FTC files complaint against Global Tel Link for neglecting cybersecurity and delaying breach notification
The U.S. Federal Trade Commission (FTC) announced that it has filed a complaint against prison communications provider Global Tel Link for ineffective cybersecurity measures and failing to notify consumers after a data breach.
Global Tel Link, which provides telephone and video communication services for federal, state, and local correctional institutions, as well as payment processing for incarcerated individuals, is responsible for the collection and handling of personal information such as names, addresses, government identification numbers, Social Security numbers, and financial account details.
In August 2020, an incident occurred where Global Tel Link, in collaboration with a third-party vendor, transferred a substantial volume of sensitive, unencrypted personal information pertaining to approximately 650,000 users into cloud storage. The FTC alleges that the transfer was inadequately secured, lacking essential safeguards such as encryption, firewalls, and monitoring systems, thus leaving the data vulnerable to unauthorized access.
A significant portion of the data subsequently appeared on the dark web. Global Tel Link allegedly delayed notifying the affected consumers for approximately nine months after having become aware of the data breach, during which time the consumers were uninformed and unable to take preventive actions against potential identity theft.
In a proposed order against Global Tel Link, the FTC would prohibit the company and two of its subsidiaries from making false representations regarding their data security practices. Furthermore, the company would be required to establish and maintain a comprehensive data security program, which encompasses several essential elements such as change management protocols, the implementation of multifactor authentication, and rigorous procedures for data minimization.
The FTC also proposes to compel Global Tel Link to provide prompt notifications to affected consumers regarding the data breach, offer credit monitoring and identity protection services to these individuals, and ensure timely reporting of any future data breaches or security incidents to the relevant consumers and the FTC.
ALPHV files SEC complaint against MeridianLink for non-disclosure of cyberattack
The ALPHV/BlackCat ransomware operation has escalated its extortion methods by filing a complaint with the U.S. Securities and Exchange Commission (SEC) against MeridianLink, a software company providing digital solutions to financial organizations. This unprecedented move comes after MeridianLink allegedly failed to comply with the SEC’s four-day rule for disclosing cyberattacks.
On November 7, MeridianLink was attacked by the ALPHV ransomware gang, who claimed to have stolen company data which had not been encrypted or sufficiently protected. Despite apparent attempts by MeridianLink to reach out, no negotiations ensued, prompting ALPHV to threaten data leakage if a ransom was not paid within 24 hours.
Frustrated by the lack of response from MeridianLink, ALPHV filed a complaint with the SEC, alleging that the company failed to disclose a significant breach impacting customer data and operational information. This action aligns with the SEC’s new rules, set to come into effect December 15, 2023, mandating publicly traded companies to report material cyberattacks within four business days.
MeridianLink confirmed the cyberattack, stating that it took immediate containment actions and is continuing its investigation with third-party experts. It has yet to determine whether consumer personal information was compromised, but said that business disruption was minimal.
This incident marks a novel approach by ransomware groups in exerting pressure, moving beyond traditional methods of contacting customers or directly intimidating victims.
To mitigate risks in the wake of recent ransomware threats, organizations should prioritize strengthening their cybersecurity infrastructure and adhering to strict data privacy practices. Key measures include implementing robust security controls, conducting frequent vulnerability assessments, applying software updates promptly, and establishing incident response procedures that can be activated without delay. Employee training in cybersecurity awareness is also critical, along with routine audits and consultation with cybersecurity experts.
Fears that India’s DPDP Act could impact businesses
Several companies have expressed concerns about the impact of India’s Digital Personal Data Protection Act (DPDPA) on their business operations, according to a report by the Economic Times.
The DPDPA places new obligations on “data fiduciaries”, including (unless an exception applies) obtaining consent before processing personal data, deleting personal data on request, and providing notice before using personal data. Certain companies that use personal data for multiple purposes are seeking legal advice on how the law could impact their operations.
Organisations in the healthcare and banking sectors argue that the law should exempt their industries from certain rules. Hospital chain Narayana Health argues that the law could require healthcare providers to delete information needed to treat patients. Certain financial institutions are concerned that the law would prohibit the use of data for cross-selling activities.
Certain online businesses have argued that the law’s limits on the storage of personal data could require them to delete information about transactions and could lead to the premature closure of customer accounts.
Telecommunications firms have also expressed concern about the law potentially disrupting their business model by tightening the rules on the use of customers’ personal data to promote third-party services.
Ghana DPC publishes end-of-year statement
Ghana’s Data Protection Commission (DPC) shared an end-of-year statement in which it reminded the public and organisations of the following:
- Data Subjects have the legal authority to initially report issues to their data controllers, with the option to escalate unresolved matters to the Commission.
- Entities are reminded of the mandatory requirement to register with the Commission according to Act 843 Section 46(3) before manually and/or electronically collecting and using personal data. Failure to comply is deemed a criminal offense.
- The establishment of a fast-track court to address data protection non-compliance is underway. Institutions previously audited or spot-checked in enforcement actions will imminently face prosecution by the Attorney General’s office.
- From 9th January, 2024, the audit and spot-check scope will expand to include the examination of valid data protection registration licenses, organisational measures, efforts towards data protection, and implemented privacy programs.
- A reminder for medium to large institutions to train Data Protection Supervisors, as per Act 843 Section 58. Data Protection Supervisors should collaborate with the DPC to implement the institution’s in-house privacy program.
Finally, the Commission shared that it is scaling up its collaboration with over 75 Peer Regulators to include Industry Bodies and Associations.
Latest reading of the UK’s Data Protection and Digital Information Bill
The Data Protection and Digital Information Bill had its third reading in the House of Commons on 29th November 2023, and will now be reviewed by the House of Lords during the 2023-2024 session. During the latest reading of the Bill, several amendments were discussed, including updates to data subject requests, provisions to reform the regulator, so-called ‘Smart Data Schemes’, and simplifying the language used around the existing framework. Please look out for a fuller article exploring the bill soon!
As a global B Corp organisation, HewardMills is ready to partner with and support your organisation’s needs to safeguard personal data and tackle challenging, ever-evolving global data protection regulatory requirements. Contact our team if you want to discuss any of the topics or regulatory updates covered here.