DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

LifeLock Will Pay $12 Million to Settle Charges by the FTC and 35 States That Identity Theft Prevention and Data Security Claims Were False

Posted on March 9, 2010 by Dissent

LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services, which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.

In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” said FTC Chairman Jon Leibowitz.

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”

Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service.

According to the FTC’s complaint, LifeLock has claimed:

  • “By now you’ve heard about individuals whose identities have been stolen by identity thieves . . . LifeLock protects against this ever happening to you. Guaranteed.”
  • “Please know that we are the first company to prevent identity theft from occurring.”
  • “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”

The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only 17 percent of identity theft incidents, according to an FTC survey released in 2007.

The FTC’s complaint further alleged that LifeLock also claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC charged that those claims were false.

In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true.

According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers. The company claimed:

  • “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
  • “All stored personal data is electronically encrypted.”
  • “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”

The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

The FTC and state settlements with LifeLock bar deceptive claims, and prohibit the company from misrepresenting the “means, methods, procedures, effects, effectiveness, coverage, or scope of any identity theft protection service.” They also bar misrepresentations about the risk of identity theft, and the manner and extent to which LifeLock protects consumers’ personal information. In addition, the settlements require LifeLock to establish a comprehensive data security program and obtain biennial independent third-party assessments of that program for twenty years.

The Attorneys General of Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia participated in this settlement.

In addition to LifeLock, the FTC complaint named co-founders Richard Todd Davis and Robert J. Maynard, Jr., who will be barred from the same misrepresentations as LifeLock.

The Commission vote to authorize staff to file the complaint and the settlement with LifeLock and Richard Todd Davis was 4-0. The Commission vote to authorize staff to file the settlement with Robert J. Maynard, Jr. was 3-1, with Commissioner J. Thomas Rosch dissenting. The documents were filed in the U.S. District Court for the District of Arizona.

The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying. Customers do not have to contact the FTC to be eligible for refunds. Up-to-date information about the redress program can be found at 202-326-3757 and at www.ftc.gov/lifelock.

Source:  Federal Trade Commission

Note: LifeLock issued a press release, that you can read here.  It says, in part:

The FTC and State Attorneys General action, which resulted from an examination of old practices and products, has no impact on LifeLock’s current services. Nothing changes because this was based on activity from over two years ago.

Category: ID TheftOf NoteU.S.

Post navigation

← Medical Files, Pills Found In Abandoned St. Bernard Nursing Home
How to reconcile Kaiser's statements about who can access patient data →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • B.C. health authority faces class-action lawsuit over 2009 data breach (1)
  • Private Industry Notification: Silent Ransom Group Targeting Law Firms
  • Data Breach Lawsuits Against Chord Specialty Dental Partners Consolidated
  • PA: York County alerts residents of potential data breach
  • FTC Finalizes Order with GoDaddy over Data Security Failures
  • Hacker steals $223 million in Cetus Protocol cryptocurrency heist
  • Operation ENDGAME strikes again: the ransomware kill chain broken at its source
  • Mysterious Database of 184 Million Records Exposes Vast Array of Login Credentials
  • Mysterious hacking group Careto was run by the Spanish government, sources say
  • 16 Defendants Federally Charged in Connection with DanaBot Malware Scheme That Infected Computers Worldwide

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • D.C. Federal Court Rules Termination of Democrat PCLOB Members Is Unlawful
  • Meta may continue to train AI with user data, German court says
  • Widow of slain Saudi journalist can’t pursue surveillance claims against Israeli spyware firm
  • Researchers Scrape 2 Billion Discord Messages and Publish Them Online
  • GDPR is cracking: Brussels rewrites its prized privacy law
  • Telegram Gave Authorities Data on More than 20,000 Users
  • Police secretly monitored New Orleans with facial recognition cameras

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.