The Federal Trade Commission (FTC) has taken action against Global Tel*Link Corp. and its subsidiaries for failing to adequately secure personal data and notify consumers after a data breach. The breach occurred due to changes made by a third-party vendor to the security settings for the data stored in the cloud, leaving the personal data of many customers accessible via the internet. Hackers accessed billions of bytes of exposed data, including sensitive information such as Social Security numbers and messages between incarcerated individuals and their loved ones.
Global Tel*Link waited approximately nine months to notify affected customers, causing harm to users who were unable to take necessary actions to protect themselves from identity theft. The company also falsely claimed in marketing materials that it had never suffered a data breach. As part of the proposed settlement, Global Tel*Link will be required to implement a comprehensive data security program, notify affected users, and provide credit monitoring and identity protection products. It must also notify the FTC and affected parties of any future data breaches within specific timeframes.
The proposed consent agreement will be subject to public comment for 30 days before the Commission decides whether to make it final. The FTC’s action aims to hold Global Tel*Link accountable for its failure to protect personal data and fulfill its promises of strong security practices. Violations of the consent order may result in civil penalties of up to $50,120.