LifeLock will pay $11 million to settle FTC complaint

This post comes from partner site ConsumerAffairs.com.

LifeLock Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle complaints that the company used false claims to promote its identity theft protection services -- which it widely advertised by displaying the CEO’s Social Security number on the side of a truck.

In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information it collects from customers.

“While LifeLock promised consumers complete protection against all types of identity theft, in truth, the protection it actually provided left enough holes that you could drive a truck through it,” FTC Chairman Jon Leibowitz said.

“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. “Consumers can take definitive steps to minimize the chances of having their personal information stolen, and this settlement will help them make more informed decisions about whether to enroll in ID theft protection services.”

• Bing: Should you pay for ID theft protection?

Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service.

According to the FTC’s complaint, LifeLock has claimed:

• “By now you’ve heard about individuals whose identities have been stolen by identity thieves. ... LifeLock protects against this ever happening to you. Guaranteed.”
• “Please know that we are the first company to prevent identity theft from occurring.”
• “Do you ever worry about identity theft? If so, it’s time you got to know LifeLock. We work to stop identity theft before it happens.”

The FTC’s complaint said the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. The agency said the company also provided no protection against medical or employment identity theft, in which thieves use personal information to get medical care or apply for jobs.

Even for types of identity theft for which fraud alerts are most effective, LifeLock does not provide absolute protection, the FTC said. LifeLock alerts creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

New-account fraud comprised only 17% of identity theft incidents, according to an FTC survey released in 2007.

The FTC’s complaint also said that LifeLock falsely claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened.

In addition to deceptive ID protection claims, LifeLock also made claims about its own data security that were not true, the FTC alleged. The agency said LifeLock routinely collected sensitive information from its customers, including their Social Security and credit card numbers. The company claimed:

• “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
• “All stored personal data is electronically encrypted.”
• “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”

The FTC said LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency said, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

Related reading at ConsumerAffairs.com:

• Bogus Web site targets Madoff victims
• Class action alleges deceptive practices by LifeLock
• LifeLock sales surge despite critics