On March 9, 2010, the Federal Trade Commission and 35 state attorneys general announced a negotiated settlement with LifeLock, Inc. and its co-founders, Richard Todd Davis and Robert J. Maynard. The settlement, which will require the identity theft protection services provider to pay $11 million to the FTC and an additional $1 million to the group of participating state attorneys general, resolves charges that LifeLock misrepresented the nature and effectiveness of the identity theft protection services it offers, and made false claims about its own data security practices. Specifically, the FTC alleged that LifeLock promised its customers complete protection against all types of identity theft, but the fraud alerts that LifeLock placed on its customers’ credit files protected only against certain forms of identity theft, which did not include medical identity theft, employment identity theft or the misuse of existing accounts – the most common form of identity theft. Moreover, the FTC alleged that even with respect to new account fraud, the type of identity theft for which fraud alerts are most effective, they do not provide absolute protection. LifeLock therefore deceived consumers by making statements like “LifeLock protects against [identity theft] ever happening to you. Guaranteed.”
In the words of FTC Chairman Jon Leibowitz, “While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it.”
The FTC further alleged that LifeLock misrepresented the company’s data security practices to its customers. Among other things, LifeLock claimed that “only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis” and promised that “all stored personal data is electronically encrypted.” In reality, according to the FTC, data was not encrypted and was not shared only on a “need to know” basis. Consequently, sensitive personal information about LifeLock customers was susceptible to exploitation by those seeking access to customer information.
In addition to carrying a hefty penalty, LifeLock’s settlement with the FTC and state attorneys general prohibits the company and its co-founders from making deceptive claims, misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service,” or misrepresenting the risk of identity theft or the manner and extent to which the company’s services protect against this risk. LifeLock also agreed to implement a comprehensive information security program to protect customer information, obtain independent audits of the program every other year for the next twenty years and comply with certain record-keeping obligations. The FTC will use the settlement funds to provide refunds to LifeLock customers.