FTC Substantiates Allegations Against ViaPath Related to Data Breach and Orders Remedial Action
by Douglas Ankney
In February 2024, Commissioners Lina Khan, Chair; Rebecca Kelly Slaughter, and Alvaro M. Bedoya of the Federal Trade Commission (“FTC”) determined that the facts substantiated the allegations made against Respondents Global Tel Link Corporation (“GTL”); Telmate, LLC; and TouchPay Holdings, LLC (collectively “ViaPath” or “Respondents”). And in their Decision and Order, the Commissioners ordered Respondents to take specific remedial actions to address the issues raised in the Complaint.
Complaint Respondents contract with the Federal Bureau of Prisons; state Departments of Corrections; immigration and juvenile detention centers; county jails, and city jails (collectively “Facilities”). Respondents have contracts with Facilities in all 50 states, the District of Columbia and Puerto Rico and boast that “more than 1.9 million incarcerated people, constituting more than 85% of the inmate population” use their services.
The incarcerated people include persons convicted of crimes and persons detained awaiting trial as well as civil detainees in immigration detention centers. Additionally, ViaPath’s services were used by more than 13 million consumers in 2020 who were not incarcerated (that is, they were family and friends of the incarcerated persons). GTL’s annual revenue alone was over $600 million. The incarcerated consumers access Respondents’ services via kiosks and tablets provided by the Respondents within the Facilities. Consumers not incarcerated access Respondents’ services via websites and mobile apps, viz., gettingout.com and connectnetwork.com. For various fees charged by Respondents, those consumers not incarcerated can communicate with the incarcerated persons via voice calls, video calls, text messages or emails. The consumers not incarcerated can also deposit money into an incarcerated persons’ trust account.
Creating an account to use Respondents’ services requires incarcerated consumers and their contacts to provide extensive information in most instances, including “their names, addresses, government identification numbers such as passport numbers or driver’s license numbers, Social Security numbers, and financial account information.”
Disturbingly, the FTC Complaint explained that this mountain of information collected by ViaPath from incarcerated consumers and their contacts enables ViaPath to “offer products and services that allow Facilities to surveil and investigate incarcerated consumers and their non-incarcerated contacts.” Since 2017, executives from GTL have been shown in a YouTube video touting the Respondents’ alleged superior security system protecting the personal information collected from incarcerated consumers and their contacts.
The executives state: “GTL is different in data security from our competition” because data security is “the cornerstone of what we do”; and “A facility that’s looking for a secure environment … should be asking these questions: have you had a breach? And if you’ve had one, what have you done to correct it?” When ViaPath seeks to contract new business or to continue current contracts, the company usually responds to a Facility’s “Request for Proposals” (RFPs). Often, a Facility will inquire about the Respondents’ data security practices. The Respondents answer with: “At GTL, we take information security and data protection very seriously.” Respondents then give an overview of their “Information Security Framework” (ISF) that allegedly includes: “Controls [that] are in place to limit access only from specific IP addresses. This means that access to customer data will be denied if a request is from an unknown IP address;” and “Multiple layers of 128-bit encryption and perimeter firewall protection prevent unauthorized access from the Internet.”
Respondents rely on search and storage software (“Search Software”) and in 2019, “Respondents initiated a process to transition to a newer version of the Search Software.” This entailed contracting with a third-party vendor (“Vendor”) for the provision of software development.
In August 2020, Respondents copied to the cloud of Amazon Web Services (AWS) “a large volume of production data” that included: personally identifiable information of approximately 649,500 incarcerated consumers and their contacts, including “individual’s full names; dates of birth; phone numbers; usernames or email addresses in combination with passwords; home addresses; driver’s license numbers; passport numbers; location information; information about individuals’ race, religion, and whether they are transgender; approximately 80,000 grievances submitted by incarcerated consumers to Facilities; and the content, dates and times, senders, and recipients of approximately 75,000 written messages that incarcerated and non-incarcerated users had exchanged using Respondents’ services. In numerous instances, the written messages contained payment card numbers, financial account information and Social Security numbers.”
Around August 11, 2020, one of the Vendor’s technicians changed the security settings that exposed the above data and made it accessible to ANYONE using the internet. Unidentified individuals with IP addresses not associated with Respondents accessed the approximately 44,000,000,000 bytes of data stored in the AWS cloud. Forensic analysis “indicated there was exfiltration of data … by one or more of these individuals.”
The users’ data remained completely vulnerable and exposed, without even password protection, until August 13, 2020, when a security researcher made Respondents aware that the data was unprotected. Respondents then reconfigured the security settings so that the data was again inaccessible from the internet.
But the damage and fallout soon predictably followed. On September 1, 2020, Respondents were notified by an identity monitoring service that “sensitive data related to GTL” had been released on the “dark web” for sale in “connection with fraud, identity theft, and other criminal purposes.” Shortly thereafter, Respondents began receiving numerous complaints from consumers stating their personal information was located on the dark web that resulted in fraudulent transactions and financial harm to those consumers.
But on September 4, 2020, Respondents released an article about the breach via Comparitech, stating, inter alia, that “no medical data, passwords, or consumer payment information was affected.” And instead of notifying those affected consumers immediately, Respondents waited until May 2021 before alerting any of them. Unbelievably, even then the Respondents notified only 45,000 of the 649,500 users whose data had been exposed.
Furthermore, since the data breach, Respondents have denied ever experiencing a data breach when responding to RFPs to contract new business or extend current business. For example, since December 2020, “Respondents have stated in their RFP responses to potential Facility customers that ‘there were no system incidents that resulted in a significant failure in the achievement of one or more of service commitments and system requirements throughout the period April 1, 2020, to September 30, 2020’ where ‘system requirements’ are defined to include that ‘Logical access to programs, data and computer resources is restricted to authorized and appropriate users, and such users are restricted to performing authorized and appropriate actions.’”
Based on the above facts, the FTC found that the below listed counts of the Complaint were sustained: Count I - Unfair Data Security Practices; Count II - Unfair Failure to Notify Affected Consumers of the Incident; Count III - Misrepresentations Regarding Data Security; Count IV - Misrepresentations to Individual Users Regarding the Incident; Count V - Misrepresentations to Individual Users Regarding Notice; and Count VI - Deceptive Representations to Facilities Regarding the Incident.
Taken together, these Counts I through VI supported a finding that “[t]he acts and practices of Respondents as alleged in this complaint constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act.” Upon being served with the Complaint, the Respondents entered into a Consent Agreement with the FTC on February 23, 2024.
Pursuant to that Consent Agreement, the FTC issued a Decision and Order (“D & O”) mandating corrective steps Respondents must implement. Some highlights of what the D & O requires include:
1. “Respondents, and any business that Respondents control directly, or indirectly, in connection with the collection, maintenance, use, or disclosure of, or provision of access to, Personal Information, must, within sixty (60) days of the effective date of this Order, establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the security, confidentiality, and integrity of such Personal Information”;
2. Respondents must obtain “initial and biennial assessments” (“Assessment”) of the Information Security Program and these Assessments must be performed by “a qualified, objective, third-party professional” (“Assessor”);
3. The Respondents must fully disclose and make available to the Assessor “all information and material in their possession, custody, or control that is relevant to the Assessment for which there is no reasonable claim of privilege;”
4. An annual certification that the “Respondents have established, implemented, and maintained the requirements” of the D & O;
5. Respondents must provide credit monitoring and identity protection, including up to $1,000,000 in identity theft insurance to cover costs related to incidents of identity theft or fraud to any Affected Consumers as a result of the breach in August 2020;
6. In the event of any future breaches, the Respondents must notify each Affected Consumer within 30 days;
7. The Respondents must notify the FTC within 10 days of any future incidents/breaches;
8. Respondents are prohibited from making misrepresentations about ViaPath’s security and privacy measures in place and about any past breaches;
9. Respondents must send a notice of the terms of the Consent Agreement to all Affected Consumers (those affected by the August 2020 breach);
10. Respondents must provide the above notice to all Facilities where one or more Affected Consumers reside;
11. Respondents were required to acknowledge to the FTC that they had received the D & O;
12. Respondents must submit annual sworn statements of compliance with the D & O;
13. Respondents must create and retain for five years certain records, including “[a]ccounting records showing the revenues from all goods and services sold, the costs incurred in generating those revenues, and resulting net profit or loss;” as well as the personal contact information of anyone connected to providing Respondents’ services; and
14. Respondents must agree to supply within ten days any records the FTC may request to enable verification of Respondents’ compliance with the D & O.
Source: United States Federal Trade Commission, In the Matter of Global Tel Link Corporation, Complaint and Decision and Order, No. 212-3012 (February 23, 2024)

