Description

Issued FTC final order on Global Tel*Link's Data Security Breach

On 23 February 2024, the Federal Trade Commission (FTC) issued a finalised order against Tel*Link Corp. (GTL) and its subsidiaries, Telmate LLC and TouchPay Holdings LLC, related to their failure to secure sensitive user data. The FTC found that the companies failed to implement adequate security measures to protect users' personal information while copying sensitive unencrypted data of 649'500 users into the cloud for testing purposes. These actions allowed malicious users to gain access to the personal information stored in the cloud. Despite alleged knowledge of these security vulnerabilities, GTL only informed affected customers about the data breach after nine months, contacting only 45'000 of the affected users.

The order mandates that the companies implement a comprehensive data security program and prohibits them from misrepresenting their data security practices. The program includes deploying "change management" measures, using multifactor authentication, and minimising data collection and storage. The companies must also obtain initial and biennial assessments from a qualified, independent third-party professional to ensure the implementation and effectiveness of their Information Security Program. This includes specific provisions for documentation, independent review, and FTC oversight for twenty years.

Furthermore, the companies are ordered to offer affected consumers enrollment in a credit monitoring and identity protection product offered by an approved third party, including automated credit monitoring alerts, consumer report monitoring, identity theft insurance, and customer service assistance. Within 120 days of receiving third-party approval for a credit monitoring and identity protection product, the respondents must post notices on their websites and mobile apps. They must also send direct notices to affected consumers who have not been previously notified of the breach. Additionally, they must inform facilities of their obligations to facilitate affected incarcerated consumers' access to communications related to this order. If there are any security incidents in the future, the companies must notify users in compliance with federal, state, or local breach reporting requirements.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: infrastructure provider: internet and telecom services
Implementation Level: national
Government Branch: executive
Government Body: consumer protection authority

Complete timeline of this policy change

2023-11-16
in force

On 16 November 2023, the Federal Trade Commission (FTC) issued a decision against Tel*Link Corp. (G…

2023-11-21
in consultation

On 21 November 2023, the public consultation opened on the Federal Trade Commission's (FTC) propose…

2023-12-21
processing consultation

On 21 December 2023, the public consultation closed on the Federal Trade Commission's (FTC) propose…

2024-02-23
in force

On 23 February 2024, the Federal Trade Commission (FTC) issued a finalised order against Tel*Link C…
