Larissa Bungo (Photo courtesy of the author)
Yes, if a tree falls in the forest and no one is there to hear it, the tree does make a sound. And, yes, if a data breach happens and you fail to timely notify affected customers, that’s an unfair practice. That’s just one of the lessons businesses can learn from the FTC’s proposed settlement with Global Tel*Link (GTL) and its subsidiaries, Telmate and TouchPay.
Another lesson? When it comes to safeguarding consumers’ personal information, the duty extends regardless of where the business stores the data and what it uses the data for—even testing. Read on to learn more. GTL is one of the country’s largest providers of communications and technology services for jails, prisons, and similar institutions, providing both communications and payment services for incarcerated consumers and their non-incarcerated contacts, including loved ones. According to the FTC’s complaint, in August 2020, unknown attackers accessed the personally identifiable information (“PII”) of hundreds of thousands of people who used GTL’s products when the data was left unprotected and accessible via the internet. This included: names, contact information, driver’s license numbers, passport numbers, Social Security numbers, payment card and financial account information, personal messages, health information, and grievance forms.