Incident & Breach Response , Security Operations , Standards, Regulations & Compliance
FTC Proposes New Cyber Disclosure Rule After Prison Hack
Federal Contractor Must Comply With New Reporting Measures Following Data BreachA major telecommunications contractor for prison systems nationwide will be forced to implement new cyber incident disclosure policies after failing to secure sensitive information for hundreds of thousands of users.
See Also: Meeting the Mandate: A Proactive Approach to Cybersecurity Compliance and Incident Reporting
The U.S. Federal Trade Commission said Thursday it had reached an agreement with Global Tel*Link Corp., a Virginia-based communications firm that provides jails and prison systems with phone and video services for prisoners, following a multilayered security incident that began in 2020.
Issues first arose for Global Tel*Link, which rebranded to ViaPath Technologies in January 2022, when it failed to secure sensitive information for "hundreds of thousands of users" while testing new search software with a third-party vendor in August 2020.
According to an administrative complaint, Global Tel*Link and a third-party vendor left the personal data of incarcerated individuals unencrypted and fully accessible on the internet without any safeguards. Forensic analysis confirmed that hackers had accessed "billions of bytes of the exposed data," the FTC said.
The FTC alleged that Global Tel*Link and the third party had left personal information, including the Social Security numbers of 650,000 users, exposed online and had failed to contact the vast majority of affected users for nearly nine months.
Agency attorneys said the company previously had positioned itself as a champion of cybersecurity, promising strong security practices and calling data security "the cornerstone of what we do."
The commission unanimously voted to approve the consent agreement with Global Tel*Link requiring it to implement a comprehensive data security program that includes multifactor authentication for the next 20 years. It must also notify the FTC within 10 days of reporting security incidents to any federal, state or local authorities.
Under the new disclosure rules, the company must notify consumers and facilities within 30 days of data breaches and certain security incidents. Global Tel*Link agreed to notify individuals affected by previous data breaches and provide credit monitoring and identity protection services.
Sam Levine, director of the FTC's Bureau of Consumer Protection, said in a statement that the incarcerated population faces limited options for communicating with loved ones. "When consumers have little or no choice about whether to use a business's products or services, the business has an even greater responsibility to ensure that its practices don't cause harm."