LifeLock Agrees to Settle FTC, State Suits Challenging Identity Theft Protection Claims

This posting was written by Jeffrey May, Editor of CCH Trade Regulation Reporter.

Identity theft service LifeLock, Inc. has agreed to pay $12 million and to refrain from making deceptive claims to settle FTC and state charges that it misrepresented its services. The company also is required to take more stringent measures to safeguard the personal information collected from customers.

In addition to LifeLock, the FTC complaint named co-founders Richard Todd Davis and Robert Maynard, Jr., who will be barred from making the same misrepresentations as LifeLock.

Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service, according to the FTC.

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz. Lifelock's services are widely advertised by displaying the CEO’s Social Security number on the side of a truck.

The FTC challenged claims that LifeLock would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened.

LifeLock allegedly misrepresented its own data security. The FTC contended that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis.

According to the agency, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

The FTC and state settlements with LifeLock bar deceptive claims and prohibit the company from misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service.” They also bar misrepresentations about the risk of identity theft and the manner and extent to which LifeLock protects consumers’ personal information.

The settlements further require LifeLock to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years.

A press release concerning FTC v. LifeLock, Inc., FTC File No. 072 306, announced March 9, 2010, appears here on the FTC website. Text of the complaint and proposed final judgment appear here.

Further details will appear in the CCH Trade Regulation Reporter.