Last week, Lifelock agreed to pay $12 million to settle claims, brought by the Federal Trade Commission and 35 state attorneys general, that it engaged in unfair and deceptive business practices and failed to protect customers’ personal information.
“They developed a market to capitalize on consumers’ fear,” FTC Chairman Jon Leibowitz said at a news conference. “They were exaggerating the service they offered to consumers. This was a fairly egregious case of deceptive advertising.”
Consumers who signed up with the service as early as 2005 — about 1 million customers in all — will be eligible for refunds. The fine is steep for the firm, said Leibowitz.
“We’re taking all the money they had on hand,” he said.
The deceptive advertising the FTC is talking about is the suggestion that Lifelock could provide absolute protection against identity theft. In one ad, the firm said it could make consumers’ personal information “useless to a criminal”.
Now, I’ve always stated that the best way to protect your identity involves some form of credit monitoring, and the problem with companies like Lifelock is the lack of such services. It’s good to see the FTC back me up on this. I’ve read many reviews from “identity theft experts” promoting Lifelock and promising the sky.
Does that mean Lifelock doesn’t provide value? Certainly not. Most of the allegations centered on the early years of Lifelock’s marketing campaign, when CEO Todd Davis plastered his Social Security number all over the airwaves and billboards. Those ads did get our attention, didn’t they?
Lifelock today has moved away from fraud alerts and, especially with its Command Center™, has evolved into a comprehensive identity protection service. You can read our original Lifelock review or our Lifelock Command Center review here.
The other charge, about mishandling consumer data, is much more serious and a little unsettling. In its complaint against Lifelock, the FTC alleges Lifelock:
- Did not encrypt data, but stored and transmitted it in clear text.
- Failed to require employees to use hard-to-guess passwords.
- Did not install patches and critical updates.
- Did not plan for common vulnerabilities to their network, including SQL injection attacks.
- Did not install antivirus software on employee computers.
- Allowed faxes with personal information to be available in an open office area.
It is beyond my comprehension how a company whose core business centers around identity theft protection can maintain such poor security measures regarding the handling of sensitive consumer data. I’m sure Lifelock as a company will survive, and having to pay $12 million as a fine will certainly force any changes that need to be made.
LifeLock CEO Todd Davis said his firm has addressed all concerns raised by the FTC and has long since abandoned many of the techniques the agency said were misleading.
I guess it’s still early days in the identity theft protection industry.