2023-25690. Global Tel*Link; Analysis of Proposed Consent Order To Aid Public Comment  

    AGENCY:

    Federal Trade Commission.

    ACTION:

    Proposed consent agreement; request for comment.

    SUMMARY:

    The consent agreement in this matter settles alleged violations of federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order—embodied in the consent agreement—that would settle these allegations.

    DATES:

    Comments must be received on or before December 21, 2023.

    ADDRESSES:

    Interested parties may file comments online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Please write “Global Tel*Link Corporation; File No. 212 3012” on your comment and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, please mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Ave. NW, Mail Stop H–144 (Annex I), Washington, DC 20580.

    FOR FURTHER INFORMATION CONTACT:

    Robin Wetherill (202–326–2220), Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Ave. NW, Washington, DC 20580.

    SUPPLEMENTARY INFORMATION:

    Pursuant to section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule § 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing a consent order to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of 30 days. The following Analysis to Aid Public Comment describes the terms of the consent agreement and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained at https://www.ftc.gov/news-events/commission-actions.

    You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before December 21, 2023. Write “Global Tel*Link Corporation; File No. 212 3012” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the https://www.regulations.gov website.

    Because of heightened security screening, postal mail addressed to the Commission will be subject to delay. We strongly encourage you to submit your comments online through the https://www.regulations.gov website. If you prefer to file your comment on paper, write “Global Tel*Link Corporation; File No. 212 3012” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Ave. NW, Mail Stop H–144 (Annex I), Washington, DC 20580. If possible, submit your paper comment to the Commission by overnight service.

    Because your comment will be placed on the publicly accessible website at https://www.regulations.gov, you are solely responsible for making sure your comment does not include any sensitive or confidential information. Your comment should not include sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure your comment does not include sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . is privileged or confidential”—as provided by Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule § 4.10(a)(2), 16 CFR 4.10(a)(2)—including competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

    Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule § 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule § 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted on the https://www.regulations.gov website—as legally required by FTC Rule § 4.9(b)—we cannot redact or remove your comment from that website, unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule § 4.9(c), and the General Counsel grants that request.

    Visit the FTC website at http://www.ftc.gov to read this document and the news release describing the proposed settlement. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments it receives on or before December 21, 2023. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

    Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (the “Commission”) has accepted, subject to final approval, an agreement containing a consent order from Global Tel*Link Corporation, which also operates under the name Viapath (“Viapath”); Telmate, LLC (“Telmate”); and TouchPay Holdings, LLC (“TouchPay”) (collectively, “Respondents”). The Proposed Order has been placed on the public record for 30 days for receipt of comments from interested persons. Comments received during this period will become part of the public record. After 30 days, the Commission will again review the agreement and the comments received, and it will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement's Proposed Order.

    Viapath is one of the largest providers of inmate telephone services in the United States. In combination with subsidiaries such as Telmate and TouchPay, Viapath also provides a host of additional communications, technology, and financial services to incarcerated consumers, their friends and family, and other outside contacts of incarcerated individuals, and to jails, prisons, and other carceral institutions (“Facility” or “Facilities”).

    In August 2020, a third-party contractor engaged by Telmate left a database containing consumers' personal information publicly exposed on the internet (the “Incident”). The exposed database contained the personal information of thousands of people who used Respondents' products and services, including GettingOut, VisitNow (also known as VisitMe), Command, Telmate Inmate Telephone service, and Guardian.

    The exposed personal information included the full text of messages exchanged using Respondents' services, grievance forms submitted by incarcerated people to jails and prisons, and information about incarcerated and non-incarcerated users such as names, dates of birth, phone numbers, usernames or email addresses in combination with passwords, home addresses, driver's license numbers, passport numbers, payment card numbers, financial account information, Social Security numbers, and data related to telephone services (like the dates and times of calls, called numbers, calling numbers, station used, and location information, like certain individuals' latitude and longitude at particular points in time). One or more unauthorized individuals accessed the exposed database and downloaded personal information from it. At least some of the exposed information was made available for sale on the dark web, where other people could also access or buy it.

    The Commission's proposed six-count complaint alleges Respondents violated Section 5(a) of the Federal Trade Commission Act by: (1) unfairly failing to employ reasonable data security measures (Count I); (2) unfairly failing to notify consumers affected by the Incident in a timely manner (Count II); (3) deceptively misrepresenting that Respondents implemented reasonable and appropriate measures to protect consumers' personal information against unauthorized access; (4) deceptively misrepresenting that Respondents had no reason to believe that consumers' sensitive personal information was affected by the Incident; (5) deceptively misrepresenting that Respondents would timely notify affected consumers; and (6) deceptively misrepresenting that Respondents had never experienced a data security breach or that they had not experienced a data security breach within a particular timeframe that included the dates of the Incident.

    The Proposed Order contains provisions designed to prevent Respondents from engaging in the same or similar acts or practices in the future. The Proposed Order also contains provisions designed to provide products to consumers affected by the Incident. Provision I of the Proposed Order requires Respondents to establish and implement, and thereafter maintain, a comprehensive data security program that protects the security, confidentiality, and integrity of consumers' Personal Information, as that term is defined in the Proposed Order. Provision II of the Proposed Order requires Respondents to obtain initial and biennial data security assessments by an independent third-party professional (“Assessor”) for 20 years, and Provision III requires Respondents to cooperate with the Assessor in connection with the assessments required by Provision II. Provision IV of the Proposed Order requires that a senior corporate manager or senior officer of Respondents certify Respondents' compliance with the Proposed Order. Provision V of the Proposed Order requires Respondents to provide consumers affected by the Incident with two years of enrollment in a credit monitoring and identity protection product. This provision includes requirements that are designed to help incarcerated consumers affected by the Incident access the product. Provision VI of the Proposed Order requires Respondents to notify consumers and relevant Facilities of any future incident that results in Respondents notifying, pursuant to a statutory or regulatory requirement, any U.S. federal, state, or local government entity that Personal Information of or about an individual consumer was, or is reasonably believed to have been, accessed or acquired, or publicly exposed without authorization (“Covered Incident”). Provision VII of the Proposed Order requires Respondents to notify the Commission of any future Covered Incident.

    Provision VIII of the Proposed Order prohibits Respondents from misrepresenting: (1) Respondents' privacy and security measures to prevent unauthorized access to Personal Information; (2) the occurrence, extent, nature, potential consequences, or any other fact relating to a Covered Incident actually or potentially involving or affecting Personal Information within the ownership, custody, or control of one or more Respondents; (3) the extent to which Respondents have notified or will notify affected parties in connection with a Covered Incident; (4) the extent to which Respondents meet or exceed industry-standard security or privacy practices; and (5) the extent to which Respondents otherwise protect the privacy, security, availability, confidentiality, or integrity of Personal Information.

    Provision IX of the Proposed Order requires Respondents to provide notice of the Incident by: (1) posting notice on each of Respondents' websites and the home screen of each of Respondents' mobile applications that has been used to provide Telmate products and services; and (2) sending notice to each consumer affected by the Incident that did not previously receive notification of the Incident. Provision X of the Proposed Order requires Respondents to provide relevant Facilities with notice of the Incident.

    Provisions XI–XIV of the Proposed Order are reporting and compliance provisions, which include recordkeeping requirements and provisions requiring Respondents to provide information or documents necessary for the Commission to monitor compliance. Provision XV states the Proposed Order will remain in effect for 20 years.

    The purpose of this analysis is to aid public comment on the proposed order. It is not intended to constitute an official interpretation of the complaint or proposed order, or to modify in any way the proposed order's terms.

    By direction of the Commission.

    April J. Tabor,

    Secretary.

    [FR Doc. 2023–25690 Filed 11–20–23; 8:45 am]

    BILLING CODE 6750–01–P

Document Information

Published:
11/21/2023
Department:
Federal Trade Commission
Entry Type:
Notice
Action:
Proposed consent agreement; request for comment.
Document Number:
2023-25690
Dates:
Comments must be received on or before December 21, 2023.
Pages:
81081-81082 (2 pages)
Docket Numbers:
File No. 212 3012
PDF File:
2023-25690.pdf