LifeLock tops the list of companies that seized the marketing opportunity to exploit our justifiable concerns about identity theft. Its aggressive advertising made it seem that LifeLock provided the answer to stop data breaches and protect Social Security numbers. Well, turns out the company did something else.
The Federal Trade Commission (FTC) alleged that from October 2012 through March 2014, “LifeLock failed to establish and maintain a comprehensive information security program to protect users’ sensitive personal information including their Social Security, credit card and bank account numbers.”
LifeLock violated an 2010 FTC agreement in which the company promised to protect private information. Consequently, in a record settlement, Lifelock will pay $100 million to consumers who signed on with the company expecting protection.
“This settlement demonstrates the Commission’s commitment to enforcing the orders it has in place against companies, including orders requiring reasonable security for consumer data. The fact that consumers paid LifeLock for help in protecting their sensitive personal information makes the charges in this case particularly troubling,” FTC Chairwoman Edith Ramirez said.
The FTC alleged that Lifelock:
- Failed to maintain a comprehensive information security program to protect users’ sensitive personal information including their Social Security, credit card and bank account numbers.
- Falsely advertised that it protected consumers’ sensitive data with the same high-level safeguards used by financial institutions.
- Falsely advertised that it would send alerts “as soon as” it received any indication that a consumer may be a victim of identity theft. Finally, the FTC alleged that the company failed to abide by the order’s record keeping requirements.
LifeLock must deposit $100 million into the registry of the U.S. District Court for the District of Arizona. The FTC says, “Of that $100 million, $68 million may be used to redress fees paid to LifeLock by class action consumers who were allegedly injured by the same behavior alleged by the FTC. These funds, however, must be paid directly to and received by consumers, and may not be used for any administrative or legal costs associated with the class action.”