[Federal Register Volume 88, Number 223 (Tuesday, November 21, 2023)]
[Notices]
[Pages 81081-81082]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-25690]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 212 3012]


Global Tel*Link; Analysis of Proposed Consent Order To Aid Public 
Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis of Proposed Consent Order to Aid 
Public Comment describes both the allegations in the complaint and the 
terms of the consent order--embodied in the consent agreement--that 
would settle these allegations.

DATES: Comments must be received on or before December 21, 2023.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``Global Tel*Link 
Corporation; File No. 212 3012'' on your comment and file your comment 
online at https://www.regulations.gov by following the instructions on 
the web-based form. If you prefer to file your comment on paper, please 
mail your comment to the following address: Federal Trade Commission, 
Office of the Secretary, 600 Pennsylvania Ave. NW, Mail Stop H-144 
(Annex I), Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Robin Wetherill (202-326-2220), 
Attorney, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, Federal Trade Commission, 600 Pennsylvania Ave. 
NW, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Sec.  Rule 2.34, 16 CFR 
2.34, notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of 30 days. The following 
Analysis to Aid Public Comment describes the terms of the consent 
agreement and the allegations in the complaint. An electronic copy of 
the full text of the consent agreement package can be obtained at 
https://www.ftc.gov/news-events/commission-actions.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before December 21, 
2023. Write ``Global Tel*Link Corporation; File No. 212 3012'' on your 
comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including, to the 
extent practicable, on the https://www.regulations.gov website.
    Because of heightened security screening, postal mail addressed to 
the Commission will be subject to delay. We strongly encourage you to 
submit your comments online through the https://www.regulations.gov 
website. If you prefer to file your comment on paper, write ``Global 
Tel*Link Corporation; File No. 212 3012'' on your comment and on the 
envelope, and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Ave. NW, Mail 
Stop H-144 (Annex I), Washington, DC 20580. If possible, submit your 
paper comment to the Commission by overnight service.
    Because your comment will be placed on the publicly accessible 
website at https://www.regulations.gov, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. Your comment should not include sensitive personal 
information, such as your or anyone else's Social Security number; date 
of birth; driver's license number or other state identification number, 
or foreign country equivalent; passport number; financial account 
number; or credit or debit card number. You are also solely responsible 
for making sure your comment does not include sensitive health 
information, such as medical records or other individually identifiable 
health information. In addition, your comment should not include any 
``trade secret or any commercial or financial information which . . . 
is privileged or confidential''--as provided by Section 6(f) of the FTC 
Act, 15 U.S.C. 46(f), and FTC Rule Sec.  4.10(a)(2), 16 CFR 
4.10(a)(2)--including competitively sensitive information such as 
costs, sales statistics, inventories, formulas, patterns, devices, 
manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule Sec.  4.9(c). In 
particular, the written request for confidential treatment that 
accompanies the comment must include the factual and legal basis for 
the request and must identify the specific portions of the comment to 
be withheld from the public record. See FTC Rule Sec.  4.9(c). Your 
comment will be kept confidential only if the General Counsel grants 
your request in accordance with the law and the public interest. Once 
your comment has been posted on the https://www.regulations.gov 
website--as legally required by FTC Rule Sec.  4.9(b)--we cannot redact 
or remove your comment from that website, unless you submit a 
confidentiality request that meets the requirements for such treatment 
under FTC Rule Sec.  4.9(c), and the General Counsel grants that 
request.
    Visit the FTC website at http://www.ftc.gov to read this document 
and the news release describing the proposed settlement. The FTC Act 
and other laws the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
it receives on or before December 21, 2023. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (the ``Commission'') has accepted, 
subject to final approval, an agreement containing a consent order from 
Global Tel*Link Corporation, which also operates under the name Viapath 
(``Viapath''); Telmate, LLC (``Telmate''); and TouchPay Holdings, LLC 
(``TouchPay'') (collectively, ``Respondents''). The Proposed Order has 
been placed on the public record for 30 days for receipt of comments 
from interested persons. Comments received during this period will 
become part of the public record. After 30 days, the Commission will 
again review the agreement and the comments received, and it will 
decide whether it should withdraw from the agreement and take 
appropriate action

[[Page 81082]]

or make final the agreement's Proposed Order.
    Viapath is one of the largest providers of inmate telephone 
services in the United States. In combination with subsidiaries such as 
Telmate and TouchPay, Viapath also provides a host of additional 
communications, technology, and financial services to incarcerated 
consumers, their friends and family, and other outside contacts of 
incarcerated individuals, and to jails, prisons, and other carceral 
institutions (``Facility'' or ``Facilities'').
    In August 2020, a third-party contractor engaged by Telmate left a 
database containing consumers' personal information publicly exposed on 
the internet (the ``Incident''). The exposed database contained the 
personal information of thousands of people who used Respondents' 
products and services, including GettingOut, VisitNow (also known as 
VisitMe), Command, Telmate Inmate Telephone service, and Guardian.
    The exposed personal information included the full text of messages 
exchanged using Respondents' services, grievance forms submitted by 
incarcerated people to jails and prisons, and information about 
incarcerated and non-incarcerated users such as names, dates of birth, 
phone numbers, usernames or email addresses in combination with 
passwords, home addresses, driver's license numbers, passport numbers, 
payment card numbers, financial account information, Social Security 
numbers, and data related to telephone services (like the dates and 
times of calls, called numbers, calling numbers, station used, and 
location information, like certain individuals' latitude and longitude 
at particular points in time). One or more unauthorized individuals 
accessed the exposed database and downloaded personal information from 
it. At least some of the exposed information was made available for 
sale on the dark web, where other people could also access or buy it.
    The Commission's proposed six-count complaint alleges Respondents 
violated Section 5(a) of the Federal Trade Commission Act by: (1) 
unfairly failing to employ reasonable data security measures (Count I); 
(2) unfairly failing to notify consumers affected by the Incident in a 
timely manner (Count II); (3) deceptively misrepresenting that 
Respondents implemented reasonable and appropriate measures to protect 
consumers' personal information against unauthorized access; (4) 
deceptively misrepresenting that Respondents had no reason to believe 
that consumers' sensitive personal information was affected by the 
Incident; (5) deceptively misrepresenting that Respondents would timely 
notify affected consumers; and (6) deceptively 2 misrepresenting that 
Respondents had never experienced a data security breach or that they 
had not experienced a data security breach within a particular 
timeframe that included the dates of the Incident.
    The Proposed Order contains provisions designed to prevent 
Respondents from engaging in the same or similar acts or practices in 
the future. The Proposed Order also contains provisions designed to 
provide products to consumers affected by the Incident. Provision I of 
the Proposed Order requires Respondents to establish and implement, and 
thereafter maintain, a comprehensive data security program that 
protects the security, confidentiality, and integrity of consumers' 
Personal Information, as that term is defined in the Proposed Order. 
Provision II of the Proposed Order requires Respondents to obtain 
initial and biennial data security assessments by an independent third-
party professional (``Assessor'') for 20 years, and Provision III 
requires Respondents to cooperate with the Assessor in connection with 
the assessments required by Provision II. Provision IV of the Proposed 
Order requires that a senior corporate manager or senior office of 
Respondents certify Respondents' compliance with the Proposed Order. 
Provision V of the Proposed Order requires Respondents to provide 
consumers affected by the Incident with two years of enrollment in a 
credit monitoring and identity protection product. This provision 
includes requirements that are designed to help incarcerated consumers 
affected by the Incident access the product. Provision VI of the 
Proposed Order requires Respondents to notify consumers and relevant 
Facilities of any future incident that results in Respondents 
notifying, pursuant to a statutory or regulatory requirement, any U.S. 
federal, state, or local government entity that Personal Information of 
or about an individual consumer was, or is reasonably believed to have 
been, accessed or acquired, or publicly exposed without authorization 
(``Covered Incident''). Provision VII of the Proposed Order requires 
Respondents to notify the Commission of any future Covered Incident.
    Provision VIII of the Proposed Order prohibits Respondents from 
misrepresenting: (1) Respondents' privacy and security measures to 
prevent unauthorized access to Personal Information; (2) the 
occurrence, extent, nature, potential consequences, or any other fact 
relating to a Covered Incident actually or potentially involving or 
affecting Personal Information within the ownership, custody, or 
control of one or more Respondents; (3) the extent to which Respondents 
have notified or will notify affected parties in connection with a 
Covered Incident; (4) the extent to which Respondents meet or exceed 
industry-standard security or privacy practices; and (5) the extent to 
which Respondents otherwise protect the privacy, security, 
availability, confidentiality, or integrity of Personal Information.
    Provision IX of the Proposed Order require Respondents to provide 
notice of the Incident by: (1) posting notice on each of Respondents' 
websites and the home screen of each of Respondents' mobile 
applications that has been used to provide Telmate products and 
services; and (2) sending notice to each consumer affected by the 
Incident that did not previously receive notification of the Incident. 
Provision X of the Proposed Order requires Respondents to provide 
relevant Facilities with notice of the Incident.
    Provisions XI-XIV of the Proposed Order are reporting and 
compliance provisions, which include recordkeeping requirements and 
provisions requiring Respondents to provide information or documents 
necessary for the Commission to monitor compliance. Provision XV states 
the Proposed Order will remain in effect for 20 years.
    The purpose of this analysis is to aid public comment on the 
proposed order. It is not intended to constitute an official 
interpretation of the complaint or proposed order, or to modify in any 
way the proposed order's terms.

    By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2023-25690 Filed 11-20-23; 8:45 am]
BILLING CODE 6750-01-P