FTC: LifeLock Will Pay $12 Million to Settle Charges About Its ID Theft Prevention, Data Security Claims
The Federal Trade Commission announced that LifeLock, an identity theft protection company, will pay $11 million to the FTC and $1 million to a group of 35 state attorneys general “to settle charges that the company used false claims to promote its identity theft protection services.” The FTC will use the settlement money to provide refunds to affected consumers. More information can be found at 202-326-3757 and at www.ftc.gov/lifelock.
Alaska, Arizona, California, Delaware, Florida, Hawaii, Idaho, Illinois, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Michigan, Missouri, Mississippi, Montana, Nebraska, Nevada, New Mexico, New York, North Carolina, North Dakota, Ohio, Oregon, Pennsylvania, South Carolina, South Dakota, Tennessee, Texas, Vermont, Virginia, Washington, and West Virginia participated in this settlement.
In one of the largest FTC-state coordinated settlements on record, LifeLock and its principals will be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers. […]
“This agreement effectively prevents LifeLock from misrepresenting that its services offer absolute prevention against identity theft because there is unfortunately no foolproof way to avoid ID theft,” Illinois Attorney General Lisa Madigan said. […]
Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service. […]
In addition to its deceptive identity theft protection claims, LifeLock allegedly made claims about its own data security that were not true. According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers. The company claimed:
- “Only authorized employees of LifeLock will have access to the data that you provide to us, and that access is granted only on a ‘need to know’ basis.”
- “All stored personal data is electronically encrypted.”
- “LifeLock uses highly secure physical, electronic, and managerial procedures to safeguard the confidentiality and security of the data you provide to us.”
The FTC charged that LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.