Can You Still Trust LifeLock?

Shares of leading identity-protection service LifeLock plunged by nearly half yesterday (July 21), and its stock trades were halted twice, after the Federal Trade Commission filed a legal complaint that the company had failed to meet its obligations under a 2010 settlement with the agency.

The FTC said that LifeLock had failed to protect consumer data, engaged in false advertising and failed to keep records in the manner mandated by the 2010 agreement. The incidents that led to the allegations were not disclosed. A LifeLock statement in response did not deny the allegations, but said they all related to past, not current, business practices.

In a recent round of reviews of identity-protection services, Tom's Guide rated LifeLock's Ultimate Plus service highest and named it our Editor's Choice. We found it offered the most comprehensive information and the most useful alerts. Until further details are provided regarding the FTC complaint, we stand by that review.

However, most people do not need to subscribe to an identity-protection service, and the services' marketing materials frequently exaggerate both the risks of identity theft and the ability of the services to protect personal information. Much of what the services provide can be performed or obtained by an individual consumer at no cost; the question is whether the convenience is worth the cost. 

What did LifeLock allegedly do?

The FTC complaint against LifeLock, filed yesterday in the U.S. District Court for the District of Arizona (LifeLock is based in Tempe, just outside Phoenix), states that LifeLock:

— Failed "to establish and maintain a comprehensive information-security program to protect its users' sensitive personal data, including credit card, Social Security and bank-account numbers";

— "Falsely advertis[ed] that it protected consumers' sensitive data with the same high-level safeguards as financial institutions";

— Failed "to meet the 2010 order’s recordkeeping requirements"; and

— "Falsely claim[ed] it protected consumers' identity 24/7/365 by providing alerts 'as soon as' it received any indication there was a problem."

"The claims raised by the FTC are all related to the past, not to current business practices," LifeLock said in its own press statement. "The alerting claims raised by the FTC did not result in any known identity theft for LifeLock members."

The details of what exactly prompted the complaint were sealed. An FTC spokesman told Tom's Guide that the agency could provide no further comment until the court decided what to unseal.

What was the original agreement that was violated?

The March 2010 agreement between LifeLock and the FTC barred LifeLock from engaging in deceptive advertising and mandated that the company "take more stringent measures to safeguard the personal information they [the company and its founders] collect from customers."

The FTC went after LifeLock back then because the company's ads exaggerated what the service could do, including guaranteeing that LifeLock could "prevent" identity theft, monitoring customers' credit reports and making sure creditors called customers before opening accounts. The FTC said all three claims were false.

In reality, there is no foolproof way to prevent identity theft. Identity-protection services merely alert customers to when identity theft has occurred, which helps the affected individual minimize the potential damage by catching the crime early.

The 2010 settlement agreement stated that LifeLock had also said in its marketing materials that the personal information it collected from customers — which included names, addresses, dates of birth and Social Security numbers, which together could be used to steal someone's identity — was encrypted and restricted to "need to know" employees.

The FTC said neither statement was true, and that LifeLock was placing customers' data at risk. (It is not clear from the 2015 complaint whether such data still is at risk.)

As part of the agreement, LifeLock paid the FTC $11 million and the attorneys general of 35 states a total of $1 million. The FTC used its part of the money to issue partial refunds to LifeLock customers.

Other LifeLock Controversies

In October 2009, LifeLock settled a civil case against credit-reporting bureau Experian, which alleged that LifeLock had harmed its business by flooding its systems with bogus fraud alerts.

Until that point, a large part of LifeLock's paid services consisted of repeatedly filing temporary individual fraud alerts with the three credit-reporting bureaus on behalf of its clients. This practice created a state of permanent alert, which meant that LifeLock and its clients received notifications every time a client's credit was checked.

However, fraud alerts are meant to be requested by consumers directly from the credit agencies, who would prefer consumers did so only when necessary. Furthermore, they're free and can be renewed every 90 days. In essence, LifeLock had been collecting money from consumers for information that other businesses were required by law to provide at no cost.

Longtime television watchers may remember the ad in which LifeLock co-founder Todd Davis stated his Social Security number and dared anyone to steal his identity. A 2010 news report said that as a result of the ad campaign, which included billboards, Davis' identity was stolen at least 13 times.

Do you need to pay for LifeLock's services?

Most people will never need to pay for an identity-protection service. Such services are truly useful to only two groups of people: those who learn that their highly sensitive personal information, such as dates of birth or Social Security numbers, has been compromised in a data breach; and those who know that someone else is already impersonating them.

Furthermore, in the case of large-scale data breaches, victims are often offered one or two years of free subscriptions to an identity-protection service. If you find yourself in such a position, take the offer, as long as it doesn't restrict your ability to take civil action against other involved parties.

The free coverage won't guarantee that your identity won't be stolen, but it can't hurt. However, two services that are frequently offered in such instances, AllClearID and ProtectMyID, rated poorly in our reviews and we cannot recommend paying for them.

For those who already are the victims of identity theft, such services are useful in that they help mitigate the damage. However, it's even more important for victims of identity theft to file police reports and complaints with the FTC, because that will help in future legal matters.

For credit-card theft and resulting fraud, identity-protection services are mostly useless. Almost every American adult has had a credit-card number stolen. They just don't know it, because the banks and other card issuers catch the theft and fraud quickly.

The consumer will almost never be on the hook for fraudulent charges stemming from a stolen credit card, and will rarely be liable for charges stemming from a stolen debit card.

If you don't know of any active threats to your identity, but still want to protect it, there are a couple of things you can do for absolutely free.

First, check your credit report. Each of the three major reporting agencies — Equifax, Experian and TransUnion — lets you get one free credit report per year. But because they essentially contain the same information, you can get a fresh report every four months if you cycle through the agencies yearly.

Second, ask one of the agencies to place a 90-day fraud alert on your credit file. The agency you contact will notify the other two. You'll be notified of everything that happens over the next three months, and most of it will be really dull. If you like what you see, and feel it makes you safer, ask again every three months.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.