, passport numbers, Social Security numbers, payment card and financial account information, personal messages, health information, and grievance forms.
How did this happen? In the process of upgrading their search and analytics software, GTL allegedly moved a database containing PII to a test environment in the cloud. According to the FTC’s complaint, GTL left the database of PII unencrypted and did not take other measures to protect the data stored in the test environment, such as automated monitoring. When a contractor employed by GTL to work on the software upgrade changed the security settings of the test environment, the environment—and all the PII it contained—was left accessible via the internet without password protection.
You can probably guess what happened next. One or more unauthorized people were able to access and download information from the database. A data security researcher notified GTL that the data was exposed—specifically, that he could access the database and view PII about GTL’s users. You guessed it. Next, someone downloaded information from the database and made it available on the Dark Web. Consumers began to tell GTL directly that they received alerts that their information was found on the Dark Web.
Can you guess what didn’t happen next? According to the FTC’s complaint, at least eight months went by during which GTL and its subsidiaries failed to notify affected customers. Instead, the FTC alleged, the company misrepresented its efforts to do so and falsely represented to prospective institutional customers that GTL hadn’t experienced unauthorized access to its data.
When GTL and its subsidiaries finally did notify consumers of the breach, the FTC alleges they chose to notify only a fraction of the affected users that their information was affected, denying hundreds of thousands of users any opportunity to take self-help measures such as implementing a fraud alert or credit freeze.
For years the FTC has stressed to businesses the importance of having effective breach detection and response as essential components of a reasonable data security program. The FTC’s settlement with GTL and its subsidiaries underscores these principles. It also makes clear that reasonable data security protections to safeguard consumers’ PII apply even when that data is being used for testing—and require a company to inventory and track the flow of consumers’ personal information. And, should a breach occur, businesses must promptly notify consumers about the incident, particularly when failing to do so puts the affected consumers at increased risk of harm, such as from identity theft.
You’ll want to read the six-count complaint for details on how GTL’s practices allegedly harmed consumers. To settle the case, GTL and its subsidiaries agreed to implement a comprehensive information security program with third-party assessments, to provide credit and identity monitoring for consumers not previously notified of the breach, and to notify affected consumers about the breach. The proposed settlement also requires GTL and its subsidiaries to notify the FTC and, in a first for an FTC order, affected consumers and facilities about future data breaches. Finally, under the agreement, GTL and its subsidiaries are prohibited from making misrepresentations about privacy, data security, and data breaches.
What are the key takeaways for your business?
- Businesses must promptly notify consumers when a breach has occurred that puts them at increased risk of harm, such as identity theft. The GTL settlement requires GTL and its subsidiaries to notify the FTC of any future breach. The proposed Order adds a novel additional requirement. Whenever the duty to notify any government agency is triggered by a future data breach, GTL and its subsidiaries must also timely notify affected users and facilities.
- Reasonable data security requirements apply regardless of where the business stores consumers’ personal information or what it uses that information for—including testing. A best practice is to avoid using PII for testing or development in the first place, but if using PII is unavoidable, then that PII must be protected to the same extent as in the production environment.
- Businesses should inventory and track the flow of PII. Knowing what data is stored where is critical to a business’s ability to assess what protections are needed and timely identify consumers who should be notified following any breach.
How many times do data breaches have to happen before everyone gets the message? Encrypt! Always! React quickly if someone says there is a problem!