FTC Charges LifeLock with Deception
Commission Raises Concern Over Security of Customer Data
The Federal Trade Commission says LifeLock has violated a 2010 settlement with the commission and 35 state attorneys general by continuing to make deceptive claims about its identity theft protection services and by failing to take steps to protect users' data.
After the FTC made the announcement on July 21, LifeLock's stock plummeted, dropping nearly 50 percent by the close of trading on the New York Stock Exchange. LifeLock markets a variety of identity theft protection and data breach alert services to consumers and risk management services to governments and businesses.
The FTC is asking a federal court to issue an order requiring LifeLock to "provide full redress to all consumers affected by the company's order violations."
In documents filed with the U.S. District Court in Phoenix on July 21, the FTC maintains that LifeLock failed to take steps required to protect its customers' data.
"It is essential that companies live up to their obligations under orders obtained by the FTC," said Jessica Rich, director of the FTC's Bureau of Consumer Protection. "If a company continues with practices that violate orders and harm consumers, we will act."
LifeLock did not immediately respond to a request for an interview, but in a statement the company said that after 18 months of cooperation and dialogue with the FTC, it became clear that the two sides could not come to a satisfactory resolution. "We disagree with the substance of the FTC's contentions and are prepared to take our case to court," the LifeLock statement says.
As part of its response to the FTC's announcement, LifeLock issued a statement from board member Tom Ridge, the former Homeland Security secretary and Pennsylvania governor, who attests to the integrity of the company's leaders and employees. "These are the kind of people you want on your side," Ridge said in the statement, which did not directly address the FTC allegations.
2010 Settlement Details
According to the FTC, the 2010 settlement stemmed from previous FTC allegations that LifeLock used false claims to promote its identity theft protection services. The settlement barred the company and its principals from making any further deceptive claims, required LifeLock to take more stringent measures to safeguard the personal information it collects from customers and required LifeLock to pay $12 million for consumer refunds.
The new FTC charges contend that in spite of these promises, from at least October 2012 through March 2014, LifeLock violated the 2010 order by failing to establish and maintain a comprehensive information security program to protect its users' sensitive personal data, including credit card, Social Security and bank account numbers; falsely advertising that it protected consumers' sensitive data with the same high-level safeguards as financial institutions; and failing to meet the 2010 order's recordkeeping requirements.
The FTC also asserts that from at least January 2012 through last December, LifeLock falsely claimed it protected consumers' identity around the clock by providing alerts "as soon as" it received any indication there was a problem.
LifeLock: Customer Data Secure
LifeLock, in its statement, notes: "Importantly, the FTC is not seeking any relief that would change LifeLock services and products going forward.
"The claims raised by the FTC are all related to the past, not to current business practices. LifeLock takes the accuracy of our advertising materials very seriously. The alerting claims raised by the FTC did not result in any known identity theft for LifeLock members. ... Based on the evidence, we do not believe that anything the FTC is alleging has resulted in any member's data being taken."
The company says that it fulfilled a 2010 consent order requirement that it hire highly credentialed, independent professionals to assess its information security, and says it has spent thousands of hours and millions of dollars to achieve the high security standards the FTC ordered. "Every audit completed by those third parties affirmed that we were in compliance," the company says.
LifeLock did not immediately reply to Information Security Media Group's request for additional comment.
In recent years, the FTC has stepped up its enforcement actions to protect consumers' digitized information. In 2013, the FTC filed a complaint against LabMD, alleging that the medical testing lab failed to reasonably protect consumers' personal information, including medical information. LabMD argues that the FTC has overstepped its authority in issuing the proposed order, and the case is continuing (see FTC's LabMD Case: The Next Steps).
In 2012, the FTC filed a suit against the hotel chain Wyndham Worldwide and three of its subsidiaries in connection with three security breaches that exposed stored card details for nearly 670,000 accounts (see FTC Sues Hotel Chain for Card Breaches). That case continues to be adjudicated in the federal courts.