FTC Focuses on Vendors and Secure Software Development: Settlement with Global Tel*Link Corp.
March 20, 2024
Privacy Plus+
Privacy, Technology and Perspective
This week, let’s consider the Federal Trade Commission’s recent settlement with Global Tel*Link Corp. and two of its subsidiaries (collectively, “GTL”), providers of products and services to jails, prisons, and detention facilities, including communication and payment services for incarcerated individuals.
The Complaint:
According to the Complaint, GTL contracted with state Departments of Correction, the Federal Bureau of Prisons, county and city jails, immigration detention facilities, and juvenile detention facilities (collectively, “Facilities”) in all 50 states, the District of Columbia, and Puerto Rico. GTL’s annual net revenue is over $600M. In marketing materials, GTL stated that “more than 85% of the U.S. inmate population” used its products and services. In addition, over 13 million consumers who were not incarcerated used GTL’s services in their capacity as family and friends of incarcerated individuals. They accessed these services for a fee through websites and apps, while those incarcerated used kiosks and tablets made available in the jails and prisons.
In connection with its business, GTL collected a significant amount of sensitive information from incarcerated individuals and their contacts, including their names, addresses, financial account information, passport, driver’s license, and social security numbers. Using that information and other information collected from incarcerated individuals and their contacts, GTL also offered products and services to Facilities to allow them to surveil and investigate incarcerated consumers and contacts.
In advertising materials and responses to RFPs, GTL extolled its data security practices, even providing documents to Facilities that made specific representations about its data security safeguards, like “Our technologies leverage multiple layers of firewalls, SSL, and best-industry security standards to ensure all data transmitted through our systems are [sic] secure.” In addition, GTL published a (largely boilerplate) public-facing privacy notice on its website that made this security representation to consumers:
“We seek to use industry standard physical, technical, and administrative security measures designed to protect your personally identifiable information. However, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us in accordance with the ‘Contact Us’ section above.”
In 2020, GTL engineers (and more specifically, a contractor engaged by GTL) copied a large database into an AWS cloud storage environment (“Test Environment”) for the purpose of testing a product that GTL was developing. The database contained real data, including personally identifiable information (e.g., contact information, payment card and financial account information, personal messages, and grievance forms) about the users of GTL’s products and services. According to the Complaint, the Test Environment wasn’t adequately secured, and as a result, was left accessible via the Internet for two days. The FTC found that there were multiple instances of unauthorized access to the Test Environment (and the data within it) and that GTL made misrepresentations regarding this security incident (“Incident”) and failed to properly notify consumers about it.
The FTC's Complaint alleged these specific deficiencies in GTL’s data security practices:
+ Insufficient Encryption Practices: GTL took no steps to encrypt or otherwise obfuscate the data in the Test Environment, and allegedly stored the sensitive personal information in the Test Environment in clear, readable text.
+ Lack of Automated Monitoring: GTL failed to utilize automated monitoring tools in the Test Environment, including available AWS features, which could have alerted to any changes in security settings.
+ Absence of Perimeter Firewall: GTL did not deploy a perimeter firewall to safeguard the Test Environment from external threats.
+ Lack of Log Monitoring Solution: GTL lacked a log monitoring solution to provide alerts to the GTL information security team for Test Environment protection.
+ No Intrusion Prevention System: GTL omitted the use of an Intrusion Prevention System to defend the Test Environment against unauthorized access attempts.
+ Neglected Vendor Security Assessment: Despite its vendor's access to sensitive data, GTL neglected to vet or assess the vendor's data security practices.
+ Inadequate Employee Training: GTL did not provide, or require its vendor/contractor to provide, secure development or data security training to its engineers, despite their access to sensitive information.
+ Poor Consumer Data Inventory: GTL failed to reasonably inventory or track consumers' personally identifiable information, including monitoring transfers and categories of data within the Test Environment.
According to the FTC’s six-count complaint, GTL violated Section 5(a) of the FTC Act by: (1) unfairly failing to employ reasonable data security measures (Count I); (2) unfairly failing to notify consumers affected by the Incident in a timely manner (Count II); (3) deceptively misrepresenting that Respondents implemented reasonable and appropriate measures to protect consumers’ personal information against unauthorized access; (4) deceptively misrepresenting that Respondents had no reason to believe that consumers’ sensitive personal information was affected by the Incident; (5) deceptively misrepresenting that Respondents would timely notify affected consumers; and (6) deceptively misrepresenting that Respondents had never experienced a data security breach or that they had not experienced a data security breach within a particular timeframe that included the dates of the Incident.
A link to the Complaint follows: https://www.ftc.gov/system/files/ftc_gov/pdf/Complaint-GlobalTelLink.pdf
The Settlement:
Under the terms of the proposed settlement, GTL is prohibited from making misrepresentations about privacy and security and is also ordered to take the following measures:
+ Enhanced Security Measures: GTL is required to implement and maintain a comprehensive written information security program and related security safeguards, including security training and training in secure software development practices;
+ Third-Party Assessments: GTL must undergo initial and biennial data security assessments by independent third parties for 20 years, and is obligated to cooperate with the assessors during these assessments.
+ Certification of Compliance: A senior corporate manager or officer of GTL must certify compliance with the proposed order.
+ Consumer Support: GTL is mandated to provide affected consumers with two years of enrollment in a credit monitoring and identity protection product, including provisions for incarcerated consumers.
+ Incident Notification: GTL must notify consumers and relevant Facilities of any future incidents involving unauthorized access or exposure of personal information, and is required to notify the FTC of any future covered incidents.
+ Reporting and Compliance: These provisions include reporting requirements, recordkeeping obligations, and the provision of information necessary for Commission monitoring.
For more on the settlement, you can follow this link to the Decision and Order:
https://www.ftc.gov/system/files/ftc_gov/pdf/DecisionandOrder-GlobalTelLinkCorp.pdf
Our Thoughts:
1. Notably, the FTC continues to zero in on service providers, especially on the issue of their security posture in connection with software development. Could this be an area of sensitivity due to the SolarWinds attack? We had labeled “2021 – This Year of Supply Chain (Vendor) Management,” but for the FTC, perhaps 2024 is the year of addressing vendor risk. If interested, you can read more about SolarWinds by searching “SolarWinds” on our Privacy Plus+ News blog, available at the following link:
https://www.hoschmorris.com/privacy-plus-news
2. The FTC’s case against GTL echoes its recent case against Blackbaud, which also focused on faulting a service provider for allegedly insecure software development practices. The Blackbaud Decision and Order contains more specifics on what the FTC considers to be secure software development practices. You can read more about Blackbaud by clicking on our previous post, “Blackbaud’s FTC Deal: Delete Data, Amp Up Security,” available at the following link:
https://www.hoschmorris.com/privacy-plus-news/blackbaud
3. Holding service providers to stringent data security standards benefits consumers as well as contracting public and private entities. However, we wonder whether the Facilities that contracted with GTL should also be held accountable. Do you also find it troubling that a single service provider services (or claims to serve) “more than 85% of the U.S. inmate population”? A single service provider already means that GTL owns a de facto monopoly over these services to this population and the temptation to charge monopoly prices to incarcerated individuals and their families and friends – rarely an affluent population, much less one with strong bargaining power – must be compelling. This is one of the most vulnerable populations in our society, and to compound such a monopoly with a failure to respect at least their privacy seems to us simply cruel, and unnecessarily so. Holding GTL and the contracting Facilities to account seems just, especially under these circumstances.
For more insights into the case against GTL and its implications for data security practices, visit the FTC's official announcement and case summary on their website, available at the following link:
https://www.ftc.gov/legal-library/browse/cases-proceedings/2123012-global-tel-link-corporation
---
Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet, and technology. Open the Future℠.