With the increasing frequency of customer-database breaches and credit-card information theft at brick-and-mortar retailers, customers have a lot of reasons to fear identity theft — and to consider identity-protection services such as LifeLock. But its users may want to rethink trusting LifeLock, as it has agreed to pay $100 million to settle charges filed in a Federal Trade Commission (FTC) complaint alleging that the company used deceptive advertising and improperly secured customer information, including names, banking information and Social Security numbers.
In an easy-to-read statement issued yesterday (Dec. 17), FTC Chairwoman Edith Ramirez explained that this settlement, the largest ever related to an FTC complaint, stems from LifeLock's inability to provide "reasonable security for consumer data," and that the commission had found it "particularly troubling" that consumers paid for the services rendered.
The complaint, filed this past July, alleged that from 2012 to 2014, LifeLock violated the terms of a 2010 court-ordered agreement and resulting settlement that forbade LifeLock from engaging in further deceptive advertising and mandated that it beef up its data-security practices.
The FTC also found fault in LifeLock's claims that it protects "consumers' sensitive data with the same high-level safeguards used by financial institutions" and that the company "would send alerts 'as soon as' it received any indication that a consumer may be a victim of identity theft."
As a further penalty, going forward, the FTC will extend the terms of the 2010 agreement, which now subjects LifeLock to regular monitoring and audits until 2023.
In 2010, the FTC alleged that LifeLock had not been encrypting customer information, nor had it created any security measures to limit employee access to those customer records. In the subsequent settlement, LifeLock agreed to pay $12 million for engaging in deceptive advertising. The record penalty LifeLock agreed to yesterday is meant to be proportional to its recent earnings; LifeLock's end-of-year financial report for 2014 revealed the company had revenues of $476 million, a substantial increase from the $370 million it earned in 2013.
"Our settlement, which provides for substantial consumer redress, is an important step in ensuring that LifeLock complies with its continuing obligations to engage in truthful advertising and protect the security of its customers’ information," the FTC said in a formal statement.
Commissioner Maureen K. Ohlhausen dissented from the FTC order, citing lack of "clear and convincing evidence that LifeLock failed to establish and maintain a comprehensive information security program."
Ohlhausen noted that LifeLock had fully complied with the Payment Card Industry Data Security Standard (PCI-DSS), the widely used standard for online credit-card processing. The other three commissioners stated that PCI-DSS was not enough to satisfy the terms of the 2010 agreement; PCI compliance would have had no bearing on the charges of deceptive advertising.
In its own statement released yesterday, LifeLock admitted the FTC's charges, but said its former bad behavior had ended, explaining that "the settlement does not require us to change any of our current products or practices."
According to the FTC, $68 million of the settlement may be used to recompense LifeLock customers who have filed several class-action suits against the company. Monies distributed from that fund "must be paid directly to and received by customers" and not used to pay legal or administrative fees. (Legal fees in lawsuits are normally one-third of award amounts.)
Earlier this year, Tom's Guide gave LifeLock an Editor's Choice award in a review roundup of identity-protection services. We will be re-evaluating that award.