According to an FTC press release on March 3, 2010 and as reported in various media outlet reports, like this one from The New York Times, LifeLock, Inc., an identity theft protection company, has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services.
The FTC claims and state attorneys general actions appear to have been centered around LifeLock’s representations that its protections against identity theft were complete, absolute, and guaranteed. FTC Chairman Jon Leibowitz noted in the FTC’s press release,
"While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it."
According to the FTC’s complaint, LifeLock has at times claimed:
- “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.”
- “Please know that we are the first company to prevent identity theft from occurring.”
- “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”
The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files allegedly protected only against certain forms of identity theft, gave no protection against the misuse of existing accounts, and provided no protection against medical or employmentidentity theft (in which the personal information is used to get medical care or apply for jobs). The FTC’s complaint further alleged that LifeLock falsely claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened.
In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true. According to the FTC, LifeLock routinely collected sensitive information from its customers. The company claimed:
- “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
- “All stored personal data is electronically encrypted.”
- “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”
The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. The agency further charged that the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.
LifeLock CEO Richard Todd Davis and co-founder Robert J. Maynard, Jr. were named as individual defendants in the FTC complaint. Davis himself became perhaps the most famous victim of identity theft after posting his social security number on trucks and in television commercials for the company. Maynard resigned from the company amid controversy in the summer of 2007.
The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying. According to the FTC press release, customers do not have to contact the FTC to be eligible for refunds and up-to-date information about the redress program can be found at 202-326-3757 and at www.ftc.gov/lifelock.
LifeLock issued a press release on March 9, 2010 entitled, “LifeLock, FTC & State Attorneys General Agree to Advertising Standards”, and stating that the agreement “provides regulatory guidance for identity theft protection industry”.
