Cybershitcurity: Telmate Part 2 - Public Records Requests
How to craft targeted public records requests for breach notifications.
This is the second part of a two-part series. If you haven’t yet, please read part 1 here.
From our first foray into GTL’s breach notification, we know that they did not properly disclose it, got caught with their breach pants around their ankles, and the FTC was not impressed.
Being able to piece together the size and scope of a breach using the publicly available State breach databases is extremely useful, particularly when you are dealing with a reporting party who may be withholding the full story.
However, there are a number of places that do not have a public database and in fact may have more records available than just a breach notification.
This is where our trusty friend, the public records request, comes in extremely handy. In most jurisdictions (including internationally, where breach notifications are required), the breach notifications and some communications between the reporting party and the regulator are part of the public record.
This means that, with a well-crafted request (duh), we can attempt to retrieve these records. You, as a journalist, due diligence investigator or researcher, should be doing this, particularly if you are doing due diligence on a vendor before their product or humans touch your supply chain.
I’ll show you the basics of a good public records request for breach data, and you can adapt it to your own needs as you see fit.
Build a Template
This will save you an incredible amount of time. Just build yourself a template in Microsoft Word or Google Docs. Having a template per state or agency is even better; this has saved me countless hours of repetitive work and will do the same for you.
The first and most critical thing:
will haunt you and your dreams forever. Where possible, you also want to use your full mailing address, printed name, and date with an embedded signature.
Any boilerplate language relating to how you like your records delivered (electronic or snail-mail) and whether you are willing and able to pay any fees can remain the same for most of your requests, so keep it pasted into the bottom of your template, as you will see below.
To find the right language to use for each State, I use the NFOIC.org website, FOIA.gov and MuckRock.com together to confirm the correct verbiage. NFOIC.org has sample requests for each State that you can use, and they encourage you to use and modify them.
After my introductory preamble (and the letterhead!) I borrow a bit of language from the NFOIC website’s Oregon example:
Under the Oregon Public Records Law, §192.410 et seq., I am requesting an opportunity to obtain copies of the following records:
We are going to request consumer complaints and breach records, both of which are generally funnelled into the Attorney General’s office. Some public records folks may caution against combining requests like this, while others may point out that most agencies can and will amalgamate requests that are close together and related to the same topic.
You do you and see what kind of results you get. Report back if you so desire.
All cyber breach notification records from:
GLOBAL TEL LINK CORPORATION, an Idaho corporation, operating at 3120 Fairview Park Drive, Suite 300, Falls Church, Virginia, 22042. This company provides telecommunications and technology services to government agencies, primarily in corrections.
Subsidiaries or business names may include:
○ d/b/a GTL;
○ d/b/a ViaPath Technologies;
○ Telmate, LLC;
○ TouchPay Holdings, LLC;
○ d/b/a GTL Financial Services.
All consumer complaints related to this breach and/or any other consumer complaints against the company or subsidiaries listed above.
It is worth pausing to reflect here. I am not simply sending the company name over, crossing my fingers and hoping for the best from the DA’s office.
I have done some primary research, ensured I have found the correct name of the company, their mailing address, and the additional details around subsidiaries, and told them what this company actually does. These details help the person on the other side of the request understand what you, the requestor, are looking for.
The more vague and ambiguous you are, the more likely you will face delays, denials or an increased amount of back and forth with the FOIA officer to sort it all out.
We want to limit the scope of the search in terms of timeframe. In almost every public records request I file, I use this to ensure that the request will not be overbroad, cause delays or get a denial simply for an incorrect time range.
I am seeking records from August 1, 2020, through July 13, 2024, to limit the scope of your search.
This will help the FOIA officer limit their search and potentially limit the amount of “what time range are you seeking?” kinda questions in the future.
There are efficiency gains everywhere when you are doing research and investigative work. Find them, adopt them and use them repeatedly.
The only thing left to do is click send. Don’t forget to do that.
Now?
We wait.
Update! Dude, Where’s My Equity?
On January 5, 2024, I wrote a post on Vroom, a car company that was accumulating bad consumer reviews and financial losses and had duped Bloomberg analysts into thinking that pink, curvy waves were perfectly normal in the stock market.
Vroom was another excellent example where another analyst and I had sent countless FOIA requests to various consumer protection agencies and had read firsthand - and sometimes heartbreaking - accounts of people doing battle with Vroom.
While combing for records in the Cybershitcurity posts, I encountered some updates from an FTC action against Vroom that’s definitely worth the read.
“The Federal Trade Commission has taken action against online used car dealer Vroom for misrepresenting that it thoroughly examined all vehicles before listing them for sale and failing to obtain consumers’ consent to shipment delays or provide prompt refunds when cars weren’t delivered in the time Vroom promised.” - Federal Trade Commission, July 2, 2024.
I’ve said it before, and I’ll say it again.
Follow the angry consumers, and you can usually hit pay dirt.
Sample Cybersecurity Breach FOIA
Name
Address
City, State, Country
DATE, 202X
Office of the Attorney General
Oregon Department of Justice
1162 Court Street NE
Salem, OR 97301
PublicRecordsRequests@doj.state.or.us
Dear Custodian of Records:
Under the Oregon Public Records Law, §192.410 et seq., I am requesting an opportunity to obtain copies of the following public records:
All cyber breach notification records from:
GLOBAL TEL LINK CORPORATION, an Idaho corporation, operating at 3120 Fairview Park Drive, Suite 300, Falls Church, Virginia, 22042. This company is in the business of providing telecommunications and technology services to government agencies, primarily in corrections.
Subsidiaries or business names may include:
○ d/b/a GTL;
○ d/b/a ViaPath Technologies;
○ Telmate, LLC;
○ TouchPay Holdings, LLC;
○ d/b/a GTL Financial Services.
All consumer complaints related to this breach and/or any other consumer complaints against the company or subsidiaries listed above.
To limit the scope of your search, I am seeking records from August 1, 2020, through July 13, 2024.
If you deny any or all of this request, please cite each specific exemption you feel justifies the refusal to release the information and notify me of the appeal procedures available to me under the law.
Furthermore, I ask that all records be provided electronically, in a rolling fashion, as they are discovered, with PDF as the preferred document format and CSV as the preferred format for summary data or spreadsheets, should there be any.
I am willing to pay fees if necessary, but please provide an estimate if that is required. Please don’t hesitate to reach out if you have any questions or require any clarifications. I am happy to assist you.
Thank you kindly,
[Signature]
Printed Name