On 23 February 2024, the Federal Trade Commission (FTC) issued a finalised order against Tel*Link Corp. (GTL) and its subsidiaries, Telmate LLC and TouchPay Holdings LLC, over their failure to secure sensitive user data. The FTC found that the companies had not implemented adequate security measures to protect users' personal information when they copied sensitive, unencrypted data belonging to 649,500 users into a cloud environment for testing purposes. This exposure allowed malicious actors to access the personal information stored there. Despite alleged knowledge of these security weaknesses, GTL informed affected customers of the data breach only after nine months, and contacted only 45,000 of the affected users.

The order requires the companies to implement a comprehensive data security programme and prohibits them from misrepresenting their data security practices. The programme must include "change management" controls, multifactor authentication, and minimisation of the data they collect and retain. The companies must also obtain initial and biennial assessments from a qualified, independent third-party professional to verify the implementation and effectiveness of their Information Security Program, with specific provisions for documentation, independent review, and FTC oversight for twenty years.

Furthermore, the companies are ordered to offer affected consumers enrolment in a credit monitoring and identity protection product provided by an approved third party, including automated credit monitoring alerts, consumer report monitoring, identity theft insurance, and customer service assistance. Within 120 days of receiving third-party approval for such a product, the respondents must post notices on their websites and mobile apps, and must send direct notices to affected consumers who have not previously been notified of the breach. Additionally, they must inform facilities of their obligations to facilitate affected incarcerated consumers' access to communications related to this order. For any future security incidents, the companies must notify users in compliance with federal, state, or local breach reporting requirements.