Cross-posted from DataBreaches.net:
The Federal Trade Commission today asserted that LifeLock violated a 2010 settlement with the agency and 35 state attorneys general by continuing to make deceptive claims about its identity theft protection services, and by failing to take steps required to protect its users’ data.
In documents filed with the U.S. District Court for the District of Arizona, the FTC charged that LifeLock failed to live up to its obligations under the 2010 settlement, and asked the court to impose an order requiring LifeLock to provide full redress to all consumers affected by the company’s order violations.
“It is essential that companies live up to their obligations under orders obtained by the FTC,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “If a company continues with practices that violate orders and harm consumers, we will act.”
The 2010 settlement stemmed from previous FTC allegations that LifeLock used false claims to promote its identity theft protection services. The settlement barred the company and its principals from making any further deceptive claims; required LifeLock to take more stringent measures to safeguard the personal information it collects from customers; and required LifeLock to pay $12 million for consumer refunds.
The FTC charged today that in spite of these promises, from at least October 2012 through March 2014, LifeLock violated the 2010 Order by: 1) failing to establish and maintain a comprehensive information security program to protect its users’ sensitive personal data, including credit card, social security, and bank account numbers; 2) falsely advertising that it protected consumers’ sensitive data with the same high-level safeguards as financial institutions; and 3) failing to meet the 2010 order’s recordkeeping requirements.
The FTC also asserts that from at least January 2012 through December 2014, LifeLock falsely claimed it protected consumers’ identity 24/7/365 by providing alerts “as soon as” it received any indication there was a problem.
Details of the FTC’s action against the company were filed under seal. The court will determine which portions of the case will be unsealed.
The Commission vote to file the application for a show cause order was 4-1, with Commissioner Maureen K. Ohlhausen voting no.
In response, LifeLock, whose stock has plunged 38% since the announcement, issued the following statement:
“After more than 18 months of cooperation and dialogue with the FTC, it became clear to us that we could not come to a satisfactory resolution of their issues outside a court of law. We disagree with the substance of the FTC’s contentions and are prepared to take our case to court.
“LifeLock is proud of the valuable service we provide to our members. Quite simply, our members are our highest priority, and we work hard to protect them against threats to their identity. We help our members by alerting them of potential identity threats and, if a member does become a victim of identity theft, our specialists step in. We spend up to $1 million to help in remediation and recovery.
“Importantly the FTC is not seeking any relief that would change LifeLock services and products going forward. The claims raised by the FTC are all related to the past, not to current business practices.
“LifeLock takes the accuracy of our advertising materials very seriously. The alerting claims raised by the FTC did not result in any known identity theft for LifeLock members.
“Security of our systems has always been, and will remain, of primary importance to us. Based on the evidence, we do not believe that anything the FTC is alleging has resulted in any member’s data being taken. As required by the FTC’s consent order in 2010, LifeLock hired highly-credentialed, independent professionals to assess its information security. We are committed to maintaining high standards and to continual improvement, and we have spent thousands of hours and millions of dollars to achieve those standards in full compliance with the order. Every audit completed by those third parties affirmed that we were in compliance.”
Governor Tom Ridge, Former Secretary of Homeland Security, former Governor of Pennsylvania, and Member, LifeLock Board of Directors said, “My colleagues and I on the company’s board of directors know the people of LifeLock, meeting and talking with them on a regular basis. These are truly dedicated employees, committed to their work—namely, helping to protect LifeLock members from identity theft and restoring the identities of those who are victimized. Whether they’re responding to member calls or focused on developing new products and technology for LifeLock members, these are the kind of people you want on your side. As directors, we take great pride in their commitment to the communities in which they work and live. It’s part of the LifeLock culture, supporting children and victims of domestic violence, training law enforcement to help fight identity theft, and educating families on digital citizenship and online safety for their children.”