The FTC Alleged That A Company And Its Subsidiaries Failed To Secure Sensitive Data Of Hundreds Of Thousands Of Users
UNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION
COMMISSIONERS: Lina Khan, Chair; Rebecca Kelly Slaughter; Alvaro M. Bedoya
In the Matter of Global Tel*Link Corporation, a corporation, also d/b/a GTL, also d/b/a ViaPath Technologies; Telmate, LLC, a limited liability company, also d/b/a ViaPath Technologies; and TouchPay Holdings, LLC, a limited liability company, also d/b/a GTL Financial Services.
DOCKET NO. C-4801
COMPLAINT
The Federal Trade Commission, having reason to believe that Global Tel*Link Corporation, a corporation, doing business as GTL, also doing business as ViaPath Technologies; Telmate, LLC, a limited liability company, also doing business as ViaPath Technologies; and TouchPay Holdings, LLC, a limited liability company, also doing business as GTL Financial Services (collectively, “Respondents”), have violated the provisions of the Federal Trade Commission Act, and it appearing to the Commission that this proceeding is in the public interest, alleges:
1. Respondent Global Tel*Link Corporation, a corporation, also doing business as GTL and as ViaPath Technologies (“GTL”), is an Idaho corporation with its principal office or place of business at 3120 Fairview Park Drive, Suite 300, Falls Church, Virginia, 22042.
2. Respondent Telmate, LLC, also doing business as ViaPath Technologies, (“Telmate”) is a Delaware limited liability company with its principal office or place of business at 3120 Fairview Park Drive, Suite 300, Falls Church, Virginia, 22042. Telmate is a wholly owned subsidiary of GTL.
3. Respondent TouchPay Holdings, LLC, also doing business as GTL Financial Services, (“TouchPay”) is a Texas limited liability company with its principal office or place of business at 10005 Technology Boulevard West, Suite 130, Dallas, Texas, 75220.
4. Respondents offer various products and services to jails, prisons, and detention facilities, to individual consumers incarcerated in these facilities, and to family, friends, and other contacts of incarcerated consumers.
5. These products and services include communications services for incarcerated individuals to correspond with their non-incarcerated contacts, and payment services to provide incarcerated individuals with access to funds. Through these services, Respondents collect a significant amount of sensitive information from incarcerated individuals and their contacts, such as their names, addresses, passport numbers, driver’s license numbers, Social Security numbers, and financial account information.
6. Respondents have made numerous promises to protect the sensitive personally identifiable information that they collect in connection with offering their products and services. However, as alleged below, Respondents failed to employ reasonable data security safeguards to protect this information. This failure resulted in a security incident that exposed hundreds of thousands of consumers’ information. Respondents then failed to provide timely notice to affected consumers so that they could take steps to protect themselves from identity theft. In addition, Respondents also made multiple misleading representations about the data security incident. Respondents’ data security failures constitute deceptive and unfair practices in violation of Section 5(a) of the FTC Act.
7. Respondents have operated as a common enterprise while engaging in the unlawful acts and practices alleged below. Respondents have conducted the business practices described below through an interrelated network of companies that have, among other things, common ownership and control, common officers and managers, shared office locations, shared resources, and unified advertising. Because Respondents have operated as a common enterprise, each of them is jointly and severally liable for the acts and practices alleged below.
8. The acts and practices of Respondents alleged in this complaint have been in or affecting commerce, as “commerce” is defined in Section 4 of the Federal Trade Commission Act.
RESPONDENTS’ BUSINESS PRACTICES
9. Respondents contract with state Departments of Corrections, the Federal Bureau of Prisons, county and city jails, immigration detention facilities, and juvenile detention facilities (collectively, “Facilities”) to provide certain products and services to those Facilities, individuals incarcerated therein, and incarcerated individuals’ outside contacts. Respondents have contracted with public and private Facilities located in all 50 states, the District of Columbia, and Puerto Rico.
10. Individual users of Respondents’ products and services include people who are incarcerated in the Facilities. In marketing materials, Respondents have touted that more than 1.9 million incarcerated people, constituting “more than 85% of the U.S. inmate population,” use GTL’s services. These individuals include both people who have been convicted of crimes and are incarcerated in prisons and people, such as those held in jails in pre-trial detention, who have not been convicted of any crime. Additionally, in 2020, Respondents’ services were used by over 13 million consumers who were not incarcerated (e.g., family and friends of incarcerated people). GTL’s annual net revenue is over $600 million.
11. The precise products and services provided, and the costs of those products and services for individual consumers, vary by Facility. If a Facility chooses to engage Respondents’ services, Respondents often require by contract that they be the sole providers of those products and services within that given Facility. Therefore, incarcerated consumers and their outside contacts frequently do not have the option of choosing an alternative provider.
12. Incarcerated consumers access Respondents’ products and services using tablets and kiosks that are provided by Respondents and are available within Facilities. Consumers who are not incarcerated can access Respondents’ services through Respondents’ websites and mobile applications, including www.gettingout.com and the GettingOut mobile applications (collectively, “GettingOut”) and web.connectnetwork.com and the ConnectNetwork mobile applications (collectively, “ConnectNetwork”).
13. Once a consumer has created an account on GettingOut or ConnectNetwork, the consumer can use the same account to access products and services available through either brand. For example, consumers who have registered with GettingOut can use GettingOut or ConnectNetwork to communicate with incarcerated individuals using voice calls, video calls, or written messages similar to text messages or e-mail. They can also use GettingOut or ConnectNetwork to make financial deposits to an incarcerated person’s inmate trust account, allowing the incarcerated individual to use the funds for various purposes including purchasing items from Facility commissaries, posting bail, and paying fees or fines.
14. Respondents charge incarcerated consumers and their non-incarcerated contacts to use these services. These charges vary based on the services used and are established in Respondents’ contracts with Facilities. For example, to use their communications services, Respondents have charged consumers rates such as $0.18-0.25 per minute to make a voice call, $0.25 per minute to make a video call, $1.00 to leave a voicemail message, $0.25 to send a written message, and $0.25-0.50 for each photo or video attachment to a written message. To use their payments services to make a deposit, Respondents have in many instances charged consumers between $2.95 and $11.50 plus 3.5% of the deposit amount.
15. To create an account to use Respondents’ services, incarcerated consumers and their contacts are required to provide Respondents with certain personal information, including, in many cases, their names, addresses, government identification numbers such as passport numbers or driver’s license numbers, Social Security numbers, and financial account information.
16. Using the significant volume of information Respondents collect from incarcerated individuals and their contacts, Respondents also offer products and services that allow Facilities to surveil and investigate incarcerated consumers and their non-incarcerated contacts.
DATA SECURITY PROMISES
17. Respondents have made and continue to make various representations regarding their information security capabilities and practices. For example, Respondents market themselves to Facilities as an organization that is “security-focused from the inside out,” and that their “attention is focused on…security,” specifically “preventing data breaches and hacks.”
18. Since 2017, Respondents have disseminated a YouTube video highlighting the importance of data security in Respondents’ industry. The video features GTL executives making the following statements:
- “GTL is different in data security from our competition” and data security is “the cornerstone of what we do.”
- Data security is important for Respondents’ business because incarcerated users use Respondents’ services to “shar[e] confidential information,” including information related to commissary services, medical services, and phone services.
- “A facility that’s looking for a secure environment…should be asking those questions: have you had a breach? And if you’ve had one, what have you done to correct it?”
19. In seeking new or continued business from current and potential Facility customers, Respondents regularly respond to those Facilities’ Requests for Proposals (“RFPs”). In numerous instances, as part of the RFP process, Facilities have requested information about Respondents’ data security practices.
20. Since May 2017, as part of their RFP responses to Facilities seeking information about Respondents’ data security practices, Respondents have disseminated or caused to be disseminated a marketing document entitled “Information Security Framework.” This document states: “At GTL, we take information security and data protection very seriously. That’s why we’ve gone to exceptional lengths to safeguard each customer’s data and private information that is generated through the course of their relationship with us. Our security architecture provides our customers the reassurance that their data won’t fall into the wrong hands.”
21. The “Information Security Framework” document goes on to make the following statements regarding Respondents’ use of specific data security safeguards:
- “[C]ontrols are in place to limit access only from specific IP addresses. This means that access to customer data will be denied if a request is from an unknown IP address.”
- “[M]ultiple layers of 128-bit encryption and perimeter firewall protection prevent unauthorized access from the Internet.”
- “A robust centralized log monitoring solution provides alerts to the GTL Information Security Department based on predefined and internally developed alarm rules. This application is monitored to detect other anomalies that might indicate inappropriate use of GTL assets….GTL uses industry accepted log monitoring so[ft]ware to perform file integrity monitoring and to provide real time monitoring of application, security, and system event logs. Using this log monitoring so[ft]ware, the GTL Information Security Department monitors log events 24/7 and investigates all alerts.”
- “[A]ny changes to firewall hardware or so[ft]ware or security rules are approved by GTL’s Information Security Department, follow all change control policies and procedures, and are properly documented.”
- “Intrusion Prevention Systems are deployed to alert the GTL Information Security Department to potential attacks and automatically block such attacks. Many companies choose to rely on an Intrusion Detection System that simply alerts of potential attacks, but GTL’s systems automatically block suspected malicious traffic.”
22. Since May 2017, in response to RFPs from potential Facility customers, Respondents have also disseminated or caused to be disseminated a marketing document entitled “Solution Integration.” This document states: “Our integrated solutions also help enhance data and technology security. We follow security best practices, the latest encryption methodologies, and proper protocols to ensure our system offers the most robust data and wireless security in the market. Our technologies leverage multiple layers of firewalls, SSL, and best-in-industry security standards to ensure all data transmitted through our systems are secure.”
23. Respondents have also made security representations to individual consumers. Since at least January 2020, Respondents have disseminated privacy policies on their public-facing websites, including on the GettingOut website. These privacy policies have made and continue to make the following representation: “We seek to use industry standard physical, technical and administrative security measures designed to protect your personally identifiable information. However, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us in accordance with the ‘Contact Us’ section above.”
THE TEST ENVIRONMENT AND RESPONDENTS' DATA SECURITY PRACTICES
24. In operating and providing some of their products and services, Respondents rely on search and storage software (“Search Software”). In 2019, Respondents initiated a process to transition to a newer version of the Search Software.
25. The engineers working to plan and execute the Search Software update included employees of a third-party vendor (the “Vendor”) with which Respondents contract to provide software development and other services. Respondents’ employees supervised the day-to-day activities of engineers working on the Search Software update, including those employed by the Vendor.
26. In or about August 2020, Respondents copied a large volume of production data (i.e., real data from and about users of Respondents’ products and services) into an Amazon Web Services (“AWS”) cloud storage environment (the “Test Environment”) for the purpose of testing the new Search Software version.
27. The data copied to the Test Environment included personally identifiable information pertaining to numerous incarcerated, non-incarcerated, and Facility users of Respondents’ products and services, including communications services used by incarcerated consumers and their contacts and monitoring services used by Facilities.
28. Though the Test Environment contained personally identifiable information, Respondents failed to provide reasonable security for that information. Among other things:
- Respondents did not take any steps to encrypt or otherwise obfuscate the data that they transferred to the Test Environment, but rather stored consumers’ sensitive, personally identifiable information in clear, readable text;
- Respondents did not use automated monitoring software on the Test Environment, including free AWS features that would have generated alerts if the security settings of the Test Environment were changed;
- Respondents did not employ a perimeter firewall to protect the Test Environment;
- Respondents did not employ a log monitoring solution that provided alerts to the GTL Information Security Department to protect the Test Environment;
- Respondents did not employ an Intrusion Prevention System to protect the Test Environment;
- Though the Vendor had access to highly sensitive personally identifiable information held within Respondents’ systems, including the Test Environment, Respondents took no steps to vet or assess the Vendor’s data security practices;
- Respondents also did not provide, or require the Vendor to provide, the Vendor’s engineers with secure development training or with other data security training appropriate to their job duties; and
- Respondents did not take reasonable steps to inventory or track consumers’ personally identifiable information, including tracking which consumers’ personally identifiable information was transferred and the categories of personally identifiable information that they transferred to the Test Environment.
THE INCIDENT
29. On or about August 11, 2020, a technician employed by the Vendor changed the security settings of the Test Environment. As a result of this change, from at least August 11, 2020 to August 13, 2020, the Test Environment was left accessible via the internet without password protection or other access controls to prevent unauthorized persons from accessing and exfiltrating data from the Environment (“Incident”).
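The complaint faults Respondents for not using automated monitoring that would have alerted on a change to the Test Environment’s security settings, and then describes exactly such a change leaving the environment open to the internet for two days. The following script is an added example, not code from GTL, the Vendor, or the FTC, of the kind of check a cloud environment can run over its own audit trail: it reads AWS CloudTrail management-event records and flags the API calls that open a resource to the whole internet (a security-group ingress rule for 0.0.0.0/0 or ::/0, a bucket ACL granting the AllUsers group, or a bucket policy whose principal is `*`). The record shapes are abbreviated versions of the real CloudTrail schema, the sample records are constructed for this example and are not the August 2020 events, and the complaint does not say which AWS resource type or API call was involved in the Incident; the three calls checked here are an assumption chosen for illustration.

```python
"""Flag CloudTrail management events that expose a resource to the public internet.

Added example for this page; not GTL/ViaPath, Vendor, or FTC code.
Record shapes below are simplified from the CloudTrail schema (assumption),
and SAMPLE_EVENTS is constructed test data, not the real incident's events.
"""
import json

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"


def _items(d, key):
    """CloudTrail nests EC2 list parameters as {key: {"items": [...]}}."""
    return d.get(key, {}).get("items", [])


def check_security_group_ingress(params):
    """AuthorizeSecurityGroupIngress: any rule whose source is a world-open CIDR."""
    findings = []
    for perm in _items(params, "ipPermissions"):
        cidrs = [r.get("cidrIp") for r in _items(perm, "ipRanges")]
        cidrs += [r.get("cidrIpv6") for r in _items(perm, "ipv6Ranges")]
        for cidr in cidrs:
            if cidr in PUBLIC_CIDRS:
                findings.append(
                    f"{params.get('groupId')} allows {perm.get('ipProtocol')} "
                    f"{perm.get('fromPort')}-{perm.get('toPort')} from {cidr}")
    return findings


def check_bucket_acl(params):
    """PutBucketAcl: any grant to the AllUsers (anonymous) group."""
    findings = []
    grants = params.get("AccessControlPolicy", {}).get("AccessControlList", {}).get("Grant", [])
    if isinstance(grants, dict):  # a single grant is serialised as an object, not a list
        grants = [grants]
    for grant in grants:
        if grant.get("Grantee", {}).get("URI") == ALL_USERS_URI:
            findings.append(f"bucket {params.get('bucketName')} grants "
                            f"{grant.get('Permission')} to AllUsers")
    return findings


def _principal_is_public(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def check_bucket_policy(params):
    """PutBucketPolicy: an unconditional Allow statement for Principal *."""
    findings = []
    policy = params.get("bucketPolicy", {})
    if isinstance(policy, str):  # some trails record the policy document as a JSON string
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if (stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(f"bucket {params.get('bucketName')} policy allows "
                            f"{stmt.get('Action')} to Principal *")
    return findings


CHECKS = {
    "AuthorizeSecurityGroupIngress": check_security_group_ingress,
    "PutBucketAcl": check_bucket_acl,
    "PutBucketPolicy": check_bucket_policy,
}


def scan(records):
    """Return one alert per public-exposure finding, with who made the change and when."""
    alerts = []
    for rec in records:
        check = CHECKS.get(rec.get("eventName"))
        if check is None:  # read-only and unrelated events are ignored
            continue
        for finding in check(rec.get("requestParameters") or {}):
            alerts.append({"eventTime": rec.get("eventTime"), "eventName": rec["eventName"],
                           "actor": rec.get("userIdentity", {}).get("arn"), "finding": finding})
    return alerts


# Constructed sample trail (hypothetical account, ARNs, group and bucket names).
SAMPLE_EVENTS = [
    {"eventTime": "2021-01-01T12:00:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/vendor-tech"},
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 9200, "toPort": 9200,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2021-01-01T12:01:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/vendor-tech"},
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2021-01-01T12:02:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/vendor-tech"},
     "requestParameters": {}},
    {"eventTime": "2021-01-01T12:03:00Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/vendor-tech"},
     "requestParameters": {"bucketName": "search-test-data", "bucketPolicy": {
         "Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": "*",
                                                 "Action": "s3:GetObject",
                                                 "Resource": "arn:aws:s3:::search-test-data/*"}]}}},
    {"eventTime": "2021-01-01T12:04:00Z", "eventName": "PutBucketAcl",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/vendor-tech"},
     "requestParameters": {"bucketName": "search-test-data", "AccessControlPolicy": {
         "AccessControlList": {"Grant": [{"Grantee": {"URI": ALL_USERS_URI}, "Permission": "READ"}]}}}},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['eventTime']} {alert['actor']} {alert['eventName']}: {alert['finding']}")
```

Run against a real trail, the same loop would consume the `Records` array of each CloudTrail log file; the point is that a two-day exposure window is only a "window" if something is watching the settings, and every alert here carries the actor ARN and timestamp an incident responder needs first.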
30. Approximately 649,500 unique individuals’ personally identifiable information was contained within the Test Environment at the time of the Incident.
31. This personally identifiable information included individuals’ full names; dates of birth; phone numbers; usernames or email addresses in combination with passwords; home addresses; driver’s license numbers; passport numbers; location information; information about individuals’ race, religion, and whether they are transgender; approximately 80,000 grievances submitted by incarcerated consumers to Facilities; and the content, dates and times, senders, and recipients of approximately 75,000 written messages that incarcerated and non-incarcerated users had exchanged using Respondents’ services. In numerous instances, the written messages contained payment card numbers, financial account information, and Social Security numbers.
32. The Test Environment also contained a database of deposit information, including data fields such as “account_posted_at,” “amount,” “card_owner_name,” “deposit_type,” and “dest_account_id.”
33. Beginning on or about August 12, 2020, there were multiple instances of access to the Test Environment from IP addresses not associated with Respondents. Unidentified individuals accessing the Test Environment from those IP addresses accessed approximately 44,000,000,000 bytes of data stored in the Test Environment. Forensic analysis conducted by or on behalf of Respondents has indicated that there was exfiltration of data from the Test Environment by one or more of these individuals.
34. Respondents learned of the Incident on August 13, 2020, when a security researcher contacted Respondents and stated that he had discovered “an unprotected, publicly available database instance which seems to be part of GTL / Telmate cloud infrastructure and contains non-public information, such as inmates’ personal details, emails, auth history, messages and much more.” After confirming the researcher’s findings, Respondents reconfigured the Test Environment so that it was no longer accessible from the internet.
35. On September 1, 2020, Respondents received a message from a company that provides identity monitoring services to consumers stating that the company’s engineers “believe[d] they [had] come across sensitive data related to GTL.” Following this communication, Respondents worked with the identity monitoring company to retrieve copies of data that had been released on the “dark web,” i.e., on websites that are used to buy and sell illicitly obtained data for use in connection with fraud, identity theft, and other criminal purposes. Subsequent data analysis suggested that the data provided by the identity monitoring company aligned with data believed to have been impacted in the Incident.
36. As early as November 2020, Respondents received multiple complaints from consumers stating that the consumers’ personally identifiable information obtained from Respondents had been located on the dark web. This personally identifiable information included names, addresses, phone numbers, dates of birth, and driver’s license issue states. Some consumer complaints also indicated that consumers had been alerted to fraudulent transactions on their credit cards following the Incident.
37. In part as a result of Respondents’ data security failures, hundreds of thousands of consumers’ personally identifiable information was exposed to the internet, was exfiltrated by unauthorized individuals, and was made available on the dark web. These failures resulted in financial injury to consumers, including because consumers experienced unauthorized payment card activity shortly after learning of the Incident from third-party credit monitoring services. Additionally, the public exposure of consumers’ communications with loved ones and sensitive information contained in grievance forms is, at a minimum, a serious invasion of privacy that may cause them stigma, embarrassment, and/or emotional distress. In some cases, that information, like consumers’ location information and whether individuals identify as transgender, has concerning implications for consumers’ safety.
MISREPRESENTATIONS TO CONSUMERS REGARDING THE INCIDENT AND FAILURE TO NOTIFY CONSUMERS
38. On September 4, 2020, Comparitech, a data privacy and security blog, published an article about the Incident. Comparitech’s article contains the following statement, which Respondents had provided to Comparitech on September 3, 2020 via e-mail:
- "Telmate, a GTL subsidiary immediately locked down the server as a precaution upon being made aware of a vulnerability in the data system due to the actions of one of our vendors. This vulnerability was swiftly corrected, the data security team was immediately supplemented with the assistance of third-party consultants and we continue to work closely with law enforcement authorities as we conduct further inquiry into this incident. Based on the current facts of the investigation, no medical data, passwords, or consumer payment information were affected. We continue to speak with and notify necessary parties, including the affected Telmate customers – a small subset of all GTL customers – about the incident and the actions we have taken to safeguard data. The security of the data we keep is of the utmost importance to us, and we are committed to doing everything we can to keep it safe."
39. Respondents’ statement to Comparitech was false or misleading. Among other reasons, the statement was false or misleading as to the severity of the Incident and the risk to individual consumers, because:
- Respondents stated that their investigation to date had not indicated that medical data or payment information was affected, but in fact, Respondents knew at least as of August 19, 2020, that some credit card numbers and medical information, including incarcerated consumers’ requests to see medical staff, were included in information affected by the Incident;
- Respondents’ statement failed to disclose additional categories of sensitive personally identifiable information that were affected or potentially affected by the Incident, including addresses, email addresses, Social Security numbers, passport numbers, and driver’s license numbers; and
- Respondents stated that “we continue to speak with and notify necessary parties, including the affected Telmate customers,” but, in fact, Respondents did not contact any affected individuals to notify them of the Incident until May 2021.
40. In or about May 2021, Respondents notified approximately 45,000 individual users that their personally identifiable information had been exposed as a result of the Incident. To date, Respondents have provided no notice to the potentially hundreds of thousands of additional users whose information was contained in the Test Environment at the time of the Incident and therefore may have been exposed.
41. Because Respondents delayed notifying individual users that their personally identifiable information had been or could have been affected by the Incident for approximately nine months, those users did not have an opportunity to take actions to protect themselves from identity theft, such as by implementing a credit freeze.
MISREPRESENTATION TO FACILITIES REGARDING THE INCIDENT
42. Additionally, on multiple occasions since the Incident, in connection with responding to RFPs by prospective Facility customers, Respondents have represented that Respondents have never experienced a data security breach or had not experienced a data security breach within a particular time frame that includes the dates of the Incident.
43. For example, since December 2020, Respondents have stated in their RFP responses to potential Facility customers that “there were no system incidents that resulted in a significant failure in the achievement of one or more of service commitments and system requirements throughout the period April 1, 2020, to September 30, 2020,” where “system requirements” are defined to include that “Logical access to programs, data, and computer resources is restricted to authorized and appropriate users, and such users are restricted to performing authorized and appropriate actions.”
44. In other instances, Respondents have submitted RFP responses stating that, e.g., Respondents have never experienced a data security breach or have not experienced a data security breach within the past five years.
Count I: Unfair Data Security Practices
45. As described in Paragraph 28, Respondents failed to employ reasonable and appropriate measures to protect consumers’ personally identifiable information.
46. This failure caused or was likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. This practice is an unfair act or practice.
Count II: Unfair Failure to Notify Affected Consumers of the Incident
47. As described in Paragraphs 38-40, Respondents failed to timely notify affected consumers that their personally identifiable information had been exposed as a result of the Incident.
48. This failure caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. This practice is an unfair act or practice.
Count III: Misrepresentations Regarding Data Security
49. As described in Paragraphs 17-23, in connection with the advertising, promotion, offering for sale, or sale of communications and payment services, Respondents have represented, directly or indirectly, expressly or by implication, that they implemented reasonable and appropriate measures to protect personally identifiable information against unauthorized access.
50. In fact, as described in Paragraph 28, Respondents did not implement reasonable and appropriate measures to protect personally identifiable information in the Test Environment against unauthorized access. Therefore, the representation set forth in Paragraph 49 is false or misleading.
Count IV: Misrepresentations to Individual Users Regarding the Incident
51. As described in Paragraph 38, in connection with the advertising, promotion, offering for sale, or sale of communications and payment services, Respondents represented, directly or indirectly, expressly or by implication, that they had no reason to believe that consumers’ sensitive personally identifiable information was affected by the Incident.
52. In fact, as described in Paragraph 39, Respondents had reason to believe that consumers’ sensitive personally identifiable information was affected by the Incident. Therefore, the representation set out in Paragraph 51 was false or misleading.
Count V: Misrepresentations to Individual Users Regarding Notice
53. As described in Paragraph 38, in connection with the advertising, promotion, offering for sale, or sale of communications and payment services, Respondents represented that they would timely notify users whose personally identifiable information had been exposed as a result of the Incident.
54. In fact, as described in Paragraphs 39-41, Respondents failed to provide timely notice to users whose personally identifiable information was exposed because of the Incident. Therefore, the representation set out in Paragraph 53 was false or misleading.
Count VI: Deceptive Representations to Facilities Regarding the Incident
55. As described in Paragraphs 42-44, in connection with the advertising, promotion, offering for sale, or sale of communications and payment services, in multiple instances since the Incident, Respondents have represented to Facilities that they have never experienced a data security breach or that they had not experienced a data security breach within a particular timeframe that includes the dates of the Incident.
56. In fact, as described in Paragraphs 29-37, the representations set out in Paragraph 55 have been false or misleading.
Violations of Section 5
57. The acts and practices of Respondents as alleged in this complaint constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.
THEREFORE, the Federal Trade Commission this 23rd day of February, 2024, has issued this Complaint against Respondents.
By the Commission.
April J. Tabor, Secretary
DECISION AND ORDER
DECISION
The Federal Trade Commission (“Commission”) initiated an investigation of certain acts and practices of the Respondents named in the caption. The Commission’s Bureau of Consumer Protection (“BCP”) prepared and furnished to Respondents a draft Complaint. BCP proposed to present the draft Complaint to the Commission for its consideration. If issued by the Commission, the draft Complaint would charge the Respondents with violations of the Federal Trade Commission Act.
Respondents and BCP thereafter executed an Agreement Containing Consent Order (“Consent Agreement”). The Consent Agreement includes: 1) statements by Respondents that they neither admit nor deny any of the allegations in the Complaint, except as specifically stated in this Decision and Order, and that only for purposes of this action, they admit the facts necessary to establish jurisdiction; and 2) waivers and other provisions as required by the Commission’s Rules.
The Commission considered the matter and determined that it had reason to believe that Respondents have violated the Federal Trade Commission Act and that a Complaint should issue stating its charges in that respect. The Commission accepted the executed Consent Agreement and placed it on the public record for a period of 30 days for the receipt and consideration of public comments. The Commission duly considered any comments received from interested persons pursuant to Section 2.34 of its Rules, 16 C.F.R. § 2.34. Now, in further conformity with the procedure prescribed in Rule 2.34, the Commission issues its Complaint, makes the following Findings, and issues the following Order:
Findings
The Respondents are:
- Respondent Global Tel*Link Corporation, a corporation, also doing business as GTL and as ViaPath Technologies (“GTL”), is an Idaho corporation with its principal office or place of business at 3120 Fairview Park Drive, Suite 300, Falls Church, Virginia, 22042.
- Respondent Telmate, LLC, also doing business as ViaPath Technologies, (“Telmate”) is a Delaware limited liability company with its principal office or place of business at 3120 Fairview Park Drive, Suite 300, Falls Church, Virginia, 22042. Telmate is a wholly owned subsidiary of GTL.
- Respondent TouchPay Holdings, LLC, also doing business as GTL Financial Services, (“TouchPay”) is a Texas limited liability company with its principal office or place of business at 10005 Technology Boulevard West, Suite 130, Dallas, Texas, 75220.
The Commission has jurisdiction over the subject matter of this proceeding and over the Respondents, and the proceeding is in the public interest.
ORDER
Definitions
For purposes of this Order, the following definitions apply:
- "Affected Consumer" means any individual consumer whose Personal Information was exposed by the Identified Breach if:
- The exposed information includes any of the following with respect to the individual consumer (hereafter for purposes of this definition, “Identifying Elements”):
- An individual’s first and last name, so long as it appears in conjunction with Personal Information other than a first and last name.
- A Social Security number (but not including only the last four digits of a Social Security number), driver’s license number, passport number, alien registration number, or other government-issued unique identification number.
- A unique numeric identifier assigned to an individual by a Facility in connection with the individual’s incarceration, such as a booking number.
- A unique financial identifier, including a full financial account number, full credit or debit card number, or electronic identification number.
- An email address or other online contact information, such as a user identifier or a screen name.
- Respondents have collected or maintained the exposed Identifying Elements in the ordinary course of business.
- Respondents have the technological capability to link the exposed Identifying Elements with the consumer’s valid mail or email address or other means of communicating with the consumer in writing.
- "Authorized User" means any employee, contractor, agent, customer, or other person that is authorized to access any of Respondents’ information systems or data.
- "Change Management" means a documented process for making changes that affect risk to the security of networks, systems, and assets that store, process, or connect to systems that store or process Personal Information, including the identification, impact analysis, approval or rejection, prioritization, implementation, testing, and post-implementation review of such changes.
- "Clear(ly) and conspicuous(ly)" means that a required disclosure is difficult to miss (i.e., easily noticeable) and easily understandable by ordinary consumers, including in all of the following ways:
  - In any communication that is solely visual or solely audible, the disclosure must be made through the same means through which the communication is presented.
  - A visual disclosure, by its size, contrast, location, the length of time it appears, and other characteristics, must stand out from any accompanying text or other visual elements so that it is easily noticed, read, and understood.
  - An audible disclosure must be delivered in a volume, speed, and cadence sufficient for ordinary consumers to easily hear and understand it.
  - In any communication using an interactive electronic medium, such as the Internet or software, the disclosure must be unavoidable.
  - The disclosure must use diction and syntax understandable to ordinary consumers and must appear in each language in which the triggering representation appears.
  - The disclosure must comply with these requirements in each medium through which it is received, including all electronic devices and face-to-face communications.
  - The disclosure must not be contradicted or mitigated by, or inconsistent with, anything else in the communication.
- "Consumer Report" has the meaning provided in the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. § 1681 et seq., and any amendments thereto.
- "Consumer Reporting Agency" has the meaning provided in the FCRA, 15 U.S.C. § 1681 et seq., and any amendments thereto.
- "Covered Incident" means any incident that results in Respondents notifying, pursuant to a statutory or regulatory requirement, any U.S. federal, state, or local government entity that Personal Information of or about an individual consumer was, or is reasonably believed to have been, accessed or acquired, or publicly exposed without authorization.
- "Facility" or "Facilities" means a Jail or Prison, and any entity with which Respondents contract to provide any product or service in connection with the operation of a Jail or Prison.
- "Future Affected Consumer" means any individual consumer whose Personal Information Respondents have reason to believe has been accessed, acquired, or publicly exposed without authorization in connection with a Covered Incident if:
  - The accessed, acquired, or publicly exposed information includes any of the following (hereafter for purposes of this definition, “Identifying Elements”):
    - An individual’s first and last name, so long as it appears in conjunction with Personal Information other than a first and last name.
    - A Social Security number (but not including only the last four digits of a Social Security number), driver’s license number, passport number, alien registration number, or other government-issued unique identification number.
    - A unique numeric identifier assigned to an individual by a Facility in connection with the individual’s incarceration, such as a booking number.
    - Unique biometric data such as a face embedding, fingerprint, voice print, a retina or iris image, or any other unique physical representation.
    - A unique financial identifier, including a full financial account number, a full credit or debit card number, or electronic identification number.
    - An email address or other online contact information, such as a user identifier or a screen name.
  - Respondents have collected or maintained the accessed, acquired, or publicly exposed Identifying Elements in the ordinary course of business.
  - Respondents have the technological capability to link the accessed, acquired, or publicly exposed Identifying Elements with the consumer’s valid mail or email address or other means of communicating with the consumer in writing.
- "Identified Breach" means the exposure of Personal Information from systems of or controlled by Respondents that was discovered on or about August 13, 2020.
- "Jail" means a facility of a local, state, or federal law enforcement agency that is used primarily to hold individuals who are:
  - Awaiting adjudication of criminal charges.
  - Post-conviction and committed to confinement for sentences of one year or less.
  - Post-conviction and awaiting transfer to another facility.
  The term also includes city, county, or regional facilities that have contracted with a private company to manage day-to-day operations; privately owned and operated facilities primarily engaged in housing city, county, or regional inmates; facilities used to detain individuals, operated directly by the Federal Bureau of Prisons or U.S. Immigration and Customs Enforcement, or pursuant to a contract with those agencies; juvenile detention centers; and secure mental health facilities.
- "Multi-Factor Authentication" means authentication through verification of at least two of the following types of authentication factors:
  - Knowledge factors, such as a password.
  - Possession factors, such as a token.
  - Inherence factors, such as biometric characteristics.
- "Nationwide Consumer Reporting Agency" means a Consumer Reporting Agency that regularly engages in the practice of assembling or evaluating, and maintaining, for the purpose of furnishing consumer reports to third parties bearing on a consumer’s credit worthiness, credit standing, or credit capacity.
- "Personal Information" means information from or about an individual consumer, including (1) a first and last name; (2) a physical address; (3) an email address or other online contact information, such as a user identifier or a screen name; (4) a telephone number; (5) a financial account number in conjunction with information that can reasonably be used to identify the corresponding financial institution; (6) credit or debit card information (including a partial credit or debit card number consisting of more than 5 digits of the full credit or debit card number); (7) information about or derived from the individual's government issued identification documents or credentials, such as an image of a driver's license, state identification card, or passport, or a driver's license number, military identification number, or Social Security number; (8) date of birth; (9) a persistent identifier, such as a customer number held in a "cookie," a static Internet Protocol (IP) address, a mobile device ID, or device or component serial number; and (10) user account credentials, such as a login name and password (whether plain text, encrypted, hashed, and/or salted).
- "Prison" means a facility operated by a territorial, state, or federal agency that is used primarily to confine individuals convicted of felonies and sentenced to terms in excess of one year.
- "Respondents" means Respondents, individually, collectively, or in any combination.
Provisions
I. Mandated Information Security Program
IT IS FURTHER ORDERED that Respondents, and any business that Respondents control directly, or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Personal Information, must, within sixty (60) days of the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Personal Information. To satisfy this requirement, Respondents must, at a minimum:
A. Document in writing the content, implementation, and maintenance of the Information Security Program;
B. Designate a qualified employee responsible for coordinating, overseeing, and implementing the Information Security Program and enforcing the Information Security Program (“Qualified Individual”);
C. Require the Qualified Individual to report in writing to Respondents’ board of directors or governing body or, if no such board or equivalent governing body exists, to a senior officer of Respondents responsible for Respondents’ Information Security Program at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident, if any. The report must include the following information:
  1. The overall status of the Information Security Program and Respondents’ compliance with this Provision, including by providing the written program and any evaluations thereof or updates thereto; and
  2. Material matters related to the Information Security Program, addressing issues such as risk assessment, risk management, and control decisions; service provider arrangements; results of testing, including any testing conducted pursuant to sub-Provision G of this Provision; Covered Incidents or violations of Respondents’ information security policies or procedures and management’s responses thereto; and recommendations for changes in the Information Security Program.
D. Assess and document, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, reasonably foreseeable internal and external risks to the security, confidentiality, or integrity of Personal Information within the possession, custody, or control of Respondents that could result in the (1) unauthorized collection, maintenance, use, or disclosure of, provision of access to, or destruction of, Personal Information; or (2) misuse, loss, theft, alteration, or other compromise of such information. The risk assessments must be written and must include:
  1. Criteria for the evaluation and categorization of identified security risks or threats Respondents face;
  2. Criteria for the assessment of the confidentiality, integrity, and availability of Respondents’ networks, systems, and assets and Personal Information, including the adequacy of the existing controls in the context of the identified risks or threats Respondents face; and
  3. Requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the Information Security Program will address the risks.
E. Design, implement, maintain, and document safeguards that control for the internal and external risks identified in response to sub-Provision I.D. Each safeguard must be based on the volume and sensitivity of the Personal Information that is at risk, and the likelihood that the risk could be realized and result in the (1) unauthorized collection, maintenance, use, or disclosure of, provision of access to, or destruction of, Personal Information; or (2) misuse, loss, theft, alteration, or other compromise of such information. Such safeguards must also include:
  1. Policies, procedures, standards, and technical measures to systematically inventory Personal Information in Respondents’ control, including policies, procedures, and technical measures to track and inventory the transfer and storage of Personal Information among and within Respondents’ various networks, systems, and assets;
  2. Policies, procedures, standards, and technical measures to log and monitor access to networks, systems, and assets in Respondents’ control;
  3. Policies, procedures, standards, and technical measures to monitor all of Respondents’ networks, systems, and assets to identify and log anomalous activity and/or data security events, including unauthorized attempts to access or exfiltrate Personal Information from Respondents’ networks, systems, and assets. Such measures must require Respondents to determine baseline system activity, identify and respond to anomalous events and unauthorized attempts to access or exfiltrate Personal Information, and verify the effectiveness of monitoring and logging;
  4. Technical, organizational, and, as appropriate, physical controls to:
    a. Safeguard against unauthorized access to any network, system, or asset in Respondents’ control that stores, collects, maintains, or processes Personal Information, including properly configured firewalls; intrusion detection and prevention systems configured to identify and prevent unauthorized access to networks, systems, or assets that store, process, or connect to networks, systems, or assets that store or process Personal Information; file integrity monitoring tools; data loss prevention tools; properly configured physical or logical segmentation of networks, systems, and databases; restricting inbound connections to approved IP addresses; requiring that connections to the network, system, or asset are authenticated and encrypted; preventing the storage of unsecured access keys or other unsecured credentials on Respondents’ networks, systems, or assets, or in any cloud-based services; requiring and enforcing strong passwords and other credentials; and
    b. Limit Authorized Users’ access only to Personal Information that they need to perform their duties and functions, or, in the case of consumers, to access their own information, periodically audit Authorized Users’ levels of access based on their need to know, and terminate access within 30 days following a change in Authorized Users’ need to know (including because of the termination of employment or contract) or if Authorized Users engage in inappropriate access or usage;
  5. Policies and procedures to document in writing the content, implementation, and maintenance of an incident response plan designed to ensure the identification of, investigation of, and response to the unauthorized access to Personal Information. Such incident response plan must include policies and procedures to ensure the timely investigation of data security events and the timely remediation of critical and high-risk vulnerabilities. Respondents must revise and update this incident response plan to adapt to any changes to their networks, systems, and assets;
  6. Regular security training programs, on at least an annual basis, that are updated, as applicable, to address internal or external risks identified by Respondents under sub-Provision I.D of this Order, and that include, at a minimum:
    a. Security awareness training for all employees and service providers who have access to networks, systems, or assets that contain Personal Information on Respondents’ security policies and procedures, including the requirements of this Order, to be conducted when an employee begins employment or takes on a new role in which the employee has access to networks, systems, or assets that contain Personal Information, and on at least an annual basis thereafter;
    b. For information security personnel, security updates and training sufficient to address relevant security risks; and
    c. For developers, engineers, other employees, and service providers with job duties that relate to the development, design, implementation, updating, modification, or operation of systems or software that Respondents use to provide products or services, training in secure development principles, including secure engineering and defensive programming concepts;
  7. Utilizing qualified information security personnel employed by Respondents or an affiliate or service provider sufficient to manage Respondents’ information security risks and to perform or oversee the Information Security Program, and verifying that key information security personnel take steps to maintain current knowledge of changing information security threats and countermeasures;
  8. Protecting by encryption, at a minimum, all information about or derived from an individual’s government-issued identification documents or credentials, such as an image of a driver’s license, state identification card, or passport, or a driver’s license number, military identification number, passport number, or Social Security number, dates of birth, messages exchanged by users, and user account credentials held or transmitted by Respondents both in transit over external networks and at rest, except that, to the extent Respondents determine that encryption of this information, either in transit over external networks or at rest, is infeasible or would increase the risk of unauthorized access to consumers’ Personal Information, Respondents may instead secure such information using effective alternative compensating controls reviewed and approved by the Qualified Individual;
  9. Adopting secure development practices and procedures for in-house developed applications utilized by Respondents for transmitting, accessing, or storing Personal Information and for evaluating, assessing, or testing the security of externally developed applications that Respondents utilize to transmit, access, or store Personal Information;
  10. Adopting and implementing procedures for Change Management that apply to all networks, systems, and assets that contain Personal Information, which must include the following requirements as to each change subject to Change Management procedures:
    a. The change must be implemented by applying source code or configuration files to a network, system, or asset;
    b. The source code or configuration files required by sub-Provision I.E.10.a must be reviewed and approved, prior to their application, by a person with appropriate training or expertise other than the person proposing, planning, or implementing the change; and
    c. The means by which the reviewed code or configuration files are applied must be programmatic or automated, rather than manual, unless:
      i. The Qualified Individual makes a written determination that programmatic or automated application is impossible, and that such impossibility cannot be remedied without increased risk of unauthorized access to consumers’ Personal Information; and
      ii. Respondents develop and implement alternative procedures, specifically approved and documented by the Qualified Individual, to ensure that the manual application of reviewed code or configuration files does not result in the introduction of error.
  11. Requiring Multi-Factor Authentication for any of Respondents’ employees or contractors to access any information system in Respondents’ control that is used, in whole or in part, to store, collect, or transmit Personal Information, unless the Qualified Individual has approved in writing the use of reasonably equivalent or more secure access controls; and
  12. Developing, implementing, and maintaining policies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures. Such policies and procedures must include the secure disposal of Personal Information in any format no later than two years after the last date the information is used in connection with the provision of a product or service to the consumer to which it relates, unless such information is necessary for business operations or for other legitimate business purposes, including to comply with a properly authorized civil, criminal, or regulatory investigation, or subpoena or summons by Federal, state, or local authorities; to comply with the consumer’s request; where the information is otherwise required to be retained by law or regulation; or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained. To the extent Respondents retain information for longer than two years after the last date the information is used in connection with the provision of a product or service to the consumer to which it relates, Respondents must document in writing the legitimate business purpose for which Respondents retain such information and must delete such information upon the conclusion of the stated business purpose. Respondents must periodically review Respondents’ data retention policy to minimize the unnecessary retention of data;
F. Assess, at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, the sufficiency of any safeguards in place to address the internal and external risks to the security, confidentiality, or integrity of Personal Information, and modify the Information Security Program based on the results;
G. Test and monitor the effectiveness of the safeguards at least once every twelve (12) months and promptly (not to exceed thirty (30) days) following a Covered Incident, and modify the Information Security Program based on the results. Such testing and monitoring must include vulnerability testing of Respondents’ networks, systems, and assets once every four (4) months and promptly (not to exceed thirty (30) days) after a Covered Incident, and penetration testing of Respondents’ networks, systems, and assets at least once every twelve (12) months and promptly (not to exceed thirty (30) days) after a Covered Incident;
H. Select and retain service providers capable of safeguarding Personal Information they access through or receive from Respondents, including by implementing policies and procedures to adequately vet and assess the service providers’ data security practices prior to contracting with the service providers and periodically thereafter. Respondents must also contractually require service providers to (1) provide regular security training programs to their employees; and (2) implement and maintain safeguards sufficient to address the internal and external risks to the security, confidentiality, or integrity of Personal Information; and
I. Evaluate and adjust the Information Security Program in light of any material changes to Respondents’ operations or business arrangements, a Covered Incident, new or more efficient technological or operational methods to control for the risks identified in Provision I.D of this Order, or any other circumstances that Respondents know or have reason to know may have an impact on the effectiveness of the Information Security Program or any of its individual safeguards. At a minimum, Respondents must evaluate the Information Security Program at least once every twelve (12) months and modify the Information Security Program based on the results.
Provided, however, that nothing in this Order shall prohibit Respondents’ authorized publication or disclosure, including in plain text, of an incarcerated person’s Personal Information to the extent that a Facility requires such disclosure by contract or for the purpose of locating, identifying, communicating with, or depositing funds for the use of such incarcerated person.
II. Information Security Assessments by a Third Party
IT IS FURTHER ORDERED that, in connection with compliance with Provision I of this Order, titled Mandated Information Security Program, Respondents must obtain initial and biennial assessments (“Assessments”):
A. The Assessments must be obtained from a qualified, objective, independent third-party professional (“Assessor”), who (1) uses procedures and standards generally accepted in the profession; (2) conducts an independent review of the Information Security Program; and (3) retains all documents relevant to each Assessment for five (5) years after completion of such Assessment and will provide such documents to the Commission within ten (10) days of receipt of a written request from a representative of the Commission. The Assessor may not withhold any documents relating to Assessments of Respondents from the Commission on the basis of a claim of confidentiality, proprietary or trade secrets, work product protection, attorney-client privilege, statutory protection, or any similar claim.
B. For each Assessment, Respondents must provide the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission with the name, affiliation, and qualifications of the proposed Assessor, whom the Associate Director will have the authority to approve in her or his sole discretion.
C. The reporting period for the Assessments must cover (1) the first 180 days after the issuance date of the Order for the initial Assessment; and (2) each two-year period thereafter for twenty (20) years after issuance of the Order for the biennial Assessments.
D. Each Assessment must, for the entire assessment period:
  1. Determine whether Respondents have implemented and maintained the Information Security Program required by Provision I of this Order, titled Mandated Information Security Program;
  2. Assess the effectiveness of Respondents’ implementation and maintenance of sub-Provisions I.A-I;
  3. Identify any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program;
  4. Address the status of gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program that were identified in any prior Assessment required by this Order; and
  5. Identify specific evidence (including documents reviewed, sampling and testing performed, and interviews conducted) examined to make such determinations, assessments, and identifications, and explain why the evidence that the Assessor examined is (a) appropriate for assessing an enterprise of Respondents’ size, complexity, and risk profile; and (b) sufficient to justify the Assessor’s findings. No finding of any Assessment shall rely primarily on assertions or attestations by Respondents’ management. The Assessment must be signed by the Assessor, state that the Assessor conducted an independent review of the Information Security Program and did not rely primarily on assertions or attestations by Respondents’ management, and state the number of hours that each member of the assessment team worked on the Assessment. To the extent that Respondents revise, update, or add one or more safeguards required under Provision I of this Order during an Assessment period, the Assessment must assess the effectiveness of the revised, updated, or added safeguard(s) for the time period in which it was in effect, and provide a separate statement detailing the basis for each revised, updated, or additional safeguard.
E. Each Assessment must be completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Unless otherwise directed by a Commission representative in writing, Respondents must submit an unredacted copy of the initial Assessment and a proposed redacted copy suitable for public disclosure to the Commission within ten (10) days after the Assessment has been completed via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin, “In re Global Tel*Link Corporation, FTC File No. 2123012.” Respondents must retain an unredacted copy of each subsequent biennial Assessment as well as a proposed redacted copy of each subsequent biennial Assessment suitable for public disclosure until the order is terminated and must provide each such Assessment to the Associate Director for Enforcement within ten (10) days of request. The initial Assessment and any subsequent biennial Assessment provided to the Commission must be marked, in the upper right-hand corner of each page, with the words “DPIP Assessment” in red lettering.
III. Cooperation with Third-Party Information Security Assessor
IT IS FURTHER ORDERED that Respondents, whether acting directly or indirectly, in connection with any Assessment required by Provision II of this Order, titled Information Security Assessments by a Third Party, must:
A. Provide or otherwise make available to the Assessor all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;
B. Provide or otherwise make available to the Assessor information about Respondents’ network(s), systems, and assets so that the Assessor can determine the scope of the Assessment, and visibility to those portions of the network(s), systems, and assets deemed in scope; and
C. Disclose all material facts to the Assessor, and not misrepresent in any manner, expressly or by implication, any fact material to the Assessor’s (1) determination of whether Respondents have implemented and maintained the Information Security Program required by Provision I of this Order, titled Mandated Information Security Program; (2) assessment of the effectiveness of the implementation and maintenance of sub-Provisions I.A-I; or (3) identification of any gaps or weaknesses in, or instances of material noncompliance with, the Information Security Program.
IV. Annual Certification
IT IS FURTHER ORDERED that Respondents must:
A. One year after the issuance date of this Order, and each year thereafter, provide the Commission with a certification from a senior corporate manager, or, if no such senior corporate manager exists, a senior officer of Respondents responsible for Respondents’ Information Security Program that (1) Respondents have established, implemented, and maintained the requirements of this Order; (2) Respondents are not aware of any material noncompliance that has not been (a) corrected or (b) disclosed to the Commission; and (3) includes a brief description of all Covered Incidents during the certified period. The certification must be based on the personal knowledge of the senior corporate manager, senior officer, or subject matter experts upon whom the senior corporate manager or senior officer reasonably relies in making the certification.
B. Unless otherwise directed by a Commission representative in writing, submit all annual certifications to the Commission pursuant to this Order via email to DEbrief@ftc.gov or by overnight courier (not the U.S. Postal Service) to Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Global Tel*Link Corporation, FTC File No. 2123012.”
V. Credit Monitoring and Identity Protection Product
IT IS FURTHER ORDERED that Respondents must provide Affected Consumers enrollment in a credit monitoring and identity protection product (the “Product”) as set forth below:
A. The Product must be offered, provided, and maintained by an independent third party (the “Third Party”) that has been approved by the Associate Director for Enforcement for the Bureau of Consumer Protection at the Federal Trade Commission. Within 14 days of the effective date of this Order, Telmate and its successors and assigns must provide the name and qualifications of the Third Party to: DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Global Tel*Link Corporation, FTC File No. 2123012.”
- Within one hundred and twenty (120) days of receiving approval of the Third Party from the Associate Director for Enforcement for the Bureau of Consumer Protection, Telmate and its successors and assigns must:
- Instruct or otherwise cause the Third Party to provide to each Affected Consumer receiving a notice pursuant to Section IX.B the means to register for or access the Product, such as an activation code; and
- Provide the Third Party with sufficient information regarding Affected Consumers to enable the Third Party to efficiently identify and communicate with each Affected Consumer, including, to the extent known, information regarding whether any Affected Consumer is currently incarcerated; if so, in what Facility.
- After complying with sub-Provision B of this Provision, Telmate and its successors and assigns must, within thirty (30) days of learning the identity of an additional Affected Consumer, or of learning of any reason to believe that an Affected Consumer has not received the means to register for or access the Product, instruct or otherwise cause the Third Party to provide each such Affected Consumer with the means to register for or access the Product.
- Telmate and its successors and assigns must require the Third Party to communicate with each Affected Consumer using methods of communication that are reasonably calculated to reach that consumer, including in light of the consumer’s incarceration status. The Third Party must be able to send and receive communications to and from consumers by mail.
- To the extent that Respondents provide communications services, including voice or telephone services or services related to incarcerated consumers’ ability to send and receive mail, in any Facility in which any Affected Consumer is incarcerated, Respondents will coordinate in good faith with Facilities to allow Affected Consumers who are incarcerated to enroll in the Product via those communication services, including by requesting that Facilities add a telephone number that can be used for enrollment in the Product to the approved call list. Respondents will make reasonable efforts to ensure that calls and mail between the Third Party and Affected Consumers are free of charge.
- Affected Consumers must be eligible to enroll in the Product for a period of at least ninety (90) days following receipt of information from the Third Party about how to register for or access the Product. Telmate and its successors and assigns must cause the Third Party to provide each such Affected Consumer with two (2) years of enrollment in the Product beginning on the date that the Affected Consumer registers for the Product.
- The Product must include:
- An option for Affected Consumers incarcerated in Facilities to receive automated credit monitoring alerts generated by the Product via a mechanism that is simple, accessible, secure, and free of charge to Affected Consumers and the Third Party, such as by providing a mechanism by which Affected Consumers can receive alerts by mail;
- Daily Consumer Report monitoring from each of the three Nationwide Consumer Reporting Agencies showing key changes to one or more of an Affected Consumer’s Consumer Reports, including automated alerts when the following occur: new accounts are opened; inquiries or requests for an Affected Consumer’s Consumer Report for the purpose of obtaining credit, including for new credit card applications; changes to an Affected Consumer’s address; and negative information, including delinquencies or bankruptcies;
- Automated alerts, using public or proprietary data sources:
- When data elements submitted by an Affected Consumer for monitoring, such as Social Security numbers, email addresses, or credit card numbers, appear on suspicious websites, including websites on the “dark web;”
- When names, aliases, and addresses have been associated with the Affected Consumer’s Social Security number in connection with information reported to the Consumer Reporting Agencies;
- When a payday loan or certain other unsecured credit has been taken or opened using the Affected Consumer’s Social Security number;
- When banking activity is detected related to new deposit account applications, opening of new deposit accounts, changes to an Affected Consumer’s personal information on an account, and new signers being added to an Affected Consumer’s account; and
- When a balance is reported on an Affected Consumer’s credit line that has been inactive for at least six months;
- One Million Dollars ($1,000,000) in identity theft insurance to cover costs related to incidents of identity theft or identity fraud, with coverage prior to the Affected Consumer’s enrollment in the Product, provided the costs result from a stolen identity event first discovered during the policy period and subject to the terms of the insurance policy;
- A customer service center to provide assistance with enrollment, website navigation, monitoring alerts questions, dispute assistance, fraud resolution assistance, and other assistance related to the Product;
- For Affected Consumers under the age of 18, the Product includes child monitoring services where the parent or guardian can enroll the Affected Consumer under the age of 18 to receive the following services: alerts when data elements submitted for monitoring appear on suspicious websites, such as websites on the “dark web;” and alerts when the Social Security number of an Affected Consumer under the age of 18 is associated with new names or addresses or the creation of a Consumer Report at one or more of the three Nationwide Consumer Reporting Agencies.
- Respondents must not receive or retain any monetary benefit from the Product.
VI. Covered Incident Notification to Consumers and Facilities
IT IS FURTHER ORDERED that, following any future Covered Incident, Respondents must make reasonable efforts to identify each Future Affected Consumer and must provide notification to each identified Future Affected Consumer as follows:
- Within thirty (30) days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondents must provide, to each Future Affected Consumer, a notice including:
- The date, estimated date, or estimated date range when the Covered Incident occurred;
- A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known (unless otherwise prohibited by law);
- A description of each type of Personal Information that Respondents have reason to believe was accessed, acquired, or publicly exposed without authorization in connection with the Covered Incident;
- The acts that Respondents have taken to date to remediate the Covered Incident and protect Personal Information from further exposure, acquisition, or access;
- Information that a consumer can use to contact Respondents to inquire about the Covered Incident;
- A statement that the consumer can obtain information from the Federal Trade Commission (“FTC”) and the Nationwide Consumer Reporting Agencies about fraud alerts and security freezes; and
- The up-to-date toll-free numbers, addresses, and websites for the Nationwide Consumer Reporting Agencies and the FTC.
- Within thirty (30) days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondents must provide to:
- Each Facility that is associated with the Personal Information that is accessed, acquired, or publicly exposed without authorization; and
- Each Facility in which Respondents know that one or more Future Affected Consumers is incarcerated at the time of the Covered Incident (each a “Future Affected Facility”):
- The date, estimated date, or estimated date range when the Covered Incident occurred;
- A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known;
- A description of each type of Personal Information that Respondents have reason to believe was accessed, acquired, or publicly exposed without authorization in connection with the Covered Incident;
- The number of Future Affected Consumers and the number of Future Affected Consumers with a known relationship to the Facility;
- An explanation of how the Facility can obtain more information about which consumers were affected by the Covered Incident and steps the Facility can take to assist Future Affected Consumers; and
- The acts that Respondents have taken to date to remediate the Covered Incident and protect Personal Information from further exposure or access.
- If Respondents identify an additional Future Affected Consumer more than thirty (30) days following the Covered Incident, Respondents must provide to the Future Affected Consumer, within thirty (30) days of such identification, a notice including the elements listed at sub-Provision VI.A.1-7, and to each Future Affected Facility, if any, that has not previously been notified pursuant to sub-Provision VI.B, a notice including the elements listed at sub-Provision VI.B.1-6.
- Provided, however, that if a federal, state, or local law enforcement agency determines that any notice required under this Provision would interfere with an ongoing investigation, the notice can be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. A law enforcement agency may, by a subsequent written request, revoke such delay as of a specified date or extend the period set forth in the original request to a specified date if further delay is necessary.
VII. Covered Incident Reports to the Commission
IT IS FURTHER ORDERED that, within ten (10) days of any notification to a United States federal, state, or local entity of a Covered Incident, Respondents must submit a report to the Commission. The report must include, to the extent possible:
- The date, estimated date, or estimated date range when the Covered Incident occurred;
- A description of the facts relating to the Covered Incident, including the causes of the Covered Incident, if known;
- A description of each type of information that was affected by the Covered Incident;
- The number of consumers whose information was affected by the Covered Incident;
- The acts that Respondents have taken to date to remediate the Covered Incident and protect Personal Information from further exposure, acquisition, or access, and protect affected individuals from identity theft or other harm that may result from the Covered Incident;
- As applicable, a statement that Respondents have received a request from a federal, state, or local law enforcement agency to delay notice to Future Affected Consumers and Facilities on the basis that such notice would interfere with an ongoing investigation and a copy of such request; and
- A representative copy of any materially different notice Respondents will send or have sent to consumers or to any United States federal, state, or local government entity.
Unless otherwise directed by a Commission representative in writing, all Covered Incident reports to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Global Tel*Link Corporation, FTC File No. 2123012.”
VIII. Prohibition Against Misrepresentations About Security and Privacy
IT IS FURTHER ORDERED that Respondents, and Respondents’ officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, who receive actual notice of this Order, whether acting directly or indirectly, in connection with promoting or offering for sale any product or service must not misrepresent in any manner, expressly or by implication:
- Respondents’ privacy and security measures to prevent unauthorized access to Personal Information;
- The occurrence, extent, nature, potential consequences, or any other fact relating to a Covered Incident actually or potentially involving or affecting Personal Information within the ownership, custody, or control of one or more Respondents;
- The extent to which Respondents have notified or will notify affected parties in connection with a Covered Incident;
- The extent to which Respondents meet or exceed industry-standard security or privacy practices; and
- The extent to which Respondents otherwise protect the privacy, security, availability, confidentiality, or integrity of Personal Information.
IX. Notification to Consumers Affected by the Identified Breach
IT IS FURTHER ORDERED that, within one hundred and twenty (120) days of Telmate receiving approval of the Third Party from the Associate Director for Enforcement for the Bureau of Consumer Protection pursuant to Provision V of this Order entitled “Credit Monitoring and Identity Protection Product”:
- Respondents must post Clearly and Conspicuously on the home page of each of Respondents’ websites and the home screen of each of Respondents’ mobile applications that has been used to provide Telmate products and services an exact copy of the notice attached hereto as Attachment A (“Banner Notice”), including a hyperlink to an exact copy of the notice attached hereto as Attachment B (“Website and App Notice”). Respondents must leave these Notices in place for one year after posting them. Respondents must not include with the Website and App Notice any other information, documents, or attachments; and
- Telmate and its successors and assigns must provide a notice to each Affected Consumer to whom Respondents did not send written notice of the Identified Breach in May of 2021. The notice must consist solely of an exact copy of the notice attached hereto as Attachment C (“Direct Notice”). Respondents must not include with the Direct Notice any other information, documents, or attachments apart from those provided by the Third Party for credit monitoring enrollment.
X. Notification to Facilities
IT IS FURTHER ORDERED that, within one hundred and twenty (120) days of approval of the Third Party offering, providing, and maintaining the Product pursuant to the Provision of this Order entitled “Credit Monitoring and Identity Protection Product,” Telmate and its successors and assigns must provide a notice to all Facilities with a known, present relationship to one or more incarcerated Affected Consumers. The notice must describe Telmate and its successors and assigns’ obligations under the Provisions of this Order entitled “Notification to Consumers Affected by the Identified Breach” and “Credit Monitoring and Identity Protection Product,” including:
- All information necessary for the Facility to facilitate incarcerated Affected Consumers’ ability to receive communications required pursuant to this Order and to communicate with the Third Party;
- The identity of and contact information for the Third Party; and
- Information regarding how the costs of incarcerated Affected Consumers’ communications with the Third Party are to be billed or covered.
Such notice must be sent by first-class mail, postage paid and return receipt requested, or by courier service with signature proof of delivery.
XI. Acknowledgments of the Order
IT IS FURTHER ORDERED that Respondents obtain acknowledgments of receipt of this Order:
- Each Respondent, within ten (10) days after the effective date of this Order, must submit to the Commission an acknowledgment of receipt of this Order sworn under penalty of perjury.
- Each Respondent must deliver a copy of this Order to: (1) all principals, officers, directors, and LLC managers and members; (2) all employees having managerial responsibilities for conduct related to the subject matter of the Order and all agents and representatives who participate in conduct related to the subject matter of the Order; (3) each business that Respondents control, directly or indirectly; and (4) any business entity resulting from any change in structure as set forth in the Provision titled Compliance Reports and Notices. Delivery must occur within ten (10) days after the effective date of this Order for current personnel. For all others, delivery must occur before they assume their responsibilities.
- From each individual or entity to which a Respondent delivered a copy of this Order, that Respondent must obtain, within thirty (30) days, a signed and dated acknowledgment of receipt of this Order.
XII. Compliance Reports and Notices
IT IS FURTHER ORDERED that Respondents make timely submissions to the Commission:
- One (1) year after the issuance date of this Order, each Respondent must submit a compliance report, sworn under penalty of perjury, in which each Respondent must:
- Identify the primary physical, postal, and email address and telephone number, as designated points of contact, which representatives of the Commission may use to communicate with Respondent;
- Identify all of that Respondent’s businesses by all of their names, telephone numbers, and physical, postal, email, and Internet addresses;
- Describe the activities of each business, including the goods and services offered; each means by which consumers can access each business’s goods and services, including each website or mobile application that consumers can use to access each service; the extent to which consumers can or must register or create an account or profile in order to access goods or services; the types of Personal Information that Respondents collect in connection with consumers’ use of goods or services, and the extent to which Respondents disclose any of that information to Facilities; the means of advertising, marketing, and sales; and the involvement of any other Respondent;
- Describe in detail whether and how that Respondent is in compliance with each Provision of this Order, including a discussion of all of the changes the Respondent made to comply with the Order; and
- Provide a copy of each Acknowledgment of the Order obtained pursuant to this Order, unless previously submitted to the Commission.
- Each Respondent must submit a compliance notice, sworn under penalty of perjury, within fourteen (14) days of any change in the following:
- Any designated point of contact; or
- The structure of any Respondent or any entity that Respondent has any ownership interest in or controls directly or indirectly that may affect compliance obligations arising under this Order, including: creation, merger, sale, or dissolution of the entity or any subsidiary, parent, or affiliate that engages in any acts or practices subject to this Order.
- Each Respondent must submit notice of the filing of any bankruptcy petition, insolvency proceeding, or similar proceeding by or against such Respondent within fourteen (14) days of its filing.
- Any submission to the Commission required by this Order to be sworn under penalty of perjury must be true and accurate and comply with 28 U.S.C. § 1746, such as by concluding: “I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on: [date]” and supplying the date, signatory’s full name, title (if applicable), and signature.
- Unless otherwise directed by a Commission representative in writing, all submissions to the Commission pursuant to this Order must be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: “In re Global Tel*Link Corporation, FTC File No. 2123012.”
XIII. Recordkeeping
IT IS FURTHER ORDERED that Respondents must create certain records and retain each such record for five (5) years, unless otherwise specified below. Specifically, each Respondent must create and retain the following records:
- Accounting records showing the revenues from all goods or services sold, the costs incurred in generating those revenues, and resulting net profit or loss;
- Personnel records showing, for each person providing services in relation to any aspect of the Order, whether as an employee or otherwise, that person’s: name; addresses; telephone numbers; job title or position; dates of service; and (if applicable) the reason for termination;
- Copies or records of all consumer complaints concerning the subject matter of the Order, whether received directly or indirectly, such as through a third party, and any response;
- A copy of each unique advertisement, marketing or business proposal (including any response to a Request for Proposal), or other marketing material making a representation subject to this Order;
- A copy of each widely disseminated representation by Respondents that relates to any Covered Incident or describes the extent to which Respondents maintain or protect the privacy, security, and confidentiality of any Personal Information, including any representation concerning a change in any website or other service controlled by Respondents that relates to the privacy, security, and confidentiality of Personal Information;
- For five (5) years after the date of preparation of each Assessment required by this Order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of Respondents, including all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and Assessments, and any other materials concerning Respondents’ compliance with related Provisions of this Order, for the compliance period covered by such Assessment;
- For five (5) years from the date received, copies of all subpoenas and other communications with law enforcement, if such communications relate to Respondents’ compliance with this Order or relate to any Covered Incident;
- All records necessary to demonstrate full compliance with each provision of this Order, including all submissions to the Commission.
XIV. Compliance Monitoring
IT IS FURTHER ORDERED that, for the purpose of monitoring Respondents’ compliance with this Order:
- Within ten (10) days of receipt of a written request from a representative of the Commission, each Respondent must: submit additional compliance reports or other requested information, which must be sworn under penalty of perjury, and produce records for inspection and copying.
- For matters concerning this Order, representatives of the Commission are authorized to communicate directly with each Respondent. Respondents must: permit representatives of the Commission to interview anyone affiliated with any Respondent who has agreed to such an interview. The interviewee may have counsel present.
- The Commission may use all other lawful means, including posing through its representatives as consumers, suppliers, or other individuals or entities, to Respondents or any individual or entity affiliated with Respondents, without the necessity of identification or prior notice. Nothing in this Order limits the Commission’s lawful use of compulsory process, pursuant to Sections 9 and 20 of the FTC Act, 15 U.S.C. §§ 49, 57b-1.
XV. Order Effective Dates
IT IS FURTHER ORDERED that this Order is final and effective upon the date of its publication on the Commission’s website (ftc.gov) as a final order. This Order will terminate 20 years from the date of its issuance (which date may be stated at the end of this Order, near the Commission’s seal), or 20 years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying settlement) in federal court alleging any violation of this Order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of:
- Any Provision in this Order that terminates in less than 20 years;
- This Order’s application to any Respondent that is not named as a defendant in such complaint; and
- This Order if such complaint is filed after the Order has terminated pursuant to this Provision.
Provided, further, that if such complaint is dismissed or a federal court rules that the Respondent did not violate any provision of the Order, and the dismissal or ruling is either not appealed or upheld on appeal, then the Order will terminate according to this Provision as though the complaint had never been filed, except that the Order will not terminate between the date such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.
By the Commission:
April J. Tabor, Secretary
ISSUED: February 23, 2024