FTC Clamps Down on GTL For Failing to Secure Personal Data in Breach

The FTC will require Global Tel-Link, a provider of inmate communications services, and two of its subsidiaries to notify consumers of any future data breaches “as part of a proposed settlement over charges they failed to secure sensitive data of hundreds of thousands of users stored in a cloud environment,” said the agency Thursday. The commission also alleges that GTL and the subsidiaries “failed to alert all those affected by the incident.” The FTC’s complaint alleges GTL and the subsidiaries “failed to implement adequate security safeguards to protect personal information they collect from users of its services,” it said. That enabled bad actors “to gain access to unencrypted personal information stored in the cloud and used for testing,” it said. The complaint alleges GTL and the subsidiaries violated Section 5(a) of the FTC Act when they made numerous false and deceptive promises to protect the sensitive personally identifiable information that they collect in connection with offering their products and services. The companies then failed to provide timely notice to affected consumers so that they could take steps to protect themselves from identity theft, the FTC said. They also made multiple misleading representations about the data security incident. As part of a proposed order with the FTC, GTL and the subsidiaries will be required to implement a “comprehensive data security program” to prevent future breaches, said the agency. The companies also will need to notify users of its products affected by the data breach who didn’t previously receive notice, and provide them with credit monitoring and identity protection products, it said.