EPIC Commends FTC’s GTL Data Breach Settlement, Urges Tailored Remedies
December 22, 2023
In comments to the Federal Trade Commission, EPIC commended the FTC for taking enforcement action against prison communications company Global Tel*Link (GTL, now known as ViaPath) for unfair and deceptive trade practices related to a 2020 data breach exposing the personal information of hundreds of thousands of incarcerated persons and their families, friends, lawyers, and other contacts, as well as to the company’s subsequent further misconduct.
GTL exposed more than 600,000 unique individuals’ personally identifiable information, including such sensitive information as usernames or email addresses in combination with passwords, home addresses, driver’s license numbers, passport numbers, location information, and information about race, religion, and whether the individual is transgender. The exposed data also included tens of thousands of grievances sent by incarcerated consumers to facilities, as well as tens of thousands of messages exchanged between incarcerated and non-incarcerated users, which sometimes contained financial information and Social Security numbers. Numerous consumers reported fraudulent transactions on their credit cards after the breach.
Despite this, after the incident GTL continued to represent that it had never experienced a breach, including in its Request for Proposal (RFP) responses to contract opportunities with other facilities. GTL did not provide notice of the breach to consumers for approximately nine months, and when it did, it notified fewer than eight percent of impacted consumers. GTL additionally represented that consumer payment and medical information was not affected when it knew that to be false.
EPIC encouraged the FTC to approve the proposed consent order, praised the Commission for its attention to harms to incarcerated persons and their families, and encouraged the FTC “to work with the FCC to rein in the litany of harmful data practices in the prison telecommunications industry and reduce costs for consumers forced to use companies like GTL to communicate with their loved ones.”
Specifically, EPIC praised the FTC’s imposition of technical controls and data retention limits, but noted that GTL should not be permitted to retain data for its intelligence services offerings. EPIC also praised the proposed consent order’s requirement that GTL facilitate communications between incarcerated persons and credit monitoring services, but urged the FTC to further tailor its remedies to include assistance with resolving credit report disputes and providing support in multiple languages.
EPIC regularly files comments in response to proposed FTC consent orders and complaints regarding business practices that violate privacy rights. Additionally, EPIC advocates for stronger consumer protection safeguards in the prison communications context.