What We Have Here Is a Failure to Communicate… Among Other Things

by Larissa Bungo


Yes, if a tree falls in the forest and no one is there to hear it, the tree does make a sound. And, yes, if a data breach happens and you fail to timely notify affected customers, that’s an unfair practice. That’s just one of the lessons businesses can learn from the FTC’s proposed settlement with Global Tel*Link (GTL) and its subsidiaries, Telmate and TouchPay.

Another lesson? When it comes to safeguarding consumers’ personal information, the duty extends regardless of where the business stores the data and what it uses the data for—even testing. Read on to learn more.

GTL is one of the country’s largest providers of communications and technology services for jails, prisons, and similar institutions, providing both communications and payment services for incarcerated consumers and their non-incarcerated contacts, including loved ones. According to the FTC’s complaint, in August 2020, unknown attackers accessed the personally identifiable information (“PII”) of hundreds of thousands of people who used GTL’s products when the data was left unprotected and accessible via the internet. This included: names, contact information, driver’s license numbers, passport numbers, Social Security numbers, payment card and financial account information, personal messages, health information, and grievance forms.

How did this happen? In the process of upgrading their search and analytics software, GTL allegedly moved a database containing PII to a test environment in the cloud. According to the FTC’s complaint, GTL left the database of PII unencrypted and did not take other measures to protect the data stored in the test environment, such as automated monitoring. When a contractor employed by GTL to work on the software upgrade changed the security settings of the test environment, the environment—and all the PII it contained—was left accessible via the internet without password protection.

You can probably guess what happened next. One or more unauthorized people were able to access and download information from the database. A data security researcher notified GTL that the data was exposed—specifically, that he could access the database and view PII about GTL’s users. You guessed it. Next, someone downloaded information from the database and made it available on the Dark Web. Consumers began to tell GTL directly that they received alerts that their information was found on the Dark Web.

Can you guess what didn’t happen next? According to the FTC’s complaint, at least eight months went by where GTL and its subsidiaries failed to notify affected customers. Instead, the FTC alleged the company misrepresented its efforts to do so and falsely represented to prospective institutional customers that GTL hadn’t experienced unauthorized access to its data.

When GTL and its subsidiaries finally did notify consumers of the breach, the FTC alleges they chose to notify only a fraction of the affected users that their information was affected, denying hundreds of thousands of users any opportunity to take self-help measures such as implementing a fraud alert or credit freeze.

For years the FTC has stressed to businesses the importance of having effective breach detection and response as essential components of a reasonable data security program. The FTC’s settlement with GTL and its subsidiaries underscores these principles. It also makes clear that reasonable data security protections to safeguard consumers’ PII apply even when that data is being used for testing—and require a company to inventory and track the flow of consumers’ personal information. And, should a breach occur, businesses must promptly notify consumers about the incident, particularly when failing to do so puts the affected consumers at increased risk of harm, such as from identity theft.

You’ll want to read the six-count complaint for details on how GTL’s practices allegedly harmed consumers. To settle the case, GTL and its subsidiaries agreed to implement a comprehensive information security program with third-party assessments, to provide credit and identity monitoring for consumers not previously notified of the breach, and to notify affected consumers about the breach. The proposed settlement also requires GTL and its subsidiaries to notify the FTC and, in a first for an FTC order, affected consumers and facilities about future data breaches. Finally, under the agreement, GTL and its subsidiaries are prohibited from making misrepresentations about privacy, data security, and data breaches.

What are the key takeaways for your business?

  • Businesses must promptly notify consumers when a breach has occurred that puts them at increased risk of harm, such as identity theft. The GTL settlement requires GTL and its subsidiaries to notify the FTC of any future breach. The proposed Order adds a novel additional requirement. Whenever the duty to notify any government agency is triggered by a future data breach, GTL and its subsidiaries must also timely notify affected users and facilities.
  • Reasonable data security requirements apply regardless of where the business stores consumers’ personal information or what it uses that information for—including testing. A best practice is to avoid using PII for testing or development in the first place, but if using PII is unavoidable, then that PII must be protected to the same extent as in the production environment.
  • Businesses should inventory and track the flow of PII. Knowing what data is stored where is critical to a business’s ability to assess what protections are needed and timely identify consumers who should be notified following any breach.

Larissa Bungo is a Senior Attorney for the FTC’s Division of Consumer and Business Education. This post first appeared on the FTC’s Business Blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).