In an FTC First, Proposed Order Requires Global Tel*Link Corp. to Notify Users and Facilities of Future Breaches
Time 2 Minute Read
Categories: Enforcement, Information Security, Security Breach

On November 16, 2023, the Federal Trade Commission released a proposed order in connection with a complaint filed in August of 2020 against Global Tel*Link Corp. (“GTL”) and its subsidiaries, Telmate and TouchPay, which offers communication and payment services for incarcerated individuals. The complaint centered around a security breach where a technician for a vendor of GTL placed unencrypted, personally identifiable information in a test environment to test a new search and storage software. The test environment allegedly was accessible on the internet without password protections which permitted an unauthorized actor to access and exfiltrate the data between August 11-13, 2020. Though GTL restricted access to the test environment, GTL allegedly failed to notify its customers for roughly nine months, while also falsely representing to prospective customers that it had never experienced a security breach.

In a first for the FTC, the proposed Order requires GTL to submit a report to the FTC within ten days of notifying any U.S. federal, state, or local entity of an incident. The FTC report requires GTL to specify the date an incident took place, as well as the type of information and number of consumers impacted by an incident, as well as, when applicable, providing a statement and a copy of a law enforcement agency’s request to delay notice to affected consumers on the basis that notifying consumers would interfere with an ongoing investigation. This FTC notification obligation for GTL is in addition to a 30-day window to notify consumers of future breaches.

Update: On February 23, 2024, the FTC finalized the proposed order in a 3-0 Commission vote. GTL and its subsidiaries are “required to implement a comprehensive data security program” that includes several risk management requirements and “procedures to minimize the amount of data it collects and stores.” In addition, GTL must “notify users affected by the data breach who did not previously receive notice and provide them with credit monitoring and identity protection products.”

Tags: Consumer Protection, Federal Trade Commission, Law Enforcement, Personal Information, Personally Identifiable Information
Print Email Twitter/X Linkedin Facebook

You May Also Be Interested In

Time 3 Minute Read
Connecticut AG Clarifies AI Compliance Obligations Under CTDPA

The Connecticut Attorney General recently issued a legal memorandum regarding the application of existing Connecticut laws, such as the Connecticut Data Privacy Act, to the use of artificial intelligence.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 3 Minute Read
Oklahoma Enacts Comprehensive Consumer Privacy Law

On March 20, 2026, Oklahoma Governor Kevin Stitt signed SB 546 into law, enacting the Oklahoma Consumer Data Privacy Act, which will take effect on January 1, 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
UK ICO Publishes Guidance on Recognized Legitimate Interest Basis

On March 23, 2026, the UK Information Commissioner's Office released new guidance clarifying the use of the new recognized legitimate interest lawful basis for processing personal information under UK data protection law.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook
Time 2 Minute Read
Alabama Enacts App Store Accountability Act Requiring Age Verification

On February 5, 2026, Alabama Governor Kay Ivey signed Alabama House Bill 161, the App Store Accountability Act, establishing age categorization, age verification and parental consent requirements for mobile application marketplace providers operating in Alabama, effective January 2027.

Continue Reading ›
Print Email Twitter/X Linkedin Facebook

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page