LifeLock, Inc., a self-proclaimed “industry leader in the rapidly growing field of identity theft protection” has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that Lifelock falsely promoted its identity theft protection services. Lifelock publicized its services through advertisements that publicly disclosed its CEO’s Social Security number. As part of the settlement, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.
The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against a few types of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. New account fraud, the type of identity theft for which fraud alerts are most effective, comprised only about 17 percent of identity theft incidents. The FTC also alleged that Lifelock provided no protection against other types of identify theft, such as medical identity theft and employment identity theft.
The FTC’s complaint further alleged that LifeLock claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. Ironically, the FTC also charged that LifeLock’s own data repositories were not encrypted, and sensitive consumer information was shared inappropriately, and could have been exploited by hackers.
The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement.